IT- MetaDefender Secure Managed File Transfer Services

Supplement A:

State IT Policy, Standard and Service Requirements

Revision History:

Date:	Description of Change:
1/01/2019	Original Version
10/18/2019	Updated to modify service descriptions, include new services, and remove older services. A new Appendix A - Request for Variance to State IT Policy, Standard or Service Requirements was added.
12/15/2020	Updated to align with current service offerings, to incorporate the Cloud Smart strategy, and to clarify the variance request requirements.
5/13/2021	Updated to align with current Infrastructure as a Service (IaaS) Frameworks service offering.
7/19/2021	Updated to modify service descriptions, include new services, and remove older services.
02/07/2022	Updated Section 4.1. State IT Cloud Smart Strategy to clarify the scope, intent, and requirements of the service. Also, reorganized the public and private cloud information.
05/03/2022	Updated Section 4.3.6 ePayment Business Solutions audit standard. Modified Section 3. State IT Policy and Standard Requirements to remove the references to State of Ohio IT Bulletins and revise hyperlinks.
07/10/2024	Updated the format, structure, and terminology to reflect current practices. Modified the services to align with current offerings.

1. Contractor Identification and Supplement Definitions

Active Directory means the “directory service” portion of the Windows operating system. Active Directory manages the identities and relationships of the distributed resources that make up a network environment. It stores information about network-based entities (e.g., applications, files, printers, and people) and provides a consistent way to name, describe, locate, access, manage and secure information about these resources.

Agency means State of Ohio agency.

Contractor for the purposes of this supplement, includes subcontractors or other personnel under the authority or control of the Contractor performing the work or providing the services under this Contract.

Please provide the following information in the space below: Contractor name, Contractor address, associated Contract or RFP number, and solution/product/service(s) being proposed in response to the Contract or RFP.

Contract means the contract or RFP listed above under Contractor.

Customer means the Agencies, boards, commissions, institutions of higher education or local government entities that are authorized to leverage State of Ohio IT services.

DataOhio Portal established by Executive Order 2019-15D, the DataOhio Portal (DOP) displays public datasets and facilitates the request, approval, and delivery of secured datasets, providing for public access to information with transparency and ease. The portal improves Ohioan and customer interactions with Agencies.

State means the State of Ohio.

User is the individual or (system) process authorized to access a system.

2. Overview of Supplement and Requirements

This State IT Policy, Standard and Service Requirements Supplement (“Supplement”) applies to any and all work, services, locations and computing elements that a Contractor performs, provides, occupies or utilizes in conjunction with the delivery of work to the State and any access to State resources in conjunction with delivery of work.

This Supplement specifically applies to:

A. Major and minor projects, upgrades, and other software and systems inclusive of all State elements or elements under a Contractor’s responsibility utilized by the State;

B. Any systems development and integration activities performed by a Contractor; and

C. Any authorized change orders, change requests, Statements of work, extensions or amendments to a Contract.

The terms in this Supplement are in addition to any Contract terms and conditions. In the event of a conflict between this Supplement and a Contract, the strictest standard prevails.

3. Proposed Variances to Supplement Requirements

Contractors performing the work under the Contract are required to comply with this Supplement unless the State has approved a variance.

Any proposed variances to the requirements outlined in this supplement MUST be identified in Appendix A - Request for Variance to State IT Policy, Standard or Service Requirements. CONTRACTORS MUST not make any changes to the language contained within this supplement. In the event a Contractor finds it necessary to deviate from any of the IT Policies, or Standards referenced in this Supplement, a variance may be requested, and the requesting Contractor must provide a sufficient business justification for the variance request. In the event that a variance is requested post Contract award (e.g., a material change to the architecture), the Ohio Department of Administrative Services (DAS) Office of Information Technology (OIT) IT Strategic Investment and Architecture Team will engage with the Contractor and appropriate State stakeholders to review and approve or deny the variance request.

4. State and DAS IT Policies and Standards

A Contractor must comply with all State and DAS IT Policies and Standards. For the purposes of convenience, a compendium of IT Policy and Standard links is provided in the table below.

Table 1 – State and DAS IT Policies and Standards

Item	Link
State IT Policies and Standards (Please note: The documents appear under the topics Statewide Policy and Statewide Standard in the Policy Finder .)	Policy Finder: https://das.ohio.gov/technology-and-strategy/policies
DAS IT Policies and Standards (Please note: The documents appear under the topics DAS Policy and DAS Standard in the Policy Finder .)	100-11 Protecting Privacy 700-00– Technology / Computer Usage Series 2100 – IT Operations and Management Series Policy Finder: https://das.ohio.gov/technology-and-strategy/policies
Please affirm compliance with State and DAS IT Policies and Standards. If this section, or portions of this section are not applicable, please explain and note as N/A. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified.

5. State IT Services

DAS OIT delivers IT and telecommunication services. DAS OIT is responsible for operating and maintaining IT and telecommunication hardware devices, as well as the related software. This Supplement outlines a range of service offerings from DAS OIT that enhance performance capacity and improve operational efficiency. Explanations of each service are provided and are grouped according to the following solution categories. Where applicable, Contractors are required and expected to incorporate these services into their solutions or provided services.

5.1. State IT Cloud Smart Strategy

Executive Order 2019-15D, “Modernizing Information Technology Systems in State Agencies,” required all cabinet Agencies, boards and commissions to migrate information technology systems to the State’s cloud environment managed by DAS OIT. From this Executive Order, the State IT Cloud Smart Strategy (“Strategy”) evolved to support Customer cloud service needs. This Strategy is designed to provide a value-driven, dynamic, and cost-effective set of differentiating core Statewide services and innovative technologies from public and private clouds that will improve State operations and the quality of services to Ohioans.

As part of the Strategy, DAS OIT operates a Cloud Center of Excellence (“CCoE”) to focus on leveraging the State’s investment in the private cloud, while incorporating efficiencies from public cloud providers. The CCoE provides guidance that will assist in realizing the value of a multi-cloud investment. The goal is to evaluate and provide the most optimal hosting environment in the State’s public and/or private clouds. The CCoE offers a Cloud Brokerage Service (“Brokerage Service”) that supports and guides Agencies as they look to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) application and solution modernization opportunities.

Any proposed Statewide or individual Customer solution must comply with the Strategy.

The following graphic illustrates Agency, DAS OIT, cloud service provider (i.e., cloud vendor), and vendor managed responsibilities for each of the cloud services offered through the Brokerage Service, including the private cloud. These service offerings are described in further detail in the sections below. Please note that some solutions may span more than one of these categories, depending on the Agency’s business need.

Cloud Services Responsibility Matrix

(Please Note: If the Contractor feels that these requirements cannot be accommodated, an explanation must be provided at the end of this section and a proposed variance needs to be defined in Appendix A.)

Public Cloud Brokerage Service

DAS OIT is leading the effort to transform how IT services are delivered, maintained, and consumed in the State. A key outcome of this digital transformation is the development of cloud-based capabilities that will improve the quality of services, agility, and foster a culture of collaboration, accountability, and innovation.

Within the Public Cloud Brokerage Service model, DAS OIT offers IaaS, PaaS, and vendor managed frameworks. These services are available on multiple public clouds: Microsoft Azure, Amazon Web Services, Oracle Cloud Infrastructure, Google Cloud Platform and IBM Cloud. The Cloud Smart Strategy requires any proposed customized applications running on an IaaS or PaaS public cloud from any of these providers to reside in the Brokerage Service.

IaaS Cloud Brokerage Service

IaaS is the capability to provision processing, storage, networks, and other fundamental computing resources to deploy and run software, which can include operating systems and applications. The Customer does not manage or control the underlying cloud infrastructure but has control over the applications and databases. Depending on the domain, there could be limited control over selecting certain networking components (e.g., host firewalls).

The goal of the IaaS Cloud Brokerage Service is to evaluate and provide the most optimal hosting environment in the State’s public and/or private clouds. In an IaaS scenario, the State would provision infrastructure assets, such as virtual servers, that are hosted in the State’s private or public cloud tenants. The Customer would then install operating systems and application software on that infrastructure and use it.

IaaS Cloud Brokerage Service offers:

• Configuring network security groups and backups;

• Performing restores;

• Storage;

• Providing a direct network connection to the State of Ohio Computer Center from public cloud vendor locations;

• Managing and monitoring using the same tools as the private cloud;

• Patching of the operating system;

• Cloud utilization / cost analysis;

• Design consultation;

• Education; and

• Offering specific cloud expertise, when needed.

Any activity at or above the middleware layer, including the application layer, is the responsibility of the Customer and is not covered under IaaS Cloud Brokerage Service. Please refer to the Cloud Services Responsibility Matrix above on page 6 for further details.

PaaS Cloud Brokerage Service

PaaS is an offering where a cloud service provider maintains the operating system and hosts a software platform (i.e., software that can be used to build and run applications). The Customer installs or creates applications on that platform, maintains the data, and uses the application.

The capability provided by PaaS is the ability to deploy Customer-created or acquired applications onto the cloud infrastructure using programming languages and tools supported by the cloud service provider. In a PaaS scenario, the State would not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage. The Customer has control over the deployed applications, application data, and possibly application hosting environment configurations.

PaaS Cloud Brokerage Service offers:

• Vendor management of cloud service provider, who is responsible for all layers of the technology stack through middleware (refer to the Cloud Services Responsibility Matrix above on page 6 for further details);

• Providing the initial framework for build and configuration;

• Service provisioning, implementation, monitoring and alerting;

• Role-based access control security;

• Enforcing base compliance policies;

• Active directory account integration, when appropriate;

• Assistance in service request resolution via the native cloud portal and the DAS OIT Customer Service Center;

• Cloud utilization / cost analysis;

• Design consultation;

• Education; and

• Offering specific cloud expertise, when needed.

Any activity at or above the database layer is the responsibility of the Customer and not covered under the PaaS Cloud Brokerage Services. Please refer to the Cloud Services Responsibility Matrix above on page 6 for further details.

Software-as-a-Service (SaaS)

SaaS is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted on the cloud service provider’s infrastructure. For State solicitations, procurements, and contracts, only established solutions will be considered as “SaaS” and thus be exempt from hosting in the State environment. Solutions that are purpose-built specifically for an Agency will not be considered SaaS, even if the Contractor offers it in a SaaS model where it is hosted in their environment.

To meet the State’s definition of SaaS, the solution must be largely “out of the box,” meaning that limited configuration and customization is required for the application to meet the Customer’s business needs.

The Customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, except for limited user-specific application configuration settings. The SaaS provider is responsible for maintaining the infrastructure (includes patching, upgrades, etc.), keeping software current, and providing customer support. Please refer to the Cloud Services Responsibility Matrix above on page 6 for further details.

Vendor Managed Maintenance and Support within State Tenant

Vendor Managed Maintenance and Support within State Tenant (Vendor-Managed) refers to cases where a Customer needs a Contractor to manage all operational aspects of an application: development of new features and capabilities, application and infrastructure security, application maintenance, and infrastructure operations. The solution must be hosted in the State’s cloud tenant unless an exception is approved.

The State is responsible for the vendor management of the cloud service provider for contractual matters; however, the Contractor providing the application service is responsible for interacting with the cloud service provider for daily operational matters.

The Contractor must seek approval for architectural or service utilization decisions that will have cost impacts. The threshold for what requires approval will be defined with the Customer prior to the initiation of the Contractor application service.

This is a vendor-managed solution within the State’s public cloud tenant pursuant to a Contract entered into between a Customer and the managing Contractor. The underlying infrastructure of vendor-managed solutions must contain both IaaS and PaaS components, not just IaaS only.

Operating within this environment helps to ensure that the State’s Data remains in the U.S., the initial build and configuration is within the State’s framework and overlap is avoided in the internet protocol space through network addressing standards.

In terms of the Vendor Managed Cloud Brokerage Service, the Brokerage Service is responsible for:

• Monitoring and setting standards (e.g., security, tagging);

• Providing tools (vendor must use State standard tools);

• Vendor management of cloud service providers;

• Providing the initial framework for build and configuration;

• Role-Based access control security;

• Design consultation;

• Cloud utilization / cost analysis; and

• Offering specific cloud expertise, when needed.

In the event that a vendor-managed solution leverages IaaS components, the Contractor is responsible for patching and maintaining the operating system for servers, which must reside in the State’s vendor-managed tenant. Maintenance of all underlying servers, network components, middleware, databases, and application-level controls are the responsibility of the Contractor; the customer is solely responsible for data classification and interfaces with other systems. Please see the Cloud Services Responsibility Matrix above on page 6 for further details. Please note that the State reserves the right to evaluate and approve any architectural changes the Contractor may recommend.

If the proposed solution cannot accommodate the State’s Strategy, CCoE requirements, and public cloud brokerage service listed above, please provide a justification for the exception in the space below. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified.

Private Cloud Data Center Services

Server Virtualization

Server Virtualization is the practice of abstracting the physical hardware resources of compute, storage and networking of a host server and presenting those resources individually to multiple guest virtual servers contained in separate virtual environments. DAS OIT leverages the VMware vSphere platform to transform standardized hardware into this shared resource model that is capable of providing solutions around availability, security and automation.

Server Virtualization includes OIT-managed basic Server Virtualization where DAS OIT hosts the virtual server and manages the hardware/virtualization layer. DAS OIT is also responsible for managing the server’s operating system. This service includes 1 virtual CPU (vCPU), 1 GB of RAM and 50 GB of General Disk Storage used for the operating system.

AIX Systems

Advanced Interactive Executive (AIX) is a proprietary version of the UNIX operating system developed by IBM. The AIX Systems Service enables Customers to develop and run applications and/or databases without incurring the cost of setting up, administering and maintaining an operating system environment. DAS OIT runs the AIX operating system on IBM Power hardware, as a physical server or logical partition (LPAR)/virtual server. All of the AIX systems are connected to the DAS OIT Enterprise Storage Area Network (SAN) for performance, general purpose or capacity-based storage. All systems are also provided backup and recovery services.

Enterprise Backup Services

The Enterprise Backup service uses IBM Tivoli Storage Manager Software and provides for nightly backups of Customer data. It also provides for necessary restores due to data loss or corruption. The option of performing additional backups, archiving, restoring or retrieving functions is available for Customer data. DAS OIT backup facilities provide a high degree of stability and recoverability as backups are duplicated to the alternate site.

Data Center Co-Location Service

The DAS OIT Co-Location service offers Customers a Tier 3 capable secure data center environment with reliable uptime, power redundancy and redundant cooling to ensure uninterrupted access of critical data and applications in the State of Ohio Computer Center (SOCC). The SOCC is staffed and available to authorized personnel 24 x 7 x 365 and is accessible via electronic card key only.

Enterprise Data Storage

DAS OIT will work with the Contractor and Customer to determine the optimal data storage solution, if applicable. The services covered under Enterprise Data Storage include:

A. High Performance Disk Storage service offers high-performance, high-capacity, secure storage designed to deliver the highest levels of performance, flexibility, scalability and resiliency. The service has fully redundant storage subsystems, with greater than five-nines availability, supporting mission critical, Customer-facing and revenue-generating applications 24x7x365. High Performance Disk Storage is supplied as dual Enterprise SAN fiber attached block storage.

B. General Purpose Disk Storage service offers a lower-cost storage subsystem for Customers not requiring high performance disk. This service supports a wide range of applications, including email, databases and file systems. General Purpose Disk is also flexible and scalable and highly available. General Purpose Disk Storage is supplied as dual Enterprise SAN fiber attached block storage.

C. Capacity Disk Storage service is the least expensive level of disk storage available from DAS OIT. Capacity Disk is suitable for large capacity, low performance data, such as test, development and archival. Capacity Disk Storage is supplied as dual Enterprise SAN fiber attached block storage or as file-based storage.

Open Systems Disaster Recovery as a Service

A. Open Systems Disaster Recovery as a Service (DRaaS) offers server imaging for Windows and AIX and storage at a geographically disparate site from Columbus, Ohio. The service provides Customers with a private DRaaS solution connected to the SOCC via the Ohio One Network that consists of the following:

• Compute to allow expected performance in the event of a complete failover;

• 24vCPU per host with 32 host in the environment all licensed with VMware;

• Support of the orchestration and replication environment;

• Site connectivity; and

• Stored images available upon demand.

This service is provided through a contracted third party who is responsible for all management and equipment at the facility.

Metro Site Facility

The Metro Site Facility Service provides a secondary, near real-time (measured in milliseconds) failover from the SOCC. This service provides for the facility, site connectivity, ongoing support of server images for DRaaS, and associated services. Metro Site Facilities are offered to support Virtual Server and Data Storage Customers providing Global/Metro Mirroring at a secondary near real time failover site. This service provides duplicative server facilities to match Server Virtualization and Data Storage Rates. Storage necessary for support of the disaster recovery image will be billable at the standard storage rates.

Mainframe Disaster Recovery

Mainframe Disaster Recovery services are offered to Customers of DAS OIT’s IBM mainframe environment. Services are made available via IBM’s Business Continuity and Resiliency Services, which provides hot site computer facilities at a remote location.

Tests are conducted bi-annually at IBM’s hot site location, during which DAS OIT’s mainframe computer infrastructure is restored. Once the mainframe system is operational, participating Customers restore their production applications and conduct extensive tests to ensure that those applications have been successfully recovered and would be available in the event of an actual disaster.

Mainframe Systems

DAS OIT’s Mainframe Systems services offer an IBM mainframe computer sysplex with a processing speed rating at 5,700 million instructions per second (MIPS). This mainframe uses the z/OS operating system and the Job Entry Subsystem 3. Additionally, the system is connected via fiber to DAS OIT’s High Performance Disk Storage, which affords reliable and fast disk access and additional storage capacity when needed.

The Mainframe Virtual Tape service option is available that optimizes batch processing and allows for better tape utilization using the EMC Disk Library for Mainframe virtual tape.

If the proposed solution cannot accommodate the State’s Private Cloud Data Center Services listed above, please provide a justification for the exception in the space below. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified.

5.2. InnovateOhio Platform (IOP)

Executive Order 2019-15D, “Modernizing Information Technology Systems in State Agencies,” established the IOP initiative. IOP focuses on digital identity, the User experience, analytics and data sharing capabilities. The IOP provides integrated and scalable capabilities that better serve Ohioans.

IOP Identity Service Offerings for Ohioans and Workforce

IOP consists of a full-suite Identity Provider (IdP) service in which applications connect through Security Assertion Markup Language (SAML)/ OpenID Connect (OIDC) protocols. Using an IdP allows Customers to focus on their application without having to worry about account management, roles, and account recovery. OHID for Ohioans is a self-service platform where Customers can create/manage their own accounts and request access to Agency applications. OHID for workforce integrates User lifecycle management with the Ohio Administrative Knowledge System (OAKS) and Active Directory. OHID’s identity service also includes multifactor authentication, identity proofing, single sign-on, and coarse-grained access control.

IOP User Experience Service Offerings

IOP centralizes website hosting and maintenance throughout the State on a single platform. The portal contains out-of-the box page templates and resources that are customizable to the Customer’s needs. Workflows allow Customers to delegate authority for managing and updating their website.

IOP Web Forms

IOP hosts a self-service web form building tool using Form.io’s web form technology. This tool enables Agencies to quickly build webforms, embed them on their existing website or applications, and access their data through a secure API.

IOP Data and Analytics Products

IOP Data Analytics provides the ability to build analytical and reporting solutions and deploy them in the most impactful manner possible by putting data in the hands of Customers in their natural workflow. The data analytics platform and supported applications enable Customers to move from concept to results. The service features include:

• Analytical Reporting Outputs; • Artificial Intelligence and Machine Learning; • Data Science; • Developer Portal; • Embedded Analytics; • Query Exploration; and • Visual Analytics.

IOP Data Integration provides the capability to combine information from a wide array of sources, applications and formats so that it can be analyzed to derive valuable business insights. Furthermore, data ingestion pipelines can be automated and governed, while ensuring secured access to the data. The service features include:

• API (Application Programming Interface) Data Gateways; • Data Ingestion; • Enhanced Streaming; • Internet of Things; and • Workload Automation.

IOP Data Management provides rich and secure capabilities to harness the power of the analytics platform, leveraging Customer friendly and pre-configured technologies. Additionally, the product supports a bring-your-own-tool approach, allowing analysts and data scientists to work on the platform with the technologies they are most comfortable using. The service features include:

• Data Usage and Access Audit; • Cloud Data Analytics Platform; • Data Warehouse (Cloud and On-Premises); • Common Tool Integration; • Containerization; • Data Anonymization and Tokenization; • Data Catalog; • Data Lineage; • Data Quality and Profiling; • Data Sharing; • Data Transformation; • Entity Resolution; • Graph Framework; • Library and Code Management; and • Relational Search.

IOP Data Analytics service offerings include the support and training necessary to successfully engage and onboard Customers to perform applied analytics work on the platform. The service offerings include: • Application Labs; • Data Onboarding; • DataOhio Portal; • Development Services; • Engagement; • Project Support; • Solution Design and Architecture; • Training Resources; • Use Case Development; and • Data Analytics Advisory and Guidance. The Enterprise Tableau Service provides a leading data visualization tool used for reporting and analyzing data. It offers data visualization and dashboard solutions, making it easier for Agencies to understand their data and achieve their data goals. The service features include: • Integration with Data Sources; • Enterprise Server Supported by IOP; • Data Interaction Capabilities; • Dashboard publishing and/or sharing on a site; • Secure content via permission-based access; • Automated data refreshes; • Embedded dashboards; and • Agency site hosting, maintenance, and upgrades by IOP Data Analytics Team. Please explain how the IOP Identity Service Offerings will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified.

Please explain how the IOP User Experience Service Offerings will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified.

Please explain how the IOP Data and Analytics Service Offerings will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified.

5.3. Enterprise Application Services

Artificial Intelligence Capabilities

Please explain if your proposal contains any Generative or Conventional Artificial Intelligence capabilities. For example, machine learning, deep learning, biometric recognition, summarization, or natural language processing. If so, please detail the proposed architecture elements in the space provided below.

Enterprise Hosted Document Management

The Enterprise Hosted Document Management is a standardized, integrated solution for document and content management. The core components of the solution include:

Document Management core capabilities such as: secure check-in / check-out, version control, and index services for business documents, audio / video files, and Environmental Systems Research Institute / Geographic Information Systems (GIS) maps.

Image Processing for capturing, transforming and managing images of paper documents via scanning and / or intelligent character recognition technologies such as Optical Character Recognition.

Workflow / Business Process Management for supporting business processes, routing content, assigning work tasks and creating audit trails.

Records Management for long-term retention of content through automation and policy, ensuring legal, regulatory and industry compliance.

Electronic Data Interchange (EDI) Application Integration

The EDI Application Integration service is a combination of Application Integration, Data Exchange and EDI functionality. This service provides application to application connectivity to support interoperable communication, data transformation, and business process orchestration amongst applications on the same or different computing platforms. Business process orchestration between many data formats may be supported including Web Services, XML, PeopleSoft, SFTP, MFT, HTTPS, MSMQ, SQL, Oracle, Flat File, SAP, DB2, CICS, EDI, HIPAA, HL7, Rosetta Net, etc.

The Data Exchange component allows unattended delivery of any electronic data format to a Customer via encrypted files over public FTPS, SFTP, VPN.

eLicense Ohio Professional Licensure

eLicense Ohio Professional Licensure is the State’s online system used to manage the issuance, certifications, inspections, renewals and administration of professional licenses across the State. The eLicense application is a public/business facing system that is designed to foster the creation and growth of businesses in the State and is the mechanism through which Agencies, boards, and commissions support Ohioans. The system is a central repository for license and certificate data, in addition to managing the generation and storage of correspondence. Secure fee collection is performed through an online payment processor, which includes bank transfers, credit cards, and other payment types.

ePayment Business Solutions

DAS OIT’s ePayment Business Solution allows State Agencies as well as boards and commissions to accept electronic credit card and Automated Clearing House (ACH) payments from Customers. The ePayment solution is a highly flexible payment engine supporting a wide range of payment types: credit cards, debit cards, electronic checks, as well as recurring, remote capture and cash payments.

The solution utilizes a single, common gateway to permit the acceptance of payments from multiple client application sources: Web, IVR, kiosk, POS, mobile, over the counter, etc. Payment processing is supported through multiple credit card gateway options, ACH bank processing, and check acceptance services.

The ePayment solution is compliant with the Payment Card Industry Data Security Standard, the Electronic Fund Transfer Act and is audited to the standards of Statement on Standards for Attestation Engagements 18 SOC 1 Type II.

Enterprise eSignature Service

The State of Ohio’s eSignature solution is a FedRAMP SaaS solution, which offers a standardized approach to cloud security. The solution functions include workflows, tracking, audit logs and protection against forgery/non-repudiation.

IT Service Management Tool (ServiceNow)

DAS OIT offers ServiceNow, a cloud-based IT Service Management Tool that provides internal and external support through an automated service desk workflow-based application which provides flexibility and ease-of-use. The IT Service Management Tool provides workflows aligning with Information Technology Infrastructure Library processes such as incident management, request fulfillment, problem management, change management and service catalog. These processes allow Customers to manage related fields, approvals, escalations, notifications, and reporting needs. Customers have the option of provisioning the entire suite of service features or selecting those features best suited for their needs.

The following modules are currently in use on the enterprise platform:

• IT Service Management;

• IT Operations Management;

• IT Business Management;

• Governance, Risk and Compliance;

• Security Operations; and

• Intelligent Applications.

Automated Ticketing

DAS OIT offers Watson Automated Ticketing in the State of Ohio Customer Service Center that integrates with ServiceNow for Agencies interested in having incidents and requests in their UNASSIGNED queue that comes through email assigned to the proper resolver queue. This service will route these incidents to the appropriate queue based on historical data and optionally provide other use cases as well. Watson is a cognitive automation platform that leverages machine learning, natural language processing, deep learning, semantic ontologies, pattern recognition, etc. It automates processes to provide more efficient operation with higher quality results compared to manual performance.

Ohio Benefits

Ohio Benefits provides a comprehensive and effective platform for planning, designing, development, deployment, hosting and ongoing maintenance of State Health and Human Services Public Assistance Services and Programs.

Ohio Benefits provides superior eligibility services including self-service for Ohioans, efficient workflow management and coordination, an agile and easily manageable rules engine, improved data quality and decision support capabilities. Ohio Benefits supports improvement in State and county productivity, capability, and accessibility of benefits to Ohioans through a robust enterprise system.

The Ohio Benefits platform provides four distinct technology domains:

Common Enterprise Portal: User Interface and User Experience Management, Access Control, Collaboration, Communications and Document Search capability;

Enterprise Information Exchange: Discovery Services (Application and Data Integration, Master Data Management, Master Person Index and Record Locator Service), Business Process Management, Consent Management, Master Provider Index and Security Management;

Analytics and Business Intelligence: Integration and delivery of analytics through alerts, notifications and reports; and

Integrated Eligibility: A common Enterprise Application framework and Rules Engine to determine eligibility and benefits for Ohio Public Benefit Programs.

Privacy and security are the foundational blocks of the platform which is compliant with all State and federal standards.

Ohio Business Gateway

The Ohio Business Gateway (OBG/Gateway) is a collaborative initiative of state and local government Agencies under Ohio Revised Code 125.30. Ohio businesses use the Gateway to access various services and submit transactions and payments for seven state agencies and 300+ Ohio municipalities.

By offering a single website for electronic filing, the Gateway provides businesses with an easier means to comply with multiple regulatory requirements. The Gateway directly benefits government by helping to reduce administrative costs and lowering the need for Agencies to develop and maintain online applications.

Additional information on the OBG is available at https://gateway.ohio.gov/ .

OAKS

OAKS is the State’s Enterprise Resource Planning system which provides central administrative business services such as financial management, human capital management, talent management, enterprise learning management and Customer relationship management.

Core system capabilities include Financials (FIN), Human Capital Management (HCM), Customer Relationship Management (CRM), Business Intelligence, Ohio Pays, Ohio Learn, Ohio Recruit, and Timekeeping.

Enterprise Geographic Information Systems (GIS)

Enterprise GIS delivers dynamic maps, spatial content, and spatial analysis via the Internet. It can also provide static digital or printed maps or simply just tabular results from spatial analysis. Customers can integrate their own data with enterprise-level GIS data and display it as an interactive map. These interactive maps can be stand-alone applications or embedded within new or existing websites.

DAS OIT offers the following GIS services, Geodata Hosting, Geoprocessing, GIS Map Application Hosting, and Enterprise Geocoding.

OhioBuys

The State of Ohio’s online eProcurement system. It provides the primary platform for Agency employees to perform procurement activities, including purchasing goods and services provided by supplier partners, releasing bid opportunities, and managing contract events.

Please explain how the State’s Enterprise Application Services will be incorporated into the proposed solution. If this section, or portions of this section, are not applicable, please explain and note as N/A. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified.

5.4. Application Security Architecture

If a Contractor is proposing the development or modification of an application as part of their response, the solution must align with IT security and privacy contract terms and conditions specified by the State. This applies regardless of whether the application is hosted in the cloud, on-premises, or is hybrid based.

In the response box below, please describe the proposed application security architecture. Listed below are a few examples of the items that should be addressed:

• Application security testing;

• System hardening controls (as indicated by applicable regulatory requirements);

• Auditing and logging;

• Web application and service protection;

• API security and API gateways;

• Security of data at rest and in transit;

• Mobile application security (if applicable);and

• Cloud application protection and compliance (if applicable).

Please describe the proposed application security architecture or provide supplemental architecture design diagrams. The response should include sufficient detail for the State to identify the application architecture elements that are in place to help prevent security vulnerabilities and protect against threats that can compromise data or services. If this section is not applicable, please explain and note as N/A. Please note that any proposed variances must be identified in Appendix A – Request for Variance to State IT Policy, Standard or Service Requirements. The language within the Supplement shall not be modified. ...