Frequently Asked Questions (FAQ) Guidelines for quality compliance of. eprocurement System?

Transcription

1 Frequently Asked Questions (FAQ) Guidelines for quality compliance of eprocurement System 1. What is eprocurement? Electronic Procurement (eprocurement) is the use of Information and Communication Technology (specially the Internet) in procurement processes for the acquisition of goods (supplies), works and services. 2. What are the benefits of eprocurement? The benefits of eprocurement are: Reduced purchasing cost and improved efficiency Standardized purchasing processes across the organization Reduced administrative costs with better effectiveness Significant reduction in the procurement cycle Reduced discretion & increased transparency 3. What are the components of eprocurement System? The components of eprocurement are: e Tendering, (Mandatory) e Auction or Reverse Auction, e Catalogue, emarket Place, e Invocing etc. 4. What is STQC and its role in eprocurement? STQC (Standardization Testing and Quality Certification) is an attached office under Deptt. of Information Technology, Ministry of Communications and IT, Govt. of India. The role of STQC is to undertake testing & audit of the eprocurement System to verify compliance as per the requirements mentioned in Guideline for Compliance to Quality Requirements of eprocurement System and to certify the systems conforming to the essential requirements of the above guideline. 5. What is Guideline for Compliance to Quality Requirements of eprocurement System? This is a guideline document comprises of various essential requirements related to functionality, security, transparency and efficiency that should be implemented in e Procurement systems designed/developed/maintained for Government & Public sector organizations.

2 6. What are the key requirements in the guideline document? The key requirements given in the guidelines for eprocurement System address the GFR requirements, Information Security requirements, CVC Guidelines and IT ACT. 7. What is the approach for eprocurement system evaluation? The eprocurement system (Including data, software, hardware, network, process) shall be evaluated for: Correct & complete implementation of organizational procurement policies & procedures Compliance to GFR rules, CVC guidelines, IT Act (including amendments) Assuring Security by suitable Design & Development (ie some critical security and transparency related functionality has to be built into the e procurement system), Implementation, Deployment & Use. Security of Data Storage and Communication Performance of eprocurement system Usability (optional) Interoperability (optional) Assessment of identified risks and concerns of the e procurement systems & verification of the risk treatment actions. 8. Is the quality compliance requirement different for different outsourcing models of eprocurement systems? The requirements for quality compliance are same for all outsourcing models of the eprocurement systems. The evaluation depth and approach may vary from one model to another. 9. Is there any requirement for use of some specific technology and standard? There is no requirement for use of any specific technology or standard for eprocurement system. However, it is recommended and desirable to use the latest prevalent technology and standard. 10. What will be the test setup for the testing & evaluation of eprocurement system? The testing & evaluation of eprocurement system will be done preferably in production environment (Just before Go Live). In case of difficulty in providing the above environment

3 as an alternative the test/evaluation may be conducted on the exact replica of the system complete with customization and database in a staging environment. 11. What will be audited to have the compliance for security requirements? The whole eprocurement System consisting of network, infrastructure, database, application software, associated processes and people will be under the scope of the compliance audit. 12. If the EPS is already certified as per ISO then the third party agency will recognize it or it will be again audited? The third party agency may review relevant documents e.g. scope, security policy, procedures, SOA(statement of Applicability), and records e.g. external and internal audit/review findings, audit trails, logs etc. to verify that adequate information security measures are in place for the target eprocurement system. 13. Who will monitor the SLAs and what will be the frequency? The SLAs shall be monitored on continuous basis. The frequency of monitoring will depend upon the type of SLA. The SLA shall be monitored by developer himself or any other party as decided by the User organization. The third party agency (STQC) will do the audit of the monitored SLAs for their compliance to the requirements and methodology used for monitoring. 14. What are the different layers of quality Evaluation Model? The Quality & Security evaluation model consist of four layers namely, Data, Application, Infrastructure and Process. Brief description of the layers (from outermost to inner) is as given below: Process Layer ISO Processes Audit # Monitoring against agreed SLAs # Infrastructure Layer Architecture Review # Vulnerability Assessment (Servers & Network Devices) # Penetration Testing of the System # Performance Testing of the System # Application Layer Application Design Review # Application Code review * Application Functional Testing #

4 Application Security Testing # Application Usability Testing * Application Interoperability and Compatibility Testing * Data Layer Data Storage Security Audit # Data Communication Security Audit# Note: # means Mandatory & * means Optional. 15. Whether this evaluation model will ensure the compliance to legal & regulatory requirements? Yes. The Layer by layer assessment will also ensure the compliance with applicable requirements such as CVC, IT Act, GFR 2005 and concerns of other stakeholders. 16. What is the approach for getting the system certified? The applicant shall submit the request to Testing and auditing agency (like STQC) to get e procurement System assessed and certified. During the application the applicant shall clearly mention the scope of certification (i.e. the application system along with the associated infrastructure). The applicant shall also submit necessary inputs as mentioned in 17 below. The audit team nominated by STQC will conduct formal audit as per the defined criteria and submit a report to the applicant highlighting the non compliances. The applicant shall submit his closure report after taking necessary corrective measures to STQC. The team of auditors will verify the closure and submit its final report along with its recommendations to the STQC Certification body. A certificate of compliance will be issued by STQC if it is satisfied with the compliance status of the eprocurement System. 17. What are the inputs required by the STQC for the EPS certification? The Inputs required by the STQC are: RFP of the e Procurement System Software Requirements Specification (SRS) addressing functional and non functional requirements including business functions and applicable regulations, standards and policies. User manual (operational instructions). Traceability matrix for RFP vs SRS Software High Level Design Document Software test reports complete with test cases and test logs/screenshots etc demonstrating the compliance to the functional and non functional requirements as specified in the RFP/SRS Hardening guide/standard for critical server and network devices Vulnerability Assessment report of the critical servers and network devices

5 Application Vulnerability Assessment report indicating that the application is free from OWASP top 10 and other known vulnerabilities. Remote penetration testing report indicating the system is reasonably immune to the hacking attacks from the untrusted networks/internet. Performance and stress testing report indicating its capability to serve specified no. of simultaneous transactions and immunity to Denial of Service attacks. Software Application Source Code (if the need is to assess to all desirable requirements) 18. What are the essential requirements to demonstrate the conformity? The ESSENTIAL Quality and Security requirements which need to be complied are: Evidence of compliance to implementation of ISO Information Security Management System The risk analysis, mitigation methodology and techniques implemented should ensure eprocurement Information System is secure. The service provider shall demonstrate that the requirements of vigilance administration (CVC) are adequately addressed in the Information Security Management System. The software shall be tested for functionality, workflow and other essential requirements (like CVC Guidelines, GFR & IT Act). The application hardening shall ensure the addressal of Top 10 vulnerabilities defined by OWASP Network is assessed for adequate security through penetration testing and vulnerability assessment as per NIST Are there any desirable requirements to demonstrate the conformity? Yes. The desirable requirements are as follows: The software source code shall be evaluated for detecting malicious codes/ Trojan/backdoor etc. To ensure Interoperability and Compatibility of various solutions both at buyer and supplier end Workflow shall be in line with the requirement of standardized Business Processes and ebxml Core Components Technical Specification for Data Structure The solution shall be tested to Usability requirements. 20. What is the criterion to define the scope of certification? The applicant can define any module as a part of scope of certification however the etendering module is the essential requirement to obtain the certification. Depending on the complexity of the module and the scope identified by the applicant the Certification Body/Test Agency will charge for testing and certification.

6 21. What is the significance of audit trail in e procurement systems? The e procurement system should have audit trail facilities. These audit trails are complex but dependable. The audit trails reports provide useful information about the instructions which take place in the system both at operating system and application software. This information is necessary to analyze nature of intrusion, vulnerabilities exploited and to track the perpetrators. It also helps in taking steps in preventing future intrusion. 22. How the multiple encryption /decryption feature can be used to protect the bid in e procurement systems? Application of multiple encryption of the bid document using the public keys of the authorized officers of the tendering organization could be used in a predefined order. Decryption will have to be carried out in the reverse order using the multiple decryption keys (i.e. private keys of the above officers). 23. What are the Concerns/ clarifications based on the IT Act 2000 relating to Digital Signatures? Under the IT Act, 2000 any holder of a Digital Signature, who s issued a Digital Signature Certificate by a licensed CA, is responsible for protecting the corresponding private key. Unless the certificate validity has expired or the certificate has been revoked by the issuing CA, any digital signature will be legally valid and will be attributed to the person listed in the Digital Signature Certificate. 24. What is the role of time stamping facility in e procurement systems? Any e procurement/e tendering services must provide the facility of Time Stamping which is critical for establishing date and time of document submission and its acknowledgement. Time Stamping feature should be built within the application and synchronisation of e tendering/ e procurement server should be done with master server at the data center where the e procurement system is hosted. Alternatively; the e procurement service provider can take Time Stamping services being provided by licensed CAs. 25. What are the requirements of GFR in e procurement systems? The GFR requires that tenders be opened in public in the presence of the authorized representatives of the bidders. The Finance Ministry Manual on procurement procedures

7 outlines the details on the requirements of a transparently conducted Public Tender Opening Event. 26. Who will approach the STQC for certification of e procurement systems? The owner of e procurement systems will approach for certification. The owner may be 1) User (Govt Deptt. /PSU) In case Govt /PSU is the owner & sole user of the entire EPS including application, infrastructure, Policies & procedure & Service levels. 2) Service Provider Who owns the EPS & provides services to multiple govt. /PSU. 27. What will be the cost of STQC certification? Certification Fee: Rs 1 lakh 1) This fee includes application fee & audit fee of EPS. This includes one cycle of audit (one initial audit followed by closure verification). It doesn t include the testing/assessment charges for functional, application security, VA/PT, SLA/Performance etc. 2) Travel, stay & logistic arrangement for auditors shall be borne by the applicant extra. 3) Applicant should get the above tested (before approaching for certification) at extra cost from any recognized body (e.g. any STQC IT Centre /CERT IN empanelled agency for application security and network security). 28. What will be the validity period of STQC certification? The validity of certification shall be one year provided no major change in the EPS is carried out. 29. What are the criteria for STQC certification? The certification is based on Quality & Security evaluation of EPS. STQC will be auditing the EPS against the criterion of ISMS (based on ISO/IEC 27001), CVC guideline, GFR & IT act. The details requirements are provided in guidance documents (Guideline for Compliance to Quality Requirements of eprocurement System). The applicant shall submit a compliance document against these four categories of criteria. At the time of audit STQC will look for the artifact like compliance test report (for functional, application security, VA/PT, SLA/Performance) which consists of Application, Infrastructure and Processes of EPS. 30. If one service provider provides the services to multiple users, whether he needs multiple certifications?

8 Yes, separate certificate is required for each user because of customization/modification in the EPS. Each certificate issued to service provider will be in context of application & the user. 31. What is the time period required for certifications? Minimum one month time is required after the application is accepted by STQC. The application will be accepted based on compliance to criterion (Ref. Question no. 29). 32. What approach STQC follows if user organization requires certification of the e procurement solution as a pre requisite for placing purchase order to potential e procurement service provider? The User organization in their acceptance criteria while placing the PO, shall mention the certification as a mandatory requirement after deployment. The User organization shall advise service provider to approach STQC to demonstrate his capability by getting acceptance test report for Functional, application security & demonstrating compliance to GFR, CVC & IT act requirements (in staging/test environment). STQC will advise user organization accordingly. Note: Final certificate shall be issued after deployment of e procurement solution in the actual user environment & after successful completion of the activities as mentioned in Question no Who is the Nodal authority for E procurement System Certification? The nodal authority for e Procurement system certification is STQC HQ, Delhi. The contact details are: Sh. U. K. Nandwani, Senior Director Phone no. : , E Mail: uknandwani@stqc.nic.in 34. Is the EPS Certification Scheme applicable to only Govt and Public Sector Organizations or Private Sector too? The present scope of EPS certification scheme is only for Govt & Public sector organizations.