Updated 4/4/2016
Overview
A Vendor Experience
B Architecture
C API Gateway
D API Analytics and Monitoring
E API Security
F Developer Portal
Section A - Vendor Experience
Requirement
A1
Please describe your company's strategy around API management. What percentage of your company's revenue is derived from API Management?
A2
When was your API management product GA?
A3
What % of the Fortune 100 uses the product? Is the product telco grade? What % of the largest 12 global telcos use your product?
A4 A5 A6
A7 A8 A9 A10 A11 A12 A13 A14 A15 A16 A17
Is the product in production with large retail brands? Can you provide examples of your thought leadership in the API space? What kind of experience do you have running a managed cloud solution at scale for your cloud customers? Who are your largest customers in the: Retail sector, Financial sector, Telecommunications, Healthcare? Who are your most significant NEW customers (of your API products) in the past 6 months? How do you onboard and partner with customers for success? Do you provide free training for architecture, development, and operations on your website? Do you provide online tutorials to help us learn your product?
community
Section B - Architecture
Requirement
B3
Does your product support public cloud, private cloud and hybrid deployments? Is your Private Cloud fully supported On-Premises (does not have any dependencies on making calls externally)? Does your private and public cloud offering use the same code base?
B4
Does the solution support a hybrid solution, where traffic management and security policies can be colocated with the API applications, while other API functions run on the core API management platform (enterprise gateway) in the managed cloud or on-premises deployment?
B5
Does the platform architecture support multi-tenancy for both public and private Cloud deployments?
B6
Can multiple teams work independently with runtime isolation?
B7
How does the platform support a multi-region, multi-data center deployment to ensure the highest level of availability and distribution?
B1
B2
B8
B9
B10
B11
B12
How does your platform integrate into continuous development and deployment practices? Explain how your solution supports a scalable environment and describe what is needed to provision additional capacity per API / per team / per region / per organization. Does your solution provide a centralized UI for multi-DC deployments or do we need to manage them independently? Does the solution support zero downtime patching and updates? Does the solution have the ability to do intelligent traffic routing to give users the closest point of presence over wide geographical areas?
Section C - API Gateway
Requirement
C1 C2
C3 C4
C5
C6 C7 C8
C9 C10 C11 C12
C13 C14
C15 C16
Does the product support OpenAPI (formerly known as Swagger) to design APIs and generate documentation? Does the product facilitate rapid prototyping of mock APIs? Does the product help create uniform, consistent, well-formed APIs, even if the underlying backend systems weren't built that way?
How are existing SOAP services added? Can deployments of assets be automated for the development lifecycle? Can your platform reference existing assets such as encryption libraries, schema validation tools, data validation libraries, etc. How does your product support threat detection by detecting fraudulent data injections at the API level? Please describe your ability to protect from traffic spikes. Please describe your ability to manage API consumption through quotas. Can quotas be set up both by developers as well as by product managers post-development? Can they be adjusted at runtime? Can quotas be synchronized across multi-region deployments? Does the platform support publishing SOAP, REST, JSON, and XML style services as APIs as well as JMS? Please describe process flows for discovering services in the runtime environment.
Does the product support API mashups? Please describe your ability to enhance Proxy functionality through both configuration and code. Please describe any out of the box functions for doing traffic mediation, transformation, and security at the API Level. Are standard transformations included? (XML to JSON, JSON to XML, SOAP to REST, REST to SOAP)
C17
Does the proxy support compression?
C18
Does the proxy support HTTP/HTTPS? When necessary, can the proxy talk to JMS based systems?
C19
C20
C21
C22
C23
C24 C25
C26
C27
C28
Are streaming connections supported? Please describe the debugging tools built into the platform. Can the debugging tool show a "before" and "after" of each policy during replay? Also can the debugging be performed in an off-line mode to minimize any overhead to the runtime API traffic?
How is versioning supported? Are all policies and system configurations stored in standards based XML with well published schemas for easy migration/promotion? Does the proxy support caching? In addition to an expiration, can the cache be manipulated programmatically? Do you support a multi-level cache model? For example, is the in-memory cache able to spill over to the disk? Does the product support caching based on payload information and HTTP headers? Is this available via built-in policies?
C33
Does the proxy support rate limiting, quotas, and spike arrests? Can behavior change dynamically based upon factors such as user credentials, location, device type, ...? Does the proxy support dynamic routing (orchestration, or intelligent routing to a second system based upon the response from a first system)? Please describe the out-of-the-box backend service APIs for common application functionality such as user management, data storage and synchronization, messaging, and locations. Does the platform support identity integration with popular social networks and Internet services and if so, which ones?
C34
Does the solution allow the storing and querying of arbitrary schema-less JSON data?
C29
C30
C31
C32
C35 C36 C37
Can data be tagged and queried by location? Can binary objects such as files and images be stored in the platform? Please provide examples of large-scale deployments using this capability
C38
Does the platform provide user management and social relationship functionality for building personalized applications?
C39
Can the platform support push notifications across various mobile platforms?
C40 C41
C42
C43 C44 C45 C46
C47
Can the core functionality of the platform be extended by the customer? Does the platform support extensions using common languages like Java, Python, or JavaScript? Can the platform host and run unmodified Node.js applications in order to implement custom APIs without the need for a separate application server?
Does the platform have wizards to generate APIs from Swagger, SOAP services, and other backend services? What are the standard governance features available in the product? How does the product support API Lifecycle governance? Can your product publish APIs for external and internal consumers? How are these managed independently? How do you manage API visibility and restrict access to consumers? Is this configuration in the platform or built as part of the APIs enablement?
Does the UI allow for drill down on each of the charts? Does the tool provide a wizard for creating custom reports? Are there maps for detailing geo-location of API calls?
D5
Are the analytics collected asynchronously (so as not to impede runtime traffic)?
D2 D3
D6 D7
D8
Does the analytics data, once collected, provide an API for easy access and export? Can the solution be used to provide business level visibility? What level of operational visibility can the solution provide based on API traffic flowing through the system?
D9
D10
What tools are available out of the box to do various kinds of trend analysis and inspection of anomalies?
D11
Can reports be created on-demand? Does the tool support predictive and trend-based analytics?
D12
Describe how the product gathers contextual information (information above and beyond the basic transaction details which helps the business to understand the transaction in depth). Please specify third-party APIs and internal enterprise data sources.
D13 D14 D15
D16 D17 D18 D19
D20 D21 D22 D23
D24 D25
D26
D27
D28
Is there a service for attaining business level insights based on the contextual data? What metrics and dimensions are supported by the tool? Do you provide service performance monitoring, reporting, and analysis?
If payload data is captured, can this data be used for reporting? What are the exception management reporting capabilities? Does your product provide end-to-end visibility and trending performance statistics? Does your solution support billing based on TPS and/or aggregate transactions for each developer/application? Solution must provide performance management data with counters per application type and per API message type. What level of reporting is available to the developer? (call latency, SLA compliance, other metrics) Does the product provide easy-to-use custom reporting capabilities over multiple dimensions and filters? Does your product provide the ability to report using the payload of the messages? Does your product provide the ability to easily integrate with other systems, for instance through API calls? Does your product provide capabilities to create custom dashboards to perform root-cause analysis? Does your product provide flexibility to extend the functionality and implement attribute specific runtime enforcements for API? Are all of your billing and developer usage data available via an API to allow an easy integration with existing systems? Does the product provide the ability to inspect the payload and retrieve payload data to create custom metrics to be included in custom reports?
D29
Does the solution provide the ability to perform synthetic transaction testing from different global locations?
Section E - API Security
Requirement
E5
How is single-sign on supported across all the roles involved in the lifecycle in your product? What are the standard industry security certifications available for your product? Do you use open standards to delegate authentication capabilities to your tenants? Explain the mechanisms you use to support API security (e.g. tokens, encryption, policy systems). Please describe the security / policy enforcement options when some assets might require additional security in a cloud/on-premises infrastructure.
E6 E7
Please describe your expertise with OAuth (including major customers you have supported). Which versions of OAuth are supported?
E8
Are LDAP and AD supported?
E9
Does the product support both secure channels and secure payloads?
E1 E2 E3 E4
E10 E11
Does the proxy provide support for CORS? Does the proxy protect against XML or JSON attacks?
E12
Are all of these security features available as self-service via configuration (not coding)?
E13 E14 E15 E16 E17
How does the solution handle role based access controls to ensure different members of the API team can perform their roles effectively without affecting other teams? Is your public cloud offering PCI DSS level 1 and level 2 certified? Is your public cloud offering HIPAA compliant? Can the product be extended to support custom/proprietary implementations? Can APIs be secured at the operation level? (Ex: can do GET, but not POST or PUT)
Section F - Developer Portal
Requirement
F1
F2 F3 F4
F5 F6
F7
How are assets manifested in the developer portal for developer use? Please describe how the tool facilitates on-boarding. Is this portal available as a completely on-premises solution? Does the solution provide interactive documentation to allow API consumers to easily try out published APIs? Does each developer (or team) get their own personalized metrics?
Is the registration form customizable? Can the customer customize, skin, and modify the portal without vendor involvement? Does the portal leverage standard CMS technologies to ensure easy to find skill sets and pre-existing modules?
F10
Does the tool provide the ability to revoke or suspend developer keys? Does the solution support a B2B2D type model which allows enterprises to let their partners manage their own pool of developers and their access to the enterprise's APIs? Please describe the ability for the platform to support monetization. What are the various revenue models supported?
F11
Are the pricing models configurable without coding?
F12
Does the platform integrate with third-party payment systems?
F8
F9
Review Criteria for API-powered Digital Busin
Details
APIs are a critical part of our company strategy moving forward. It is important to us that whoever we partner with considers API management a core part of their business. We're interested in the track record of your company in API management. In addition to the product features mentioned above, we would like to understand the real world experience you have had with large scale deployments on your API management platform. Knowing the uptime requirements of a telco, it is important to know that the platform meets these stringent criteria. High-profile brands that trust your platform would say a lot for the robustness and performance of your product. APIs, social, and mobile are fast moving topics. We would like to work with a vendor who leads the space. While many vendors are now offering cloud-based versions of their products, it is critical that the chosen vendor has demonstrated real world experience with large scale customers running in the cloud. We would like to know more about your real world experience.
We would like to know more about your market momentum.
Details
Depending on present and future project requirements, we may need one or both of the deployments to be supported. In this case, cloud is understood to mean a vendor managed cloud. Hybrid is defined as a local gateway with management functions and analytics in the cloud.
To help with a flexible deployment model that reduces latency since traffic management and security happens closer to the application, avoids synchronous call-outs in the main message path, and protects the last mile. The ability to run a multi-tenant environment can be important when dealing with multiple lines of business and/or partners. Is the cloud installation a true multi-tenant environment? Does the exact same functionality exist when deployed on premises? An enterprise SDLC (software development life cycle) can be a complicated process with many constituents. The ability for diverse teams to have their own view of the platform with logical separation of all policies and configurations is very important. The ideal tool will allow a centrally managed platform to support development teams across the enterprise. The ideal tool will work with industry popular CI/CD tools such as Maven or Jenkins. Geographical redundancy is important both for high availability and also for latency and performance considerations. We need to understand how an instance deployed in one physical data center interacts and collaborates with an instance deployed at another data center. The operations teams already have workflows, processes, and scripts to perform their work. Does your platform integrate well with these existing tools? Can the platform be run via the command line? Via scripts?
In today's world, traffic bursts happen. We need to know that our capacity can scale along with these dynamic fluctuations in traffic. Ease of management is one of the day-to-day considerations in choosing a platform such as this. How can the tool ease management overhead and contribute to overall productivity? For critical applications and geographically dispersed user base, how can the platform be administered so as not to incur any downtime for developers, partners, and users? For latency sensitive applications, intelligent routing to the nearest point of presence can be very important.
Details
Can the services support other protocols and how is complex data transformation handled? How hard is it to incorporate into existing development standard tools? What development tools are required to develop and deploy with your platform? IT has invested in middleware, and how can your platform use these assets?
For example getCustomerInfo API would require multiple back-end calls to be made to multiple systems and each system supports different protocols (for example SOAP web service, JSON service and direct database call). Does this require custom development or is it supported by configurations? Please highlight which proxy features cannot be accomplished via simple configuration.
In order to reuse existing systems or to talk with legacy systems, it is important that the platform can perform these transformations. Can messages be both sent and received by the proxy in a compressed format? This will save bandwidth and reduce latency in some situations. Previous generations of software built hard-wired connectors into their tools. To avoid these brittle connections, can the platform perform all functionality over standard HTTP? In the event of the existence of back-end system based upon JMS, can requests be placed into the correct queue?
For long running transactions or large payloads, can the proxy stream traffic? Distributed systems are more complex than client server systems. What tools does the platform possess which will help us to isolate issues and solve them faster?
This functionality can be crucial during forensics or during preproduction testing of a policy. To minimize impact to developers and users, versioning needs to be flexible. Versioning refers to both the version on the API (as part of the URI) as well as the versions of the policies themselves. Lastly, versioning refers to minimizing the impact on operations through obviating the need to maintain multiple versions of a service. A standard format like XML allows for easy transformation and manipulation in a variety of tools. Caching at the proxy minimizes hits against the back end systems. While it is important to be able to set a cache to expire at a certain point in time, it is also necessary to invalidate or refresh the cache via standard API calls to reflect changes in back end systems. In-memory cache is very fast, but has limitations of size. The ability to perform multi-level caching is important for heavy caching situations. To optimize caching, the platform should be able to cache based on many types of information, including data contained within the payload of the message. Access to data and load on back-end systems must be configurable and controllable. The ability to block based on sheer traffic volume is important as are the finer grained controls of rate limits (messages/time interval) and quotas (raw # of requests permitted). In the dynamic world of APIs and mobile applications it is often necessary for the platform to make dynamic decisions based upon various pieces of information contained within the inbound request. In the dynamic world of APIs and mobile applications it is often necessary for the platform to make dynamic decisions based upon the current conditions. Most modern apps require functionality that is missing from existing backend systems. By providing this functionality out-of-the-box, the platform speeds time to market for all apps and reduces complexity in the environment. Most apps require some social component. By providing this functionality out-of-the-box, the platform speeds time to market for all apps and reduces complexity in the environment. To achieve maximum flexibility, does the platform allow for arbitrary queries and storing dynamic data (beyond pre-configured SQL-like schemata)? Location based services are becoming more and more prevalent. Geotagging data provides great power to the platform and covers a gap in most legacy systems. While it is crucial to store plain text, many modern apps allow for image uploads (and other binary types). We would like to understand more about the real world experience with this part of the platform.
This type of functionality is often absent from legacy systems, yet required by most modern applications. This type of functionality is often absent from legacy systems, yet required by most modern applications. It is crucial for the system to be able to communicate with users in a manner in which they are familiar. In the interest of minimizing professional services and increasing time to market, can the above mentioned database functionality be achieved via configuration (not coding)? If we are to perform these activities ourselves, the platform needs to support commonly used technologies. With the increasing popularity of Node.js, it would be useful to have this capability built into the platform and not require yet another tool to be introduced into the environment. In order for API teams to be agile, rapidly configure/build and deploy APIs, it's important to have OOTB wizards that can generate APIs from Swagger docs, SOAP services and other back-end APIs. It should provide for check-box capability to secure APIs using API keys, OAuth and be able to enforce CORS and other commonly expected policies.
Details
The reports in this list should require no configuration. Normally these will include basic traffic, usage, and performance information. Drill down analytics allows for quick triage of the health of an API program and assists in rapid troubleshooting during anomalous conditions. No vendor can provide every report we need out of the box. The platform should have a wizard for easy creation of custom reports. Many decisions in an API program are based upon the location of users. The platform should have geo-location reporting built in. The single greatest factor in the user satisfaction of an app is its response time. Are the analytics collected in such a way as to not impact response time? We are not interested in creating a data silo. The collected analytics data must be accessible for merging with other business intelligence tools. Beyond operational level and developer level metrics, how does the platform provide visibility to the business?
Beyond simple graphs of traffic, what visibility would an ops team gain from using the platform?
The tool needs to both provide visibility into trends (to prepare for capacity bursts or product demand, for example) and to allow inspection if anomalies are detected. Do reports need to be configured before launching the system? Can reports be constructed on demand as the need arises (like after viewing surprising traffic)? After the fact forensics are important, but the ability to spot trends in advance is crucial in today's environment.
Transaction data, viewed in a vacuum, is of limited use. Customer behavior changes greatly based upon their location, the weather, the type of device being used, etc. If needed, do you provide the services of data scientists to analyze this contextual information and report back to the business with actionable insights? The tool must support a variety of analytics use cases without requiring additional programming
For example, can this data query be completed: query the list of customer ids (part of the API payload) that falls into segment vegi (again part of API payload) that called the order/create API (API metadata) during the last seven days.
Details
OAuth is one of the most widely used forms of authentication for consumer or partner facing apps. We would like to understand both the product capabilities with regards to OAuth as well as real world experience. LDAP and Active Directory are the most common forms of authentication in use today. This functionality should be accessible with no coding. Different types of APIs and different types of data require different types of security. Sometimes a secure SSL connection will be sufficient. Sometimes the payload will need to be encrypted as well. CORS (Cross-origin resource sharing) is a standard mechanism that allows JavaScript XMLHttpRequest (XHR) calls executed in a web page to interact with resources from non-origin domains. CORS is a commonly implemented solution to the "same-origin policy" that is enforced by all browsers. As part of a defense in depth strategy, does the platform help in protecting against modern attack vectors such as XML? In an effort to minimize the need for professional services and to accelerate time to market, are all of the above mentioned security features available via standard policies/configuration? Auditing and compliance processes dictate that RBAC (Role Based Access Control) is supported by enterprise platforms. This allows for an audit trail and administrative accountability. It also aids in the SDLC by limiting the potential for one team's work to interfere with the work of another team. Many APIs require (or eventually require) payment processing as part of the monetization strategy. PCI certification is necessary.
Details
What additional development is required and what features are supported?
Developer and partner productivity depends on an efficient on boarding experience. How does the tool ease this friction? While documentation is important, experience shows that a developer's time to value is greatly improved with interactive tools. To assist developers and teams, will they get their own view of the metrics related to any application which they have registered? Corporate policies may dictate that we collect certain pieces of information when onboarding a new developer. The data fields in the registration process need to be configurable to capture these fields.
As a follow up to the previous question, if we are to be able to perform this work on our own, the portal will need to be based on standard technologies. In the event of an expired contract with a developer or when an abnormal situation occurs, the platform must allow for both the disabling and revocation of individual app keys. Large partners require the ability to maintain the existing relationships with their own developers. How does the platform support this second-level relationship? Some of the APIs will need to be monetized. Given that there are multiple ways to monetize an API, does the platform allow for mixing and matching of these models? Can the financial models be created through configuration only or do they require custom coding? Once the metering has been performed, it will be necessary to pass the transaction to a payment processor. The platform should be able to connect to these processors (including CDRs).