Software Requirements Assessment

Software Requirements Assessment ID Requirements Vendor Responses Security Policy and Administration 1. 2. 3. 4. 5...

0 downloads 281 Views 280KB Size
Software Requirements Assessment ID

Requirements

Vendor Responses

Security Policy and Administration 1.

2. 3.

4.

5.

6.

7.

8.

9.



What are the data entity and attribute access rules that protect the data from unintentional and unauthorized alterations, disclosure, and distribution? What are the data protection mechanisms to protect data from unauthorized external access? What are the data protection mechanisms to control access to data from external sources that temporarily have internal residence within the enterprise? Discuss how we can use your system to centrally manage security for groups of users (for example, the creation of an access profile by role or integrate with Active Directory or LDAP). Does your system support role-based security? Describe all audit trails available in the system, audit trail reports that are standard and the system requirements to support the retention of the audit trails. Are controls or safeguards in place to prevent unauthorized interception or damage to your organization’s network, power or telecommunications (i.e. wiring and data closets, etc.)? Does your organization scan and/or test for vulnerabilities in your service / application, and if so, how quickly are any identified vulnerabilities remediated? If you don’t scan for vulnerabilities, how do you identify and remediate vulnerabilities? Please provide as much detail as possible. Is your data environment dedicated or a shared? If it a shared environment, how is the data segregated from other shared environments? Describe timeout policy due to inactivity. Page 1 of 7

Version 07152015ArchEng

Software Requirements Assessment ID

Requirements

10.

What version of transport layer security does the application use?

Vendor Responses

Business Continuity, Disaster Recovery & Data Backup 1.



2. 3.



4. 5. 6.

7. 8. 9.



Describe your business continuity & disaster recovery design / solution. Include test plan and frequency of testing. Where are the DR data centers locations located? How is your environment architected with respect to fault tolerance and high availability? If the primary environment is down, how quickly will be DR environment be made active? Discuss the disaster recovery options and scenarios for your solution (e.g. active-passive, load balanced). Describe your backup policy for how system application and data backups are performed. Include frequency, storage location of backup data, retention / destruction schedules, etc. How do you verify that the backup process is functional and that restores work? How often is this done? Describe security of backups to protect data from unauthorized access and tampering. How many unplanned outages or failures have you experienced in the past 12 month? What were the shortest and longest durations? What were the fastest and slowest times to recover? Data Ownership

1. 2. 3.

What are your terms when it comes to ownership of data? How about any metadata I generate while using the application? Is data deleted completely when deleted from the application? Describe policy on data ownership. What provisions are in place for MIHS to download / retain data if service / contract is discontinued? Page 2 of 7

Version 07152015ArchEng

Software Requirements Assessment ID

Requirements

Vendor Responses

Application Access / User security 1.

2.

3.

4.

5. 6.

What is your provisioning scheme, i.e. do all users have access to the entire application or can you customize who has access to what on an individual and by role basis? Does your system allow for the ability of an MIHS security administrator? If yes, describe capabilities to grant and deny access to users, set password expiration timeframes, ability for user / administrator to reset password, define roles, etc. Does the application or service provide appropriate role-based access? (E.g., can date viewing/editing/deleting data, or approving/rejecting changes be restricted or enabled based on a user's role or profile?) Does the application or service provide adequate monitoring and escalation via dashboard alerts, email, or other auditable system of communication? Please describe your system’s flexibility to create and customize users’ menus and or screens. Describe users’ ability to create new data elements/fields. Support and Training

1.

2.

3.

Describe your available tier-level support, to include time/day of support, applicable time zone of your support, limitations on incident/request tickets, etc. What is included as “standard” support? What, if any, higher tiers are available for additional cost? Does your organization provide web-based support site for entering non-emergent issues? Does your organization provide a web-based technical support knowledgebase? In the event of an interruption of your service, what is your process for notifying customer operations of the circumstances Page 3 of 7

Version 07152015ArchEng

Software Requirements Assessment ID

Requirements

Vendor Responses

of the interruption or outage and the expected recovery time? 4. 5. 6.

What training is available to users upon implementation of your application? Describe onsite, web-based, training manuals, etc. What training is available after implementation, for new users of system, refresher for existing users, etc.? What training or documentation is provided for application enhancements and upgrades? Report Generation

1.

2.

Describe features of the standard reporting tools and report writer(s) provided with the proposed system. Identify any optional or required third party reporting tools. Describe ability to export data in a usable, non-proprietary format. What provisions are in place to quickly gain access to data in a usable, non-proprietary format? Interfaces

1. 2. 3. 4.

5.

What integration points are targeted by this solution (business process, activity, application, data and computing environment) Describe your adherence to HIPAA standards for transactions and code sets. Describe your ability to exchange information with other systems. Describe your system’s ability to exchange information through interface engines. Which interface engines are supported or required? Describe interface queuing methods, acknowledgement commands and other interface operational practices supported by your system.

Page 4 of 7

Version 07152015ArchEng

Software Requirements Assessment ID

Requirements

6.

Describe your system’s ability to request/receive individual requests/scripts for data that may involve querying specific databases in real-time and receiving a return response. Describe any system interfaces (inbound or outbound to your system) that are included as standard. Distinguish between realtime and batch. Describe how the system interfaces handle error conditions. Specifically: a. Are records locked from updating by the interface when online users have the record open? b. Are inbound transactions single-threaded, such that a record locking situation backs up processing all other inbound transactions? c. If an inbound transaction is found to be missing required information, how does the system handle it (e.g., alert to user, appear on exception report, suspend transaction, etc.)? List any internal interfaces in your system to exchange information between modules and describe the mechanism by which this information is exchanged. Describe your experience at other client sites with time delays when passing or receiving a transaction when the system is busy. What precautions do you recommend to clients to prevent long delays? Describe your system’s ability to incorporate technology to streamline the data gathering and information access processes (e.g., bar code, optical or magnetic disk storage via SAN, voice dictation, etc.)

7.

8.

9.

10.

11.

Vendor Responses

Hosting / Data Location, Hardware & Network

Page 5 of 7

Version 07152015ArchEng

Software Requirements Assessment ID

Requirements

1.

Who is the hosting provider? Where is the hosting location, i.e. country, state? Where is the primary data being stored? Describe your server and network architecture regarding hardware, software, operating system, technology platform, redundancy, etc. What type of scalability is provided for additional computing power, i.e. CPU, RAM, storage, time to implement? What type of network bandwidth is available?

2.

3. 4.

Vendor Responses

Client Access 1.

2. 3.

4.

5.

Specify the workstation requirements to access the system: List supported Platform(s) and include minimum hardware specifications (CPU, MEMORY, CAPACITY) Are there any special ports that need to be enabled at the client access e.g. port 440, 8080? Describe how your product visually interfaces with smartphones and tablets. What handheld devices does your application support? Include manufacturer and operating system (and version) Describe the user manuals, technical manuals, operating manuals, service manuals and other functional documentation that you provide. Are the technical and user documentation available on-line? Product Releases/Upgrades

1.

2.

How often do you provide updates/fixes/new software releases to your customers? Provide an update schedule for the coming year. Describe validation and test plans provided during installation, implementation and upgrades. Page 6 of 7

Version 07152015ArchEng

Software Requirements Assessment ID

Requirements

3.

What is your policy regarding acceptance and incorporation of client enhancement requests into a future release? How are enhancement requests collected, reviewed, prioritized and incorporated? Do you have a User Group? Describe how you validate/certify system and application patches. What is your method of deployment? Describe the process of deploying new releases at your customer sites. What is the typical timeframe for implementation of a major release? How soon is the documentation updated with each new release/upgrade? How is the documentation distributed to your clients? How many prior releases will be supported at any given point in time? What are the implications if your client continues to use a prior release? What costs are associated with new releases? Is the system unavailable to users during the installation of an upgrade or new release? Can new releases/upgrades be applied all at once, or must they be done one at a time? Describe how software defects are corrected, and your policy regarding the notification and correction of defects.

4. 5.

6.

7.

8.

9.

Vendor Responses

Page 7 of 7

Version 07152015ArchEng