ERP Software Product and System Integration Services

The Vendor is required to provide enterprise resource planning (ERP) systems migrated from the mainframe around 2005 and has been on the current commercially-off-the-self software to present time.
- The Auditor and Controller Department (A&C) owns and manages the Oracle E-Business Suite, PeopleSoft payroll, UKG Timekeeping, Oracle Data Warehouse, Essbase and Oracle Fusion Middleware.
- Solution must be able to provide Unique User IDs for each individual accessing ACH information
- Solution must limit access for all individuals to access provisioning only if there is a need-to-know/need-to-access requirement for the successful execution of an individual's job/role 
- Solution must change all vendor supplied default passwords
- Solution shall use strong password or password phrase that is unique to each user
- Solution shall be able to set at a minimum an 8 character password, upper and lower case, with special characters and remember at least last 10 passwords"
Solution shall be able to change password at least every 90 days
Solution shall have a written incident response plan and procedures
- Solution shall provide 
•    Up-to-date anti-virus
•    Anti-malware/spyware
- Solution shall provide automatic log-outs after a certain amount of inactivity
- Solution shall encrypt all data when in transit and when at rest
- Solution shall protect against anticipated threats or hazards to the security or integrity of protected information by ensuring the use of automated software patches or upgrades, including operating system and application updates
- Solution shall Ensure ACH information on electronic devices are erased/wiped after the retention period has expired with an approved method of destruction.
- The solution shall have all actions with the software application log for attribution to a specific user. 
- Solution shall allow for the collection and consumption of generated audit logs such as SIEM Connector, Syslog, WEF.
- Solution shall use SFTP for file transfers if APIs are not available. 
- Solution shall have a tool and documented process for data conversion and migration. 
- Solution must provide high availability for the database/data store.  
- High availability is accomplished. 
- Solution must use a responsive UX design pattern to render on a variety of devices and window or screen sizes from minimum to maximum display size to ensure usability and satisfaction.
- Solution must ensure the information system uniquely identifies and authenticates all users
- Solution should provide multi-factor authentication (MFA)
- Solution must ensure information system default account passwords are changed prior to release to production
- Solution must not store passwords or API keys inside source code
- Solution must support periodic application and service account password changes including changing all default administrator passwords, at least annually
- Solution must store and transmit passwords in an encrypted format so that passwords do not display in a clear text
- Solution provider must have a published breach disclosure policy
- Solution must be supported by a 24x7x365 Security Operations Center
- Solution provider must maintain and regularly test an Incident Response Plan and provide investigation support in a breach
- Solution provider must perform Penetration Testing annually 
- Solution provider must ensure vendor-defined high severity and above information system vulnerabilities are remediated prior to release to production
- Vulnerability scanning is performed at least weekly for operating systems, system components, dynamic web applications and static code analysis
- Security patches for vendor-defined high severity and above vulnerabilities must be implemented within 30 days of availability
- Vulnerability mitigations must be put in place for vendor-defined high and above severity vulnerabilities while a full patch is being developed
- Solution adheres to a privacy policy that discloses the ways the provider gathers, uses, discloses and manages customer data
- Solution provider must not share County data with another party without explicit permission of the customer.

- Contract Period/Term: 5 years
- Pre-Proposal Conference Date: December 11, 2025
- Questions/Inquires Deadline: December 16, 2025