Specifications include, but are not limited to:

- Describe the overall application architecture, including applicable diagrams.
- Include a full description of the data communications architecture for all components of the system.
- Describe the recommended network security architecture for implementation of the system components. Include diagrams that expose any requirements for external security devices such as firewalls.
- Describe encryption technology employed for transmitting sensitive information over a TCP/IP network from user workstations to the server, and to customers.
- Describe all web-enabled features and functionality of the system.
- Describe all communication protocols used by the system.
- Describe your key management specifications, process, and procedures. Who has access to encryption keys?

Credit Card Processing:

- Include documentation describing the system’s ability to comply with Payment Card Industry Data Security Standards (PCI-DSS), and any features or capabilities of the system that must be added, enabled, disabled, or changed in order for the system to operate in compliance with the PCI-DSS standards.
- Has the software been validated as a PCI compliant payment application (“PAPB” certified)?
- Describe the architecture employed by the system to verify and authorize credit card transactions.
- What payment processors/gateways does the system support?
- Please provide evidence of most recent PCI-DSS compliance certification.

Database Security:

- Does the database support encryption of specified data elements in storage? What type of encryption is supported? List the data elements, tables, or databases that may be (are) encrypted.
- What methods of data exchange do you support?
- Can your system support transferring data via batch processes? If so, can it be automated via secure FTP, or another secure IP connection, to eliminate any intervention by users?
- Does the system allow for archive/removal of database records at an interval? Describe the format available for archived records, and the encryption option.

System Security:

- Does the system support user authentication through unique passwords?
- Describe your software’s ability to integrate with our existing Microsoft Active Directory from an authentication and authorization perspective.
- Describe all authentication methods the system supports, with specific attention given to Shibboleth, SAML, and multifactor authentication.
- Does the system provide data input validation and error messages?
- Can user access be customized to allow read-only access, update access, or no-access to specific types of records, record attributes, components, or functions?
- Are security roles fully customizable? How is user security administration performed?
- Does the system have the capability to require users to change their system passwords at regular intervals?
- Does the system provide user system lockout after a defined number of unsuccessful login attempts?
- Describe the system capability to log security/authorization changes as well as user and administrator security events (e.g., login failures, access denied, changes accepted), and all requirements necessary to implement logging, monitoring, and reporting of security events for the system.
- Does the system natively support full auditing of unauthorized system or functional access attempts? Full user and system activity logging?
- Describe the facilities available in the system to provide separation of duties between security administration and system administration functions.
- Has your service experienced a security breach in the last 12 months, for any tenant? How did it occur, and how will you ensure it doesn’t reoccur?
- Describe your security breach notification and incident response processes.
- Describe your company’s security assessment/audit/penetration test process and procedures. How often are security audits performed? Provide results of most recent third-party assessment performed.

Disaster Recovery:

- Describe the features and functionality of the system which prevent data loss, and how data recovery is performed when needed.
- Describe the recommended method, cycle and architecture for generating backups of system and transaction data.
- Describe any software escrow arrangements that are available.