RFP INFORMATION

REQUEST FOR PROPOSAL

* CONFIDENTIAL *

RFP INFORMATION

RFP Number: FY09-042 RFP Issue Date: October 14, 2008

RFP Title: Data Loss Prevention System

Proposal Due Date/Time (Eastern): Friday, October 31, 2008 at 3:00 (EST) Number of pages including this cover sheet and attachments: 24

UNIVERSITY CONTACT & SUBMISSION INFORMATION

Name: Sharon Hunt Title: Contract Manager

Email: [email protected]: 419-530-8716 FX: 419-530-8711

Mailing Address: THE UNIVERSITY OF TOLEDO PURCHASING SERVICES 2225 NEBRASKA AVE.

LRC 2170C, MS 400 TOLEDO, OH 43607 Attn: SHARON HUNT RFP# FY09-042

*** RFP # & Title must be referenced on outside label of envelope/package

*** 1 original, 1 copy & 1 CD to be sent to mailing address***

RESPONDENTS MUST COMPLETE THE FOLLOWING

Federal I.D. or TIN Number:

Company Name: Company Website:

Primary Contact Name: Primary Contact Title:

Business Address: Phone: Fax:

Email:

Billing inquiry phone:

Authorized Signer’s Name: Authorized Signer’s Title:

State Certified MBE I.D. Number, if applicable: ____________________

For More Information see the Ohio State Web Site http://das.ohio.gov/eod/EODMBEOff.htm

State Certified EDGE I.D. Number, if applicable: ______________________

For More Information see the State of Ohio Web Site http://das.ohio.gov/eod/EODMBEOff.htm

RESPONDENTS MUST RETURN THIS COVER SHEET WITH RFP RESPONSE

The mandatory process for proposal submission for award consideration is contained within Section 3 of this Request for Proposal. UNIVERSITY TERMS AND CONDITIONS contained within Section 6 of this Request for Proposal will

prevail unless expressly altered by the University. Proposals must be received by the Due Date/Time specified above. Plan your delivery method appropriately. Proposals received after the Due Date/Time will not be considered for award.

TABLE OF CONTENTS

SECTION 1 Definitions

SECTION 2 RFP Schedule of Events

SECTION 3 Instructions for Proposal Submission

SECTION 4 General Information and Notice to Respondents

SECTION 5 Scope of Services or Materials

SECTION 6 Terms and Conditions

ATTACHMENTS/EXHIBITS

A. RFP Offer Sheet

B. DMA form (Declaration Regarding Material Assistance/Non-assistance to a Terrorist Organization)

C. BAA (Business Associate Agreement)

D. Technical Criteria

E. Response & Financial Consideration Sheet

F. Other: __________________

SECTION 1: DEFINITIONS

Relative to this Request for Proposal, and any University-issued addenda, the following definitions apply:

1.1 Award: Agreement, Contract or Purchase Order resulting from this RFP.

1.2 Vendor, Supplier, Contractor: Respondent who is officially awarded the business through the RFP process and entered into a contractual agreement with the University.

1.3 Proposal: Respondent’s formally prepared response to this RFP, which was received by the University.

1.4 Due Date/Time: The date and time specified in this RFP by which a Proposal must be received by the University in accordance with this RFP. Proposals received after such date and time will not be considered.

1.5 Respondent: Individual or company submitting a Proposal in response to this RFP.

1.6 RFP: Request for Proposal

1.7 Scope: Scope of Services or Materials identified by University within this RFP that forms basis of Respondent Proposal.

1.8 University: The University of Toledo.

1.9 DMA: Declaration Regarding Material Assistance is a form each vendor is required to complete for any contract where a state entity spends over $100,000 annually.

1.10 Addendum: Refers to document issued by the Contract Manager which modifies this Request for Proposal or provides additional information to respondents.

RFP FY09-042 Data Loss Prevention 2 of 25

SECTION 2: RFP SCHEDULE OF EVENTS

The University will make every effort to adhere to the schedule detailed below:

RFP Issue Date:

Site Visit (if applicable)

Questions Submitted by:

University Response to Questions by:

October 14, 2008

Not Applicable

October 20, 2008 at Noon

October 23, 2008 by 5:00 PM

Proposal Due Date/Time:

Vendor Presentations:

October 31, 2008 at 3:00 PM

Week of November 10, 2008 (if applicable)

Anticipated Award Date: November 24, 2008

SECTION 3: INSTRUCTIONS FOR PROPOSAL SUBMISSION

Respondents are cautioned to read this entire RFP carefully and to comply with all directives to avoid disqualification from an award.

3.1 Proposal Preparation: Respondents must develop and submit a complete and accurate Proposal to this RFP. Proposals must adhere

to all directives contained herein and must follow the chronology of this RFP as specified and sign Attachment A (RFP Offer Sheet)

Respondent is to submit one (1) original Proposal which is to be bound into a single document and clearly marked “ORIGINAL”. Should a discrepancy arise between various copies of the RFP, information contained in the “ORIGINAL” will prevail over conflicting information.

Respondent is to submit one (1) quality Proposal copy, which are to be individually bound and clearly marked “COPY”.

An electronic copy on CD.

Proposals should be prepared providing a straight-forward, concise description of Respondents capabilities to satisfy the requirements of the Request for Proposal. Emphasis should be on completeness and clarity of content. Unnecessarily elaborate brochures or other presentations beyond that sufficient to respond to each section and beyond that sufficient to present a complete and effective bid response are neither necessary nor desired.

Respondent may include any optional data not requested yet considered by the Respondent to be pertinent to this RFP as an addendum to the Proposal.

Any Proposal that does not include the express requirements of this RFP and any University issued addenda may be considered an incomplete Proposal and rejected.

Ownership of all data, materials and documentation originated and prepared for the University pursuant to the RFP shall belong exclusively to the University and be subject to public inspection in accordance with the Ohio Freedom of Information Act. Trade secrets or proprietary information submitted by the Respondent shall not be subject to public disclosure under the Ohio Freedom of Information Act. Any confidential or proprietary data must be clearly marked.

RFP FY09-042 Data Loss Prevention 3 of 25

3.2 Site Visit/Pre-Bid Conference:A site visit is not required for this RFP.

3.3 University Revisions to the RFP:In the event that it becomes necessary for the University to revise any part of this RFP, revisions will be provided by the University Purchasing Office to all Respondents via an addendum that is sent electronically.

3.4 Respondent Questions regarding Scope or Procedure:Respondents with questions or requiring clarification or interpretation of any section within this RFP must address these questions via e-mail to [email protected] prior to the submission date stated in Section 2: RFP Schedule of Events. The respondent needs to reference each question to the RFP in consecutive order, from beginning to end, following the chronology of the RFP. Each question should begin by referencing the RFP page number and section number to which it relates.

3.5 Respondent Requests for Exceptions from Terms and Conditions: Respondents must submit all exceptions of presented Terms and Conditions requests in writing and include

those with their Proposal. Exceptions with an explanation as to why the Respondent cannot accept the University’s provision and what

alternative language the Respondent proposes, should be included. The University will make any final determination of changes to the Terms and Conditions.

3.6 Single Point of Contact:From the RFP Issue Date until an Award is made and announced by the University, Respondents are not allowed to communicate with any University staff or officials regarding this RFP, except at the direction of the University contact listed on the Cover Sheet of this RFP. Any unauthorized contact may disqualify the Respondent from further consideration. After an Award is made, all communication will be directly with the Contractor Liaison.

3.7 Submission Requirements: Proposals must be received by The University of Toledo Purchasing Services Office as per the due date/time

listed on RFP cover sheet. Respondents are responsible for selecting the method of delivery (first class certified mail, return-receipt requested, express mail, or hand-delivery) to ensure the proposal is received in the Purchasing Office prior to the due date/time (as determined by the University’s Purchasing date stamp clock. Any RFP or RFP revision which is received after the due date and time specified will not be considered.

University Purchasing Department Office hours for receipt of Proposals are Monday through Friday, 8 AM through 5 PM, EST. Refer to cover sheet for address of the Purchasing Services office.

Envelope/package must be securely sealed and clearly marked with the RFP number and RFP Title from the Cover Sheet.

An electronic version of the Proposal (required if checked) must be emailed to the University contact as identified on the Cover Sheet prior to the Due Date/Time in addition to the submission of hard documents as directed above. This electronic version is in addition to, and does not negate the need for, the hard copy submission.

A Business Associates Agreement (required if checked ) must be submitted with the Proposal. Contractor will be required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The University of Toledo master BAA agreement is Attachment D and will become an integral part of any agreement.

3.8 Failure to meet RFP Closing: Regardless of cause, Proposals received after the Due Date/Time will not be considered. Requests for extension of Due Date/Time will not be granted unless the University determines, at its’ sole

discretion, that the original Due Date/Time appears impractical. Notice of any extension will be provided in the form of an Addendum to all Respondents.

It is the Respondent’s responsibility to see that the Proposal is received prior to the Due Date/Time.

RFP FY09-042 Data Loss Prevention 4 of 25

3.9 Pricing Format: Respondents must clearly outline their fee structure including initial up front costs and any ongoing yearly

maintenance, licenses, services and support fees. This document will be used as the primary representation of each Respondent’s cost/price, and will be used extensively during Proposal evaluations. Additional information should be included as necessary to explain in detail the Respondent’s cost/price.

Prices quoted in the Proposal must be FIRM and compliant with RFP specifications. Proposals may not be corrected after the Due Date/Time.

As an institution of the State of Ohio, we must adhere to the State’s T & E reimbursement policies.

3.10 No Bid Requirement: If Respondent is unable or unwilling to submit a Proposal, the Respondent should as a courtesy notify the University Contact identified on the Cover Sheet via email to [email protected] and provide a brief explanation for the “no-bid” prior to the Due Date/Time.

Failure to extend this courtesy may jeopardize your consideration for receiving future RFP’s.

3.11 Withdrawal of Proposal:

Respondents may withdraw Proposals at any time prior to the Due Date/Time with written notification to the University Contact listed on the Cover Sheet.

3.12 Cancellation of the RFP:The University reserves the right to cancel this RFP, in whole or in part, at any time before the opening of the proposals. Should it become evident during the evaluation of the proposals that it is no longer in the best interest of the University to make an award under this solicitation, the University reserves the right to cancel this RFP. The University shall not be responsible for any costs incurred due to the cancellation of the RFP.

3.13 Respondent Presentations:Respondents may be required to make an oral presentation and product/service demonstration to clarify their Proposal or to further define their offer. Respondents should be prepared to send qualified personnel to the University campus, at the Respondent’s sole expense, to discuss technical and contractual aspects of the Proposal. The Respondent may be required to provide a trial implementation of the proposed solution prior to award of the RFP.

3.14 Alternative Proposals:Respondent may offer alternative Proposals; in which case each Proposal will be evaluated by the University as a separate option. Alternative proposals must be clearly marked.

3.15 References: Proposal must include a minimum of three (3) client references where the Respondent has successfully

implemented a Data Loss Prevention System over the last three (3) calendar years. References need to be similar in size and scope.

The University may contact these references to verify Respondent’s ability to perform. Respondents must clearly identify the following for all references:

company/institution name contact name, title, and telephone contact’s email address contact’s mailing address the size of the organization dates and performance

3.16 Minority Business Participation:The University of Toledo has a goal consistent with the State of Ohio legislative mandate to procure a percentage of its goods and services from State Certified Minority Vendors (CMV) and/or Encouraging Diversity Growth and Equity (EDGE) vendors. The University of Toledo reserves the right to award a CMV or EDGE vendor, at its sole discretion, in order to meet said goal.

3.17 Service Guarantees:

RFP FY09-042 Data Loss Prevention 5 of 25

Final acceptance and approval of the work performed lies with the University. Please detail your service guarantees, including the coverage time frames and any exclusions or University performance requirements.

SECTION 4: GENERAL INFORMATION AND NOTICE TO RESPONDENTS

The Respondent whose Proposal, in the sole opinion of the University, represents the best overall value to the University will be selected. Factors which determine the selection include but are not limited to: the Proposal’s compliance with the RFP; quality of the Respondent’s products or services; ability to perform the Scope; and general responsibility as evidenced by past performance. Price/Discounts, although a factor, will not be the sole determining factor in the award of an agreement.

4.1 Rights Reserved:The University, at its sole discretion and upon its determination that such actions would be in its best interest, reserves the right to: Accept or reject any or all Proposals, or any part thereof, or to withhold the award and to waive, or decline to

waive, irregularities, informalities, and technicalities in any Proposal when determined that it is in its best interest to do so;

Hold all Proposals for a period of up to ninety (90) days after the Due Date/Time and to accept a Proposal not withdrawn before the scheduled Due Date/Time;

Cancel and/or reissue this RFP at any time; Invite some, all, or none of the Respondents for interviews, demonstrations, presentations, and further

discussion; Negotiate a possible contract and may solicit “best and final offers” from some or all Respondents prior to or

during this negotiation process; Choose to not evaluate, may deem non-responsive, and/or may disqualify from further consideration any

Proposals that do not follow the RFP directives, are difficult to understand, are difficult to read, or are missing any requested information;

Make an Award by items, groups of items, or as a whole, whichever is deemed most advantageous to the University. The University also reserves the right to make multiple awards when it is deemed in the best interest of the University.

4.2 Right to Investigate and Reject:The University may make such investigations as deemed necessary to determine the ability of the Respondent to provide the supplies and/or perform the services specified. The University reserves the right to reject any Proposal if the evidence submitted by, or investigation of, the Respondent fails to satisfy the University that the Respondent is properly qualified. This includes the University’s ability to reject the Proposal based on negative references

4.3 Purchase Orders, Invoicing & Cash Discounts: University purchases will be procured through University authorized personnel on a valid purchase order or procurement card. Purchase Order numbers are required on all invoices to ensure proper payment. Payment terms are NET 30 days. Any cash discounts offered will be accepted and the University will endeavor to use in the evaluation, if possible.

4.4 Incurred Expenses:The Respondent, by submitting a Proposal, agrees that any cost incurred by responding to this RFP, or in support of activities associated with this RFP, will be born by the Respondent and may not be billed to the University. The University will incur no obligation or liability whatsoever to anyone resulting from issuance of, or activities pertaining to, this RFP, including samples. Respondents submit Proposals at their own risk and expense.

4.5 Resulting Contract(s):This RFP, any addenda, the Respondent’s Proposal, any addenda or exhibits, best and final offer, and any clarification question responses may be included in any resulting contract(s).

4.6 Evaluation Process and Contract Term:All proposals submitted by the due date/time deadline will be evaluated by a committee designated by the University, who will be responsible for the selection of a firm (or firms) to which a contract may be awarded.

If an award of contract is made, the respondent whose proposal, in the sole opinion of the University, represents the best overall value to the University will be selected.

RFP FY09-042 Data Loss Prevention 6 of 25

Evaluation Criteria for this RFP include, but not limited to:

Technical Proposal & Requirements Functionality and Features Service & Support Installation & Implementation Total Cost Fulfilling the request for information per each section of this RFP

The initial term of this agreement will be for (1) one year with annual software maintenance renewals upon mutual agreement of all parties, for a maximum total of (5) five years.

4.7 Declaration Regarding Material Assistance/Non-assistance to a Terrorist Organization (D.M.A.): If required as indicated in the Attachments/Exhibits, the Respondent is responsible for reviewing, completing,

signing, and including Attachment C within their Proposal to certify that they have not provided “material assistance” to a terrorist organization.

The DMA was created to provide the state with an additional tool to deter and prosecute acts of terrorism within the state. The Declaration is a part of Senate Bill 9, which is Ohio's homeland security and anti-terrorism legislation. The revised version of the bill was signed into law by Governor Taft on January 11, 2006. Sections 2909.32, 2909.33, and 2909.34 of the Ohio Revised Code officially defined and created the DMA. Compliance with the DMA will take effect on Friday, April 14, 2006.

Additional information is available at http://www.homelandsecurity.ohio.gov/DMA_forms.asp

[The balance of this page is left blank intentionally]

RFP FY09-042 Data Loss Prevention 7 of 25

SECTION 5: SCOPE OF SERVICES

5.1 Background information:The University of Toledo and the Medical University of Ohio at Toledo were combined by law effective July 1, 2006. The new University of Toledo is the third largest university in the state in terms of operating budget and one of 17 public universities in the country that has colleges of business, education, engineering, law, medicine and pharmacy. The new University now has:

• An enrollment of 23,000 students; • Research funding approaching $60 million;• A work force of more than 7,000;• An economic impact in northwest Ohio of more than $700 million; and more than 100,000 alumni.

The University of Toledo is an institution of excellence committed to improving the human condition through learning, discovery and engagement. The University of Toledo has six campuses – Bancroft, Scott Park, the Health Science Campus, the Center for the Visual Arts, the R.A. Stranahan Arboretum and the Lake Erie Research Center – located throughout Northwest Ohio and is one of the premier academic health care centers in the Midwest. The University has a spectrum of colleges, departments and professional programs matched only by a handful of public institutions nationwide. The University has world-renowned faculty and staff experts and $60 million in funded research and grants. UT has more than 20,000 students, 7,000 employees and 100,000 alumni.

In addition to Main Campus, which features many arts, athletics and alumni events, the Health Science Campus at The University of Toledo houses many of the University’s health sciences programs and research. It is also home to The University of Toledo Medical Center, renowned for its facilities, physicians and innovative and patient-focused care and treatments.

The University of Toledo’s mission: The mission of The University of Toledo is to improve the human condition; to advance knowledge through excellence in learning, discovery and engagement; and to serve as a diverse, student-centered public metropolitan research university. For more information: www.u toledo .edu/

Campus MapA University of Toledo Map of all locations can be found on the University’s website via the following link:http://www.utoledo.edu/campus/maps/index.html

5.2 Project Overview: The UNIVERSITY OF TOLEDO (UT) located in Toledo, Ohio, is looking for a highly reputable firm which has extensive experience in a data loss prevention system that will assist the Information Security Office in identifying where sensitive data (PHI, PII, SSN, etc) resides and when it is moving off the university network. Further, the system is intended to offer opportunities to alert, restrict, redirect, or otherwise manage the access or transfer of this data.

General:This RFP Contains the minimum specifications and requirements which must be satisfied in order for a proposal to be considered; the instructions governing the proposal format; statements concerning the respondent’s responsibilities before, during and after services are rendered; and other general requirements which must be included in the proposal.

5.3 Scope of Bid:Upon award, the vendor will provide implementation, documentation, training and support for the proposed software solution

5.4 Technical Specifications : Technical Specifications listed under Exhibit D; Proposal Response Sheet.

RFP FY09-042 Data Loss Prevention 8 of 25

SECTION 6: THE UNIVERSITY OF TOLEDO TERMS AND CONDITIONS

6.1 Indemnification:Contractor agrees to indemnify the University, its governing board, officers, employees, agents, students and the State of Ohio from and against any and all costs, losses, damages, liabilities, expenses, demands, and judgments, including court costs, and attorney’s fees, which may arise out of Contractor’s performance of this Agreement, except to the extent such are caused by the sole fault or negligence of the University. Contractor agrees to indemnify the University, its governing board, officers, employees, agents, students and the State of Ohio from and against any and all costs, losses, damages, liabilities, expenses, demands, and judgments, including court costs, and attorney’s fees, suffered by failure to perform this Agreement according to its provisions and in accordance with the Statement of Services.

6.2 Governing Law:All questions relating to the validity, interpretation, performance or enforcement of this Agreement, and any claims arising from or related to this Agreement, will be governed by and construed in accordance with the laws of the State of Ohio, without regard to the principle of conflict of laws. Any litigation arising from or related to this Agreement may be brought only in the federal or state courts of Ohio with appropriate jurisdiction, and the parties irrevocably consent to the jurisdiction and venue of such courts.

6.3 Contingent upon Appropriation:It is understood that any and all expenditures of State funds are contingent on the availability of lawful appropriations by the Ohio General Assembly. If the General Assembly fails at any time to continue funding for the payments and/or other obligations that may be due hereunder, then the State of Ohio’s obligations under this Contract are terminated as of the date that the funding expires without further obligation of the State.

6.4 Taxes:The University of Toledo, as an instrumentality of the State of Ohio, is exempt from Ohio sales tax and Federal excise tax, including Federal transportation tax. An exemption certificate is available, upon request, from the University Purchasing office.

6.5 Unresolved Findings:Vendor warrants that it is not subject to an “unresolved” finding for recovery under Ohio Revised Code Section 9.24. If the warranty is deemed to be false, the Agreement is void ab initio and the Contractor must immediately repay to the State any funds paid under this Agreement.

6.6 Suspension or Debarment:Vendor certifies that it is not suspended or debarred by the Federal Government or State of Ohio from participating in Federal or State funded projects.

6.7 Assignment:Neither party may assign its right or obligation hereunder without the prior written approval of the other party.

6.8 Absence of Sanctions:Contractor represents that neither it nor any of its owners, officers or employees have been sanctioned by or excluded from participation in any federal or state health care program, including Medicare and Medicaid. Contractor agrees that if it or any such individual associated with it should become the subject of an investigation relating to health care fraud, abuse or misconduct, or should be sanctioned by or excluded from participating in any federal or state health care program, including Medicare and Medicaid, it will immediately notify the Medical University of such event and the Medical University will have the right to immediately terminate this Agreement without penalty or cost.

6.9 Compliance with Law and Policies Contractor hereby covenants and agrees that in the course of Contractor’s performance of its duties hereunder,

Contractor will comply with all applicable federal, state and local government statutes, ordinances and regulations, and University policies and procedures.

If professional licensing or certification constitutes a qualification for Contractor’s performance under this

RFP FY09-042 Data Loss Prevention 9 of 25

Agreement, Contractor will make immediately available, at the University’s request, a copy of said certification or licensure.

The Contractor warrants that it has complied with all federal, state and local laws regarding business permits and licenses of any kind, including but not limited to:o Family Educational Rights and Privacy Act (FERPA) o Gram-Leach-Bliley (GLB) Act o Health Insurance Portability and Accountability (HIPAA) Act of 1996o Privacy Act of 1974o OSHA Compliance

The Contractor agrees to comply with all applicable Federal, State and Local laws regarding smoke-free and drug-free workplaces and shall make a good faith effort to ensure that any of its employees or permitted subcontractors engaged in any work being performed hereunder do not purchase, transfer, use or possess illegal drugs or alcohol or abuse prescription drugs in any way.

6.10 Non-Discrimination:Pursuant to R.C. §125.111, and Executive Order 11246, Laws and Regulations of the State of Ohio, the Vietnam Era Veterans Readjustment Assistance Act and policy of the University, the Contractor agrees that Contractor, and any Sub-supplier there of, or any person acting on behalf of Contractor or a Sub-supplier, will not discriminate, by reason of race, creed, color, religion, sex, age, handicap, national origin, or ancestry, or status as a disabled veteran or Vietnam era veteran against any citizen of this state in the employment of any person qualified and available to perform the work under the agreement. The successful Contractor further agrees that every sub-contract for parts and/or service for any ensuing order will contain a provision requiring non-discrimination in employment as specified above. Any breach thereof may be regarded as material breach of contract or purchase order. The Contractor further agrees that Contractor, any Sub-supplier, and any person acting on behalf of Contractor or its Sub-supplier, will not in any manner, discriminate against, intimidate, or retaliate against any employee hired for the performance of work under the agreement on account of race, creed, color, religion, sex, age, handicap, national origin, or ancestry, or status as a disabled veteran or Vietnam era veteran. Contractor represents that it has a written affirmative action program for the employment and effective utilization of economically disadvantaged persons and annually will file a description of that program and a progress report on its implementation with the Equal Employment Opportunity Office of the Department of Administrative Services.

6.11 Limitation of Liability: The University’s liability for damages, whether in contract or in tort, will not exceed the total amount of

compensation payable to Contractor under this Agreement. IN NO EVENT WILL THE UNIVERSITY BE LIABLE FOR ANY INDIRECT OR CONSEQUENTIAL

DAMAGES, INCLUDING LOSS OF PROFITS, EVEN IF THE UNIVERSITY IS ADVISED, KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES.

NOTWITHSTANDING ANY LANGUAGE TO THE CONTRARY, THE CONTRACTOR WILL BE LIABLE FOR ANY PERSONAL INJURY OR DAMAGE TO THE UNIVERSITY IN PERFORMING THE SERVICES, INCLUDING DAMAGE TO REAL PROPERTY OR TANGIBLE PERSONAL PROPERTY, CAUSED BY ITS FAULT OR NEGLIGENCE.

6.12 Insurance:Contractor (“Contractor”) shall purchase and maintain liability insurance which will protect the Contractor from claims which may arise out of or result from the Contractor’s performance or obligations under the contract, whether due to action or inaction by the Contractor, or any person for whom the Contractor is responsible.Refer to the following website for information:http://www.utoledo.edu/depts/risk/main/rm/policies/contractors.html

6.13 Suspension and Termination Provisions: The University reserves the right to terminate this Agreement for any reason and at any time upon 30 days

written notice to Contractor. In the event of termination prior to completion of all Services described within this RFP, the amount of the total fee to be paid the Contractor will be determined by University on the basis of the portion of the total Services actually completed up to the time of such termination.

If either party fails to perform any of the requirements of this Agreement, or is in violation of a specific provision of this Agreement, then the non-breaching party may suspend or terminate this Agreement if the breaching party fails to cure such non-performance or violation within ten (10) business days following delivery of written notice of the breach.

RFP FY09-042 Data Loss Prevention 10 of 25

6.14 Customer Service: It is expected that all Contractors working with the University associates maintain a professional and

courteous nature and that phone calls and order confirmations be promptly returned. It is the desire of the University that a dedicated Customer Service Representative, or team thereof, be

placed on the University account during regular business hours with e-mail capabilities. It is the Contractor’s responsibility to communicate changes in representatives and coordinate

introductions to key personnel at the University. This includes sales and internal customer service reps.

6.15 Meetings:The Contractor is required to meet with the University to resolve technical or contractual problems that may occur during the term of the contract or to discuss the progress made by Contractor and the University in the performance of their respective obligations, at no additional cost to the University.

6.16 Conflict of Interest:Contractor acknowledges that no conflict of interest exists between the Contractor and the University, or Contractor and its employees, or any members of their families in relation to any University policies or guidelines or state laws. Any person who acquires a conflicting personal interest as of the date the services begin must immediately disclose such interest to the University in writing. Contractor will not participate in any action affecting the services of this Agreement unless the University has determined that such participation would not be contrary to the public interest.

6.17 Ethical Conduct: It is expected once an agreement is issued, Suppliers (awarded or not awarded) will not undertake any actions that might interfere with, or be detrimental to, the contractual obligations of The University of Toledo. University reserves the right to take any and all actions deemed appropriate in response to unethical conduct by a Supplier. Such actions include, but are not limited to: establishing guidelines for campus visits by Supplier, and/or removal of a Supplier from University’s supplier list.

6.18 Public Records:Contractor understands that any records kept or maintained by the University, including any quotes or pricing of Contractor, may require disclosure under Ohio’s Public Records Act, R.C. § 149.43 and Ohio law and Contractor consents to such disclosure.

6.19 Advertising:No Contractor providing products or services to the University will appropriate or make use of the name or other identifying marks or property in its advertising.

6.20 Termination: Either party may terminate this agreement without cause by giving other party thirty (30) days written notice. Any proposal by the contractor to cancel must include provisions for a transition period to a replacement program.In the event that either party is in default under any of the terms of this Agreement, they shall be entitled to terminate this Agreement by giving the other party seven (7) days written notice. It is understood that any and all expenditures of State funds are contingent on the availability of lawful appropriations by the Ohio General Assembly. If the General Assembly fails at any time to continue funding for the payments and/or other obligations that may be due hereunder, then the State of Ohio’s obligations under this Contract are terminated as of the date that the funding expires without further obligation of the State.

6.21 Warranty:Contractor warrants that the work performed and equipment supplied hereunder will be of first quality, in full compliance with the requirements of the Agreement, and free from defects in material, workmanship and design for one year from initial operations. If any aspect of the above warranty will be breached, Contractor shall, upon receipt of notice thereof from University and at Contractor’s sole cost and expense, promptly repair or replace the defective materials, workmanship, or design or pay the University the costs and expenses incurred by University in conducting such repair and replacement.

6.22 Force Majeure:Neither party will be liable or deemed in default for any delay or failure in performance under an Agreement or interruption of service resulting directly or indirectly from acts of God, civil or military authority, acts of the

RFP FY09-042 Data Loss Prevention 11 of 25

public enemy, war, riots, civil disturbances, insurrections, accidents, fires, explosions, earthquakes, floods, the elements or any other cause beyond the reasonable control of such party.

6.23 HB694 Campaign Contributions:The Contractor hereby certifies that all applicable parties listed in Division (I) (3) or (J) (3) of ORC Section 3517.13 are in full compliance with Divisions (I) (1) and (J) (1) of ORC Section 3517.13.

ATTACHMENT A – RFP OFFER SHEETRFP FY09-042

Data Loss Prevention System

THE UNIVERSITY OF TOLEDO

TOLEDO, OHIO

TO: Sharon Hunt

Contract Manager

The University of ToledoPurchasing Services DepartmentLearning Resource Center, 2170C, MS#4002225 Nebraska AveToledo, Ohio 43607

By signing this document I am agreeing, on behalf of my firm, to the specifications of this RFP and accepting, without exception or amendment the University of Toledo’s RFP Project Overview, General Information, Scope of Project, and Agreement Terms and Conditions. Any contract resulting from this RFP shall be subject to these instructions, terms, and requirements incorporated herein.

Contractors are further advised that in accordance with the provisions of January 27, 1972, Executive Order by the Governor of Ohio, equal employment opportunity conditions are applicable to this proposal invitation. The contractor shall not discriminate against any employee or applicant for employment because of age, race, ethnicity, religion, national origin, ancestry, gender or handicap. The contractor shall take affirmative action to ensure that applicants are employed and that employees are treated during employment without regard to their age, race, ethnicity, religion, national origin, ancestry, gender or handicap. The contractor shall conform to all provisions of law relating hereto. Documents containing all pertinent requirements are on file with the Department of Administrative Services, Division of Public Works, 30 East Broad Street, Columbus, Ohio 43215.

Proposer understands that the University of Toledo reserves the right to reject any and all proposals, waive irregularities or technicalities in any proposal, and accept any proposal in whole or in part which is deemed to be in its best interest.

Proposer agrees that this proposal may not be withdrawn for a period of sixty (60) calendar days after due date of the proposal.

Proposer hereby certifies: (a) that this proposal is genuine and is not made in the interest or on behalf of any undisclosed person, firm, or corporation; (b) that proposer has not directly or indirectly included or solicited any other firm to put in a false or sham proposal; (c) that firm has not solicited or induced any person, firm, or corporation to refrain from sending a proposal and (d) this proposal is in all respects fair and in good faith without collusion or fraud.

Company Date

Signature (Required)

RFP FY09-042 Data Loss Prevention 12 of 25

Printed Name Title

RFP FY09-042 Data Loss Prevention 13 of 25

ATTACHMENT B - DECLARATION OF MATERIAL ASSISTANCERFP FY09-042

Senate Bill 9, which is Ohio’s homeland security and anti-terrorism legislation, requires all vendors receiving orders with an aggregate of $100K or more to fill out a D.M.A. questionnaire form (Declaration Regarding Material Assistance/Non-assistance to a Terrorist Organization) before issuance of an order.

Enclosed is the D.M.A. Form which must be filled out and faxed back to my attention at 419-383-6250. Please fill out the appropriate form and fax back as soon as possible.

If you have questions regarding Senate Bill 9, please go to http://www.homelandsecurity.ohio.gov/dma.asp for further explanation. Failure to comply may jeopardize future business with your company.

RFP FY09-042 Data Loss Prevention 14 of 25

RFP FY09-042 Data Loss Prevention 15 of 25

RFP FY09-042 Data Loss Prevention 16 of 25

ATTACHMENT C - BUSINESS ASSOCIATE AGREEMENTRFP FY09-042

BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT is an exhibit to and is hereby made part of and incorporated into that certain agreement (“Agreement”) entered into between THE UNIVERSITY OF TOLEDO, (“Covered Entity”), and       (“Business Associate”).

WITNESSETH:

WHEREAS, Business Associate provides said goods or services to Covered Entity pursuant to a contract entitled       (“Services Contract”) which has an effective date of      ; and

WHEREAS, Covered Entity permits Business Associate to have access to and/or receive from Covered Entity certain information, in conjunction with goods or services that are being provided by Business Associate to Covered Entity that is confidential and must be afforded special treatment and protection; and

WHEREAS, Business Associate can use or disclose such information only in accordance with this Agreement and the HHS Privacy and Security Regulations of the Health Insurance Portability and Accountability Act of 1996.

NOW, THEREFORE, Covered Entity and Business Associate agree as follows:

1. Definitions. The following terms shall have the meaning ascribed to them in this Section. Other capitalized terms shall have the meaning ascribed to them in the context in which they first appear.

A. “Agreement” refers to this document.

B. “Business Associate” means the vendor/contractor identified in the first paragraph above.

C. “Covered Entity” means the THE UNIVERSITY OF TOLEDO.

D. “Electronic media” means the mode of electronic transmission. It includes, but not limited to, the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, compact disk or optical media.

E. “HHS Privacy Regulations” means the Code of Federal Regulations (“CFR”) at Title 45, Sections 160 and 164, Subparts A and E.

F. “HHS Security Regulations” means the Code of Federal Regulations (“CFR”) at Title 45, Section 164, Subpart C.

G. “Individual” means the person who is the subject of the Protected Health Information. (Ref 45 CFR 160.103)

H “Protected Health Information” means any individually identifiable health information that is transmitted by electronic media, maintained in any medium described as electronic media, or transmitted or maintained in any other form or medium. (Ref 45 CFR 160.103) It includes:

(i) Names;

RFP FY09-042 Data Loss Prevention 17 of 25

(ii) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census;

(a) The geographic unit formed by combing all zip codes with the same three initial digits contains more than 20,000 people; and

(b) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(iii) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(iv) Telephone numbers;(v) Fax numbers;(vi) Electronic mail addresses;(vii)Social Security Numbers;(viii) Medical record number;(ix) Health plan beneficiary numbers;(x) Account numbers;(xi) Certificate/license numbers;(xii)Vehicle identifiers and serial numbers, including license plate numbers;(xiii) Device identifiers and serial numbers;(xiv) Web Universal Resource Locators (URLs);(xv) Internet Protocol (IP) address numbers;(xvi) Biometric identifiers, including finger and voice prints;(xvii) Full face photographic images and any comparable images.

I. “Parties” means Business Associate and Covered Entity.

J. “Secretary” means the Secretary of the Department of Health and Human Services (“HHS”) and any other officer or employee of HHS to whom the authority involved has been delegated.

2. Limits On Use and Disclosure Established by Terms of Agreement. Business Associate hereby agrees that it shall be prohibited from using or disclosing Protected Health Information provided or made available by Covered Entity for any purpose other than as expressly permitted or required by this Agreement. (Ref 164.504(e)(2)(i))

3. Stated Purposes For Which Business Associate May Use Or Disclose Protected Health Information. The Parties hereby agree that Business Associate shall be permitted to use and/or disclose Protected Health Information on behalf of or to provide services to Covered Entity for the following stated purposes, if such use or disclosure would not violate the HHS Privacy Regulations if done by Covered Entity: (Ref 164.504(e)(2)(i))

[Include a general statement describing the stated purposes that Business Associate may use or disclose the Protected Health Information of the Covered Entity. These uses and disclosures must be within the scope of the Business Associate’s agreement or representation of the Covered Entity]

4. Additional Purposes For Which Business Associate May Use Or Disclose Protected Health Information. In addition to the Stated Purposes for which Business Associate may use or disclose Protected Health Information

RFP FY09-042 Data Loss Prevention 18 of 25

described in clause 3, Business Associate may use or disclose Protected Health Information provided or made available from Covered Entity for the following additional purpose(s):

A. Use of Protected Health Information for Management, Administration and Legal Responsibilities. Business Associate shall be permitted to use Protected Health Information if necessary for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate. (Ref 164.504(e)(4)(i)(A-B))

B. Disclosure of Protected Health Information for Management, Administration and Legal Responsibilities. Business Associate shall be permitted to disclose Protected Health Information received from Covered Entity for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided: (Ref 164.504(e)(4)(ii))

(1). The disclosure is required by law; (Ref. 164.504(e)(4)(ii)(A)) or

(2). The Business Associate obtains reasonable assurances from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, the person shall use appropriate safeguards to prevent use or disclosure of the Protected Health Information, and the person immediately notifies the Business Associate of any instance of which it is aware in which the confidentiality of the Protected Health Information has been breached. (Ref 164.504(e)(4)(ii)(B))

C. Data Aggregation Services. Business Associate shall be also permitted to use or disclose Protected Health Information to provide data aggregation services, as that term is defined by 45 CFR 164.501, relating to the health care operations of Covered Entity. (Ref 164.504(e)(2)(i)(B))

5. Business Associate Obligations.

A. Limits on Use and Further Disclosure Established by Agreement and Law. Business Associate hereby agrees that the Protected Health Information provided or made available by Covered Entity shall not be further used or disclosed other than as permitted or required by the Agreement or as required by law. (Ref 164.504(e)(2)(ii)(A))

B. Appropriate Safeguards. Business Associate shall establish and maintain appropriate procedural, physical and electronic safeguards to prevent any use or disclosure of the Protected Health Information, other than as provided for by this Agreement. (Ref 164.504(e)(2)(ii)(B))

C. Reports of Improper Use or Disclosure. Business Associate hereby agrees that it shall report to Covered Entity within five (5) days of discovery any use or disclosure of Protected Health Information not provided for or allowed by this Agreement or any security incident of which it becomes aware. (Ref 164.504(e)(2)(ii)(C) and 164.314(a)(2)(iv))

D. Subcontractors and Agents. Business Associate hereby agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same terms, conditions and restrictions on the use and disclo-sure of Protected Health Information as contained in this Agreement and to implement reasonable and appropriate safeguards to protect the Protected Health Information. (Ref 164.504(e)(2)(ii)(D) and 164.314(a)(i)(B))

E. Right of Access to Protected Health Information. Business Associate hereby agrees to make available and provide a right of access to Protected Health Information by the Covered Entity or an Individual. This right of access shall conform with and meet all of the requirements of 45 CFR 164.524. (Ref 164.504(e)(2)(ii)(E))

RFP FY09-042 Data Loss Prevention 19 of 25

F. Amendment and Incorporation of Amendments. Business Associate agrees to make Protected Health Information available for amendment and to incorporate any amendments to Protected Health Information in accordance with 45 CFR 164.526. (Ref 164.504(e)(2)(ii)(F))

G. Provide Accounting. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required by Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR 164.528. (Ref 164.504(e)(2)(ii)(G))

H. Access to Books and Records. Business Associate hereby agrees to make its internal practices, books, and records, including policies and procedures, relating to the use or disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of the Covered Entity, available to the Secretary or the Secretary’s designee for purposes of determining compliance with the HHS Privacy Regulations. (Ref 164.504(e)(2)(ii)(H))

I. Minimum Necessary. Business Associate will limit any use, disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request in accordance with the requirements of the HHS Privacy Regulations. The Covered Entity may, pursuant to the HHS Privacy Regulations, reasonably rely on any requested disclosure as the minimum necessary for the stated purpose when the information is requested by Business Associate. (Ref. 164.514(d))

J. Return or Destruction of Protected Health Information. At termination of this Agreement, Business Associate hereby agrees to return or destroy, at its expense, all Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity. Business Associate agrees not to retain any copies of the Protected Health Information after termination of this Agreement. If return or destruction of the Protected Health Information is not feasible, Business Associate agrees to extend the protections of this Agreement for as long as necessary to protect the Protected Health Information and to limit any further use or disclosure. If Business Associate elects to destroy the Protected Health Information, it shall certify to Covered Entity that the Protected Health Information has been destroyed. (Ref 164.504(e)(2)(ii)(I))

K. Security Safeguards. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity as required by HHS Security Regulations. (Ref 164.314(a)(2)(i)(A))

6. Covered Entity Obligations.

A. Notice of Limitations. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

B. Notice of Change or Revocation. Covered Entity shall notify Business Associate of any changes in or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

C. Notice of Restrictions. Covered Entity shall notify Business Associate of any restrictions to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

RFP FY09-042 Data Loss Prevention 20 of 25

7. Term and Termination.

A. Term. The term of this Agreement shall commence as of      , and shall expire when all of the Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity pursuant to Paragraph 5.J above.

B. Termination for Cause. Business Associate agrees that Covered Entity has the right to immediately terminate this Agreement, and the aforementioned Services Contract, if Covered Entity determines that Business Associate has violated a material term of this Agreement or failed to comply with the HHS Privacy and/or Security Regulations. (Ref 164.504(e)(2)(iii) and 164.314(a)(2)(i)(A))

C. Cure of Breach. The Covered Entity may, but is not obligated, provide an opportunity for Business Associate to cure a breach.

D. Reporting to Secretary. It is acknowledged by the parties that if neither termination nor cure is feasible, the Covered Entity will be required to report the violation to the Secretary. (Ref. 164.504(e)(1)9ii)(B))

8. Notices. Whenever under this Agreement one Party is required to give notice to the other, such notice shall be deemed given if mailed by First Class United States mail, postage prepaid, and addressed as follows:

Covered Entity: Administrative DirectorHealth Information SystemsTHE UNIVERSITY OF TOLEDO 3000 Arlington AvenueToledo, OH 43614-2598

Business Associate: Name/Address

Either Party may at any time change its address for notification purposes by mailing a notice stating the change and setting forth the new address.

9. Miscellaneous.

A. Property Rights. The Protected Health Information shall be and remain the property of Covered Entity. Business Associate agrees that it acquires no title or rights to the Protected Health Information, including any de-identified Protected Health Information, as a result of this Agreement.

B. Choice of Law. This Agreement shall be governed by the laws of the State of Ohio and, with respect for purposes of privacy rights, the HHS Privacy and Security Regulations.

C. Regulatory References. A reference in this Agreement to a section of the HHA Privacy and Security Regulations means the section as in effect or as amended.

D. Binding Nature and Assignment. This Agreement shall be binding on the Parties hereto and their successors and assigns, but neither Party may assign this Agreement without the prior written consent of the other which consent shall not be unreasonably withheld.

E. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations promulgated thereunder.

RFP FY09-042 Data Loss Prevention 21 of 25

F. Article Headings. The article headings used are for reference and convenience only, and shall not enter into the interpretation of this Agreement.

G. Non-Waiver. Failure by any Party to insist upon strict compliance with any term or provision of this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of the other Party shall not affect nor constitute a waiver of, any Party’s right to insist upon such compliance, exercise that right, or seek that remedy with respect to that default or an prior, contemporaneous, or subsequent default.

H. Counterparts. This Agreement may be executed simultaneously in one or more counterparts, each of which shall be deemed an original, but all of which shall constitute one instrument

I. Severability. With respect to any provision of this Agreement finally determined by a court of competent jurisdiction to be unenforceable, such court shall have the jurisdiction to reform such provision so that it is enforceable to the maximum extent permitted by applicable law. If any provision of this Agreement shall be deemed unenforceable, such provision shall not affect the enforceability of the other provisions of this Agreement, which can be given effect without the unenforceable provision.

J. Survival. All representations, covenants and agreements in or under this Agreement or any other documents executed in connection with the transactions contemplated by this Agreement, shall survive the termination of this Agreement and such other documents.

10. Entire Agreement. This Agreement constitutes the entire agreement between the Parties concerning the subject matter herein. There are no understandings or agreements relating to this Agreement which is not fully expressed in this Agreement and no change, waiver or discharge of obligations arising under this Agreement shall be valid unless in writing and executed by the Party against whom such change, waiver or discharge is sought to be enforced.

IN WITNESS WHEREOF, Business Associate and Covered Entity have caused this Business Associate d Agreement to be signed and delivered by their duly authorized representatives.

BUSINESS ASSOCIATE: THE UNIVERSITY OF TOLEDO:

By: ___________________________ By: ___________________________Print Name: _____________________ Print Name: ____________________Title: __________________________ Title: _________________________Date: __________________________ Date: _________________________

v: 01/2008

RFP FY09-042 Data Loss Prevention 22 of 25

ATTACHMENT D – TECHNICAL CRITERIARFP FY09-042

Scope and ObjectivesThe University of Toledo is currently looking for a data loss prevention system that will assist the Information Security Office in identifying where sensitive data (PHI, PII, SSN, etc.) resides and when it is moving off the university network. Further, the system is intended to offer opportunities to alert, restrict, redirect, or otherwise manage the access or transfer of this data.

The bidders on this request should propose a solution that provides data loss prevention technologies as described above. Further the scope of the product set proposed must address at a minimum:

data in motion across the University’s internet connection (1 connection). data at rest on enterprise servers and file storage locations. Data on endpoint computers (desktops, laptops).

The proposed system must be able to identify at a minimum: Social Security Numbers Personal Identification Information Personal Health Information Credit Card Information and other personal financial information Any other information required for HIPAA, FERPA, and PCI compliance

The proposed system should be licensed to include all UT faculty, staff, students, and University-owned computing/network devices. The current quantities of each are reasonably estimated at:

Full time students (both campuses)     16,389  Part Time Students (both campuses)    4,739   Full time Faculty (both campuses)   1,178  Part Time Faculty (both campuses)   450  Full time staff ( both campuses)     2,044  Part time staff ( both campuses)    1,291  Hospital staff full time    676  Hospital Staff part time    188  University-owned computing devices 7,500

ATTACHMENT E – PROPOSAL RESPONSE

RFP FY09-042 Data Loss Prevention 23 of 25

RFP FY09-042

In responding, it is feasible to propose multiple configurations. If doing so, it is necessary to clearly identify the various proposals, the respective costs, and any variance in answers from sections 1 through 12 of the RFP. Incomplete responses will be eliminated from further consideration.

Company Information (including resellers)

Please answer the following quantitative or qualitative questions regarding the solution that has been proposed:

1. Proposed solution1.1. Please itemize the solution(s) being proposed including itemized cost

1.1.1.Hardware1.1.2.Software (perpetual license)1.1.3.Services1.1.4.Support & Maintenance for 5 days x 8 hrs minimum (annual maintenance cost for each of the next

3 years; annual maintenance cost escalation caps, etc.)

2. Lexicons2.1. Which lexicons do you support out of the box?

Some examples are HIPPA, FERPA, PII, PCI, GLBA

3. Presentation3.1. Is your management console Web based on Client software based?3.2. If client software based which client OS’s are supported?3.3. If web based which browsers are supported?3.4. Will your product prioritize and push important events up to the top? If so, how are priorities

established?3.5. Can incidents be re-sorted easily by the console user based on varying criteria? 3.6. When you present data at rest incidents do you display file owners and/or ACL’s of the offending file? 3.7. Do you have dashboards and if so are they customizable?3.8. Are you able to have user specific dashboards for various administrator types such as Help Desk,

Auditor, and Security Team?

4. Precision4.1. What is your out of the box accuracy as to false positives and false negatives?4.2. Have any third party evaluations been done on your product to rate the precision?4.3. If so who did them and what were the results (include copies of results if possible)?

5. Environment Compatibility5.1. Does your product support Active Directory integration / security?5.2. Which OS, database or other storage platforms do you support with you r product?

(i.e. Unix, Linux, AIX, Macintosh, Windows, MS SQL, Oracle)

6. Support / Maintenance6.1. What support options (24x7, 8x5, etc.) are available?6.2. What types of support are available? (i.e. E-mail, phone, web)

7. Impact on system / network performance7.1. What bandwidth can you support on the data in motion piece?7.2. What kind of load is put on the servers / endpoints when scanning data at rest?7.3. What reports are provided?7.4. Are the reports customizable? 7.5. Can user-defined reports be developed? If so, can third party report writers (e.g. Crystal, Access, etc.)

be used to develop them or is there a report writing utility provided with the product?

8. Policy Enforcement

RFP FY09-042 Data Loss Prevention 24 of 25

8.1. What methods of data policy enforcement are available at all 3 layers?8.2. Does your endpoint support removable media, printing or copy and paste checking and enforcement?8.3. Do you support mail redirect of SMTP traffic, for mail that trips a policy, to an encryption gateway?8.4. What actions can the system take to enforce violations?8.5. What alerting, notification or workflow processes can be initiated when a policy infraction is detected?8.6. Do you support paging / alerting of offences to an external system (remedy, exchange, what’s up, etc)?

9. Data Retention Management9.1. What are the estimated storage requirements for your product?9.2. If you need parameters to calculate this, what are they?9.3. Can you have different retention parameters for different types of data policies? HIPPA PII PCI9.4. What types of storage do you support with your devices?

10. Rule Complexity10.1. How easy is it to create custom rules/policies?10.2. How are your custom rules defined? (i.e. point and click, scripts)10.3. Are scripts supported?10.4. Is there training available if necessary for writing rules?

11. Product Distinction11.1. What do you consider distinguishes your product from other DLP products?11.2. Are there any other technical differentiators that you think we should consider as we compare DLP

products?

12. Vendor demonstration and proof of concept implementations12.1. The university may require on-site vendor presentations and/or a trial implementation of the proposed

solution prior to awarding a bid. This is at the discretion of the University as to whether this is required.

RFP FY09-042 Data Loss Prevention 25 of 25