Frequently Asked Questions (FAQ)
Guidelines for Quality Compliance of eProcurement Systems

1. What is e-procurement?
Electronic procurement (e-procurement) is the use of Information and Communication Technology (especially the Internet) in procurement processes for the acquisition of goods (supplies), works and services.

2. What are the benefits of e-procurement?
- Reduced purchasing cost and improved efficiency
- Standardized purchasing processes across the organization
- Reduced administrative costs with better effectiveness
- Significant reduction in the procurement cycle
- Reduced discretion and increased transparency

3. What are the components of an e-procurement system?
e-Tendering (mandatory), e-Auction or reverse auction, e-Catalogue, e-Marketplace, e-Invoicing, etc.

4. What is STQC and what is its role in e-procurement?
STQC (Standardisation Testing and Quality Certification) is an attached office of the Department of Information Technology, Ministry of Communications and IT, Government of India. Its role is to test and audit e-procurement systems to verify compliance with the requirements given in the "Guideline for Compliance to Quality Requirements of eProcurement System" and to certify systems that conform to the essential requirements of that guideline.

5. What is the Guideline for Compliance to Quality Requirements of eProcurement System?
It is a guideline document comprising the essential requirements related to functionality, security, transparency and efficiency that should be implemented in e-procurement systems designed, developed or maintained for Government and Public Sector organizations.
6. What are the key requirements in the guideline document?
The key requirements address the GFR requirements, information security requirements, the CVC guidelines and the IT Act.

7. What is the approach for e-procurement system evaluation?
The e-procurement system (including data, software, hardware, network and process) shall be evaluated for:
- Correct and complete implementation of organizational procurement policies and procedures
- Compliance with the GFR rules, CVC guidelines and IT Act (including amendments)
- Assurance of security through suitable design and development (that is, certain critical security- and transparency-related functionality has to be built into the e-procurement system), implementation, deployment and use
- Security of data storage and communication
- Performance of the e-procurement system
- Usability (optional)
- Interoperability (optional)
- Assessment of the identified risks and concerns of the e-procurement system, and verification of the risk treatment actions

8. Is the quality compliance requirement different for different outsourcing models of e-procurement systems?
The requirements for quality compliance are the same for all outsourcing models. The evaluation depth and approach may vary from one model to another.

9. Is there any requirement to use a specific technology or standard?
No specific technology or standard is required for an e-procurement system. However, it is recommended and desirable to use the latest prevalent technology and standards.

10. What will be the test setup for the testing and evaluation of the e-procurement system?
Testing and evaluation will preferably be done in the production environment (just before go-live). Where that environment cannot be provided, the test/evaluation may alternatively be conducted on an exact replica of the system, complete with customization and database, in a staging environment.

11. What will be audited for compliance with the security requirements?
The whole e-procurement system, consisting of network, infrastructure, database, application software, associated processes and people, is within the scope of the compliance audit.

12. If the EPS is already certified to ISO 27001, will the third-party agency recognize that certification, or will the system be audited again?
The third-party agency may review the relevant documents (e.g. scope, security policy, procedures, Statement of Applicability (SoA)) and records (e.g. external and internal audit/review findings, audit trails, logs) to verify that adequate information security measures are in place for the target e-procurement system.

13. Who will monitor the SLAs, and at what frequency?
The SLAs shall be monitored on a continuous basis; the frequency of monitoring depends on the type of SLA. The SLA may be monitored by the developer or by any other party decided by the user organization. The third-party agency (STQC) will audit the monitored SLAs for compliance with the requirements and the methodology used for monitoring.

14. What are the layers of the quality evaluation model?
The quality and security evaluation model consists of four layers: Data, Application, Infrastructure and Process. From outermost to innermost, they cover the following activities:

Process layer
- ISO 27001 process audit (mandatory)
- Monitoring against agreed SLAs (mandatory)

Infrastructure layer
- Architecture review (mandatory)
- Vulnerability assessment of servers and network devices (mandatory)
- Penetration testing of the system (mandatory)
- Performance testing of the system (mandatory)

Application layer
- Application design review (mandatory)
- Application code review (optional)
- Application functional testing (mandatory)
- Application security testing (mandatory)
- Application usability testing (optional)
- Application interoperability and compatibility testing (optional)

Data layer
- Data storage security audit (mandatory)
- Data communication security audit (mandatory)

15. Will this evaluation model ensure compliance with legal and regulatory requirements?
Yes. The layer-by-layer assessment also covers the applicable requirements such as the CVC guidelines, the IT Act, GFR 2005 and the concerns of other stakeholders.

16. What is the approach for getting a system certified?
The applicant submits a request to a testing and auditing agency (such as STQC) to have the e-procurement system assessed and certified. In the application, the applicant clearly states the scope of certification (that is, the application system along with the associated infrastructure) and submits the inputs listed in Q17. The audit team nominated by STQC conducts a formal audit against the defined criteria and submits a report to the applicant highlighting the non-compliances. After taking the necessary corrective measures, the applicant submits a closure report to STQC. The auditors verify the closure and submit their final report, with recommendations, to the STQC certification body. STQC issues a certificate of compliance if it is satisfied with the compliance status of the e-procurement system.

17. What inputs does STQC require for EPS certification?
- RFP of the e-procurement system
- Software Requirements Specification (SRS) covering the functional and non-functional requirements, including business functions and the applicable regulations, standards and policies
- User manual (operational instructions)
- Traceability matrix (RFP vs. SRS)
- Software high-level design document
- Software test reports, complete with test cases and test logs/screenshots, demonstrating compliance with the functional and non-functional requirements specified in the RFP/SRS
- Hardening guide/standard for the critical servers and network devices
- Vulnerability assessment report for the critical servers and network devices
- Application vulnerability assessment report showing that the application is free from the OWASP Top 10 and other known vulnerabilities
- Remote penetration testing report showing that the system is reasonably resistant to attacks from untrusted networks/the Internet
- Performance and stress testing report showing its capability to serve the specified number of simultaneous transactions and its resilience against denial-of-service attacks
- Software application source code (if the assessment is to cover all desirable requirements)

18. What are the essential requirements to demonstrate conformity?
The essential quality and security requirements are:
- Evidence of compliance with an implemented ISO 27001 Information Security Management System
- The risk analysis, mitigation methodology and techniques implemented should ensure that the e-procurement information system is secure
- The service provider shall demonstrate that the requirements of vigilance administration (CVC) are adequately addressed in the Information Security Management System
- The software shall be tested for functionality, workflow and the other essential requirements (such as the CVC guidelines, the GFR and the IT Act)
- Application hardening shall address the Top 10 vulnerabilities defined by OWASP
- The network shall be assessed for adequate security through penetration testing and vulnerability assessment as per NIST SP 800-115

19. Are there any desirable requirements to demonstrate conformity?
Yes. The desirable requirements are:
- The software source code shall be evaluated for malicious code, Trojans, backdoors, etc.
- Interoperability and compatibility of the various solutions shall be ensured at both the buyer and the supplier end
- Workflow shall be in line with the requirements of standardized business processes, and the ebXML Core Components Technical Specification shall be followed for data structures
- The solution shall be tested against usability requirements

20. What is the criterion for defining the scope of certification?
The applicant can include any module in the scope of certification; however, the e-tendering module is essential to obtain certification. Depending on the complexity of the modules and the scope identified by the applicant, the certification body/test agency will charge for testing and certification.
21. What is the significance of the audit trail in e-procurement systems?
The e-procurement system should provide audit trail facilities. Audit trails are complex but dependable. Audit trail reports provide useful information about the activity that takes place in the system, at both the operating system and the application software level. This information is necessary to analyse the nature of an intrusion and the vulnerabilities exploited, and to track the perpetrators; it also helps in taking steps to prevent future intrusions.

22. How can the multiple encryption/decryption feature be used to protect a bid in e-procurement systems?
The bid document can be encrypted multiple times, using the public keys of the authorized officers of the tendering organization in a predefined order. Decryption then has to be carried out in the reverse order, using the corresponding private keys of those officers: each layer can only be removed with the private key of the officer whose public key added it.

23. What concerns/clarifications arise from the IT Act 2000 relating to digital signatures?
Under the IT Act 2000, any holder of a digital signature who has been issued a Digital Signature Certificate by a licensed CA is responsible for protecting the corresponding private key. Unless the certificate has expired or has been revoked by the issuing CA, any digital signature made with it is legally valid and is attributed to the person named in the Digital Signature Certificate.

24. What is the role of the time-stamping facility in e-procurement systems?
Any e-procurement/e-tendering service must provide time stamping, which is critical for establishing the date and time of document submission and of its acknowledgement. The time-stamping feature should be built into the application, and the e-tendering/e-procurement server should be synchronised with the master time server at the data centre where the e-procurement system is hosted. Alternatively, the e-procurement service provider can use the time-stamping services provided by licensed CAs.

25. What are the requirements of the GFR for e-procurement systems?
The GFR requires that tenders be opened in public in the presence of the authorized representatives of the bidders. The Finance Ministry manual on procurement procedures details the requirements for a transparently conducted public tender opening event.

26. Who will approach STQC for certification of e-procurement systems?
The owner of the e-procurement system applies for certification. The owner may be:
1) the user (Government department/PSU), where the Government department/PSU owns and is the sole user of the entire EPS, including application, infrastructure, policies and procedures, and service levels; or
2) the service provider, which owns the EPS and provides services to multiple Government departments/PSUs.

27. What will STQC certification cost?
Certification fee: Rs 1 lakh.
1) This fee includes the application fee and the audit fee for the EPS, and covers one audit cycle (one initial audit followed by closure verification). It does not include the testing/assessment charges for functional, application security, VA/PT, SLA/performance testing, etc.
2) Travel, stay and logistics for the auditors shall be borne by the applicant in addition.
3) The applicant should get the above testing done (before applying for certification), at extra cost, by any recognized body (e.g. any STQC IT Centre or CERT-In empanelled agency for application security and network security).

28. What is the validity period of STQC certification?
The certification is valid for one year, provided no major change is made to the EPS.

29. What are the criteria for STQC certification?
Certification is based on the quality and security evaluation of the EPS. STQC audits the EPS against the criteria of the ISMS (based on ISO/IEC 27001), the CVC guidelines, the GFR and the IT Act. The detailed requirements are given in the guidance document (Guideline for Compliance to Quality Requirements of eProcurement System). The applicant shall submit a compliance document against these four categories of criteria. At the time of the audit, STQC looks for artefacts such as the compliance test reports (functional, application security, VA/PT, SLA/performance) covering the application, infrastructure and processes of the EPS.

30. If one service provider provides services to multiple users, does it need multiple certifications?
Yes. A separate certificate is required for each user because of the customization/modification of the EPS for that user. Each certificate issued to a service provider is in the context of the application and the user.

31. How long does certification take?
A minimum of one month after the application is accepted by STQC. The application is accepted based on compliance with the criteria (see Q29).

32. What approach does STQC follow if a user organization requires certification of the e-procurement solution as a prerequisite for placing a purchase order with a potential e-procurement service provider?
The user organization shall, in its acceptance criteria when placing the PO, state certification as a mandatory requirement after deployment. The user organization shall advise the service provider to approach STQC to demonstrate its capability by obtaining an acceptance test report for functional and application security testing and demonstrating compliance with the GFR, CVC and IT Act requirements (in a staging/test environment). STQC will advise the user organization accordingly.
Note: The final certificate is issued only after deployment of the e-procurement solution in the actual user environment and successful completion of the activities mentioned in Q29.

33. Who is the nodal authority for e-procurement system certification?
The nodal authority for e-procurement system certification is STQC HQ, Delhi. Contact details:
Sh. U. K. Nandwani, Senior Director
Phone: 011 24301382, 24362381
E-mail: uknandwani@stqc.nic.in

34. Is the EPS certification scheme applicable only to Government and Public Sector organizations, or to the private sector too?
The present scope of the EPS certification scheme covers only Government and Public Sector organizations.
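The multiple encryption of Q22 above, as an added worked example in Go. This code is not part of the original FAQ and is not the code of STQC or of any e-procurement product; the per-layer byte layout, the in-process generated officer keys and the sample bid text are all constructed here. Two points the FAQ answer leaves implicit are made explicit in the code: each layer is hybrid (a fresh AES-256-GCM key per layer, wrapped with that officer's RSA public key using RSA-OAEP), because a raw RSA operation cannot encrypt anything as large as the previous layer's ciphertext; and the officers' private keys are generated in-process only for the demonstration, whereas in a real system each officer holds their own key (see Q23).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const nonceLen = 12 // standard AES-GCM nonce size

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptLayer wraps payload in one officer's layer: RSA-OAEP-wrapped AES key (pub.Size() bytes) | nonce | AES-GCM ciphertext+tag.
func encryptLayer(pub *rsa.PublicKey, payload []byte) ([]byte, error) {
	kn := make([]byte, 32+nonceLen) // fresh AES-256 key and nonce, used for this layer only
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append(wrapped, nonce...), nonce, payload, nil), nil
}

// decryptLayer removes the outermost layer; it fails unless priv belongs to the officer whose public key added that layer, and on truncated or tampered input.
func decryptLayer(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	wl := priv.Size()
	if len(blob) < wl+nonceLen {
		return nil, fmt.Errorf("layer truncated")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:wl], nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed (wrong officer or wrong order): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[wl:wl+nonceLen], blob[wl+nonceLen:], nil)
}

// SealBid applies one layer per officer in the predefined order: officer 1's key first (innermost).
func SealBid(bid []byte, officers []*rsa.PublicKey) (blob []byte, err error) {
	blob = bid
	for i, pub := range officers {
		if blob, err = encryptLayer(pub, blob); err != nil {
			return nil, fmt.Errorf("officer %d: %w", i+1, err)
		}
	}
	return blob, nil
}

// OpenBid takes the private keys in the SAME officer order used for sealing and
// peels the layers in reverse: the last officer to encrypt must decrypt first.
func OpenBid(sealed []byte, officers []*rsa.PrivateKey) (blob []byte, err error) {
	blob = sealed
	for i := len(officers) - 1; i >= 0; i-- {
		if blob, err = decryptLayer(officers[i], blob); err != nil {
			return nil, fmt.Errorf("officer %d: %w", i+1, err)
		}
	}
	return blob, nil
}

func main() {
	privs, pubs := []*rsa.PrivateKey{}, []*rsa.PublicKey{} // constructed sample: fresh keys stand in for the officers' real keys
	for i := 0; i < 3; i++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		privs, pubs = append(privs, k), append(pubs, &k.PublicKey)
	}
	bid := []byte("constructed sample bid: quoted amount and technical offer")
	sealed, err := SealBid(bid, pubs)
	if err != nil {
		panic(err)
	}
	opened, err := OpenBid(sealed, privs)
	fmt.Printf("%d-byte bid -> %d-byte sealed bid -> %q (err=%v)\n", len(bid), len(sealed), opened, err)
	// Wrong order: officer 1's key is offered for the outermost layer, which belongs to officer 3.
	_, err = OpenBid(sealed, []*rsa.PrivateKey{privs[2], privs[1], privs[0]})
	fmt.Println("wrong order:", err)
}
```

SealBid applies officer 1's key first and officer 3's last, so officer 3's layer is outermost and OpenBid must use officer 3's private key first. Offering the keys in any other order fails at the very first layer with a key-unwrap error, and a truncated or modified sealed bid fails the length check or the GCM tag check; this is what makes the reverse-order rule of Q22 enforceable by the system rather than merely procedural.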