REQUEST FOR PROPOSAL
* CONFIDENTIAL *
RFP Number: FY09-042
RFP Issue Date: October 14, 2008
RFP Title: Data Loss Prevention System
Proposal Due Date/Time (Eastern): Friday, October 31, 2008 at 3:00 (EST)
Number of pages including this cover sheet and attachments: 24
UNIVERSITY CONTACT & SUBMISSION INFORMATION
Name: Sharon Hunt
Title: Contract Manager
PH: 419-530-8716
FX: 419-530-8711
Mailing Address:
THE UNIVERSITY OF TOLEDO
2225 NEBRASKA AVE.
LRC 2170C, MS 400
TOLEDO, OH 43607
Attn: SHARON HUNT
*** RFP # & Title must be referenced on outside label of envelope/
*** 1 original, 1 copy & 1 CD to be sent to mailing address ***
RESPONDENTS MUST COMPLETE THE FOLLOWING
Federal I.D. or TIN Number:
Company Name:
Company Website:
Primary Contact Name:
Primary Contact Title:
Business Address:
Phone:
Fax:
Billing inquiry phone:
Authorized Signer’s Name:
Authorized Signer’s Title:
State Certified MBE
I.D. Number, if applicable: ____________________
For More Information see the Ohio State Web Site
State Certified EDGE
I.D. Number, if applicable: ______________________
For More Information see the State of Ohio Web Site
RESPONDENTS MUST RETURN THIS COVER SHEET WITH RFP RESPONSE
The mandatory process for proposal submission for award consideration is contained within Section 3 of this Request for
Proposal. UNIVERSITY TERMS AND CONDITIONS contained within Section 6 of this Request for Proposal will
prevail unless expressly altered by the University. Proposals must be received by the Due Date/Time specified above. Plan
your delivery method appropriately. Proposals received after the Due Date/Time will not be considered for award.
TABLE OF CONTENTS
SECTION 1 Definitions
SECTION 2 RFP Schedule of Events
SECTION 3 Instructions for Proposal Submission
SECTION 4 General Information and Notice to Respondents
SECTION 5 Scope of Services or Materials
SECTION 6 Terms and Conditions
A. RFP Offer Sheet
B. DMA form (Declaration Regarding Material Assistance/Non-assistance to a Terrorist Organization)
C. BAA (Business Associate Agreement)
D. Technical Criteria
E. Response & Financial Consideration Sheet
F. Other: __________________
SECTION 1: DEFINITIONS
Relative to this Request for Proposal, and any University-issued addenda, the following definitions apply:
1.1 Award: Agreement, Contract or Purchase Order resulting from this RFP.
1.2 Vendor, Supplier, Contractor: Respondent who is officially awarded the business through the RFP process and
entered into a contractual agreement with the University.
1.3 Proposal: Respondent’s formally prepared response to this RFP, which was received by the University.
1.4 Due Date/Time: The date and time specified in this RFP by which a Proposal must be received by the University
in accordance with this RFP. Proposals received after such date and time will not be considered.
1.5 Respondent: Individual or company submitting a Proposal in response to this RFP.
1.6 RFP: Request for Proposal
1.7 Scope: Scope of Services or Materials identified by University within this RFP that forms basis of Respondent
1.8 University: The University of Toledo.
1.9 DMA: Declaration Regarding Material Assistance is a form each vendor is required to complete for any contract
where a state entity spends over $100,000 annually.
RFP FY09-042 Data Loss Prevention 2 of 25
1.10 Addendum: Refers to document issued by the Contract Manager which modifies this Request for Proposal or
provides additional information to respondents.
SECTION 2: RFP SCHEDULE OF EVENTS
The University will make every effort to adhere to the schedule detailed below:
RFP Issue Date: October 14, 2008
Site Visit (if applicable) Not Applicable
Questions Submitted by: October 20, 2008 at Noon
University Response to Questions by: October 23, 2008 by 5:00 PM
Proposal Due Date/Time: October 31, 2008 at 3:00 PM
Vendor Presentations: Week of November 10, 2008 (if applicable)
Anticipated Award Date: November 24, 2008
SECTION 3: INSTRUCTIONS FOR PROPOSAL SUBMISSION
Respondents are cautioned to read this entire RFP carefully and to comply with all directives to avoid disqualification from
3.1 Proposal Preparation:
Respondents must develop and submit a complete and accurate Proposal to this RFP. Proposals must adhere
to all directives contained herein and must follow the chronology of this RFP as specified and sign
Attachment A (RFP Offer Sheet)
Respondent is to submit one (1) original Proposal which is to be bound into a single document and clearly
marked “ORIGINAL”. Should a discrepancy arise between various copies of the RFP, information contained
in the “ORIGINAL” will prevail over conflicting information.
Respondent is to submit one (1) quality Proposal copy, which is to be individually bound and clearly marked
An electronic copy on CD.
Proposals should be prepared providing a straightforward, concise description of Respondent’s capabilities to
satisfy the requirements of the Request for Proposal. Emphasis should be on completeness and clarity of
content. Unnecessarily elaborate brochures or other presentations beyond that sufficient to respond to each
section and beyond that sufficient to present a complete and effective bid response are neither necessary nor
Respondent may include any optional data not requested yet considered by the Respondent to be pertinent to
this RFP as an addendum to the Proposal.
Any Proposal that does not include the express requirements of this RFP and any University issued addenda
may be considered an incomplete Proposal and rejected.
Ownership of all data, materials and documentation originated and prepared for the University pursuant to the
RFP shall belong exclusively to the University and be subject to public inspection in accordance with the
Ohio Freedom of Information Act. Trade secrets or proprietary information submitted by the Respondent
shall not be subject to public disclosure under the Ohio Freedom of Information Act. Any confidential or
proprietary data must be clearly marked.
3.2 Site Visit/Pre-Bid Conference:
A site visit is not required for this RFP.
3.3 University Revisions to the RFP:
In the event that it becomes necessary for the University to revise any part of this RFP, revisions will be provided
by the University Purchasing Office to all Respondents via an addendum that is sent electronically.
3.4 Respondent Questions regarding Scope or Procedure:
Respondents with questions or requiring clarification or interpretation of any section within this RFP must address
these questions via e-mail to email@example.com prior to the submission date stated in Section 2: RFP
Schedule of Events. The respondent needs to reference each question to the RFP in consecutive order, from
beginning to end, following the chronology of the RFP. Each question should begin by referencing the RFP page
number and section number to which it relates.
3.5 Respondent Requests for Exceptions from Terms and Conditions:
Respondents must submit all requests for exceptions to the presented Terms and Conditions in writing and include
those with their Proposal.
Exceptions with an explanation as to why the Respondent cannot accept the University’s provision and what
alternative language the Respondent proposes, should be included.
The University will make any final determination of changes to the Terms and Conditions.
3.6 Single Point of Contact:
From the RFP Issue Date until an Award is made and announced by the University, Respondents are not allowed
to communicate with any University staff or officials regarding this RFP, except at the direction of the University
contact listed on the Cover Sheet of this RFP. Any unauthorized contact may disqualify the Respondent from
further consideration. After an Award is made, all communication will be directly with the Contractor Liaison.
3.7 Submission Requirements:
Proposals must be received by The University of Toledo Purchasing Services Office as per the due date/time
listed on RFP cover sheet. Respondents are responsible for selecting the method of delivery (first class
certified mail, return-receipt requested, express mail, or hand-delivery) to ensure the proposal is received in
the Purchasing Office prior to the due date/time (as determined by the University’s Purchasing date stamp
clock). Any RFP or RFP revision which is received after the due date and time specified will not be
University Purchasing Department Office hours for receipt of Proposals are Monday through Friday, 8 AM
through 5 PM, EST. Refer to cover sheet for address of the Purchasing Services office.
Envelope/package must be securely sealed and clearly marked with the RFP number and RFP Title from the
An electronic version of the Proposal (required if checked) must be emailed to the University contact as
identified on the Cover Sheet prior to the Due Date/Time in addition to the submission of hard documents as
directed above. This electronic version is in addition to, and does not negate the need for, the hard copy
A Business Associates Agreement (required if checked) must be submitted with the Proposal. Contractor
will be required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The University of Toledo master BAA agreement is Attachment D and will become an integral part of any
3.8 Failure to meet RFP Closing:
Regardless of cause, Proposals received after the Due Date/Time will not be considered.
Requests for extension of Due Date/Time will not be granted unless the University determines, at its sole
discretion, that the original Due Date/Time appears impractical. Notice of any extension will be provided in
the form of an Addendum to all Respondents.
It is the Respondent’s responsibility to see that the Proposal is received prior to the Due Date/Time.
3.9 Pricing Format:
Respondents must clearly outline their fee structure including initial up front costs and any ongoing yearly
maintenance, licenses, services and support fees. This document will be used as the primary representation of
each Respondent’s cost/price, and will be used extensively during Proposal evaluations. Additional
information should be included as necessary to explain in detail the Respondent’s cost/price.
Prices quoted in the Proposal must be FIRM and compliant with RFP specifications. Proposals may not be
corrected after the Due Date/Time.
As an institution of the State of Ohio, we must adhere to the State’s T & E reimbursement policies.
3.10 No Bid Requirement:
If Respondent is unable or unwilling to submit a Proposal, the Respondent should as a courtesy notify the
University Contact identified on the Cover Sheet via email to firstname.lastname@example.org and provide a brief
explanation for the “no-bid” prior to the Due Date/Time.
Failure to extend this courtesy may jeopardize your consideration for receiving future RFPs.
3.11 Withdrawal of Proposal:
Respondents may withdraw Proposals at any time prior to the Due Date/Time with written notification to the
University Contact listed on the Cover Sheet.
3.12 Cancellation of the RFP:
The University reserves the right to cancel this RFP, in whole or in part, at any time before the opening of the
proposals. Should it become evident during the evaluation of the proposals that it is no longer in the best interest
of the University to make an award under this solicitation, the University reserves the right to cancel this RFP.
The University shall not be responsible for any costs incurred due to the cancellation of the RFP.
3.13 Respondent Presentations:
Respondents may be required to make an oral presentation and product/service demonstration to clarify their
Proposal or to further define their offer. Respondents should be prepared to send qualified personnel to the
University campus, at the Respondent’s sole expense, to discuss technical and contractual aspects of the Proposal.
The Respondent may be required to provide a trial implementation of the proposed solution prior to award of the
3.14 Alternative Proposals:
Respondent may offer alternative Proposals; in which case each Proposal will be evaluated by the University as a
separate option. Alternative proposals must be clearly marked.
Proposal must include a minimum of three (3) client references where the Respondent has successfully
implemented a Data Loss Prevention System over the last three (3) calendar years. References need to be
similar in size and scope.
The University may contact these references to verify Respondent’s ability to perform.
Respondents must clearly identify the following for all references:
contact name, title, and telephone
contact’s email address
contact’s mailing address
the size of the organization
dates and performance
3.16 Minority Business Participation:
The University of Toledo has a goal consistent with the State of Ohio legislative mandate to procure a percentage
of its goods and services from State Certified Minority Vendors (CMV) and/or Encouraging Diversity Growth and
Equity (EDGE) vendors. The University of Toledo reserves the right to award a CMV or EDGE vendor, at its sole
discretion, in order to meet said goal.
3.17 Service Guarantees:
Final acceptance and approval of the work performed lies with the University. Please detail your service
guarantees, including the coverage time frames and any exclusions or University performance requirements.
SECTION 4: GENERAL INFORMATION AND NOTICE TO RESPONDENTS
The Respondent whose Proposal, in the sole opinion of the University, represents the best overall value to the University
will be selected. Factors which determine the selection include but are not limited to: the Proposal’s compliance with the
RFP; quality of the Respondent’s products or services; ability to perform the Scope; and general responsibility as evidenced
by past performance. Price/Discounts, although a factor, will not be the sole determining factor in the award of an
4.1 Rights Reserved:
The University, at its sole discretion and upon its determination that such actions would be in its best interest,
reserves the right to:
Accept or reject any or all Proposals, or any part thereof, or to withhold the award and to waive, or decline to
waive, irregularities, informalities, and technicalities in any Proposal when determined that it is in its best
interest to do so;
Hold all Proposals for a period of up to ninety (90) days after the Due Date/Time and to accept a Proposal not
withdrawn before the scheduled Due Date/Time;
Cancel and/or reissue this RFP at any time;
Invite some, all, or none of the Respondents for interviews, demonstrations, presentations, and further
Negotiate a possible contract and may solicit “best and final offers” from some or all Respondents prior to or
during this negotiation process;
Choose to not evaluate, may deem non-responsive, and/or may disqualify from further consideration any
Proposals that do not follow the RFP directives, are difficult to understand, are difficult to read, or are missing
any requested information;
Make an Award by items, groups of items, or as a whole, whichever is deemed most advantageous to the
University. The University also reserves the right to make multiple awards when it is deemed in the best
interest of the University.
4.2 Right to Investigate and Reject:
The University may make such investigations as deemed necessary to determine the ability of the Respondent to
provide the supplies and/or perform the services specified. The University reserves the right to reject any Proposal
if the evidence submitted by, or investigation of, the Respondent fails to satisfy the University that the Respondent
is properly qualified. This includes the University’s ability to reject the Proposal based on negative references
4.3 Purchase Orders, Invoicing & Cash Discounts:
University purchases will be procured through University authorized personnel on a valid purchase order or
procurement card. Purchase Order numbers are required on all invoices to ensure proper payment. Payment terms
are NET 30 days. Any cash discounts offered will be accepted and the University will endeavor to use in the
evaluation, if possible.
4.4 Incurred Expenses:
The Respondent, by submitting a Proposal, agrees that any cost incurred by responding to this RFP, or in support
of activities associated with this RFP, will be borne by the Respondent and may not be billed to the University. The
University will incur no obligation or liability whatsoever to anyone resulting from issuance of, or activities
pertaining to, this RFP, including samples. Respondents submit Proposals at their own risk and expense.
4.5 Resulting Contract(s):
This RFP, any addenda, the Respondent’s Proposal, any addenda or exhibits, best and final offer, and any
clarification question responses may be included in any resulting contract(s).
4.6 Evaluation Process and Contract Term:
All proposals submitted by the due date/time deadline will be evaluated by a committee designated by the
University, who will be responsible for the selection of a firm (or firms) to which a contract may be awarded.
If an award of contract is made, the respondent whose proposal, in the sole opinion of the University, represents
the best overall value to the University will be selected.
Evaluation Criteria for this RFP include, but are not limited to:
Technical Proposal & Requirements
Functionality and Features
Service & Support
Installation & Implementation
Fulfilling the request for information per each section of this RFP
The initial term of this agreement will be for (1) one year with annual software maintenance renewals upon mutual
agreement of all parties, for a maximum total of (5) five years.
4.7 Declaration Regarding Material Assistance/Non-assistance to a Terrorist Organization (D.M.A.):
• If required as indicated in the Attachments/Exhibits, the Respondent is responsible for reviewing, completing,
signing, and including Attachment C within their Proposal to certify that they have not provided “material
assistance” to a terrorist organization.
• The DMA was created to provide the state with an additional tool to deter and prosecute acts of terrorism within
the state. The Declaration is a part of Senate Bill 9, which is Ohio's homeland security and anti-terrorism
legislation. The revised version of the bill was signed into law by Governor Taft on January 11, 2006. Sections
2909.32, 2909.33, and 2909.34 of the Ohio Revised Code officially defined and created the DMA. Compliance
with the DMA will take effect on Friday, April 14, 2006.
• Additional information is available at http://www.homelandsecurity.ohio.gov/DMA_forms.asp
SECTION 5: SCOPE OF SERVICES
5.1 Background information:
The University of Toledo and the Medical University of Ohio at Toledo were combined by law effective July 1,
2006. The new University of Toledo is the third largest university in the state in terms of operating budget and
one of 17 public universities in the country that has colleges of business, education, engineering, law, medicine
and pharmacy. The new University now has:
• An enrollment of 23,000 students;
• Research funding approaching $60 million;
• A work force of more than 7,000;
• An economic impact in northwest Ohio of more than $700 million; and
• More than 100,000 alumni.
The University of Toledo is an institution of excellence committed to improving the human condition through
learning, discovery and engagement. The University of Toledo has six campuses – Bancroft, Scott Park, the
Health Science Campus, the Center for the Visual Arts, the R.A. Stranahan Arboretum and the Lake Erie Research
Center – located throughout Northwest Ohio and is one of the premier academic health care centers in the
Midwest. The University has a spectrum of colleges, departments and professional programs matched only by a
handful of public institutions nationwide. The University has world-renowned faculty and staff experts and $60
million in funded research and grants. UT has more than 20,000 students, 7,000 employees and 100,000 alumni.
In addition to Main Campus, which features many arts, athletics and alumni events, the Health Science Campus at
The University of Toledo houses many of the University’s health sciences programs and research. It is also home
to The University of Toledo Medical Center, renowned for its facilities, physicians and innovative and patient-
focused care and treatments.
The University of Toledo’s mission: The mission of The University of Toledo is to improve the human condition; to
advance knowledge through excellence in learning, discovery and engagement; and to serve as a diverse, student-centered
public metropolitan research university. For more information: www.utoledo.edu/
A University of Toledo Map of all locations can be found on the University’s website via the following link:
5.2 Project Overview:
The UNIVERSITY OF TOLEDO (UT) located in Toledo, Ohio, is looking for a highly reputable firm which has
extensive experience in a data loss prevention system that will assist the Information Security Office in identifying
where sensitive data (PHI, PII, SSN, etc.) resides and when it is moving off the university network. Further, the
system is intended to offer opportunities to alert, restrict, redirect, or otherwise manage the access or transfer of
This RFP contains the minimum specifications and requirements which must be satisfied in order for a proposal to
be considered; the instructions governing the proposal format; statements concerning the respondent’s
responsibilities before, during and after services are rendered; and other general requirements which must be
included in the proposal.
5.3 Scope of Bid:
Upon award, the vendor will provide implementation, documentation, training and support for the proposed
5.4 Technical Specifications:
Technical Specifications are listed under Exhibit D, Proposal Response Sheet.
SECTION 6: THE UNIVERSITY OF TOLEDO TERMS AND CONDITIONS
Contractor agrees to indemnify the University, its governing board, officers, employees, agents, students and the
State of Ohio from and against any and all costs, losses, damages, liabilities, expenses, demands, and judgments,
including court costs, and attorney’s fees, which may arise out of Contractor’s performance of this Agreement,
except to the extent such are caused by the sole fault or negligence of the University. Contractor agrees to
indemnify the University, its governing board, officers, employees, agents, students and the State of Ohio from
and against any and all costs, losses, damages, liabilities, expenses, demands, and judgments, including court
costs, and attorney’s fees, suffered by failure to perform this Agreement according to its provisions and in
accordance with the Statement of Services.
6.2 Governing Law:
All questions relating to the validity, interpretation, performance or enforcement of this Agreement, and any
claims arising from or related to this Agreement, will be governed by and construed in accordance with the laws of
the State of Ohio, without regard to the principle of conflict of laws. Any litigation arising from or related to this
Agreement may be brought only in the federal or state courts of Ohio with appropriate jurisdiction, and the parties
irrevocably consent to the jurisdiction and venue of such courts.
6.3 Contingent upon Appropriation:
It is understood that any and all expenditures of State funds are contingent on the availability of lawful
appropriations by the Ohio General Assembly. If the General Assembly fails at any time to continue funding for
the payments and/or other obligations that may be due hereunder, then the State of Ohio’s obligations under this
Contract are terminated as of the date that the funding expires without further obligation of the State.
The University of Toledo, as an instrumentality of the State of Ohio, is exempt from Ohio sales tax and Federal
excise tax, including Federal transportation tax. An exemption certificate is available, upon request, from the
University Purchasing office.
6.5 Unresolved Findings:
Vendor warrants that it is not subject to an “unresolved” finding for recovery under Ohio Revised Code Section
9.24. If the warranty is deemed to be false, the Agreement is void ab initio and the Contractor must immediately
repay to the State any funds paid under this Agreement.
6.6 Suspension or Debarment:
Vendor certifies that it is not suspended or debarred by the Federal Government or State of Ohio from
participating in Federal or State funded projects.
Neither party may assign its right or obligation hereunder without the prior written approval of the other party.
6.8 Absence of Sanctions:
Contractor represents that neither it nor any of its owners, officers or employees have been sanctioned by or
excluded from participation in any federal or state health care program, including Medicare and Medicaid.
Contractor agrees that if it or any such individual associated with it should become the subject of an investigation
relating to health care fraud, abuse or misconduct, or should be sanctioned by or excluded from participating in
any federal or state health care program, including Medicare and Medicaid, it will immediately notify the Medical
University of such event and the Medical University will have the right to immediately terminate this Agreement
without penalty or cost.
6.9 Compliance with Law and Policies
Contractor hereby covenants and agrees that in the course of Contractor’s performance of its duties hereunder,
Contractor will comply with all applicable federal, state and local government statutes, ordinances and
regulations, and University policies and procedures.
If professional licensing or certification constitutes a qualification for Contractor’s performance under this
Agreement, Contractor will make immediately available, at the University’s request, a copy of said
certification or licensure.
The Contractor warrants that it has complied with all federal, state and local laws regarding business permits
and licenses of any kind, including but not limited to:
o Family Educational Rights and Privacy Act (FERPA)
o Gramm-Leach-Bliley (GLB) Act
o Health Insurance Portability and Accountability (HIPAA) Act of 1996
o Privacy Act of 1974
o OSHA Compliance
The Contractor agrees to comply with all applicable Federal, State and Local laws regarding smoke-free and
drug-free workplaces and shall make a good faith effort to ensure that any of its employees or permitted
subcontractors engaged in any work being performed hereunder do not purchase, transfer, use or possess
illegal drugs or alcohol or abuse prescription drugs in any way.
Pursuant to R.C. §125.111, and Executive Order 11246, Laws and Regulations of the State of Ohio, the Vietnam
Era Veterans Readjustment Assistance Act and policy of the University, the Contractor agrees that Contractor, and
any Sub-supplier thereof, or any person acting on behalf of Contractor or a Sub-supplier, will not discriminate, by
reason of race, creed, color, religion, sex, age, handicap, national origin, or ancestry, or status as a disabled veteran
or Vietnam era veteran against any citizen of this state in the employment of any person qualified and available to
perform the work under the agreement. The successful Contractor further agrees that every sub-contract for parts
and/or service for any ensuing order will contain a provision requiring non-discrimination in employment as
specified above. Any breach thereof may be regarded as material breach of contract or purchase order. The
Contractor further agrees that Contractor, any Sub-supplier, and any person acting on behalf of Contractor or its
Sub-supplier, will not in any manner, discriminate against, intimidate, or retaliate against any employee hired for
the performance of work under the agreement on account of race, creed, color, religion, sex, age, handicap,
national origin, or ancestry, or status as a disabled veteran or Vietnam era veteran. Contractor represents that it
has a written affirmative action program for the employment and effective utilization of economically
disadvantaged persons and annually will file a description of that program and a progress report on its
implementation with the Equal Employment Opportunity Office of the Department of Administrative Services.
6.11 Limitation of Liability:
The University’s liability for damages, whether in contract or in tort, will not exceed the total amount of
compensation payable to Contractor under this Agreement.
IN NO EVENT WILL THE UNIVERSITY BE LIABLE FOR ANY INDIRECT OR CONSEQUENTIAL
DAMAGES, INCLUDING LOSS OF PROFITS, EVEN IF THE UNIVERSITY IS ADVISED, KNEW OR
SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES.
NOTWITHSTANDING ANY LANGUAGE TO THE CONTRARY, THE CONTRACTOR WILL BE
LIABLE FOR ANY PERSONAL INJURY OR DAMAGE TO THE UNIVERSITY IN PERFORMING THE
SERVICES, INCLUDING DAMAGE TO REAL PROPERTY OR TANGIBLE PERSONAL PROPERTY,
CAUSED BY ITS FAULT OR NEGLIGENCE.
Contractor (“Contractor”) shall purchase and maintain liability insurance which will protect the Contractor from
claims which may arise out of or result from the Contractor’s performance or obligations under the contract,
whether due to action or inaction by the Contractor, or any person for whom the Contractor is responsible.
Refer to the following website for information:
6.13 Suspension and Termination Provisions:
The University reserves the right to terminate this Agreement for any reason and at any time upon 30 days
written notice to Contractor. In the event of termination prior to completion of all Services described within
this RFP, the amount of the total fee to be paid the Contractor will be determined by University on the basis of
the portion of the total Services actually completed up to the time of such termination.
If either party fails to perform any of the requirements of this Agreement, or is in violation of a specific
provision of this Agreement, then the non-breaching party may suspend or terminate this Agreement if the
breaching party fails to cure such non-performance or violation within ten (10) business days following
delivery of written notice of the breach.
6.14 Customer Service:
It is expected that all Contractors working with the University associates maintain a professional and
courteous nature and that phone calls and order confirmations be promptly returned.
It is the desire of the University that a dedicated Customer Service Representative, or team thereof, be
placed on the University account during regular business hours with e-mail capabilities.
It is the Contractor’s responsibility to communicate changes in representatives and coordinate
introductions to key personnel at the University. This includes sales and internal customer service reps.
The Contractor is required to meet with the University to resolve technical or contractual problems that may occur
during the term of the contract or to discuss the progress made by Contractor and the University in the
performance of their respective obligations, at no additional cost to the University.
6.16 Conflict of Interest:
Contractor acknowledges that no conflict of interest exists between the Contractor and the University, or
Contractor and its employees, or any members of their families in relation to any University policies or guidelines
or state laws. Any person who acquires a conflicting personal interest as of the date the services begin must
immediately disclose such interest to the University in writing. Contractor will not participate in any action
affecting the services of this Agreement unless the University has determined that such participation would not be
contrary to the public interest.
6.17 Ethical Conduct:
It is expected that, once an agreement is issued, Suppliers (awarded or not awarded) will not undertake any actions that
might interfere with, or be detrimental to, the contractual obligations of The University of Toledo. University
reserves the right to take any and all actions deemed appropriate in response to unethical conduct by a Supplier.
Such actions include, but are not limited to: establishing guidelines for campus visits by Supplier, and/or removal
of a Supplier from University’s supplier list.
6.18 Public Records:
Contractor understands that any records kept or maintained by the University, including any quotes or pricing of
Contractor, may require disclosure under Ohio’s Public Records Act, R.C. § 149.43 and Ohio law and Contractor
consents to such disclosure.
No Contractor providing products or services to the University will appropriate or make use of the name or other
identifying marks or property in its advertising.
Either party may terminate this agreement without cause by giving the other party thirty (30) days written notice.
Any proposal by the contractor to cancel must include provisions for a transition period to a replacement program.
In the event that either party is in default under any of the terms of this Agreement, they shall be entitled to
terminate this Agreement by giving the other party seven (7) days written notice. It is understood that any and all
expenditures of State funds are contingent on the availability of lawful appropriations by the Ohio General
Assembly. If the General Assembly fails at any time to continue funding for the payments and/or other obligations
that may be due hereunder, then the State of Ohio’s obligations under this Contract are terminated as of the date
that the funding expires without further obligation of the State.
RFP FY09-042 Data Loss Prevention 11 of 25
Contractor warrants that the work performed and equipment supplied hereunder will be of first quality, in full
compliance with the requirements of the Agreement, and free from defects in material, workmanship and design
for one year from initial operations. If any aspect of the above warranty will be breached, Contractor shall, upon
receipt of notice thereof from University and at Contractor’s sole cost and expense, promptly repair or replace the
defective materials, workmanship, or design or pay the University the costs and expenses incurred by University in
conducting such repair and replacement.
6.22 Force Majeure:
Neither party will be liable or deemed in default for any delay or failure in performance under an Agreement or
interruption of service resulting directly or indirectly from acts of God, civil or military authority, acts of the
public enemy, war, riots, civil disturbances, insurrections, accidents, fires, explosions, earthquakes, floods, the
elements or any other cause beyond the reasonable control of such party.
6.23 HB694 Campaign Contributions:
The Contractor hereby certifies that all applicable parties listed in Division (I) (3) or (J) (3) of ORC Section
3517.13 are in full compliance with Divisions (I) (1) and (J) (1) of ORC Section 3517.13.
ATTACHMENT A – RFP OFFER SHEET
Data Loss Prevention System
THE UNIVERSITY OF TOLEDO
TO: Sharon Hunt
The University of Toledo
Purchasing Services Department
Learning Resource Center, 2170C, MS#400
2225 Nebraska Ave
Toledo, Ohio 43607
By signing this document I am agreeing, on behalf of my firm, to the specifications of this RFP and accepting, without
exception or amendment the University of Toledo’s RFP Project Overview, General Information, Scope of Project, and
Agreement Terms and Conditions. Any contract resulting from this RFP shall be subject to these instructions, terms, and
requirements incorporated herein.
Contractors are further advised that in accordance with the provisions of January 27, 1972, Executive Order by the Governor of
Ohio, equal employment opportunity conditions are applicable to this proposal invitation. The contractor shall not discriminate
against any employee or applicant for employment because of age, race, ethnicity, religion, national origin, ancestry, gender or
handicap. The contractor shall take affirmative action to ensure that applicants are employed and that employees are treated
during employment without regard to their age, race, ethnicity, religion, national origin, ancestry, gender or handicap. The
contractor shall conform to all provisions of law relating hereto. Documents containing all pertinent requirements are on file
with the Department of Administrative Services, Division of Public Works, 30 East Broad Street, Columbus, Ohio 43215.
Proposer understands that the University of Toledo reserves the right to reject any and all proposals, waive irregularities or
technicalities in any proposal, and accept any proposal in whole or in part which is deemed to be in its best interest.
Proposer agrees that this proposal may not be withdrawn for a period of sixty (60) calendar days after due date of the proposal.
Proposer hereby certifies: (a) that this proposal is genuine and is not made in the interest or on behalf of any undisclosed person,
firm, or corporation; (b) that proposer has not directly or indirectly included or solicited any other firm to put in a false or sham
proposal; (c) that firm has not solicited or induced any person, firm, or corporation to refrain from sending a proposal and (d)
this proposal is in all respects fair and in good faith without collusion or fraud.
Printed Name Title
ATTACHMENT B - DECLARATION OF MATERIAL ASSISTANCE
Senate Bill 9, which is Ohio’s homeland security and anti-terrorism legislation, requires all vendors receiving orders with
an aggregate of $100K or more to fill out a D.M.A. questionnaire form (Declaration Regarding Material Assistance/Non-
assistance to a Terrorist Organization) before issuance of an order.
Enclosed is the D.M.A. Form which must be filled out and faxed back to my attention at 419-383-6250. Please fill out the
appropriate form and fax back as soon as possible.
If you have questions regarding Senate Bill 9, please go to http://www.homelandsecurity.ohio.gov/dma.asp for further
explanation. Failure to comply may jeopardize future business with your company.
ATTACHMENT C - BUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT is an exhibit to and is hereby made part of and incorporated
into that certain agreement (“Agreement”) entered into between THE UNIVERSITY OF TOLEDO, (“Covered Entity”),
and (“Business Associate”).
WHEREAS, Business Associate provides said goods or services to Covered Entity pursuant to a contract entitled
(“Services Contract”) which has an effective date of ; and
WHEREAS, Covered Entity permits Business Associate to have access to and/or receive from Covered Entity
certain information, in conjunction with goods or services that are being provided by Business Associate to Covered Entity
that is confidential and must be afforded special treatment and protection; and
WHEREAS, Business Associate can use or disclose such information only in accordance with this Agreement and
the HHS Privacy and Security Regulations of the Health Insurance Portability and Accountability Act of 1996.
NOW, THEREFORE, Covered Entity and Business Associate agree as follows:
1. Definitions. The following terms shall have the meaning ascribed to them in this Section. Other capitalized terms
shall have the meaning ascribed to them in the context in which they first appear.
A. “Agreement” refers to this document.
B. “Business Associate” means the vendor/contractor identified in the first paragraph above.
C. “Covered Entity” means THE UNIVERSITY OF TOLEDO.
D. “Electronic media” means the mode of electronic transmission. It includes, but is not limited to, the Internet
(wide-open), Extranet (using Internet technology to link a business with information only accessible to
collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically
moved from one location to another using magnetic tape, disk, compact disk or optical media.
E. “HHS Privacy Regulations” means the Code of Federal Regulations (“CFR”) at Title 45, Sections 160 and
164, Subparts A and E.
F. “HHS Security Regulations” means the Code of Federal Regulations (“CFR”) at Title 45, Section 164,
G. “Individual” means the person who is the subject of the Protected Health Information. (Ref 45 CFR 160.103)
H. “Protected Health Information” means any individually identifiable health information that is transmitted by
electronic media, maintained in any medium described as electronic media, or transmitted or maintained in
any other form or medium. (Ref 45 CFR 160.103) It includes:
(ii) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip
code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current
publicly available data from the Bureau of the Census;
(a) The geographic unit formed by combining all zip codes with the same three initial digits contains
more than 20,000 people; and
(b) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer
people is changed to 000.
(iii) All elements of dates (except year) for dates directly related to an individual, including birth date,
admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year)
indicative of such age, except that such ages and elements may be aggregated into a single category of age 90
(iv) Telephone numbers;
(v) Fax numbers;
(vi) Electronic mail addresses;
(vii) Social Security Numbers;
(viii) Medical record number;
(ix) Health plan beneficiary numbers;
(x) Account numbers;
(xi) Certificate/license numbers;
(xii) Vehicle identifiers and serial numbers, including license plate numbers;
(xiii) Device identifiers and serial numbers;
(xiv) Web Universal Resource Locators (URLs);
(xv) Internet Protocol (IP) address numbers;
(xvi) Biometric identifiers, including finger and voice prints;
(xvii) Full face photographic images and any comparable images.
I. “Parties” means Business Associate and Covered Entity.
J. “Secretary” means the Secretary of the Department of Health and Human Services (“HHS”) and any other
officer or employee of HHS to whom the authority involved has been delegated.
2. Limits On Use and Disclosure Established by Terms of Agreement. Business Associate hereby agrees that it
shall be prohibited from using or disclosing Protected Health Information provided or made available by Covered
Entity for any purpose other than as expressly permitted or required by this Agreement. (Ref 164.504(e)(2)(i))
3. Stated Purposes For Which Business Associate May Use Or Disclose Protected Health Information. The
Parties hereby agree that Business Associate shall be permitted to use and/or disclose Protected Health Information
on behalf of or to provide services to Covered Entity for the following stated purposes, if such use or disclosure
would not violate the HHS Privacy Regulations if done by Covered Entity: (Ref 164.504(e)(2)(i))
[Include a general statement describing the stated purposes that Business Associate may use or disclose the
Protected Health Information of the Covered Entity. These uses and disclosures must be within the scope of the
Business Associate’s agreement or representation of the Covered Entity]
4. Additional Purposes For Which Business Associate May Use Or Disclose Protected Health Information. In
addition to the Stated Purposes for which Business Associate may use or disclose Protected Health Information
described in clause 3, Business Associate may use or disclose Protected Health Information provided or made
available from Covered Entity for the following additional purpose(s):
A. Use of Protected Health Information for Management, Administration and Legal Responsibilities.
Business Associate shall be permitted to use Protected Health Information if necessary for the proper management
and administration of Business Associate or to carry out legal responsibilities of Business Associate. (Ref
B. Disclosure of Protected Health Information for Management, Administration and Legal
Responsibilities. Business Associate shall be permitted to disclose Protected Health Information received from
Covered Entity for the proper management and administration of Business Associate or to carry out legal
responsibilities of Business Associate, provided: (Ref 164.504(e)(4)(ii))
(1). The disclosure is required by law; (Ref. 164.504(e)(4)(ii)(A)) or
(2). The Business Associate obtains reasonable assurances from the person to whom the Protected
Health Information is disclosed that it will be held confidentially and used or further disclosed only as required by
law or for the purposes for which it was disclosed to the person, the person shall use appropriate safeguards to
prevent use or disclosure of the Protected Health Information, and the person immediately notifies the Business
Associate of any instance of which it is aware in which the confidentiality of the Protected Health Information has
been breached. (Ref 164.504(e)(4)(ii)(B))
C. Data Aggregation Services. Business Associate shall be also permitted to use or disclose Protected
Health Information to provide data aggregation services, as that term is defined by 45 CFR 164.501, relating to the
health care operations of Covered Entity. (Ref 164.504(e)(2)(i)(B))
5. Business Associate Obligations.
A. Limits on Use and Further Disclosure Established by Agreement and Law. Business Associate
hereby agrees that the Protected Health Information provided or made available by Covered Entity shall not be
further used or disclosed other than as permitted or required by the Agreement or as required by law. (Ref
B. Appropriate Safeguards. Business Associate shall establish and maintain appropriate procedural,
physical and electronic safeguards to prevent any use or disclosure of the Protected Health Information, other than
as provided for by this Agreement. (Ref 164.504(e)(2)(ii)(B))
C. Reports of Improper Use or Disclosure. Business Associate hereby agrees that it shall report to Covered
Entity within five (5) days of discovery any use or disclosure of Protected Health Information not provided for or
allowed by this Agreement or any security incident of which it becomes aware. (Ref 164.504(e)(2)(ii)(C) and
D. Subcontractors and Agents. Business Associate hereby agrees to ensure that any agent, including a
subcontractor, to whom it provides Protected Health Information received from, or created or received by Business
Associate on behalf of Covered Entity, agrees to the same terms, conditions and restrictions on the use and
disclosure of Protected Health Information as contained in this Agreement and to implement reasonable and appropriate
safeguards to protect the Protected Health Information. (Ref 164.504(e)(2)(ii)(D) and 164.314(a)(i)(B))
E. Right of Access to Protected Health Information. Business Associate hereby agrees to make available
and provide a right of access to Protected Health Information by the Covered Entity or an Individual. This right of
access shall conform with and meet all of the requirements of 45 CFR 164.524. (Ref 164.504(e)(2)(ii)(E))
F. Amendment and Incorporation of Amendments. Business Associate agrees to make Protected Health
Information available for amendment and to incorporate any amendments to Protected Health Information in
accordance with 45 CFR 164.526. (Ref 164.504(e)(2)(ii)(F))
G. Provide Accounting. Business Associate agrees to document such disclosures of Protected Health
Information and information related to such disclosures as would be required by Covered Entity to respond to a
request by an Individual for an accounting of disclosures in accordance with 45 CFR 164.528. (Ref 164.504(e)(2)
H. Access to Books and Records. Business Associate hereby agrees to make its internal practices, books,
and records, including policies and procedures, relating to the use or disclosure of Protected Health Information
received from, or created or received by Business Associate on behalf of the Covered Entity, available to the
Secretary or the Secretary’s designee for purposes of determining compliance with the HHS Privacy Regulations.
I. Minimum Necessary. Business Associate will limit any use, disclosure to the minimum amount
necessary to accomplish the intended purpose of the use, disclosure or request in accordance with the requirements
of the HHS Privacy Regulations. The Covered Entity may, pursuant to the HHS Privacy Regulations, reasonably
rely on any requested disclosure as the minimum necessary for the stated purpose when the information is
requested by Business Associate. (Ref. 164.514(d))
J. Return or Destruction of Protected Health Information. At termination of this Agreement, Business
Associate hereby agrees to return or destroy, at its expense, all Protected Health Information received from, or
created or received by Business Associate on behalf of Covered Entity. Business Associate agrees not to retain any
copies of the Protected Health Information after termination of this Agreement. If return or destruction of the
Protected Health Information is not feasible, Business Associate agrees to extend the protections of this Agreement
for as long as necessary to protect the Protected Health Information and to limit any further use or disclosure. If
Business Associate elects to destroy the Protected Health Information, it shall certify to Covered Entity that the
Protected Health Information has been destroyed. (Ref 164.504(e)(2)(ii)(I))
K. Security Safeguards. Business Associate agrees to implement administrative, physical and technical
safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic
Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity as
required by HHS Security Regulations. (Ref 164.314(a)(2)(i)(A))
6. Covered Entity Obligations.
A. Notice of Limitations. Covered Entity shall notify Business Associate of any limitation(s) in its notice of
privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may
affect Business Associate’s use or disclosure of Protected Health Information.
B. Notice of Change or Revocation. Covered Entity shall notify Business Associate of any changes in or
revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such
limitation may affect Business Associate’s use or disclosure of Protected Health Information.
C. Notice of Restrictions. Covered Entity shall notify Business Associate of any restrictions to the use or
disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522,
to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health
7. Term and Termination.
A. Term. The term of this Agreement shall commence as of , and shall expire when all of the
Protected Health Information received from, or created or received by Business Associate on behalf of Covered
Entity is destroyed or returned to Covered Entity pursuant to Paragraph 5.J above.
B. Termination for Cause. Business Associate agrees that Covered Entity has the right to immediately
terminate this Agreement, and the aforementioned Services Contract, if Covered Entity determines that Business
Associate has violated a material term of this Agreement or failed to comply with the HHS Privacy and/or Security
Regulations. (Ref 164.504(e)(2)(iii) and 164.314(a)(2)(i)(A))
C. Cure of Breach. The Covered Entity may, but is not obligated to, provide an opportunity for Business
Associate to cure a breach.
D. Reporting to Secretary. It is acknowledged by the parties that if neither termination nor cure is feasible,
the Covered Entity will be required to report the violation to the Secretary. (Ref. 164.504(e)(1)(ii)(B))
8. Notices. Whenever under this Agreement one Party is required to give notice to the other, such notice shall be
deemed given if mailed by First Class United States mail, postage prepaid, and addressed as follows:
Covered Entity: Administrative Director
Health Information Systems
THE UNIVERSITY OF TOLEDO
3000 Arlington Avenue
Toledo, OH 43614-2598
Business Associate: Name/Address
Either Party may at any time change its address for notification purposes by mailing a notice stating the change
and setting forth the new address.
A. Property Rights. The Protected Health Information shall be and remain the property of Covered Entity.
Business Associate agrees that it acquires no title or rights to the Protected Health Information, including any de-
identified Protected Health Information, as a result of this Agreement.
B. Choice of Law. This Agreement shall be governed by the laws of the State of Ohio and, with respect for
purposes of privacy rights, the HHS Privacy and Security Regulations.
C. Regulatory References. A reference in this Agreement to a section of the HHS Privacy and Security
Regulations means the section as in effect or as amended.
D. Binding Nature and Assignment. This Agreement shall be binding on the Parties hereto and their
successors and assigns, but neither Party may assign this Agreement without the prior written consent of the other
which consent shall not be unreasonably withheld.
E. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to
time as is necessary for Covered Entity to comply with the requirements of the Health Insurance Portability and
Accountability Act of 1996 and the rules and regulations promulgated thereunder.
F. Article Headings. The article headings used are for reference and convenience only, and shall not enter
into the interpretation of this Agreement.
G. Non-Waiver. Failure by any Party to insist upon strict compliance with any term or provision of this
Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of the other
Party shall not affect nor constitute a waiver of, any Party’s right to insist upon such compliance, exercise
that right, or seek that remedy with respect to that default or any prior, contemporaneous, or subsequent
H. Counterparts. This Agreement may be executed simultaneously in one or more counterparts, each of
which shall be deemed an original, but all of which shall constitute one instrument.
I. Severability. With respect to any provision of this Agreement finally determined by a court of
competent jurisdiction to be unenforceable, such court shall have the jurisdiction to reform such provision so that
it is enforceable to the maximum extent permitted by applicable law. If any provision of this Agreement shall be
deemed unenforceable, such provision shall not affect the enforceability of the other provisions of this Agreement,
which can be given effect without the unenforceable provision.
J. Survival. All representations, covenants and agreements in or under this Agreement or any other
documents executed in connection with the transactions contemplated by this Agreement, shall survive the
termination of this Agreement and such other documents.
10. Entire Agreement. This Agreement constitutes the entire agreement between the Parties concerning the subject
matter herein. There are no understandings or agreements relating to this Agreement which are not fully expressed
in this Agreement and no change, waiver or discharge of obligations arising under this Agreement shall be valid
unless in writing and executed by the Party against whom such change, waiver or discharge is sought to be
IN WITNESS WHEREOF, Business Associate and Covered Entity have caused this Business Associate
Agreement to be signed and delivered by their duly authorized representatives.
BUSINESS ASSOCIATE: THE UNIVERSITY OF TOLEDO:
By: ___________________________ By: ___________________________
Print Name: _____________________ Print Name: ____________________
Title: __________________________ Title: _________________________
Date: __________________________ Date: _________________________
ATTACHMENT D – TECHNICAL CRITERIA
Scope and Objectives
The University of Toledo is currently looking for a data loss prevention system that will assist the Information
Security Office in identifying where sensitive data (PHI, PII, SSN, etc.) resides and when it is moving off the
university network. Further, the system is intended to offer opportunities to alert, restrict, redirect, or otherwise
manage the access or transfer of this data.
The bidders on this request should propose a solution that provides data loss prevention technologies as
described above. Further the scope of the product set proposed must address at a minimum:
• data in motion across the University’s internet connection (1 connection).
• data at rest on enterprise servers and file storage locations.
• data on endpoint computers (desktops, laptops).
The proposed system must be able to identify at a minimum:
• Social Security Numbers
• Personal Identification Information
• Personal Health Information
• Credit Card Information and other personal financial information
• Any other information required for HIPAA, FERPA, and PCI compliance
The proposed system should be licensed to include all UT faculty, staff, students, and University-owned
computing/network devices. The current quantities of each are reasonably estimated at:
• Full time students (both campuses) 16,389
• Part time students (both campuses) 4,739
• Full time faculty (both campuses) 1,178
• Part time faculty (both campuses) 450
• Full time staff (both campuses) 2,044
• Part time staff (both campuses) 1,291
• Hospital staff full time 676
• Hospital staff part time 188
• University-owned computing devices 7,500
ATTACHMENT E – PROPOSAL RESPONSE
In responding, it is feasible to propose multiple configurations. If doing so, it is necessary to clearly identify the
various proposals, the respective costs, and any variance in answers from sections 1 through 12 of the RFP.
Incomplete responses will be eliminated from further consideration.
Company Information (including resellers)
Please answer the following quantitative or qualitative questions regarding the solution that has been
1. Proposed solution
1.1. Please itemize the solution(s) being proposed including itemized cost
1.1.2. Software (perpetual license)
1.1.4. Support & Maintenance for 5 days x 8 hrs minimum (annual maintenance cost for each of the next
3 years; annual maintenance cost escalation caps, etc.)
2.1. Which lexicons do you support out of the box?
Some examples are HIPAA, FERPA, PII, PCI, GLBA
3.1. Is your management console Web based or client software based?
3.2. If client software based which client OS’s are supported?
3.3. If web based which browsers are supported?
3.4. Will your product prioritize and push important events up to the top? If so, how are priorities
3.5. Can incidents be re-sorted easily by the console user based on varying criteria?
3.6. When you present data at rest incidents do you display file owners and/or ACL’s of the offending file?
3.7. Do you have dashboards and if so are they customizable?
3.8. Are you able to have user specific dashboards for various administrator types such as Help Desk,
Auditor, and Security Team?
4.1. What is your out of the box accuracy as to false positives and false negatives?
4.2. Have any third party evaluations been done on your product to rate the precision?
4.3. If so who did them and what were the results (include copies of results if possible)?
5. Environment Compatibility
5.1. Does your product support Active Directory integration / security?
5.2. Which OS, database or other storage platforms do you support with your product?
(i.e. Unix, Linux, AIX, Macintosh, Windows, MS SQL, Oracle)
6. Support / Maintenance
6.1. What support options (24x7, 8x5, etc.) are available?
6.2. What types of support are available? (i.e. E-mail, phone, web)
7. Impact on system / network performance
7.1. What bandwidth can you support on the data in motion piece?
7.2. What kind of load is put on the servers / endpoints when scanning data at rest?
7.3. What reports are provided?
7.4. Are the reports customizable?
7.5. Can user-defined reports be developed? If so, can third party report writers (e.g. Crystal, Access, etc.)
be used to develop them or is there a report writing utility provided with the product?
8. Policy Enforcement
8.1. What methods of data policy enforcement are available at all 3 layers?
8.2. Does your endpoint support removable media, printing or copy and paste checking and enforcement?
8.3. Do you support mail redirect of SMTP traffic, for mail that trips a policy, to an encryption gateway?
8.4. What actions can the system take to enforce violations?
8.5. What alerting, notification or workflow processes can be initiated when a policy infraction is detected?
8.6. Do you support paging / alerting of offences to an external system (remedy, exchange, what’s up, etc)?
9. Data Retention Management
9.1. What are the estimated storage requirements for your product?
9.2. If you need parameters to calculate this, what are they?
9.3. Can you have different retention parameters for different types of data policies? HIPAA, PII, PCI
9.4. What types of storage do you support with your devices?
10. Rule Complexity
10.1. How easy is it to create custom rules/policies?
10.2. How are your custom rules defined? (i.e. point and click, scripts)
10.3. Are scripts supported?
10.4. Is there training available if necessary for writing rules?
11. Product Distinction
11.1. What do you consider distinguishes your product from other DLP products?
11.2. Are there any other technical differentiators that you think we should consider as we compare DLP
12. Vendor demonstration and proof of concept implementations
12.1. The university may require on-site vendor presentations and/or a trial implementation of the proposed
solution prior to awarding a bid. This is at the discretion of the University as to whether this is