RFI 21619 ADDENDUM #1 Issued on: March 20, 2007 RFP due no later than March 23, 2007 at 11:00 a.m. (our clock) to Jefferson County School District R-1 Education Center, Purchasing Dept. 1829 Denver West Drive, Bldg. # 27, 3rd Flr P.O. Box 4001 Golden, Colorado 80401-0001 RFP to be returned prior to the time and date above Please contact Barbara Ruley, Purchasing Agent at 303-982-6757 if you require any additional information. This Addendum #1, in its entirety shall become a part of the contract documents as if originally included. This original signed document must be included with your response to this bid. Company Name Authorized Signature Question: In 8.1, does every password reset request need to open a ticket in Remedy? And do we wait for Remedy tickets to close before we show the transaction as complete? Any further details would be appreciated. It would be a nice to have if every password reset request opened a ticket in Remedy. It doesn t matter if the ticket is closed before the transaction shows as complete. Question: In 8.2, since there is not already an Enterprise Identity Management system currently deployed at the District (is this assumption, correct?), what level of integration between password reset and enterprise identity management do you envision in the future? There is not an Enterprise Identity Management system currently deployed at the District. There should be some level of integration between an EIM system and a self-service password. The following areas are potential places: Auditing: As end-users change their passwords, an audit trail is created in the EIM for tracking all account changes. Page 1 of 5
Directory: If the EIM controls accounts attributes for a user, then the self-service password system will need to integrate with the EIM to change the passwords for the various system a user logs on to. Question: In System audit reporting, are we talking about providing reports or just the data in the system will suffice? If there are any specific reports required, please elaborate on how many and what those reports are specifically. We need to show that we have strong and reliable authentication, audit trails recording user access rights across the environment/over time, ability to review user rights and controls over user access to systems and data. Question: The Windows GINA component will use the native encryption mechanism provided by Microsoft. Will that suffice? Are there any special requirement vis-à-vis encryption? The native Microsoft encryption will suffice. There are no special requirements. Question: When is this voicemail system integration required? Please provide details on which system is being used and what level of integration. This is a nice to have solution. We use Nortel CallPilot 4.0. CallPilot has a simple and flat LDAP directory that contains about 10 fields. Passwords must be numerical only. Question: Is this the native SQL Server store or a custom table with SQL database? This is a custom table in a Microsoft SQL 2000 Enterprise database. Question: 2.2 states that campus staff passwords are stored in a SQL 2000 database. Are these passwords encrypted? If so, is the algorithm available for use by the password management tool? The passwords are in clear text. Question: 2.4 states that voicemail passwords may be a target for the password management tool in the future. Can you share details on the voicemail system? We use Nortel CallPilot 4.0. CallPilot has a simple and flat LDAP directory that contains about 10 fields. Passwords must be numerical only. Question: 3.1 and 3.2 refer to question sets used for user authentication, and that the answers should come from external data sources such as AD, Oracle, SQL or LDAP. Does this mean Jeffco already has the answers to questions for user authentication stored in these repositories, or that these repositories are the preferred locations for the storage of questions and answers? We would like to pull the questions from existing data sources. We would prefer to use existing information and not require end-users or administrators to manually populate a separate database. We would also prefer these questions to be queried dynamically, and not have to be stored within a separate database. The data sources include Active Directory, PeopleSoft HCM 8.9 (Oracle database, we can create a view), SQL server table and LDAP sources. Page 2 of 5
Question: In the initial overview section of the proposal you refer to wanting to potentially support the parent population as well. Can you share that user population with us? Would you like all vendors to price for this as well? Would you like more information on supporting an external user population through a portal? The parent population at Jeffco logs onto our Student Information System, Campus, through a parent portal. The userid and passwords are in the same data store as staff passwords and are not in Active Directory. They only have access to Campus via the web. If your proposal includes Active Directory, include that and if you can support the Campus (parent, staff, student) population, include that as a separate line item. Question: You have requested pricing for the password reset software but have not included any specific parameters for how you would the pricing structured (ie, per user, site/enterprise license, internal/external). To ensure an apples to apples comparison on pricing did you have a structure that you want the vendors to adhere to? Since this is a RFP, the District will be evaluating each proposal received. We did not give a specific structure due to the variety of products and how each vendor prices their products. Question: 4.0 states "See the District's password policy". Is this contained in a separate document (doesn't seem to be in the RFP doc)? See the District s password policy was a link to the document, but it seems not to work. See policy below. Password Requirements Passwords must be at least seven characters. Passwords will expire every 240 days. Passwords must contain mixed character types (explanation below*). *Mixed character types means your password will need to include three of the following four character types. This will help to ensure that your password is secure. o Upper case alphabetical (A,B,C Z) o Lower case alphabetical (a,b,c z) (example: R1chmond) o Numbers (0,1,2 9) (example: Richm0nd) o Special characters: (!@#$%^&*()_+-={}[] \:; <>,.?/~`) (example: R!chmond) Question: 8.0 talks about supporting future systems. Can you provide further information on what systems/targets you are referring to? Currently, Jeffco has 50+ services/systems it supports. While we are working to consolidate authentication against Active Directory, we realize there maybe other systems that will not have the capability. In some cases, these systems have not been implemented yet. Most of these systems will rely on an Oracle/SQL Server backend. How does your product work with 3 rd party systems? How easy is it for companies that have your product to integrate new systems after they ve purchased and implemented your password reset tool? Question: Many organizations implement password reset functionality as part of a holistic identity management framework. Does Jefferson County School District currently own an identity management framework consisting of other identity services (such as single sign-on, account provisioning/deprovisioning, directory services)? Page 3 of 5
No, Jeffco does not own any other identity services. There is a requirement to be able to integrate with EIM tools as that will be a future implementation. Please specify what EIM tools your product integrates with. Question: Does Jefferson County Public School District have any regulatory requirements which may affect their password reset/identity management initiatives? See the District s password policy stated above. Question: Does Jefferson County have any ROI defined for password reset functionality? Not yet. Without pricing information we cannot determine our ROI. If you are asking what we anticipate our ROI should be, then in terms of what? Percent, time? 2-3 years would be our guess. Question: Is there a proof of concept or pilot already deployed? No. Question: What types of resources (if any) will Jefferson County Public School District allocate to the password reset project? Integral Business Solutions means what Jefferson County School s team members (resources) will be available to us in order to complete the password reset project? In other words, will Jefferson County Schools allocate a project manager for this initiative? Will Integral Business Solutions have access to various technical team members from Jefferson County Schools during the project? Jeffco will have a Project Manager and other technical resources (as defined) allocated to this project. However, these resources will not be dedicated full-time to the project, but rather shared between this project, and their operational duties, other project work. We will need to know the anticipated resources and the professional services required for successful implementation. Question: Would Jefferson County Public School District like training at the end of the implementation, or a ride along approach to understand the chosen technology and its associated functionality as the solution is implemented? For IT personnel supporting this service, we would expect some level of knowledge transfer from the implementation as well as formal training. For the end user population, we would not expect to rollout formal training. We are anticipating the toolset to be user friendly and intuitive therefore, not require formal training. We are expecting to communicate how to use the toolset through a cheat sheet or short video. Any pricing for training or materials should be presented in the RFP. Question: In Section 8 when referring to expanding to an Enterprise Identity Management System. Do you want the password management solution to be a component of a broader enterprise solution where expansion will be virtually seamless? Or you considering purchasing a point password reset solution with the goal of integrating into a future enterprise identity solution with the associated costs of integration? Jeffco is considering both approaches. Question: The "best practice" approach to a project is a phased methodology. Is the District considering a requirements/design phase of the project which will determine the cost of implementation Page 4 of 5
services for the password reset component? Or is the district going to handle the implementation and deployment of the system. Yes, we are considering a design phase to the project where the selected vendor would work with us to determine functional requirements for system configuration. We are also anticipating the need for assistance with deployment of toolset. Any professional services options and pricing should be outlined and presented as part of the RFP. Question: What types of resources (if any) will Jefferson County Public School District allocate to the password reset project? See above. Question: What is meant when referencing programming? Is that intended to refer to integration services? Yes. Question: Is training to be included in our proposal? Yes, if necessary. Question: How many workstations are needed the Windows client GINA/Vista? 1,000 initially, up to 6,000 eventually. Question: How many user accounts are in Active Directory and how many in SQL? Currently there are 13,000 Active Directory accounts and approximately 91,000 in our Student Information System SQL user table. Question: What is the breakdown of students, staff, and parents? Students: 85,000 Staff: 13,000 Parents: 50,000 households. Question: How many domains and forests? One forest, one domain. Page 5 of 5