2014/2015 (rfi) summary -...

1

Community

Shared

Services

2014/2015

IT Managed Services

Request for Information

(RFI) Summary

2

Table of Contents

1. Project Background 3

2. RFI Process 4

3. Overview of Findings 5

4. RFI Findings 6

Organization Overview 6

Helpdesk and Technical Support 12

IT Planning and Strategy 15

Colocation and Cloud Hosting

Services

17

Feedback 21

Innovation 23

5. Pricing Methodology 24

6. Next Steps 25

3

Project Background

IT Managed Services Project Background

With the requirements of technology and infrastructure continually evolving, the Toronto

Central Local Health Integration Network (TC LHIN) determined there was a need to im-

prove upon information infrastructure capacity within the Community Addictions, Com-

munity Mental Health, Community Support Services and Community Health Centres. An

assessment of Information Management and Information Technology (IT-IM Assessment)

was conducted with a group of HSPs from October 2013 to June 2014 to acquire a better

understanding of the current state environment.

The IT-IM Assessment provided an overview of how HSPs’ IT infrastructure is performing

compared to standards established by the Assessment Team. The assessment found that

HSPs were experiencing common challenges within their organizations. These included

issues such as the age of their computer equipment, the need for reliable and robust in-

ternet connectivity, as well as the desire for centralized management of IT related poli-

cies and procedures.

A Request for Information (RFI) was issued by Reconnect Mental Health Services in Feb-

ruary 2015 for the purposes of gathering information from the marketplace for an IT Man-

aged Services provider that could support the needs of the Community Sector within the

Toronto Central Local Health Integration Network. The RFI was intended to assist in help-

ing shape future strategic direction and/or requirements as they relate to Information

Technology and associated support services within the Community Mental Health, Com-

munity Addictions, Community Support Services and Community Health Centre sectors.

The desired outcome of the RFI was to assist the requirements gathering process for the

possible release of a future procurement and to better understand the current market of

IT Managed Services providers as it relates to Help Desk and Technical Support, IT Best

Practices and Colocation/ Cloud Hosted Services for the community sector

4

RFI Process

RFI Process An RFI Committee was developed to outline the scope and development of the IT Managed Ser-vices RFI. The committee was comprised of a Technical Expert, a Sector Representative, a Project Advisor and a Director of IT and Shared Services. The committee took the findings from the IT-IM Assessments and current industry trends into consideration when developing the scope of the RFI

RFI Schedule

All of the responses were reviewed individually and summarized into a chart for-mat for discussion amongst the RFI Committee. A meeting was held to review the information summarized to ensure completeness and accuracy. This infor-mation was used to determine next steps and create recommendations going for-ward.

Activity Date

RFI Issued Monday, February 9, 2015

Respondent Question Deadline to the RFI Monday, February 23, 2015

Answers to Respondent Questions Wednesday, February 25, 2015

Submission Deadline Monday, March 2, 2015

5

Overview of Findings

Responses Received Reconnect received a total of 5 responses to the RFI from the following vendors;

CGI Compucom Hudson Technology Pathway QLogiteck

Overview of Findings The ITMS RFI responses found that all respondents are able to offer the services request-ed, with the exception of one not offering Managed PaaS and Managed SaaS services. A “menu of services” are a standard practice amongst respondents and are customized on a per client basis. Pricing is subscription based and can be fixed, usage based or on a per user / device / month / annum basis. All respondents outlined the use of ITIL-based ITSM software tool for their ticketing system to track and monitor Help desk and Technical Support needs. Ticketing systems include client portals to review open tickets and access reports. Help Desk and Technical support was highlighted as one of the main service of-ferings provided and requested by respondents, and it was recommended that Help Desk be a part of a managed services offering, bundled with complementary services to meet the needs of HSPs. All respondents identified the decentralization of HSPs IT processes and procedures to be a key challenge, and recommend that the centralization of these processes and procedures.

6

RFI Responses

Overview of Vendor Responses The following is a summary and not an evaluation of responses received from vendors to the questions that were included as a part of Appendix A of the RFI. Respondent Service Overview - Please provide an overview of the Product/Service offer-ing, specifically addressing the following: 1. Organization Overview

1.1 Main Products/Services (components offered) in comparison to the services re-quested in section 2 of the RFI. Not all respondents identified “main” products service offering, but rather that

they were able to support all the service we requests Of those that did provide main service offerings the following were identified;

24 x 7 Help Desk Support Managed Servers & desktops Security Services Managed Networks Data Centre Outsourcing IT Strategy & Planning; Colocation / Cloud Hosted Services.

Dedicated Infrastructure

1.2 Staff structure and solution delivery – support capacity and bench strength (front-line staff, technicians) how do you staff & hire? How do you handle clients’ management incident resolution? ITIL? What certifications does your staff have?

All respondents employ rigorous staffing and recruiting strategies to ensure

their team’s have the technical expertise and certifications required to support the business model

Respondents sizes varied in sizes from small local organization to large global corporations

Majority of respondents outlined detailed incident resolution practices, with most employing ITIL v3 strategies

Certifications highlighted by respondents included;

Cisco Certified Internetwork Expert (CCIE) Certified Information Systems Security Professional (CISSP) Microsoft Certified Solutions Expert (MCSE) Microsoft Certified IT Professional (MCITP) A+ Certified VSP VTSP VCP 5 Data Center Compellent McAfee EPO Falconstor CDP

7

Hyper V Certified MCP CCNP CCDP WatchGuard Admin CAPM

MSP – Hyper-V LabTech/ConnectWise System Administrator HP Channel Partner (HPCP) Microsoft Mobile Certified,

1.4 Licensing model (e.g. how are the software/services packaged?)

Some respondents did not provide licensing information as they felt further in-

formation would be required, but work to tailor service packages to the client environment

All reference packaged service agreements Other respondents discussed their Managed service offerings Some pricing discussed as annual fees and one time fees for specific projects One respondent outline 3 levels of licensing models

Service Provider License Agreement (SPLA) model Purchasing from us Buy your own

1.5 Describe the enterprise operating systems your organization support the most frequently.

Most frequently respondents stated that they service Microsoft, Apple and

Linux Operating systems, but that they are capable and have experience servic-ing all desktop, server, tablet and mobile devices operating systems.

Systems supported that respondents listed were as follows; Windows Based operating systems Linux Open Source; Apple Macintosh. Z-VM, Z-OS, Z-Linux for IBM mainframe AIX for IBM P systems Solaris for Oracle-Sun systems VMware Citrix

Most of the mobile OS available for smartphones and tablets (iOS, An-droid, Symbian, Windows, etc.)

Server OS: MS Windows Server,

UNIX, Microsoft Hyper-V

8

1.6 Pricing Model – How are your services priced? (I.e. subscription, hourly, or other model) how do you invoice for your services not included in your model? Is there a minimum charge per ticket/issue? (i.e. ¼ hour)

Majority of respondents outlined subscription based pricing that are either fixed, priced per month, per device or usage based

Respondents outlined service not included within subscription are charges on a per in-cident basis, i.e. special projects

Most respondents referenced Managed Services subscriptions and pricing and con-tracts are created based on customer volumes

Some respondents did not want to provide pricing information

Respondents outlined the use of ITIL based ticketing system and that minimum time per ticket was 15 minutes.

1.7 What is your process to become an expert on client software that your staff is currently not certified on?

Respondent outlined that there are certified with the most up to date certifications hat encompass infrastructure, middleware and software and that they provide staff with training opportunities on an ongoing basis

Respondents also outlined that they train staff on client software as needed.

1.8 Description of past/current clients – Please describe 3 projects within the last 3 years, and projects with clients who did not have a lot of technical expertise. How do you help these clients be more effective? Have you previously provided ser-vices to a dispersed organization with different sizes and needs? Where available, please include healthcare or community based references.

All respondents provided 3 or more past clients with details on the challenges

and solutions employed. Majority of respondents had at least one past client within the Health Care sec-

tor Health Care Sector clients included;

CAMH UNH eHealth Ontario Toronto LHIN Schizophrenia Ontario GTA West Diagnostic Imaging Repository

1.9 What are the top 3 services demanded most by your clients?

Majority of respondents stated that they are able to service all the of the ser-vices we requested within the RFI

Most demanded services listed included; Help desk and Technical Support Service Cloud services Consulting – architecture, software development and governance Service Desk

9

End User Computing Data Centre Services practice Monitoring (System Health, upgrades/updates) Backups / Disaster Recovery Infrastructure as a Service Application Hosting

Service Desk Managed connectivity Colocation

1.10 Have you implemented “a menu of services” in the past? If not, can you offer a menu of services, and ensure they best meet client needs? If yes, how was it ac-complished?

Majority of respondents outlined that menu of services is their standard pricing

model Respondents stated that they work with clients in order Tailor services to their

specific needs.

1.11 What are your recommended mandatory services bundled together?

Some respondents did not provide feedback as bundles will be based on clients

individual needs. Respondents outlined that they would conduct comprehen-sive requirements gathering of client’s needs, analyze their IT roadmaps, risks, challenges, and mandates against the services available

One respondents recommended the following based on the information provid-ed in the RFI

Managed desktop support utilizing a virtual desktop infrastructure Managed server support running in a virtual server infrastructure Help desk support that includes an ITIL-based ticketing system that re-

ports SLAs Network and Security management.

Other respondents outlined the following services be bundled together Help Desk Email and Spam Filtering Email Archiving and Backups/Disaster Recovery Infrastructure Monitoring and Management Service Desk and End User Computing

1.12 Support Best Practices / Methodology – Describe how you implement best practices to ensure the efficiency in the provision of your service offerings, and recommend improvements where identified to the HSP.

Respondents outlined that they work with the clients at the beginning of the

relationship to analyze current best practices and recommend opportunities for improvements.

Continuous monitoring and analysis help to identify areas of improvement.

10

Where identified, respondents work with their clients to inform and plan for change

All respondents employ one or more of the following support / best practices methodologies

ISO 9001:2008 Quality Management Six Sigma Process SOC and ISO Security Best Practices

1.13 Do you have different levels of SLAs for different IT services and what are they? Description of kinds of SLA’s for the different service levels.

Respondents listed varying SLA’s, with the majority outlining coverage, re-

sponse and resolution time Some respondents outlined that SLA’s are agreed upon from the onset of ser-

vice with the customer and ITIL-based Service Catalogue to help define the lev-el of service clients desire

An example SLA Critical Priority – Extreme Business Impact Outage to a production server or system requiring Coverage: 7x24x365 Response to call: 20 min Resolution / Resolution plan: 4 hours SLA Attainment: 90%

High Priority – High Business Impact Problem affecting an entire department or multiple users Coverage: 7x24x365 Response to call: 1 hour Resolution / Resolution plan: 8 hours SLA Attainment: 90% Medium Priority – Moderate business Impact Problem has affected client’s productivity, but there is a workaround to

allow client to continue to work Coverage: 7x24x365 Response to call: 3 hours Resolution / Resolution plan: 16 hours SLA Attainment: 90% Low Priority – No Business Impact Little or no operational impact, request for information are included here. Coverage: 5 days x 9 hours Response to call: 4 hours Resolution / Resolution plan: 32 hours SLA Attainment: 90%

11

1.14 Do you have a relationship with particular hardware/ software provider(s)? Respondents listed having relationships with a wide variety of vendor and soft-

ware providers which included some of the following; Microsoft Cisco IBM

HP Del Nexsan Ruckus Sophos Veeam VMware Citrix Falconstor Labtech Eset (Nod32)

Acronis Trend Micro Avaya Allstream Etc…

1.15 Do you outsource to any third parties? Please explain.

Majority of respondents do not outsource to third parties as they have the in-

house capacity Some stated that they do partner or outsource with third parties for services

like; Vendor Support and Maintenance Service Plans Physical Data Centre Infrastructure Telecommunications Services (Circuits, Internet, Wireless Voice & Data Plans) Certain hosted Software as a Service (SaaS) Offers (OEM vendors and special-

ists)

1.16 Are you a certified partner of any technology company (i.e., Microsoft, Dell, Cisco etc.)? Or have a preferred list of equipment/software suppliers?

Similar to the relationships with software and hardware providers, all respondent

have varying certified partnerships with technology companies Examples include, but are not limited to;

Microsoft Oracle SAP Hitachi

Cisco

12

Dell OpenText IBM Dell Cisco VMware

Citrix IBM Trend Micro Avaya Etc…

1.17 Where are your staff / call centres located? Where would HSPs be receiving service from?

All respondents are located within the GTA Some respondents have offices and data centres in other regions of the prov-

ince and country 2. Help Desk & Technical Support

2.1 Describe how your services would support HSP’s Help Desk and Technical Sup-port Needs? What methods would you provide support through?(i.e., Phone, ticket system, etc.)

Majority of respondents use and ITIL-based ITSM software tool for their ticket-

ing system to track and monitor Help desk and Technical Support needs Majority of respondents support help Desk and technical support needs via

phone, email, live chat, knowledge base and online ticket submission portals

2.2 Are there any portions of the Help Desk & Technical Support services that your organization currently does not service? Network Services General Support Information Security Hardware / Software Deployment Business Continuity System Management Storage All respondents stated that they have the capacity and services available to

support all the requirements

13

2.3 Please provide framework of your escalation process. Respondents listed various strategies that outline the levels of escalation, and

depending on the issue and its impact on business activity, how fast it gets es-calated and its priority

Different levels of management are incorporated at different stages of the es-calation process

Some respondents stated that incident management is also customizable with the clients

Most respondents use the ticket management tool to also track incidents as they move through the escalation process to completed / resolved.

2.4 Do you have any product and service preferences? Do you support hardware/software outside of these? Do you have experience servicing others? All respondents stated that they will work with all client software and hardware

needs, and ensure that their staff has the technical expertise required to service them

Some stated preference towards some of the following; Microsoft VMware Linux open Source Apple

2.5 What is your process to assure resolution meet SLA’s requirement? AS with the SLA’s themselves, respondents outlined the resolution and efficient

response times can be agreed upon from the onset of service. Respondents use their ticketing too to monitor, communicate and report on

SLA progress . Respondents outlined the use of effective communication with client during the

service or incident, oversight of management at each stage, along with contin-uous monitoring and improvements tracking reporting to ensure resolutions are met.

2.6 Ticketing System How does your solution track, monitor and report on IT issues received through Help Desk? How does it categorize request priority? Do you have a ticketing system in place? Is there a customer portal to access your ticketing system for reports, or issues tracking? What type of reporting and analysis is available to the client?

All respondents have some form of ticketing system in place to track monitor

and report on IT issues that come through the help desk All respondents stated that there is portal access for customers available to log

in a view ticket progress. Some even stated that their portals also offered a managerial view, where higher level details would be available.

All respondents stated that there systems including reporting on various

14

metrics Respondents outlined that Ticketing systems allow for the determination of re-

quest priority based on impact and criticality Respondents outlined various workflows for categorizing and responding to

ticket items Ticketing systems offer reports that are out of the box, but there is also the

ability to customize reports based on customer needs Report types include

Structured reporting (as part of management process) Service Level Agreement (SLA) reporting Balance Scorecard reporting

Activity reporting Pricing details - impact of demand SLA and KPI targets Agent utilization, time of day/week/month/year ticket type, contact channel Governance objectives.

Some respondents highlighted various features available on their ticketing sys-

tems including; Knowledge Management Search Engine Artificial Intelligence (AI) Workflow Management Customer Surveys Real Time Artificial Intelligence: Service Level Agreements

2.7 Project Management 2.7.1 What is your methodology?

All respondents employ one or more of the following support / best practices

methodologies PIMBOK PRINCE 2 ITIL v3 ISO 9001:2008 Quality Management Six Sigma Process SOC and ISO Security Best Practices

2.7.2 How do you identify the need and implement upgrades to existing solutions or hardware? Ticketing systems are used to alert respondents when new hardware or soft-

ware upgrade is required The ticketing systems monitor and track license management and renewal, as-

15

set management and asset renewal, Commercial Software maintenance, update of security certificates and systems and recommendations for hardware re-fresh/maintenance.

Respondents also use Asset inventory tracking databases to ensure technical infrastructure is up to date and to plan for upgrades and maintenance

Respondents also indicated that they use performance monitoring and capacity management tools to consistently gather key performance indicators that are made available in reports.

The Program Manager will typically conduct Quarterly and Annual Business Re-views with the customer on the status of hardware and software

Respondents use change management teams when / if upgrades are required to analyze the scope, risks, impacts, scheduling, and outcomes of any change.

2.7.3 How do you escalate if and when additional issues arise? What is your change management process?

Respondents use various methods of escalation and change management. Most respondents employ ITIL methodology or RACI models, while others de-

scribed internal Change Advisory Boards Change management processes consider the impact of change and prioritize

changes under various levels. Change management processes include consultation with clients and daily in-

ternal meetings 3. IT Planning & Strategy

3.1 How would your services support HSPs in employing IT Best Practices? Majority of respondents identified their certification in PMP for Project Manage-

ment, ITIL for ITSM and technical certifications including CCNA, Respondents also outlined the that apply the best practices outlined by ITIL,

PIMBOK, SOC 2 Type II, SOC 1 Type II, CSAE 3416, ISO 9001:2008, and ISO 27001:2013 for compliance standards and certifications for all security, privacy, and quality management controls and processes

Some respondents outlined that they have host monthly internal Best Practice sessions to keep staff up to date on any changes or new methodologies

Respondents also stated that they participate in industry and vendor confer-ences and associations to receive a current-view of best-practices evolving in the industry

One respondent outlined the use of different strategies for our various types of organizations. (i.e. A vs D) that included different standards based on their basic needs

3.2 How do you maintain the consistency of IT Best Practices provided/applied by your organization’s personnel? Yearly audits, use of ticketing system / monitoring tool Appliance of IT best practices / methodology described in 3.1, and adherence

to SLA’s set out at the onset of service

16

3.3 What is your onboarding process for new clients? What do you do to ensure this is done effectively?

Respondents’ onboarding processes very, but all start with “kick-off” type

meetings where project expectations will be discussed as well as duties, roles and responsibilities for each of the team members as well as a high-level plan for each of the phases of the project including project approach, key mile-stones, deliverables and expected timelines.

3.4 How do you identify risks in an organization, or across organizations? Do you proactively monitor and resolve issues? How do you do this? (I.e. what are your processes?)

Monitor using ticketing/ monitoring too Risk Management plans are outlined at the onset of the work and is revised reg-

ularly to ensure the appropriate identification, assessment and mitigating mechanisms are established

The risk management plan looks at risk assessment, risk control and ongoing risk management

A failure modes and effects analysis (FMEA) is used for analysis of potential failures within a system for classification by severity, or determination of the effect of failures on the system

3.5 How does your organization stay informed on trends in technology and best practices? How / when do you decide to make recommendations to an organiza-tion? Communication with external advisory boards Subscribes to third-party industry research from Gartner, IDC and Aberdeen

Group One respondent stated that they are a distributor of technology trends and cre-

ates annual Technology plan Another respondent outlined that they internally have divisions dedicated to

keeping an eye on industry trends and the creation of solutions for our custom-ers around them

Attendance of Trade conferences, Training session, use Labs, testing, market analysis and audits

Update clients in monthly, bi-annual, annual meetings Critical issues recommended through the usual recommendation process

3.6 Initial and Ongoing Assessments – Do you offer initial assessments of IT infra-structure? All respondents conduct IT assessment at the onset of service Ongoing assessment are a part of service offerings

Assessments look for understanding of the following; Risks Constraints Timelines Technology

17

Facilities Roles and responsibilities Current processes Dependencies

3.7 Does your organization deliver IT Service Reports related to internal statistics, performance, issues or trends?

All provide reports Some provide monthly reports that may include performance statistics, perfor-

mance, issues and trends, Service Level metrics including system availability, throughput and performance, summary of the number of support incidents opened within a month broken down by category, severity and type

3.8 Do you create annual reports that outline current IT issues, recommendations for improvement and current technology trends? Will you provide estimation of costs? When providing information to clients on new products of services how you do show ROI to clients? Majority create annual reports that will outline IT issues, recommendations for

improvement and current technology trends Some create quarterly reports or monthly reports Reports outline; Costs, Benefits, Risks and dependencies, Proposed timeline and

implementation steps, Issues with continuing to use current systems/processes/hardware

3.9 Does your organization provide privacy training to staff at your organization? (Ex. FIPPA) Majority of respondents have their staff trained on privacy, either internally or

on FIPPA, ISO certified Client Partner Membership Framework (CPMF) . All understand and comply with both internal and client obligations with re-

spect to Privacy Legislation including the Personal Health Information Protec-tion Act, Ontario, 2004, Freedom of Information and Protection of Privacy Act, Ontario and the Personal Information Protection and Electronic Documents Act, Canada.

Some have staff participate in Freedom of Information and Protection of Priva-cy Act (FIPPA) or Personal Health Information Protection Act (PHIPA) training courses.

4. Colocation and Cloud Hosted Services

4.1 Do you deliver managed colocation or cloud services? Please describe your ex-perience with either/both solutions.

All provide this service Varying degrees of experience in this One respondent leverages a partnership with a datacentre, while other use their

own Service offered -

18

Email-as-a-Service, Instant Messaging-as-a-Service, Centralized File Stor-age, Desktop Data Backup-as-a-Service, VPN-as-a-Service, Endpoint Se-curity-as-a-Service

Migration, procurement, and implementation services Construction of secure cages and private data suites Server monitoring and management Operating system and hypervisor management Application management (MS SQL, Exchange, SharePoint, CRM, and oth-

ers) Network and security management (Cisco, Fortinet, and others) High availability cloud and virtualization services Disaster recovery planning, implementation, testing, and management

services Backup and restoration services Compliance, security, privacy, and performance audits and recommenda-

tions

4.2 How would your solution support HSPs Colocation and Cloud service’s needs? Respondents stated that they would work to ensure that HSPs can work with-

out worrying about backups, security and high availability. Deliverane of both a virtual server infrastructure and a virtual desktop environ-

ment. Encrypted storage would be available to both servers and desktops while keeping each business entity federated. The managed network and security service would ensure that all access to services and data are properly protect-ed.

Respondents stated that they would offer\s a fully range of planning, design, build, transition, disaster recovery/business continuity, and management ser-vices for our colocation services

Managed services include server management, operating system management, network management, security management, and application management. Managed PaaS services include all monitoring and support of CRM, OSS from Oracle, databases, Microsoft Exchange/SharePoint, CMS, web hosting, monitor-ing systems, cloud storage, and disaster recovery as a service (DRaaS).

Through the use of Cloud Advisory/Consultative Services

4.3 What is your SLA for colocation or cloud service? 99.99% uptime – required maintenance periods not covered. client-specific and are derived from an ITIL-based Service Catalogue specifying

the detailed services to be provided as well as the target performance metrics associated with each service area item.

Example of Cloud SLA Server Availability:

Gold: 99.9% Silver: 99.5% Bronze: 98.0%

Data Centre Network Availability: 99.99% Storage – LUN uptime:

19

Tier 1: 99.9% Tier 2: 99.5% Tier 3: 99.0%

Backup Services:

Daily Backup completion: 99% Weekly Backup completion: 99% Backup Success Rate: 100% Restore Success Rate: 100%

4.4 What kind of SaaS services does your organization or your technology partner(s) provide? ConnectWise as a SaaS so that clients can manage their own IT Help Desk. typically very customized for each customer depending on their needs,

Examples; Email – Data Loss & Archiving Collaboration and Document Management Endpoint Security (AntiVirus-as-a-Service) VPN (with web content filtering) Databases (MS SQL, MySQL, and Oracle): Provisioning and deployment Monitoring and reporting Operational visualization as a service Backup and Disaster recovery as a service (DRaaS) Patch management and upgrades Automated managed services

CRM Operational Support Systems (OSS) Databases (MS SQL, MySQL, and Oracle) Microsoft Exchange/SharePoint Email and web hosting platforms Monitoring systems Cloud storage

4.5 If your organization provided colocation or cloud service, how can your coloca-tion and/or cloud services scale to meet the needs from various sizes of HSP?

Unlimited data center capacity, redundancy, rack space, increase blades for our

cloud service, etc. Ability to scale to whatever size is required as this would be a single solution

that is federated for each HSP. Additional servers, desktops, network, security and storage can be added to the cloud pool as required. Each HSP instance can be enlarged or reduced to match their sizes as they change, just as HSP’s can be added or removed

20

4.6 Have you worked with Health care providers in supporting their cloud services? If so, what security features do you put in place to ensure information is kept pri-vate? Do you provide different grades/levels of cloud services? Are they provided directly, or through a third party? One respondent did not Majority have had experience with this Different security zones in its infrastructure: Zone 1 (Basic), Zone 2 (PCI) and

Zone 3 (PHIPA). Health care providers are always hosted in Zone 3, PHIPA - Health Care providers must have security requirements established – especially when transferring data.

Ability to securely and logically separate cloud tenants. Each tenant is assigned its own VRF (Virtual Routing and Forwarding domain) that only allows traffic to route within one tenant environment and resolves any concern of having over-lapping IP address space from one tenant to another. Each tenant environment is also firewalled and protected with intrusion detection services; policing all traffic that is allowed in or out of the tenant’s virtual environment

Some respondents outlined the use of these security features to ensure PHI and PI is kept private:

Solutions based on the NIST guide to security for virtualization technologies ICSA certified firewalls, IDS/IPS systems, threat management and unified re-

porting Private VLANs for secure, encrypted access Virtual server segregation using VLAN Canadian only primary and secondary data centres. Access to all server and application logs, on request, for audit compliance. ISO 27001:2013, SOC 2 Type II, SOC 1 Type II and CSAE 3416 Type II compliant

systems, controls, and processes. Physical data centre security: CCTV Monitoring, 24x7x365 on-site security, 3-

level authentication (access card, pin code and biometrics), man traps, individu-ally locked cabinets, escorted access to critical areas, 24x7x365 facility moni-toring with sensors, alarms and audit logs, and private suites with custom secu-rity controls.

Fully documented Threat Risk Assessments, IT Security Policies, and Privacy and Security Standards for Service Providers and Third parties servicing healthcare solutions.

At a minimum, these key frameworks should be in place:

A Security Accreditation Framework A Data Classification (criticality / sensitivity) Framework

A standard cloud service taxonomy A Cloud Decision Framework

4.7 If your company provides some form of cloud services (Iaas, SaaS, PaaS), are they hosted in Canada?

Yes to all

21

4.8 Do you resell or directly operate a colocation and cloud hosted service? Please provide details.

All directly operates, and none resell One respondent stated that they leverage a partner for colocation Some listed the use of Managed Hosted Microsoft Exchange services / ShoreTel

or Avaya VoIP solutions where modern, high availability communications suites are required / Private data suites for larger Type C or Type D HSPs with specific security, privacy, and facility requirements

5. Feedback

5.1 Based on the service requirement outline, are there any services that you rec-ommend above and beyond those that have been requested?

Recommend our Virtual CIO/CTO service to assist the smaller HSPs which

make up the majority of the HSPs. hosted unified communication solution can be added to the services being pro-

posed to further reduce operating expenses

5.2 What is your take away from our IT-IM Assessment outcomes?

Reconnect requires a technology partner to assist in correcting and improving the HSPs as it relates to services such as backups, help desk, monitoring, securi-ty and processes as well as consistency across the HSPs.

A common managed service needs to be deployed in order to standardize each location, once a standard IT model is deployed in each location it will become much easier to manage, secure and control infrastructure in a cost effective manner.

There is so much more to consider than just the traditional approach to infor-mation technology. Physical attributes such as an HSP's information through-put / flow, case cost tracking considerations, asset management are key. Equal-ly important are ways to deal with unexpected emergency situations and opti-mise the overall environment to respond accordingly

5.3 Based on the complexity and varied nature of our organizations what challeng-es do you see? Do you see any opportunity for improvements?

A key challenge will be having policy enforced as part of a managed service.

The smaller locations will be happy to have someone supply IT services while the larger locations may not want to release control of their environments. Set-ting a common set of standards and policies will greatly improve productivity, security, supportability and reduce costs. Making sure each location has the same user experience through a managed server and desktop environment will alleviate the IT burden from the part-time or volunteer IT staff and allow dedi-cated IT staff to focus on delivering better services.

Improvements to Reconnect could include: Centralize as much as possible Minimize the number of components for all 135 community HSPs with a central

provisioning office

22

Virtualize all desktop and minimize the numbers of images required by the thousands of employees

Centrally managed and distributed VDI components Run everything from a central location (Cloud, private or dedicated) For remote sites, a WIFI facilities with a router and Internet access should be-

come the standard (e.g., lower cabling cost, lower number of network compo-nents)

5.4 HSPs to common standards in order to increase security and achieve overall cost efficiencies. We anticipate that the main challenges will be related to the re-quirement for changes in behaviour by the HSPs as well a change in how they will pay for IT support.

Major Challenges will be in relation to;

Standards across HSPs for: Hardware; Software; Base image. Standards for Connectivity Data communications;

Voice communications. Centralized server an network monitoring and management Security:. Infrastructure: Complexity of support: Relationships: Efficiency: Documentation:

5.5 What model would you propose to support our service needs?

Model which includes Help Desk, Monitoring, and Cloud and Colocation ser-vices.

Managed cloud-based platform-as-a-service model would be most suitable for Reconnect.

A model that include Connectivity Centralized IT Help Desk (service Desk) Consolidated Hosting of the standardized infrastructure Remote Monitoring and Management Remote Desktop Management Software as a Service IT Strategy Services

23

6. Innovation

6.1 Irrespective of the requirements listed within this RFI, if you could propose any IT Managed Services model to meet HSP requirements based on the findings of the IT-IM Assessment, what model would you propose to meet HSP’s current and future needs?

On respondent proposed Managed Desktop Services, Managed Infrastructure (Network &

Server Environment), Managed Print Services, Backup and Disaster Recovery, Hardware & Software Vendor Management, Business Technology Optimization and Consulting Services, and Cloud Services.

Recommendation to have one (1) common IT group manage each element of the environment as a common platform. This will allow the network to be managed in a consistent manner ac-cording to best practices. The security aspects of the platform could be deployed to ensure maximum protection of the organization’s IT assets and the data it collects. The desktops could be managed to ensure corporate policies are maintained while allowing secure access from any device. The servers must be operated in such a manner to maximize the performance of the resources they provide.

Standardizing IT policies and services and moving to a centralized model, presents the follow-ing benefits:

Management of multiple HSPs with common standards is operationally more cost effective;

The HSPs’ can collectively gain savings from economies of scale through power in numbers;

The HSPs will enjoy larger influence as a unified community than as autonomous entities.

Efficiencies found in improved IT processes benefit the HSP community;

Allow HSPs to realize cost savings by sharing common services (maintaining and managing one or a few apps is easier and cost effective than operating 135 instances of the same applica-tion);

Leverage centralized state-of-the-art monitoring and management tools (rather than individual investments in tool sets);

Improve security landscape;

collecting and correlating security events from a larger community (higher volume of sources) will enhance security posture of individual HSPs

Allow HSPs to move workloads to Community Cloud environment – shared (cost of) infrastruc-ture and security compliance requirements;

Option to securely share/integrate systems between HSPs (we are seeing our larger hospital clients taking on collaborative initiatives that require the secure sharing of data more readily);

Shared pool of hardware spares (less idle inventory).

24

Pricing Methodology

Respondents were asked to provide pricing information as it related to packaged service models, and individual services. From those who provided pricing infor-mation it was found that vendors pricing models vary and can fixed or priced on an hourly, monthly, per device or user basis. Respondents also outlined that a “menu of services” is a common practise where pricing is dependent on client’s capacity and services selected. The pricing information was summarized and ana-lyzed in a spreadsheet. The following chart summarizes average monthly costs per agency type based on information received from two vendors. Agency capacity was estimated in order to create this pricing model.

.

Agency

A

Monthly / Recurring Users / Desktop =

12 Nodes = 6

Router/ FW = 1 Switches = 4

Wireless AP = 1 Physical Servers = 1 Virtual Server = 3

B


45 Nodes = 10

Router/ FW = 1 Switches = 8

Wireless AP = 1 Physical Servers = 2

Virtual Server = 5

C


100 Nodes = 15 Router = 1

FW = 1 Switches =9

Wireless Controller = 1


D


150 Nodes = 20 Router = 1

FW = 1 Switches = 13

Wireless Controller = 1


Vendor A $3,064.00 $3,440.00 $3,594.00 $3,985.00

Vendor B $2,142.00 $3,362.00 $4,039.00 $5,703.00

25

Next Steps

The information gathered from the IT/IM Assessment and the IT Managed Ser-vices RFI begins to illustrate the complexities of the current landscape. HSPs range in size and complexity and so do the vendors that can support them. The RFI highlighted that there are many vendors that are able to support with some or all of the needs. However, it is the recommendation that more information is gath-ered specifically relating to HSPs current/potential budget for IT. This additional information will support in better understanding requirements for a potential larg-er procurement. Detailed next steps will be discussed with the Toronto Central LHIN, with a final recommendation being made on how to move forward.

.

26

Mohamed Badsha

Chief Operating Officer

416-558-6892

[email protected]

Contact Us

[email protected]

416-461-2729

Jennifer Wilkie

Director of IT and

Shared Services

416-738-6815

[email protected]