Specifications include, but are not limited to:

• Solution offers multi-tenant architecture (a single instance of the application services multiple customers) with a single-tenant data storage option (data separated from other customers).
• Solution must be accessible from any internet-enabled device, e.g., Windows desktop/laptop, MacBook, iOS, Android.
• Solution must support the most commonly used web browsers, e.g., IE, Chrome, Firefox, Safari.
• Solution uptime must be at least 99.99%.
• Stored data should be available 24/7/365 during the agreement term.
• Solution must incorporate best practices and recommendations such as OWASP or NIST.
• Solution must undergo annual third-party application vulnerability penetration testing.
• Solution must have role-based user access control.
• Authentication must take place over a secure/encrypted transport protocol (e.g., HTTPS); two-factor authentication is required for access to backend infrastructure.
• Password rules must comply with NIST guidelines.
• Passwords must be hashed, salted and stretched before storage.
• Confidential information at rest must be encrypted using the AES-256 encryption algorithm.
• Confidential information in transit must be encrypted using the AES-128 encryption algorithm.
• Solution must have user audit trail capabilities for at least user transactions, logons, and access changes.
• Methods for ensuring the security of online situational judgment test content, and how the vendor intends to minimize unwarranted exposure of the content.
• Description of vendor's data storage and transfer security protocols, including the use of encryption.
• Description of vendor's security protocols for ensuring the confidentiality of assessment content and scoring, including vendor's procedures to minimize exposure of assessment content in the event of a security breach.
• Description of vendor's protocols for ensuring the confidentiality of candidates' personally identifiable information (PII) and unique candidate identifiers (e.g., Social Security number), including Contractor's procedures to minimize exposure of candidates' personal identifying information in the event of a security breach.
• Description of vendor's third-party attestation standards and certifications such as SSAE 18, Service Organization Control (SOC), TRUSTe, etc.
• Description of vendor's data security/cyber liability insurance.
• Description of vendor's incident response plan.
• Description of vendor's policy for disclosing known security vulnerabilities, including any suspected or actual unauthorized access to customer data.
• Description of vendor's policies and procedures for the return, deletion, or destruction of customer data when the contract ends.