Introduction This is a print version of the event. It contains a … Document... · 2020-03-05 ·...


Introduction

This is a print version of the event. It contains a summary of the event and its contents. The response shown below is the last accepted response. If there is no accepted response, the latest draft response will be shown. Please review this for correctness and mark it up as necessary.

This file was downloaded at: [Monday, March 2, 2020 at 4:21 PM]

Overview

ID: Doc2292887251
Description: Office of Legal Counsel wants to purchase a Document Management System
Status: Open
Version: v2
Version Comment:
Owner: Brett A Decker
Editors: (none)
Event Type: RFP
Test Event: No
Template: RFQ Templatev2
Base Language: English
Commodity: Software 4323
Regions: WLITAP ITAP Group
Departments: 4045002000 Office of Legal Coun
Last Modified: 03/01/2020
Currency: US Dollar
Creation Date: 03/01/2020

Access Control:

Timing Rules

Publish time: 3/1/2020 8:12 AM
Due date: 3/12/2020 5:00 PM
Specify how lot bidding will begin and end: Parallel
Planned response start date: 3/1/2020 8:12 AM
Planned due date: 3/12/2020 5:00 PM
Set a review period after lot closes: No
Allow bidding overtime: No
Estimated Award Date:


Bidding Rules

Enable scoring on participant responses: Yes
Default Grading Method: Select
Must participants improve their bids: No
Can participants submit tie bids: Allow tie bids for all ranks
Choose Scoring Type: 0
Require participant to give a reason for declining to bid: No
Allow Pricing Conditions: No

Currency Rules

Allow participants to select bidding currency: No

Market Feedback

Show formulas to all participants: No
Allow participants to see scoring weights: No
Specify how participants view market information: Enable a starting gate for each lot
Show calculated value of competitive term before participant submits bid: Yes
Indicate to participants that participant-specific initial values have been specified: No
Can owner see responses before event closes: Yes

Content

Name | Initial | Historic | Reserve | Blue Technologies | Affinity Consulting | LogicForce
Totals (Extended Price) | | | | $0.00 USD | $0.00 USD | $0.00 USD

1 Welcome to PURDUE UNIVERSITY WEST LAFAYETTE CAMPUS RFQ OLC DOCUMENT MANAGEMENT SYSTEM - M. ARTHUR

The Office of Legal Counsel is seeking pricing for a Document Management System.

2 OBJECTIVE: Purdue University requests pricing for item(s) listed within this request.

BELOW ARE THE MINIMUM SPECIFICATIONS. A cost narrative of no more than one (1) page should be attached to your response. You have also been given the IT Security Questionnaire (attached), which must be completed and returned with your response.

Document Management System:
Cloud-based service
15-20 licenses
Desktop integration for MS Windows or Mac
OCR capability
Integration for Outlook, Adobe, Word and PowerPoint
Mobile and offline access to email and documents
Redundancy/backup data source
Web admin interfaces

Consultant Services:
Design and implementation
Training
Quote for existing document conversion

Support Services:
Access to 24/7 support

3 INSTITUTIONAL CONTACT(S) & COMMUNICATION

The Procurement Services contact person for this RFQ is Brett Decker at [email protected]. All communication pertaining to this RFQ should be submitted through the Ariba event message board. If there are changes to this request, a revised event will be issued to all bidders. Please contact Ariba Support at (866) 218 2155 if you need technical assistance.

4 RESPONSES

Bidders MUST submit their responses through the Ariba system. Insert your response in the appropriate sections below. Include/identify discounts you are offering within your attached detailed company quote.

4.1 See attached specifications (if applicable): RFQ Attachment place holder doc.docx

4.2 Bidders should attach your detailed company quote(s) and response documentation here. When providing multiple documents please use a zip file.

VendorSecurityQuestionnaireV7.3.xlsx

5 COST

You should attach a one (1) page cost narrative to your proposal.

5.1 Cost
Price:
Quantity: 1 each
Extended Price:

6 Purdue's available payment terms are noted in item 1 of the INFORMATION section. Please identify which of the payment terms you prefer.

7 Please note if shipping from outside the U.S. and list the country of origin.

8 Provide the warranty associated with the product/services offered.

9 Provide your timeline to delivery upon receipt of a PO.

10 Provide the validity period of your quote/offer.

11 CERTIFICATE OF INSURANCE (If Applicable)

Proof of Insurance is required from the Seller and/or its Subcontractor for all work conducted on Purdue’s premises. See Purdue’s standard terms and conditions link in the INFORMATION section for details. If applicable, please attach your COI along with your detailed quote response noted in Section 4.

12 Is the item to be purchased a defense article on the United States Munitions List (USML) or a 600 series item on the Commerce Control List (CCL) that has a specific military purpose?

13 INFORMATION

1. Purdue University's available payment terms are as follows: ACH options: (3% 10, Net 45), (2% 20, Net 45), (1% 30, Net 45), (Net 45, no discount); or pay immediately, payment method "Virtual Credit Card". For more information about the "Virtual Credit Card" accelerated payment program, visit: http://www.purdue.edu/business/procurement/acctpay/sua.html

2. Purdue University is exempt from Federal Excise Tax and Indiana Sales Tax (#003123723-004-1).

3. Purdue University's standard terms and conditions for all purchases can be found at the following URL: http://www.purdue.edu/business/procurement/about/termsconditions.html

4. Purdue University accepts no obligation for costs incurred by the supplier in responding to the request or in anticipation of being awarded the contract.

5. Purdue reserves the right to accept all or part, or to decline to buy the whole. THERE IS NO OBLIGATION TO BUY. In determining an award, qualifications of the prospective vendor, conformity with specifications for goods and/or services, cost, and delivery terms will be considered by Purdue University in its absolute and sole discretion.

6. Purdue University is a public institution and therefore subject to the Indiana Access to Public Records Act (APRA).

7. To assist us in complying with Federal Guidelines, please verify the following classifications of your company:
Minority Owned Business _____
Woman Owned Business ______
Veteran Owned Business ______
The University encourages the participation of MBE/WBE/VBE providers in our procurement activities. Further, the University encourages Firms bidding for major contracts to provide for the participation of small businesses and businesses owned by Minorities, Women, and Veterans through partnerships, joint ventures, and other contractual opportunities. If you are subcontracting with a MBE/WBE/VBE please provide their contact information: Company Name, Contact Name, Company Address, Phone/Fax Number, Email address. Identify the subcontracted products/services portion being offered in your response.

Scoring

Maximum points for content: 0

Name | Weight | Importance | Target Grade | Overall %
Totals | 0 | 100% | |
1 Welcome to PURDUE UNIVERSITY WEST LAFAYETTE CAMPUS RFQ OLC DOCUMENT MANAGEMENT SYSTEM - M. ARTHUR | 0 | 0% | |
2 OBJECTIVE | 0 | 0% | |
3 INSTITUTIONAL CONTACT(S) & COMMUNICATION | 0 | 0% | |
4 RESPONSES | 0 | 0% | |
4.1 See attached specifications (if applicable) | | | |
4.2 Detailed company quote(s) and response documentation | 0 | 0% | |
5 COST | 0 | 0% | |
5.1 Cost | 0 | 0% | |
Price | 0 | 0% | |
Quantity | 0 | 0% | |
Extended Price | 0 | 0% | |
6 Preferred payment terms | 0 | 0% | |
7 Shipping from outside the U.S. / country of origin | 0 | 0% | |
8 Warranty | 0 | 0% | |
9 Timeline to delivery upon receipt of a PO | 0 | 0% | |
10 Validity period of quote/offer | 0 | 0% | |
11 CERTIFICATE OF INSURANCE (If Applicable) | 0 | 0% | |
12 USML defense article / CCL 600 series item | 0 | 0% | |
13 INFORMATION | 0 | 0% | |

The item text shown under each scoring row is identical to the corresponding item in the Content section above; every item carries a weight of 0 and an importance of 0%.

Project Information - Tab 1

Tab 1 - Project Information and Tab 2 - Data Security of the workbook are to be filled out by the University staff requesting the project (the "Requestor"). Please complete all fields and be as descriptive as possible. After completing Tabs 1 and 2, please send this spreadsheet to itpolicyreq@purdue.edu for review. IT Policy will send the Questionnaire to the vendor if required.

Vendor Information (Answers / Additional Information)

Vendor Name:

Product name and Version:

Vendor Contact Information (including email address):

Company URL:

Purdue Requestor's Information (Answers / Additional Information)

Purdue Department purchasing the service or application:

Department contact name and contact information (including email address):

Identify the ITaP Project Title (if known):

Describe the reasons for the purchase and the business need for the software or services:

For example: The current application license is expiring or the service provides functionality we do not currently have.

Describe the functionality of the software or services to include how a user would access the application and what they would accomplish while using the application:

Walk us through a typical logon and session with the application/service.

Please list the parts or modules of the application/service that are intended to be used and any functionality or modules that are not intended to be used.

Often not all features and functions of the solution are to be used by the requestor. Using or not using different modules or functions of the solution may change the level of security review required.

Is the application intended or proposed to be integrated with existing systems or access data from existing systems? Please indicate system(s):

Is the application intended to integrate with Purdue authentication services (career account)? Please indicate service (CAS, Shibboleth/SAML, or other):

Is the application/service intended to be hosted in the Cloud by the vendor or is it to be hosted by Purdue in University facilities?

If this system or solution will handle sensitive/restricted information related to research projects or is covered under a Non-Disclosure Agreement with an outside entity, please provide the relevant Coeus or Grant number:

Is there any intention to use the application to accept credit card payments from students, staff, or faculty? Please describe the purpose:

Is the Purchaser aware of any citizenship or access restrictions on the software due to Export Control restrictions? Questions related to this topic can be addressed to [email protected]

Vendor Security Questionnaire

Data Security - Tab 2

In order to protect Purdue University data and Purdue IT Resources, the Purdue department requesting the information technology software product or service must complete this worksheet if the product/service will store, process, or transmit data classified by Purdue as sensitive or restricted data*. It is the responsibility of the requesting department to identify whether Purdue classified or restricted data will be in use. This process will assist Purdue in understanding how its data is being used and how it is being protected, and in complying with University policies and state and federal laws.

*Definition of Data Classification for Sensitive or Restricted: Sensitive - Information whose access must be guarded due to proprietary, ethical, or privacy considerations. This classification applies even though there may not be a civil statute requiring this protection. Restricted - Information protected because of protective contractual obligations, statutes, policies or regulations. This level also represents information that isn't by default protected by legal statute, but for which the Information Owner has exercised their right to restrict access. Questions regarding the applicability of these definitions to specific data elements should be directed to either the Data Steward or the Information Owner.

Data Used, Stored, or Processed by the Service or Application (Yes / No; please click in the appropriate Yes or No column)

Will your product, service, or application store, process, or transmit any of these types of data or information? If "Yes" is answered for any of the data types listed, please supply specifics about the data, including the source of the data, whether the data is to be stored by the application or service, and who the University Data Steward for the data is (if known).

Social Security Numbers

Driver's License Numbers or State Identification Numbers (for IN or any state)

Purdue University Identification Numbers (PUID)

Visa or Passport Numbers or related data

Student Educational Records

Data regarding student financial aid and/or employee loans

Credit or debit card numbers

Credit Card Transaction Approval Data

Personal Health Information (whether included in medical records or otherwise)

Banking account or other financial account numbers and/or access codes or passwords for Purdue or any other person or entity

Financial Accounting or Transactions

Purdue Account Numbers, P-Card data, or other financial data of Purdue University

Computer User Names and Passwords

Personal contact data for students, personnel, alumni, donors, business partners, or members of the public

Building Blueprints

Institutional Infrastructure Data (Building Subsystems: HVAC, Electrical, Plumbing, Security, Sprinklers, Utility usage, Data Networks)

Data that will be used in academic research activities

Information received from another entity that is subject to a Non-Disclosure Agreement or a Confidentiality Agreement

Research Information that is subject to export control regulations and the subject of a Technology Control Plan on file with the Office of Research and Partnerships' Export Control Office

Any data that Purdue has otherwise classified as "Restricted" under the Data Classification & Handling Guidelines*

Any data that Purdue has otherwise classified as "Sensitive" under the Data Classification & Handling Guidelines*

Data Usage Intended (Yes / No; please click in the appropriate Yes or No column)

Consider the complete lifecycle of your product or service. Does it utilize any of the above types of data in any of the following ways? If "Yes" is answered for any of the usage types listed, please supply specifics about the data usage.

Obtain Existing Data. Examples: subscribing to databases containing such data; receiving data that has been collected by a third-party vendor; receiving data from a University office or personnel

Collect New Data. Examples: account creation that requires user information; web forms that are filled out by students, staff, or public; credit card transactions; engaging in transactions that generate new student records, such as registering students for classes or participants for training sessions, and conducting those classes/sessions; reading HVAC and utility meter receiving units

Maintain Information. Examples: use of Google Docs, other Google Apps, MS 365, Doodle, and similar services in which University data is stored on third-party servers; warehousing paper or electronic records at a third-party site; email outsourcing

Use Information. Examples: accessing a data set with protected information to generate queries or reports; using data obtained from magnetic cards used for security systems or for payments (e.g. building entry swipe cards or similar devices) to evaluate those services; using health information supplied by a HIPAA covered component to provide health care services or process benefits requests; using SSNs and other personnel information to print W2 forms

Access Information. Examples: gaining entry through either the Purdue network or an internet hosted application that requires authentication to gain access, in order to view/obtain/use data; integration with or access to SAP, Banner, or other systems to view/obtain/use data

Store Information. Examples: POS unit for credit card sales; archiving electronic or paper records either on- or off-site; saving electronic files to a server either at Purdue or at a vendor's location

Transport Information. Examples: courier service for delivery of sensitive documents or files; electronic file saved to any network location; transporting medical records electronically among health care providers and/or insurers; saving, uploading, downloading, or viewing information on a network; sensor and sending units for HVAC and utility systems sending data for reading and use; POS systems which accept and send credit card data to process transactions; vending machines which accept and send credit card data to process transactions

Dispose of Information. Examples: shredding, incinerating, or otherwise destroying records; secure data deletion; disk and memory wiping

Complete and Forward the Spreadsheet to IT Security & Policy (Comments and Notes)

If an X is placed in the Yes column in any box above, and the product/service is hosted by the vendor or a cloud services provider, Tab 3 - Cloud Services must be completed by the vendor. If the product/service is internally hosted by Purdue, then the vendor must complete Tab 4 - Internally Hosted.

The responses on this Tab determine whether the product/service requires further information security review prior to purchase. This completed questionnaire will become the security plan for each product/service purchased or implemented.

The requesting Purdue department should work with the product/service vendor to provide the following documentation (as applicable and/or available, and under a nondisclosure agreement (NDA) as needed) in support of this security review. (These documents are also listed for the vendor on Tab 3 - Cloud Services.)

• SSAE No. 16 SOC 2 report if a service provider
• Cloud Security Alliance Consensus Assessments Initiative Questionnaire (if Cloud service provider)
• A vulnerability, penetration, or ethical hack report prepared by a third party (not by the vendor themselves)
• WebTrust Assurance Report
• Any documentation created by the vendor or you that describes its technical and security infrastructure
• Data flow diagram
• For any items related to research (within 18-21 checked 'yes' above) provide the Coeus or Grant number for reference on the 'Tab 1 - Project Information' tab
• PCI DSS certified vulnerability scan (if credit cards will be accepted via the service)
• PCI DSS Attestation of Compliance (AOC) if a service provider handling credit card data

After Submission of the Completed Spreadsheet (Comments and Notes)

If Sensitive or Restricted data is involved, the Risk Analysis will be reviewed by IT Security & Policy management and the vendor will be required to complete Tab 3 - Cloud Services or Tab 4 - Internally Hosted. The requesting Purdue department is also responsible for ensuring Purdue Procurement includes appropriate security clause terms within the contract, for example the PCI DSS Requirements in the case of solutions storing, processing, or transmitting credit cards, or restricted data terms for FERPA data and SSNs. If HIPAA data (PHI) is involved with the services, a Business Associate Agreement will be needed. If performing an RFP, please provide responses from each vendor.

Cloud Services Solution - Tab 3

1. In addition to completing the questionnaire below, the following documentation should be provided to the University (as applicable and/or available, and under a nondisclosure agreement (NDA) as needed) in support of this security review. 2. If the requested documentation does not apply or is unavailable, please indicate N/A in the comments field. 3. If you additionally reference other documentation in your answers, please provide that documentation.

Requested Documentation (Document Titles / Comments)

SSAE No. 16 SOC 2 report if a service provider

Cloud Security Alliance Consensus Assessments Initiative Questionnaire (if Cloud service provider)

A vulnerability, penetration, or ethical hack report prepared by a third party (not by the vendor themselves)

WebTrust Assurance Report

Any documentation that describes your technical and security infrastructure

Data flow diagram For University data processed by the application/service

Data dictionary For University data processed by the application/service

PCI DSS certified vulnerability scan (if credit cards will be accepted via the service)

PCI DSS Attestation of Compliance (AOC) if you are a service provider handling credit card data (or use a third-party redirect to manage card data)

Control Group / Consensus Assessment Questions / Comments and Notes (please provide more detail than a Yes or No)

Company Overview (Company Overview Questions / Comments and Notes)

General Corporate Information
Describe your organization's business background and ownership structure, including all parent and subsidiary relationships.

Describe how long your organization has conducted business in this product area.

How many higher education, commercial customers and government customers do you serve in North America? Please provide a higher education customer reference if available.

Has your company been involved in any business-related litigation in the last five years involving your organization, its management, or the staff that will be providing the administrative services?

Describe the structure and size of your Security Office and overall information security staff.

Describe the structure and size of your Software and System Development teams.

Use this area to share information about your environment that will assist those who are evaluating your company's data security safeguards.

Information Security (Information Security Questions / Comments and Notes)

Management Program

Please describe your Security Management Program or attach a copy. Does your organization follow a particular security standard such as ISO-27001, ISO-22307, CoBIT, HITRUST, etc. or do you have your own?

Policy Reviews

Can you notify us when changes are made to your security policies or procedures?

User Access Policy
Please describe your employee termination procedures.

Encryption Key Management
Will our data be encrypted at rest? What algorithm?

Will our data be encrypted in transit, including between servers? What algorithm?

Do you have an encryption key management system? If so, please describe it.

Vulnerability / Patch Management
Do you conduct vulnerability scans of the servers?

Do you conduct application vulnerability scans?

Please explain your patching policy, timeframes, and procedures.

Antivirus / Malicious Software
Do you have anti-malware and/or virus protection programs installed? Which programs?

How often are your malware/virus protection programs updated? How often are complete scans scheduled?

Incident Management
How will you alert your clients if their data may have been breached? Do you have a documented security incident response plan?

Can you incorporate client specific needs into your incident response plan?

Can you outline for us what responsibilities are ours and what are yours for an incident?

Incident Reporting
What method do you use for log management?

Does your logging and monitoring method allow for isolation of an incident to specific tenants?

Incident Response Legal Preparation
How do you incorporate "chain of custody" into your incident response plan?

Please share your procedures for forensic data collection and analysis.

Are you capable of supporting litigation holds (freeze of data from a specific point in time) for us?

Asset Returns
Please share a copy of your Privacy Policy.

eCommerce Transactions (*eCommerce services will be expected to answer questions re: PCI compliance.)

Is data encrypted in transit?

Audit Tools Access

How do you restrict, log, and monitor access to your systems? (Ex. Hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)

Portable / Mobile Devices
How do you deal with access to sensitive data from portable and mobile devices, such as laptops, tablets, and cell phones?

Source Code Access Restriction
Please describe your Source Code Analysis process.

Security Architecture | Security Architecture Questions | Comments and Notes

User ID Credentials

Please describe your identity management system and any options that are available to your clients.

Does your system support both role-based and context-based access to the data?

Do you support two factor authentication? If so, what options are available?

Data Security / Integrity

Is your Data Security Architecture designed using an industry standard? (ex. CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP CAESARS)

Application Security

Do you utilize NIST 800-64 (Security Considerations in the System Development Life Cycle) as the guideline for application development? Or, do you use another standard application security development framework?

Do you utilize an automated source-code analysis tool to detect code security defects?

Data Integrity

Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

Production / Nonproduction Environments

For your SaaS or PaaS offering, do you provide clients with separate environments for production and test processes?

For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?

Do you provide (or offer) secure non-production environments (e.g., test, development, QA environments) with the same security controls as a production environment?

Remote User Multifactor Authentication

Is multi-factor authentication available for remote user access?

Segmentation

Are system and network environments logically separated?

Are system and network environments segmented to allow isolation of restricted data?

Wireless Security

What procedures are in place that require strong encryption for authentication and transmission during wireless transmission?

Have vendor default passwords been changed?

Shared Networks

How is access to systems with shared infrastructure restricted to only appropriate personnel?

Equipment Identification

How does the information system identify and authenticate devices before establishing a network connection?

Audit Logging / Intrusion Detection

Are file integrity (host) and network intrusion detection (IDS) tools implemented?

Are audit logs protected from modification?


Mobile Code

How is mobile code monitored and controlled in your system?

Is all unauthorized mobile code prevented from executing?

Facility Security | Facility Security Questions | Comments and Notes

Policy

What policies and procedures exist for providing physical safeguards of the systems and environment?

Controlled Access Points

What physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) have been implemented?

Secure Area Authorization

Where will the data be located? Backups? Alternate data center?

Offsite Authorization

Are you able to alert us if the data is to be moved to a different location?

Operations Management | Operations Management Questions | Comments and Notes

Equipment Maintenance

Are maintenance records available for all repairs and modifications to the facility which are related to security (for example, hardware, walls, doors and locks)?

Resiliency | Resiliency Questions | Comments and Notes

Business Continuity Planning

Please explain your backup strategy, Disaster Recovery plan, and Business Continuity plan.

Equipment Power Failures

What types of mechanisms and redundancies are implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?

Power / Telecommunications

Please share a data flow diagram of your systems as related to backups/mirrors/failovers.

Compliance | Compliance Questions | Comments and Notes

Independent Audits

Please share your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports.

Do you conduct network penetration tests?

Do you conduct application penetration tests of your cloud infrastructure yearly or after any upgrade?

Please share your penetration test results.

Third Party Audits

Are clients able to conduct their own vulnerability scans?

Information System Regulatory Mapping

Do you have the capability to logically segment and recover data for a specific customer in the case of a failure or data loss?

Risk Management

Is your organization insured by a 3rd party for losses?

Data Governance | Data Governance Questions | Comments and Notes

Retention Policy

Do you have capabilities to enforce client data retention policies?

Secure Disposal

Are you able to support secure deletion (ex. degaussing / cryptographic wiping) of archived data as determined by the client?

What happens to the data at the end of the contract?

Nonproduction Data

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

Information Leakage

Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multi-tenant environment?

Do you have a Data Loss Prevention (DLP) or extrusion prevention solution in place for all systems which interface with your cloud service offering?

Human Resources Security | Human Resources Security Questions | Comments and Notes

Employment Agreements

Do you specifically train your employees regarding their role vs. the client's role in providing information security controls?

Export Control Compliance | Export Control Compliance Questions | Comments and Notes

Citizenship requirements

Do you have controls in place to prevent non-US Person employees from accessing information that is subject to export control regulations, if applicable?

Are there any citizenship restrictions placed on users of your system? (e.g. only US Persons or US Citizens)

HIPAA Compliance | HIPAA Compliance Questions | Comments and Notes

Is your organization able to sign a Business Associates Agreement for HIPAA purposes, if applicable?

PCI Compliance | PCI Compliance Questions | Comments and Notes

Merchant or Service Provider level

Are you considered a Merchant or Service Provider?

What level Merchant or Service Provider are you?

Documentation of Compliance

Please provide a Report on Compliance or a completed Self Assessment Questionnaire. Please attach to the Questionnaire submission.

Please provide a signed Attestation of Compliance. Please attach to the Questionnaire submission.

Please provide an ASV certified External Vulnerability Scan. Please attach to the Questionnaire submission.

What is the date on which compliance documentation expires, requiring revalidation to be completed?


Is the AOC signed by a Chief Officer, QSA, or ISA?

Which security and compliance vendors and assessors do you work with? This may include QSAs, ASVs performing scans, etc.

What specific service areas have been validated and how do they align with the services being provided to the University?

Please provide a data-flow diagram for the payment card transaction data from the customer until it is received by the acquirer. Please attach to the Questionnaire submission.

Outside Services

Are there other third-party service providers or payment or transaction services relevant to PCI, nested within your compliance? If so, what services do they provide?

Can you provide PCI Compliance documentation for all third-parties? Please attach to the Questionnaire submission


Internally Hosted Solution - Tab 4

Purdue reviews the IT security of all applications that store, process, or transmit data that Purdue considers to be Sensitive or Restricted. Please provide the documentation requested below and complete the questionnaire. N/A

Control Group | Consensus Assessment Questions | Comments and Notes (please provide more detail than a Yes or No)

Information Security | Information Security Questions | Comments and Notes

User Access Policy

How are accounts created and controlled within this system? Do access controls employ role-based access or the principle of least privilege?

Are unsuccessful login attempts limited?

Vulnerability / Patch Management

How are notices of patches and updates provided?

How are patches and updates distributed?

Do you scan for vulnerabilities on information systems and applications periodically and remediate those according to the level of risk?

Is there a release schedule for patches and updates and, if so, what is the schedule?

How are zero-day vulnerabilities handled?

eCommerce Transactions (*eCommerce services will be expected to answer questions re: PCI compliance.)

Is the data encrypted in transit? Even between servers? What algorithm?

Will data be encrypted at rest? What algorithm?

Architecture | Architecture Questions | Comments and Notes

Web Services

Are web services integral to the application?

Are they hosted on the application or on an additional server?

Are web services scanned for vulnerabilities?

Describe how the server is secured.

Database Services

Is a database integral to the application?

Is it hosted on the application's server or on an additional server?

Is the database proprietary to your application, or an industry standard database integrated into your application?

If the database is an industry standard, please specify which one.

Does the database use any additional security (encryption, authentication) other than application security?

Is the maintenance of the database done by you or is it the responsibility of the customer?

Application Services

What system services does the application require to be running on the host server (FTP, TFTP, UUCP, -r commands, telnet, sendmail, etc.)?

Please list the ports, protocols and purpose of all necessary connections to any services or systems outside of the application's server (e.g. dial-in/out, 3rd party, internet, local) and any security measures employed for each connection (such as encryption, including the type and level of encryption).

Describe how the server is physically secured.

How is employee contact with the server limited?

What data is stored on this server?

Is there any firewall protecting the server (packet filter, application gateway, etc.)?

Describe the system logging and review process.

Describe the security in place to restrict/monitor access.

Remote Access

Do you require remote access for vendor maintenance and, if so, how is that accomplished and through what mechanism, including encryption and authentication?

Do you require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate those connections when maintenance is complete?

Purdue classifies student/medical/restricted payroll information that will be collected to be sensitive in nature. If remote support access is required, how will you ensure that only authorized individuals and programs have access to this sensitive information?

Application Security

What system services does the application require to be running on the host server?

Do you utilize industry standards (Build Security in Maturity Model [BSIMM] Benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Do you utilize an automated source-code analysis tool to detect code security defects prior to production?

Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?




How does the application encrypt data for transmission or storage?

Does the application have any "hooks" into the operating system that would pose a problem to future upgrades of the system?

Does the application work properly with monitoring software installed (TCP Wrapper, TCP Dump, Tripwire, CGIWRAP, etc.)?

Does the application require users other than the system administrator to have any direct access to the operating system?

Application Logging

Describe the audit trails within the application.

What events does the application log to the host operating system?

Is there an internal auditing/logging function and, if so, what activities does it document?

Is the audit log configurable? Can audit log retention periods be specified?

Source Code Access Restriction

Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only?

Are controls in place to prevent unauthorized access to customer application, program or object source code, and assure it is restricted to authorized personnel only?

User ID Credentials

Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?

Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Do you have an identity management system in place which enables both role-based and context-based entitlement to data (enables classification of data for a customer)?

Do you provide customers with strong (multifactor) authentication options (digital certs, tokens, biometric, etc.) for user access?

Do you allow customers to use third party identity assurance services?

How are password files secured?

What authentication control features such as password aging, complexity, and allowable login attempts are offered and are they configurable?

Does the application contain inactivity time-outs and is the parameter configurable?

Does the application require users other than the system administrator to have any direct access to the operating system?

Are any shared accounts required for the application to run properly?

Please describe any account on the secured server for which more than one person requires access. This includes accounts like Anonymous, Guest, Everyone, etc.

Data Integrity

Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

Compliance | Compliance Questions | Comments and Notes

Independent Audits

Do you allow customers to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?

Human Resources Security | Human Resources Security Questions | Comments and Notes

Employment Agreements

Are employees trained on security awareness (describe)?

Is a policy maintained that addresses information security for employees and contractors (describe)?

Export Control Compliance | Export Control Compliance Questions | Comments and Notes

Citizenship requirements

Are there any citizenship restrictions placed on users of your system? (e.g. only US Persons or US Citizens)

Is access to the source code or executable code limited by citizenship?

Jurisdiction and Classification

Please provide the applicable Jurisdiction (ITAR - International Traffic in Arms Regulations or EAR - Export Administration Regulations) and either the USML (United States Munitions List) category or ECCN (Export Control Classification Number) for the software.


Date | Version | Notes

10/2/2015 | Version 3 | Updates to Worksheet 1-Data Security to include definitions for 'sensitive' and 'restricted' data; Step 3 more guidance on additional required reports such as SOC2, PCI Attestation of Compliance, PCI vulnerability scan results

1/27/2016 | Version 4 | Update to Project Info & Worksheet 1-Data Security to include info on integration with other systems or access to data on other systems

6/30/2016 | Version 5 | Update to 'restricted' data definition to include 'contractual obligations'

9/13/2016 | Version 6 | Update to include Coeus or Grant number for research on the Project Information tab; identify data elements on Data Security tab to include information subject to a non-disclosure agreement or research subject to Export Control regulations; added questions related to EAR/ITAR on the Cloud Services and Internally Hosted tabs

9/27/2016 | Version 6 | Added mapping to NIST 800-171 on Cloud Services worksheet

10/31/2016 | Version 6.1 | Added question to Project Information tab regarding authentication (CAS, Shibboleth/SAML, career account) integration

5/1/2017 | Version 6.2 | Separated and clarified PCI document needs.

8/14/2017 | Version 7 | Added clarification of information needed and procedure to complete the questionnaire and submit to ITSP. Also, made spreadsheet compliant for individuals with disabilities by using the Accessibility Checker and making changes as indicated.

12/4/2018 | V. 7.2 | Removed note about sending to vendor on line 17, tab

12/13/2019 | V7.3 | Added question on non-production environment security controls (line 57 Cloud Services tab). Changed information regarding including documentation and entered on cell B2 on Tab 3 Cloud Services. Removed row 4 in previous version containing same info.