
University of Louisville DEPARTMENT OF PROCUREMENT SERVICES

LOUISVILLE, KENTUCKY

RFP No: RP-104-20 Date 2/21/2020

Title: Student Meal Plan Transaction

Addendum No. 1

The following shall clarify and/or modify the original bid document(s) as issued by the University of Louisville.

Update the Evaluation Criteria list on page 10 of the RFP document to reflect the following:

o Financial Proposal 30%

o Services Offered 25%

o System Requirements/Technology 15%

o Customer Service 15%

o Experience and Qualifications 10%

o Optional Services 5%

Update Attachment A formatting, as the version in the RFP document was cut off.

Add the questions and University responses included in this Addendum to this Request for Proposal.

Bidder must acknowledge receipt of this and any addenda either with bid or by separate letter. Acknowledgement must be received in the Department of Procurement Services, Service Complex Building, University of Louisville no later than February 28 at 2:00 PM. If by separate letter, the following information must be placed in the lower left hand corner of the envelope:

RFP No: RP-104-20

Title: Student Meal Plan Transaction

Due Date: 2/28/2020

BY: Authorized Purchasing Officer

Receipt Acknowledged:

FIRM

BY:

Attachment A

Third Party Vendor/Cloud Computing Risk Assessment and Guidance Document

Department:

Contact:

Vendor/Service Provider:

Vendor/Provider Contact:

Vendor Service Relationship:

Please identify any regulation(s) that the data accessed, viewed, stored or transmitted by the vendor may be subject to. Mark all that apply.

o HIPAA

o FERPA

o PCI

o HB5 (Ky Privacy)

o Export Control

o Other

Vendor Worksheet

Questions for the vendor – as applicable to the service provided

Relationship Management

Question | Yes | No | Comments

1. Please provide details regarding any outsourcing. Include identification of all other third parties that may handle University data.

2. How do you ensure the security controls of third party vendors that may handle or access University data?

3. Please provide details on your availability and maintenance schedule and process.

Data Management

Question | Yes | No | Comments

1. Define the company's view on roles and responsibilities regarding data management and University ownership of the data.

2. Will you be able to provide a clear exit strategy that includes data return and format? Provide details.


3. Has destruction/sanitization of data been defined and documented? Please describe.

4. Will you allow the University to audit, and to see reports or certifications, assessments and scan results performed on your systems and networks?

5. Please provide required or industry-standard certification documentation as pertinent to the regulations of the data involved (e.g., PCI DSS Attestation of Compliance, HIPAA compliance, FISMA, SOC 3, ISO 27001, etc.).

6. Has your company completed the Cloud Security Alliance (CSA) self-assessment or is the company STAR certified?

7. Has the company undergone an SSAE 16 (now SSAE 18) audit and obtained a SOC report? Please provide the documentation.

8. Does your company have cyber liability insurance? If so, please provide your limits.

Infrastructure and Data Security – controls, physical security and continuity

Question | Yes | No | Comments

1. Will University data be stored and transmitted securely using industry/regulatory standards (encryption)? This includes backups. Please explain encryption-in-transit and encryption-at-rest controls for all instances of University data.

2. Will University data be stored within the United States? Storage locations have been identified and are in compliance with applicable regulations or contracts. This includes data backups and cloud providers.

3. Is two-factor authentication utilized? Please explain your authentication methods. This should include the details of how these methods are used based on employee roles including administrators that may have access to University data.

4. Access control policies require approvals, granting of access based on the principle of “least privilege” and changing of default passwords.

5. A formalized incident response plan which includes defined breach responsibility, process, format, and timing expectations is in place.

6. Describe your firewall and IDS usage and audit logs.

7. Regular network penetration and vulnerability testing is conducted. Current results (or attestations) have been provided, and results ongoing throughout the term of this agreement will be provided if requested.

8. Procedures are in place to obtain, assess, rank and ensure timely patching of system and device vulnerabilities.

9. Procedures are in place to ensure anti-virus is running and up-to-date on all devices included in the service provided to the University.

10. Dataflow documentation depicting all points in the transmission and storage of University data has been provided.

11. Information Security Policy and Procedures are available and implemented, addressing areas such as user responsibility, network and data security, incident response and system development.

12. Business Continuity and DR plans which include continuous service, data recovery, security and backups are in place, tested regularly and updated.

13. Employee management policies and procedures exist including requirements for background checks, awareness training and personnel change notification.

14. Will company consent to allow the University to perform its own inspection including the right to review the physical security controls, infrastructure and other inspection documentation?

15. The company utilizes a formal, industry standard process for secure development, testing and coding of software.

16. The preferred method for systematically transferring University data securely utilizes PGP. Can your systems support this process? If not, please explain the method for ensuring data encryption both during transfer and upon receipt (at rest).

17. Will your service require interfacing or authentication with University systems? Explain. List all data elements involved (e.g., Name, ID, email, GPA, etc.).

18. Are you in compliance with the EU General Data Protection Regulation (GDPR)? Please explain what steps have been taken to comply with the regulation.


For Services that include a mobile application

Mobile App Security – to be used if a mobile application is included in current or future services

Question | Yes | No | Comments

1. Does your company currently offer or plan to offer in the future mobile app solutions related to the services you are currently proposing?

2. If so, please explain the security provisions specific to this service. This should include data transmission, storage, and backup details.

3. Has the mobile application been reviewed by a third party? Please include details regarding application development controls including 3rd party application code reviews by external companies and the frequency of the review process.

4. Does the app testing process ensure that device considerations (variation in devices) are addressed?

5. Has the mobile application been designed based on industry standard security guidelines provided by both NIST and OWASP? The scope for these would include server side controls, transport layer protection, data leakage, authorization / authentication controls, broken cryptography, client side injection, session handling and binary protections.

6. Does the company have procedures to address handling public user reviews and complaints regarding the mobile application?

7. Does the company’s mobile application include layered security controls for the app? This would include the use of internal security controls to protect stored data, for example a PIN required to gain access to the application itself, beyond the device’s OS lock.

8. Does the company’s mobile application include a time out feature to ensure data protection?


9. How long has the company made this mobile application available to the general public? How many updates has it received since its initial roll out?

10. Does the company have procedures regarding the turn-around time for bug reports?

11. Does the company’s mobile application allow for external storage? If so what security controls are included to protect this data?

12. Can the company’s mobile application be accessed by other applications? If so what security controls are included to protect this data?

Vendor Questions

1. What is the University's preferred binding method for the proposal copies to avoid submitting superfluous binders? University Response: Please use appropriate binding based on the size of your proposal.

2. Regarding III.B. We noticed there are no quantities for your hardware needs. It’s very hard for most partners to accurately build a system without having quantities. Bidding a system of 1 unit wouldn’t do you justice and would also not reflect the accurate consulting package. There are more hours and investment needed into a system of 10 units compared to 1, and we can’t guess what that is without knowing your quantities. Can you provide the specific quantity details related to POS units, peripherals, ID printers, and any other hardware item requested? University Response: See Attachment 1

3. Regarding IV. A. 6. Can the University please provide hardware specifics and more data around the requested laundry services. Do you use a card reader to track or pay for laundry? If so, we will need to know the number of laundry rooms and how many units are in each room. University Response: The University will not be pursuing a laundry option at this time.

4. Regarding IV. D. 9. What type of banking customization are you expecting? University Response: The University is not expecting any bank customization in the meal plan transaction program/software.

5. Could you please give details on the POD to Pantry program and the spend tracking requirement? University Response: At the end of each semester, students are encouraged to purchase items from the POD with remaining flex points and donate these to the Cardinal Cupboard. There is no spend tracking currently involved in this process.

6. Card Production

a. What ID types are used on Cardinal Card? Mag stripe, barcode, proximity, NFC?

i. If NFC, what type? MIFARE Classic, MIFARE DESFire, iCLASS SEOS?

ii. If not NFC, is there a preference on type based on existing campus infrastructure investments, especially in door readers and locks?

University Response: Mag stripe, proximity. We are hoping to introduce MIFARE DESFire cards later this year.

b. Who does UofL use for card production? Datacard ID Works? University Response: Vision Database, IDMS

c. Does UofL wish to keep this system, or is UofL interested in other options? University Response: We are keeping at this moment, but will be exploring options at a later date.

d. How many card production stations are there? Please provide the quantity, make and model of the current card printers and cameras. Are we to bid new or reuse the existing printers and cameras? University Response: 3, DataCard CP80+ (4), Canon EOS Rebel T6 (3). Not at this time.

7. Dining services to include POS, tablet, kiosk, and mobile ordering

a. What is the current make/model of point of sale? Micros 9700 on premise? Micros Simphony 1.7 on premise, Micros Simphony 2.0, other? University Response: Micros Simphony (38).

b. May we get a breakdown of the current POS equipment by venue so we can price a 1-for-1 replacement of the current POS? In reviewing the UofL Dining Services website (louisville.campusdish.com) it appears there are approximately 23 venues. We would like to know for each of these, the quantities and type of hardware deployed. For example, how many registers, cash drawers, receipt printers, kitchen printers and kitchen display units. University Response: See Attachment 1

c. Does UofL currently accept credit/debit cards at these POS locations? If so, are there P2PE (point-to-point encrypted) EMV PIN pads currently in place for processing these payments? If so, what P2PE gateway provider is used (e.g., FreedomPay, Elavon Fusebox, Verifone Point, other)? University Response: Yes. Yes, 39 credit card machines interfaced to FreedomPay.

8. Library Usage

a. What ID card credential does the library use? Barcode? University Response: Mag stripe

b. What campus card use cases must be supported at the library? Just person authentication? Pay fines? Other? University Response: Person authentication. Library has their own system for checking out books.

9. Access Control

a. What access control system(s) does UofL use? CBORD Access? University Response: Continuum, Lenel

b. What Cardinal Card credential is used for access? Proximity? Magstripe? NFC? University Response: Proximity

c. Is the replacement of this system(s) within the scope of this RFP? i. If yes, may we please have a detailed listing of the current footprint of buildings and doors? ii. If no, can you please list the approximate quantities and make/model of exterior door readers and interior locks, as this is necessary to inform our decision on what NFC type to propose that best leverages the existing investments in access reader hardware. University Response: No. These items are controlled by DPS and are not affected by this RFP.

10. Vending Services

a. Who is your vending provider(s)? University Response: Canteen and Pepsi

b. Please provide the quantity and make/model of current snack and drink vending machine readers. Are they TCP/IP readers? 4-in-1 cellular readers from MEI Crane, Coinco or USATech? University Response: MEI A5K credit card readers

11. Laundry Services

a. Are we to bid laundry control as part of this RFP? University Response: No

b. If yes, can we have a picture and the make/model of the current hardware? University Response: No

c. If the current hardware is proprietary, or UofL desires new laundry control hardware, please provide: i. number of laundry rooms; ii. total quantity of washers/dryers; iii. make/model of current machines; iv. laundry service provider (e.g., Caldwell Gregory, CSC, etc.). All of this information is required to price new laundry control hardware. University Response: NA

12. Copy Services & Print Management

a. What is your existing print/copy solution? Pharos? PaperCut? Other? University Response: Pharos

b. Are we to bid a connection to this existing service? The Cardinal Card website indicates printing and copying is currently supported by the existing campus card system. University Response: Yes, the transaction program will need to interface with the printers

c. Please provide the quantities of any proprietary standalone copy readers that would need to be replaced by a new campus card provider. University Response: None

13. Off-Campus Merchant Acceptance

a. Does UofL use UGryd for off-campus merchant management, or does UofL self-operate off-campus merchants? University Response: UGryd, managed 100% by vendor

b. Please describe the approximate number of off campus merchants, annual total revenue and make/model of current readers. University Response: Currently 28, $85,000 last year. Maintained and provided by UGryd

14. Marketing & Communications Service

a. Please confirm what UofL is looking for in terms of “Marketing & Communications Service.” University Response: Must be able to market, recruit and promote for our off-campus venues.

15. Student Information System (SIS) and Residence Management System (RMS)

a. What SIS does UofL use? Banner, PeopleSoft, other? Is it connected to the current card system? If so, please describe the method of connection (flat file, other)? University Response: PeopleSoft. Flat files are currently communicated between our IDMS and PeopleSoft, then into our meal plan transaction program.

b. What RMS does UofL use? StarRez, Odyssey, Adirondack? Is it connected to the current card system? If so, please describe the method of connection (flat file, other)? University Response: RMS Mercury, Flat file.

16. Regarding section VI. Point of Sale System Requirements, c. Back Office Software, ix. Describe the system’s ability to import data: What type of data is UofL looking to import? Are you looking to import data on the initial setup so that you will not have to hand key all current menu items/employees, etc. into the new system? Or is there a specific use case you are hoping an import may solve? University Response: Yes, we are hoping to import existing data into the new system. Daily sales, declining balance, reporting and data gathering.

17. Regarding section IX. Required Functionality, b. Meal Plan Functionality: How are meal plans currently purchased and billed? Reviewing the web site, it appears the process is largely manual. Does UofL wish to entertain an automated meal plan purchasing and billing solution as part of this RFP or are we to bid based on reusing the existing process? University Response: Meal plans are assessed depending upon the students campus housing and enrollment status. We would like to automate as much as possible.

18. Does UofL use the card system for attendance tracking? If not, is there a desire to have such capabilities in the new One Card system? University Response: We do not currently use our system for attendance tracking, however, other departments on campus have purchased their own system for attendance tracking.

19. Does UofL intend to continue use of the cash deposit kiosks? If so, please provide a picture and the make/model of the existing kiosks so we may determine if they can be re-used. University Response: ValuePorts 4VPT0201 (11); nine in service and six dispense cards. See Attachment 2


Attachment 1


Attachment 2