CTS Software Acquisition Guide

Tags software

Description

This CTS Software Acquisition Guide provides a list of questions for evaluating new software. It will help guide you through the process with the questions to consider when meeting and communicating with the vendor. You can download the attachment and use it as a working project document. This guide covers both cloud and on-prem solutions. This document is intended for project kick-off meetings/planning with vendors. It addresses some common technical issues/questions to consider in evaluating software/technical implementations including security, costs, and requirements. Download the attachment for use. 

 

Document Preview: 

CTS Software Acquisition Guide
Last updated 2/20/24
Box Share:
https://duq.box.com/s/fppgr2wluvhyarp57iuj6rwnyylznplz

 

Sample Template

This document is intended for CTS to use in project kick-off meetings/planning with vendors. It addresses some common technical issues/questions to consider in evaluating software/technical implementations.

  • Determine Information Security & IT intersections and needs
    • What is this solution intended to do?
    • Assumptions:
      • What assumptions are you making?
        • Ex. Is SSO, Hosting and Integration included as part of the package? If not, will we need to build integration or are there extra costs? 
    • Onboarding and implementation: What parties need to be involved?
    • Cloud, On-Prem, Hybrid, what needs to be installed on servers and desktops?
      • For Cloud/hybrid:
        • Can we customize/extend? If so, how? and are there any limitations?
        • What Out-of-the-box integrations do you have, Banner, etc.? What specific Technologies are needed?
        • what are the capabilities to build integrations?
        • Will we have query access and be able to update our data?
      • What data is going to be sent from our system to your solution, what data is being sent from your solution to our systems? What, if any data will you be feeding to another third party or system?
        • What is the exit strategy for data recovery? Do you have a Data liberation clause, including schema? What is the timeline for it?
        • If passing Duquesne's data into the cloud, we require:
          •  FERPA, SOC2, HECVAT
          • PII/Sensitive data in use? (FERPA, HIPAA)
    • Do you support Single Sign On (SSO) – SAML 2.0 or Azure AD are recommended and supported by CTS, (InCommon member)?
      • If they don’t support SSO, Do you have multi-factor authentication (MFA) and do you support DUO MFA?
    • Is PCI (Credit Card compliance) in use?
    • Can you share any configuration documentation (firewall, VLAN, server, client systems, database)?
    • Define hosting requirements.
      • SaaS, PaaS, on-prem, hybrid, managed, non-managed
      • Is there any on-prem integration tool required?
      • How many environments/instances? (i.e., dev, test, prod)
        • What is the process to publish/migrate content to dev/test/prod.
      • How will our data and resources be segregated from other clients? (will it be a dedicated or shared instance).
      • Who owns what?
      • Is this service hosted on a public cloud? (AWS, GCP (Google Cloud Platform), Azure etc.).
      • Who hosts?  Do we have SOC2 from the vendor and host?
      • Hosts & vendors Business Continuity (BC), Disaster Recovery (DR) model
      • Who is responsible for each party for standard upgrade, maintenance, access management, Backup DR, Performance Monitoring
        • Is it true DR with a recovery site in a region outside of our production zone, is there replication, or is there true recovery of our data?
      • Where will our data be hosted?  Will the data be housed within the US? Is there potential for the data to be housed outside the US?
      • Security patches, periodic upgrades, how often, how much notification, what’s the process?
      • What provisions are there for peaks and availability, scalability of their capacity?
      • What type of data encryption do you use at rest, in transit?
    • User access control audit of information?
    • Does your product require any specific networking requirements? (ex. L2 connection to campus, layer 2 connection to our data center).
    • What is your standard contract and Master Service Agreement?
      • Do you have a SLA document for the US?
    • Define project requirements, and what is needed for the project to be successful.
      • How long does a typical implementation take?
      • How many Duquesne resources will be needed? What resources will you bring to the project? 
      • Do you have a standard project plan that describes the responsibilities and timelines?
      • Do you have implementation partners that would be available if needed?
      • Do you have other higher education institutions using your product?
        • Do you have other Ellucian Banner schools using your product?
        • Do you have references (particularly: higher ed or Ellucian Banner references)?
    • Define the closing criteria for the project and what defines project completion
  • After the implementation project is closed, what is the process to turn us over to your support organization?
  • Will the project team also be assigned until the full transition is complete?
  • What is the transition process from project to support?
  • What is the knowledge transfer process?
  • Costs:
    • Can you separate hardware and software costs?
    • 5-year projected costs
      • cost escalator and percentage
    • Do you offer multi-year options with a discount?
    • Are there one-time implementation costs?
    • What are your user levels and license costs?
    • What functionality in your proposed solution will require add-on software or consulting?
    • How much of what you showed us is out-of-the-box functionality?
    • Can we purchase through a consortium?
  • Is there an expiration date on the project?
    • If the project goes beyond the expected timeline will your resources be consistent on the project, or will a new team be assigned?

Are there extra costs if the project extends the slated timeline? What are they?