
Guidelines for compliance to Quality requirements of eProcurement Systems

STQC Directorate
Department of Information Technology, Ministry of Communications & Information Technology, Electronics Niketan, 6 CGO Complex, Lodhi Road, New Delhi 110003

Dt: 31.08.2011

CONTENTS

1.0 Introduction
2.0 Operating Models of eProcurement System
3.0 Specific requirements of eProcurement System
4.0 Requirements of Conformity
5.0 Testing framework for Quality and Security Characteristics
6.0 Evaluation & Certification process

Annexures
Annexure I: Risks of eProcurement Systems and related ISO 27001 controls
Annexure II: Checklist for eSecurity Compliance (including CVC Guidelines)
Annexure III: Checklist for compliance to GOI procurement procedures (GFR)
Annexure IV: Checklist for legal compliance (IT Act Amendment 2008)
Annexure V: Definitions and Reference Documents

Reference documents:
1. eTendering Process
2. eTendering Glossary
3. eProcurement Integrity Matrix
4. OWASP (Open Web Application Security Project) Top 10 Application Security Risks 2010
5. Business requirements specification: cross-industry eTendering process (Source: CWA 15666)

Forms & Templates:
Template I: Template for defining Usability Requirements Specifications of the Software product
Template II: Template for Performance Specification
Form I: Application form for applying for Testing to STQC


1.0 Introduction

1.1 Background

The public sector is one of the biggest purchasers of goods & services in the economy. The Government of India acknowledges that automating the procurement process using electronic tools/techniques and enabling opportunities to suppliers fully supports the objective of non-discrimination and fair & open competition. eProcurement is identified as a mission mode project under the National eGovernance Plan. The objective is to transform public sector purchase activity from a labour-intensive, paper-based process to an efficient eProcurement process.

Electronic Procurement (eProcurement) is the use of Information and Communication Technology (especially the Internet) by the buyer (in this case Government) in conducting their procurement processes with suppliers for the acquisition of goods (supplies), works and services. Use of Information Technology promotes the aims of open, non-discriminatory and efficient government procurement through transparent procedures. It is the technology-enabled acquisition of goods and services, required by an organisation, at the best value obtainable in the most efficient manner possible.

The factors driving the adoption of eProcurement are:
- Reduced purchasing cost and improved efficiency
- Standardized purchasing processes across the organization
- Reduced administrative costs with better effectiveness
- Significant reduction in the procurement cycle
- Reduced discretion

At the same time the inhibitors to adoption are:
- Lack of supplier readiness
- System integration issues (compatibility and interoperability)
- Confidence in the system (Security, Functionality and Performance)
- Insufficient skilled staff

eProcurement involves a set of technology solutions which concentrate on different key areas of procurement such as eTendering, eAuction or Reverse Auction, eCatalogue/Purchasing, eMarketPlace, eInvoicing etc.

The focus of the current Guidelines is mainly on eTendering (i.e. tendering with encrypted bids, the equivalent of which in the manual context would be sealed bids).

This document provides the guidelines for compliance to quality requirements of eProcurement systems. The essential quality characteristics of an eProcurement system cover Security, Transparency & Functionality.

1.2 General Requirements of eProcurement System

The basic requirements of any eProcurement system are to achieve the goal of Government procurement, standardisation of procurement processes and information entities in an efficient and transparent way. Hence the key requirements are to:

Address the requirement of GFR
For public procurement of goods, services and works (e.g. construction), compliance with GFR rules, processes and roles (purchasing officer, local purchasing committee etc.) are mandatory requirements. The GFR rules need to be applied in the application workflow of the eTendering process. The eProcurement System should be designed as per the defined workflow with adequate security measures.

Confidentiality and Integrity of Information
The key requirement of procurement in a public service organisation is to maintain the confidentiality & integrity of the information in the procurement life cycle, to protect the interest of buyer & supplier and to encourage competitiveness in the business. The eProcurement platform transacts confidential procurement data and is exposed to several security threats. This requires employing a combination of security technologies and security best practices which result in a reduced threat of data loss, leakage or manipulation.

Address Vigilance Guidelines
The system should meet the requirements of guidelines issued from time to time by the Central Vigilance Commission.

System Adaptability & Customisation
The eTendering System needs to have templates to offer flexibility in bidding methodologies as prevailing and followed currently in the manual process. Further, the system should have templates to adopt bidding methodologies as may be prescribed by the respective authorities.

1.3

The aim of this document is to provide guidelines that could be followed for designing/developing some critical functionality in an eProcurement system, as well as the necessary process for monitoring adherence to the security and transparency requirements of an eProcurement system during implementation and post-implementation by the eProcurement application developers, service providers and other stakeholders.

1.4 Objective

To provide Guidelines for assuring Quality and Security of an eProcurement system so that confidence can be provided to its stakeholders that the system is secure, transparent, auditable & compliant with government procurement procedures.

Target Audience
- Purchase/Head of Public Service Organization
- eProcurement Service Provider
- eProcurement Solution Provider/Application Developer
- Third Party Testing and Audit Organization

1.5 Approach

To achieve the above objective the following approach is recommended:
- Evaluation of the eProcurement System (including data, software, hardware, network, process) to ensure:
  o Correct & complete implementation of organisation procurement policies & procedures
  o Compliance to GFR rules, CVC guidelines, IT Act (including amendments)
  o Assuring Security by Design & Development (i.e. some critical security and transparency related functionality has to be built into the eProcurement software application), Implementation, Deployment & Use
  o Security of Data Storage and Communication
  o Performance
  o Usability
  o Interoperability
- Identification of risks and concerns of the eProcurement system & providing the guidelines for mitigating the identified risks.

2.0 Operating Models of eProcurement System

There are four operating models for eProcurement (Reference doc 1):

i) Dedicated eProcurement System: the Government organization wishing to do eProcurement owns and controls the system infrastructure, and also controls all the procurement activities carried out.

ii) Outsourcing Model 1 (Partial Outsourcing: Managed Services): The Government organization procures and owns the system, which is managed by a service provider with adequate security controls. There is a risk that service providers may get access to vendor data. Issues relating to the Official Secrets Act shall be considered for this model.

iii) Outsourcing Model 2 (Partial Outsourcing: Infrastructure Support): The Government organization uses the eProcurement system of a Service Provider. The Service Provider also owns and controls the infrastructure. There is a risk that service providers may get access to vendor data & that the service provider may start participating in the core procurement process. Issues relating to the Official Secrets Act shall be considered for this model.

iv) Outsourcing Model 3 (Full Outsourcing (ASP) Model): Multiple Government organizations can register and themselves use the ASP's portal for their various eTendering/eAuction activities, with complete control of all the core tendering activities in their hands, without any intervention from the service provider. The registration/de-registration activities and the portal infrastructure are managed by the service provider with adequate security controls. In this case, essentially the Service Provider is only a platform provider. The powers and responsibility of the tendering process remain in the hands of the duly authorized officers of the government organizations, and do not get transferred to third party service providers as in Outsourcing Model 2 (Full Outsourcing). So while there is some outsourcing in respect of infrastructure, there is no outsourcing of the actual tendering/procurement activities by the concerned user Government organizations.

All models of eProcurement system must incorporate the functionality, processes and technologies outlined in Annexures I, II, III and IV, and especially apply countermeasures to mitigate known risks (Annexure I).

3.0 Specific requirements of eProcurement System

3.1 The service provider in consultation with the Purchase Officer shall establish the following process:

- Business Process Re-engineering: switching from Manual Procurement to eProcurement. (Since Government tendering processes fall within a standard framework, only limited options should be given to the Purchase Officer. The Service Provider/Purchase Officer should not be able to reduce the essential security and transparency aspects of the system on the pretext of re-engineering and customization.)
- Implementation of Bid Encryption at the client end (i.e. the bidder's computer) using a Symmetric Key, or an Asymmetric Key (PKI based), subject to the issues raised in Annexures I and II being suitably addressed.
- Bids before transmission from the bidder's computer should be protected with SSL Encryption.
- Functionality/Security/Transparency related Requirements of a Manual Tendering System and conformance of their availability in the offered eProcurement system (functionality requirements of GFR & CVC guidelines).
- The eProcurement System must have templates to offer flexibility in bidding methodology as prevailing and followed currently in the manner of processing. Further, the system should have templates to adopt bidding methodology as may be prescribed by the purchaser, as long as the methodology is a legally acceptable methodology.
- The eProcurement System should deploy PKI based technologies for authenticating the bids and opening the electronic tender box. A secure methodology for decrypting bids should be deployed corresponding to the encryption methodology deployed (viz. symmetric, or PKI based asymmetric). The entire IT hardware infrastructure of the eProcurement System, which includes application software, hardware and system software, shall be hardened as relevant. The system must deploy anti-spyware and anti-spam with a provision to update regularly. The updation of these software on the eProcurement System shall be done using the offline updation mode. The eProcurement System must have software tools to protect the operating system from injection of spyware. The entire infrastructure shall be protected and secured at the perimeter level by installing firewalls and an Intrusion Prevention System. The system shall be configured properly so as to detect any kind of intrusion into the IT system.
- The eProcurement System can be further secured by installing suitable security incident and event management mechanisms, SIEM (Security Incident Event Management).
- The eProcurement application should have audit trail facilities.
- The PKI Key Management System for authenticating the bids or other purposes must specify the holder of the private key and public key. The procedure in this case may be prescribed.
- The eProcurement System should not provide read access to passwords to the Administrator. The eProcurement System further should not have a "forgot password" feature which provides an administrator-generated or system-generated temporary password. Once the password is forgotten, a new password may be allotted following a set of processes needed for allotment of a password. The forgot-password request shall be digitally signed.

3.2 The Purchase Officer of a Public Service Organisation (Government Department) must ensure that the eProcurement system which he intends to use complies with all the applicable requirements listed in Sections 3 and 4. The Purchase Officer must analyse the risk arising out of establishment of the above mentioned processes and apply suitable controls. Annexures I, II, III and IV may be followed.

3.3 Escrowing of Source Code
The source code of the eProcurement application software, along with the modifications/changes/patches which are implemented by the agency from time to time, shall be escrowed with the agency nominated by the user organizations or government in the case of dedicated portals.

3.4 An MOU would be entered into between the purchase officer/purchase organization and the service provider.

4.0 Requirements of Conformity

4.1 eProcurement systems must address:
- The eProcurement application should have provisions for ensuring validation of PKI signatures through the Certificate Revocation List (CRL) and the validity of the certificate.
- Shall have a mechanism for time synchronisation by using a time synchronisation service (TSS) at hosting level, or synchronisation with the master server at the data centre where the eProcurement system is hosted.
- Time Stamping [a facility should be there in the eProcurement application for time stamping of all important events like creation of tender notice, approval of tender notice/tender documents, submission of bids and supplementary bids (like modification, substitution, alternatives), etc.]
- The system must conform to GFR rules, processes, roles (purchasing officer, local purchasing committee etc.), compliance to CVC guidelines and the Information Technology Act (including amendments) and other laws of the land as applicable.

4.2 Other Requirements for Quality and Security Evaluation:
The following conditions shall be agreed in writing by the service provider:
- For the Dedicated portal and ASP Model, the eProcurement application should have a facility for generating audit logs, which should be accessible (in downloadable form) to a specially designated officer of the Purchase organization. For Outsourcing Models 1 and 3, the eProcurement service provider shall submit all the logs of transactions created by the eProcurement solution, including forensic image, on a quarterly basis or as prescribed by the user organization regularly, and as and when demanded by the purchasers. The logs will be duly signed by the administrator of the service provider with his electronic signature.
- The audit for certification of the entire eProcurement solution shall be undertaken after its deployment and prior to its usage.
- The eProcurement solution, including the computer server, shall be installed in India. No data as captured/stored in the eProcurement solution will be taken out of India. However, bidders outside India should be able to quote and download permitted data/information.
- The audit of the complete eProcurement system shall be undertaken only on the request of the organization/agency who wishes to use/install the system. The software application can be tested based on the request of the developer.
- The eProcurement solution shall need to be tested and audited again after it has been significantly modified (addition/deletion of functions/modules) or customized for a new organization, whether in standalone or shared mode.
- The traffic emanating to and from eProcurement systems will be scanned if required by the authorised body. The traffic (netflow) emanating to and from the eProcurement System may be provided to CERT-In.

Storage of Electronic Invoices
It is assumed that invoices transmitted electronically will be stored electronically. If a public service organisation wishes to store invoices in paper form, the same shall be provisioned in the local purchase procedure approved by the competent authority. For VAT purposes records must be retained for the number of years provided in the respective Act. The records may be stored anywhere: State Data Centre or the PSU's own data center. The only requirement is that of security, strategic control, and that records must be made available to the public service organisation on demand within two working days.
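The time stamping of tender events (4.1), the downloadable audit logs (4.2) and the rule that the administrator has no read access to passwords (3.1) can be met with standard primitives. The block below is an added illustration, not STQC's or any vendor's code: it uses only the Python standard library, and the event names, tender identifier, actor names and timestamps are constructed for the example.

```python
"""Added illustration (not STQC's or any vendor's code): a tamper-evident,
server-time-stamped audit trail for the tender events listed in 4.1, plus
credential storage that no one, including the administrator, can read back
(3.1). Standard library only; event names and sample data are constructed."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Events that 4.1 requires to be time stamped (constructed identifiers)
IMPORTANT_EVENTS = {
    "TENDER_NOTICE_CREATED", "TENDER_NOTICE_APPROVED",
    "BID_SUBMITTED", "BID_MODIFIED", "BID_SUBSTITUTED", "TENDER_BOX_OPENED",
}
GENESIS = "0" * 64


class AuditTrail:
    """Hash-chained log: every entry carries an HMAC over its own fields and
    the previous entry's HMAC, so editing, deleting or reordering any entry
    is detected by verify(). The key lives with the application, not in the
    administrator's console, so the log cannot be silently re-signed."""

    def __init__(self, log_key: bytes):
        self._key = log_key
        self.entries = []

    def _mac(self, fields: dict) -> str:
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()

    def record(self, event: str, actor: str, details: dict,
               when: Optional[datetime] = None) -> dict:
        if event not in IMPORTANT_EVENTS:
            raise ValueError(f"unknown event type: {event}")
        # Timestamp comes from the synchronised server clock (4.1), never from the client
        stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        entry = {
            "seq": len(self.entries),
            "ts": stamp,
            "event": event,
            "actor": actor,
            "details": details,
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry["mac"] = self._mac(entry)   # MAC over all fields above
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the first entry; False on any break."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "mac"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(fields), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 digest (3.1): the record lets
    the system verify a login but gives the administrator nothing to read."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Walk a constructed tender through its events, then show that a silent
    edit of a bid record and a deleted event are both detected."""
    trail = AuditTrail(secrets.token_bytes(32))
    t0 = datetime(2011, 8, 31, 10, 0, tzinfo=timezone.utc)  # constructed times
    bid_digest = hashlib.sha256(b"constructed encrypted bid blob").hexdigest()
    trail.record("TENDER_NOTICE_CREATED", "purchase_officer", {"tender": "T-0001"}, t0)
    trail.record("TENDER_NOTICE_APPROVED", "competent_authority",
                 {"tender": "T-0001"}, t0.replace(hour=11))
    trail.record("BID_SUBMITTED", "bidder_A",
                 {"tender": "T-0001", "bid_sha256": bid_digest},
                 t0.replace(month=9, day=5))
    intact = trail.verify()
    # Attempt 1: an insider back-dates the bid submission
    original_ts = trail.entries[2]["ts"]
    trail.entries[2]["ts"] = t0.replace(month=9, day=4).isoformat(timespec="seconds")
    edit_detected = not trail.verify()
    trail.entries[2]["ts"] = original_ts
    # Attempt 2: the approval event is removed from the log
    del trail.entries[1]
    deletion_detected = not trail.verify()
    return intact, edit_detected, deletion_detected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```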

5.0 Testing framework for Quality and Security Characteristics

5.1 eProcurement Quality and Security Assurance Model
An eProcurement Quality and Security Assurance Model is depicted below (figure not reproduced):

The Quality & Security evaluation model consists of four layers, namely Data, Application, Infrastructure and Process. Layer by layer assessment will ensure compliance with applicable requirements such as CVC, IT Act, GFR 2005 and concerns of other stakeholders.

5.2 Description of the model
A brief description of the layers (from outermost to inner) is given below.

Process Layer

ISO 27001 Process Audit#
Verification of the IT security processes to ensure that secure and best practices are followed in operation and maintenance of the eProcurement System, in line with the international standard on Information Security Management Systems, ISO 27001/27002.
To supplement the functionality built into the eProcurement system, where some requirements of the eProcurement system and allied processes are being addressed through organizational procedures under ISO 27001/27002, these should be explicitly defined with satisfactory explanations. At the time of certification/audit, such procedures as outlined by the eProcurement vendor/service provider in response to Annexures I, II and III of these Guidelines shall be reviewed and evaluated.

Monitoring against agreed SLAs#
SLA monitoring shall ensure that the eProcurement system is adhering to the agreed upon service related (i.e., user centric) as well as system related (i.e., technology centric) service quality requirements such as availability, performance, problem resolution, etc. While service related SLAs take care of the service delivery issues, the system related SLAs address the IT technology (hardware, software and network) used in delivering the services.

Infrastructure Layer

Architecture Review#
The review of the eProcurement system shall be done to ensure that the defined architecture of the eProcurement system is adequate and suitable for meeting the various operational and service delivery requirements such as performance, security, availability, etc.
It is also recommended that once the eProcurement system is deployed, the deployed architecture should be audited to verify its compliance against the defined architecture. The audit should cover logical positioning of various system components such as firewall, IDS/IPS, servers, load balancer, etc. In addition, end to end transaction flows should be verified to ensure that they are going through the defined path, by using dummy test transactions and analysis of logs at various layers. The Certification body shall use a standardized checklist for the criteria.

Vulnerability Assessment (Servers & Network Devices)#
System configuration checking or verification of hardening, and vulnerability scanning, shall be performed to find out weaknesses, vulnerabilities and misconfigurations in the target hosts (Servers, Routers, Firewalls, Switches etc.) which host the eProcurement application system. The Certification body shall use a standardized checklist for the criteria.

Penetration Testing of the System#
Penetration Testing (PT) shall normally be done remotely from the public domain (Internet) and can also be done from the internal network to find out exploitable vulnerabilities. A series of tests such as information gathering from the public domain, port scanning, system fingerprinting, service probing, vulnerability scanning, manual testing, password cracking etc., using state-of-the-art tools (commercial and open source) and other techniques, shall be used with the objective of unearthing vulnerabilities and weaknesses of the overall eProcurement system and its underlying IT infrastructure. The Certification body shall use a standardized checklist for the criteria.

Performance Testing of the System#
Performance testing of the eProcurement system shall be done to ensure that the system is capable of handling the defined user as well as transactional load. Performance testing of the eProcurement system essentially means measuring the response time of the system for defined scenarios. While measuring the response time it is important to record the resource (CPU, Memory, etc.) utilization. The capacity of the eProcurement system should be checked by systematically increasing the load on the system till performance degradation or system crash is encountered. Also the manner/trend in which performance changes with load will determine the scalability of the eProcurement system.


Application Layer

Application Design Review#
(Note: This would be applicable only where customized software development is being done for a specific organization. Furthermore, it should be noted that this review would not be a substitute for the review and testing of critical security and functionality outlined in Annexures I, II and III of these Guidelines.)
Design review covers the high level design and the low level (detailed) design of the eProcurement software application. It will ensure that the software has been designed using best practices and design rules. The review will verify that the design has modularity, flexibility, low complexity, structural fan-in & fan-out, and that it is loosely coupled & highly cohesive. The correctness of the logic and algorithms used in the detailed design should be verified, including any zero day vulnerability in the algorithm.

Application Code Review*
(Note: This would be applicable only where customized software development is being done for a specific organization. Furthermore, it should be noted that this review would not be a substitute for the review and testing of critical security and functionality outlined in Annexures I, II and III of these Guidelines.)
The code review (i.e., static analysis) of the software application source code shall be carried out using tools, and shall measure metrics such as Lines of Code, Code Complexity, Fan-in & Fan-out, Application Call Graph, Dead Code, Rule Violations, Memory Leaks etc. It is also recommended to perform a walk-through of the source code with the code developer to verify the logic and algorithms used for correctness and optimization. Special focus should be given to identifying any unwanted functions (not required by the eProcurement software application), as these unneeded functionalities can be potential security threats.

Application Functional Testing#
The functional testing of the eProcurement software application shall be carried out to validate that the application meets the specified functional requirements covering the workflows, navigation, and business & data validation rules for the defined user categories with access rights. The functional testing should be done following a black box approach and using end to end user scenarios.
(Note: Detailed scenarios would be prepared for each application software to be tested. This would include all important steps and scenarios of Government Tendering, as well as all issues outlined in Annexures I, II and III of these Guidelines.)

Application Security Testing#
The test is conducted to unearth various application security vulnerabilities, weaknesses and concerns related to Data/Input Validation, Authentication, Authorization/Access Control, Session Management, Error Handling, Use of Cryptography, etc. Typical issues which may be discovered in application security testing include Cross-site scripting, Broken ACLs/Weak passwords, Weak session management, Buffer overflows, Forceful browsing, Form/hidden field manipulation, Command injection, SQL injection, Cookie poisoning, Insecure use of cryptography, Misconfigurations, Well-known platform vulnerabilities, Errors triggering sensitive information leak etc. OWASP (Open Web Application Security Project) guidelines are used for the testing.
(Note: Detailed scenarios would be prepared for each application software to be tested. These would cover all security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid encryption. In addition, standard security tests, viz. CERT-In, OWASP, FBI Top 20 (any other?) will be conducted.)

Application Usability Testing*
Usability testing usually involves systematic observation under controlled conditions to determine how well people can use the product. The eProcurement system is used by users of different levels of computer knowledge. User expectation varies with different types of user. Usability testing will ensure that all types of users are comfortable using the system. This shall be done by using defined international standards which recommend extensive user interaction and analysis of user behaviour for a defined task.

Application Interoperability and Compatibility Testing*
Interoperability Testing shall be done to check if the software can coexist and interchange data with other supporting software in the system. Compatibility testing shall check if the software runs on different types of operating systems and other hardware/software/interfaces according to customer requirements.

Data Layer

Data Storage Security Audit#
This is to be done to ensure the use of standard and strong cryptography while storing sensitive data and user credentials in the application or associated database. It is also verified that the cryptography used is compliant with the Information Technology Act and the CVC guidelines.

Data Communication Security Audit#
This is to be done to ensure that a secure communication channel like SSL, TLS or equivalent is used for transmission of sensitive data and credentials by the eProcurement system. The cryptographic algorithms and the key size implemented by the system should be standard, strong and compliant with the IT Act and the CVC guidelines. It is recommended that the complete data transmission to and from the eProcurement website should be SSL/TLS enabled.

6.0 Evaluation and Certification Process

6.1 The applicant shall submit the request to the Testing and auditing agency (like STQC) to get the eProcurement System assessed. The application should specify whether testing is required only for the eProcurement application, or for the complete eProcurement system, viz. the application along with the server in a specific hosting environment. Application for the former case can be made by the application software developer or licensor, and will cover only Part 1 of the two scenarios outlined below. The application for the latter case can be made by the service provider, or the organization which is procuring the system for its dedicated use, and will cover both Parts 1 and 2 of the two scenarios outlined below.

6.2 Inputs & access required by the Certification Body

[Scenario A: Where Customized Software Development of an eProcurement System is undertaken]

(Part 1) Inputs required for Application Testing
o RFP of the eProcurement
o Software Requirements Specification (SRS) addressing functional and non-functional requirements including business functions and applicable regulations, standards and policies.
o User manual (operational instructions).
o Software application related information such as Workflows/Navigation, Business logic/Rules, Validation Rules, Screenshots and User categories with roles & access rights. Specifically for testing, application related information such as Workflows/Navigation for creating comprehensive System Test Cases covering various tendering scenarios, and User categories with roles & access rights, would be required.
o Software Design Document
o Software Application Source Code (if the need is to assess all desirable requirements)
The inputs should be available along with access to the application hosted in a staging environment with test data.
Note: Apart from review of the developmental aspects, detailed scenarios would be prepared for each application software to be tested. This would cover all security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid encryption.

(Part 2)
- System Architecture
- Security Architecture for conducting VA&PT
- ISMS of eProcurement Information System (eSecurity Manual)
- Access to eProcurement system/test site with sample data (preferably field data).
- Access to hardware, software, Network & IT infrastructure to connect test tools onto the system, where required.
A Non-disclosure Agreement (NDA) will be signed by STQC to cover the confidentiality of the information submitted by the applicant.

[Scenario B: Where a Ready-to-Use eProcurement Software License is to be provided, or eProcurement Services are made available through an ASP]

Note: The focus of Testing/Certification here is on the Functionality, Security and Transparency related aspects.

(Part 1)
o User Manual (operational instructions), or equivalent Guidelines for users provided online on the screens of the application
o Software application related information such as Workflows/Navigation for creating comprehensive System Test Cases covering various tendering scenarios, User categories with roles & access rights.
The inputs should be available along with access to the application hosted in a staging environment with test data.
Note: Detailed scenarios would be prepared for each application software to be tested. These would cover all security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid encryption.

(Part 2)
- System Architecture
- Security Architecture for conducting VA&PT
- Access to eProcurement system/test site with sample data (preferably field data).
- Access to hardware, software, Network & IT infrastructure to connect test tools onto the system, where required.
A Non-disclosure Agreement (NDA) will be signed by STQC to cover the confidentiality of the information submitted by the applicant.

6.3 Requirements of Compliance for demonstration

Testing and assessment as specified in Section 4.0 shall be carried out.

To demonstrate conformity to the ESSENTIAL Quality and eSecurity assurance requirements and minimum functionality compliance, the following shall be complied with:
- Evidence of compliance to implementation of an ISO 27001 Information Security Management System with applicable controls in all concerned entities. The security processes shall be audited as per the controls defined in the eSecurity Manual provided by the applicant, and/or in the applicant's response to Annexures I, II, III and IV.
- The risk analysis methodology used by the service provider shall adequately address the concerns raised in this document (Annexure I). The mitigation methodology and techniques implemented should ensure that the eProcurement Information System is secure.
- While implementing the security controls the service provider shall demonstrate that the requirements of vigilance administration (CVC) (Annexure II) are adequately addressed in the Information Security Management System. Also, while implementing ISO 27001, the solution provider shall ensure that adequate controls have been implemented to ensure that security at design and operation level is addressed adequately.
- The software shall be tested for functionality, workflow and other essential requirements (like Central Vigilance Commission Guidelines, GFR, Information Technology Act; Annexures I, II, III and IV).
- The application hardening shall be assessed for the Top 10 vulnerabilities defined by OWASP (Reference doc 3).
- The network should be assessed for adequate security through penetration testing and vulnerability assessment as per NIST 800-115. To demonstrate that the requirements are implemented and effective, the services of agencies empanelled by CERT-In can be used (http://www.cert-in.org.in).

To demonstrate compliance to the DESIRABLE requirements the following shall be complied with, where applicable:
- The software source code shall be evaluated using a white box test approach through a code review/inspection process for identifying malicious code/Trojans etc.
- The workflow shall be in line with the requirement of CWA 15666 for standardized Business Processes and Information Entities using UML Version 1.4 and the ebXML Core Components Technical Specification for Data Structure (Reference doc 4). This will attain the objective of Interoperability and Compatibility of various solutions at both the buyer and supplier end.
- The solution shall be tested against Usability requirements as per the Usability information defined in Template I.

6.4 If results are satisfactory and meet the requirements of this document, STQC shall issue a letter indicating Conformity with the specified requirements.


Certification Process Flow Chart (text recovered from the chart):
- Applicant requests STQC for Certification
- Contract Agreement between STQC and Applicant; Non-disclosure agreement
- STQC to evaluate evidence of conformity supplied by the Applicant (refer to the Guidelines for Quality Requirements of eProcurement System); satisfactory / not satisfactory
- Assessment of Information System; Testing of Application by test lab: Test Pre-requisites & Procedure, Test Activities, Test Records, Test Reports
- Result satisfactory: Grant of Certificate of approval; update the record and maintenance of certificate
- Result not satisfactory: Corrective Action by Supplier; intimate client of non-compliance; if minor discrepancy, ask client to provide the information; if major and not able to close, then close the job with intimation to Applicant



Scope of Certification

The eProcurement life cycle consists of the following activities:
- Purchase to pay
  o Contract management
  o Content management
  o Selection/requisition
  o Workflow approval
  o Order
  o Receive
  o Invoice
  o Payment
- eSourcing
  o Management information
  o Collaboration
  o Specification/notice
  o Expression of interest
  o Invitation to tender
  o Evaluate
  o Negotiate/reverse auction
  o Award

Generally, these activities are covered in different modules, e.g.:
- Supplier Registration
- eTendering
- eAuction
- ePayment
- Accounting
- Reverse Auction
- eCatalogue Management
- MIS
- Contract Management

The applicant can define any module as a part of the scope of certification, while the eTendering module is the essential requirement to obtain the certification. Depending on the complexity of the module and the scope identified by the applicant, the Certification Body/Test Agency will charge for testing and certification.

Note: For any major change in the application (e.g. encryption method, tender opening event, process re-engineering), the application requires to be completely retested. It is further emphasized that the service provider should not have the source code, and the escrowing requirement mentioned earlier should be strictly adhered to.


Annexure I: Risks of e-Procurement Systems and related ISO 27001 controls
(Table columns: Sl. No. | Risks/Concerns | Control Identification | ISO 27001 Control Reference. Each row is given below with its guidance and recommended practices.)

1. Concerns related with Electronic vs. Manual Procurement

1.1 Risk/Concern: While implementing an e-Procurement system the solution provider may do business process re-engineering to make the system efficient and effective. There is a risk of compromising basic principles of public procurement.
Control: Identification of applicable legislation.
ISO 27001 reference: A.15.1.1: All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.
Guidance and recommended practices: The underlying principle of the e-tendering and manual tendering process should be the same in respect of guidelines of CVC, GFR, legal and transparency related requirements. While doing re-engineering these requirements shall not be negotiated and compromised. Since section A.15.1.1 of ISO 27001 demands explicit definition of the requirements, Annexures I, II, III of these Guidelines should be treated as a Checklist for this purpose.

1.2 Risk/Concern: Incorporation of multiple bidding methodologies in e-Procurement solutions as provisioned in the Manual Procurement System, and the flexibility in the solution to the extent required.
Control: Identification of applicable legislation.
ISO 27001 reference: A.15.1.1 (as quoted under 1.1).
Guidance and recommended practices (e-Procurement System): Depending upon the requirements of a tender, any one of the multiple bidding methodologies as outlined below shall be provisioned in the application:
- Single stage, single envelope
- Single stage, two envelope
- Two stage (with facility for technical conformance and, if required, revised tender documents)
- Two stage, two envelope, and requirement of a Pre-qualification stage when required; submission of one or more Alternative bids as applicable.
Each bid part (e.g. technical, financial) may be required to be submitted in a summary format along with a detailed bid. The latter could be a large file. There should be provision of appropriate file size (at least 10 MB) in the application, with data encryption as outlined elsewhere in these Guidelines.
After having submitted the original bid for each bid part, a bidder has a right to submit:
- Modification bid
- Substitution bid
- Or Withdrawal bid for all his bid submissions.
The e-tendering system must effectively cater to all these possibilities without compromising security and transparency in any manner at any stage, for any bid part (such as Pre-qualification, Technical, and Financial).
The e-tendering system needs to have templates to offer flexibility in bidding methodologies as prevailing and followed currently in the manual process. Further, the system should have templates to adopt bidding methodologies as may be prescribed by respective authorities.

2.0 Concerns relating to Implementation of e-procurement systems using PKI based Bid Encryption

2.1 Risk/Concern: A system in which the Public Key of a Tender Opening Officer, or of any other officer of the purchase department, or of any person from the service provider's organization, is used for bid encryption, and the corresponding Private Key is used for decryption.
Many times bids are encrypted at the bidder's computer with a public key as mentioned above, and the encrypted bids, with additional SSL encryption, reach the e-tendering server through file upload and/or filling of online forms.
There are risks related to the integrity of persons in (a) the purchase (buyer) organization and (b) the e-Tendering Service Provider's organization, as typical implementation practices include:
- The Private Key with which decryption is done is available with the concerned officer before the Public Tender Opening Event.
- The Public Key with which bid-encryption is done is available publicly.
- Public Key algorithms are slow.
- A copy of the decryption key (i.e. the private key of the encryption certificate issued by a CA) is generally available (i.e. backed up) with the CA. A duplicate can generally be requested in case of loss; however, this can also be misused.
Controls: Cryptographic controls; Regulation of cryptographic controls.
ISO 27001 reference: A.12.3 Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means. A.12.3.1: A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A.12.3.2: Key management shall be in place to support the organization's use of cryptographic techniques. A.15.1.6: Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.
Guidance and recommended practices (Use of PKI technique): If the e-procurement system uses PKI for bid-encryption, it has to satisfactorily address the above issues and consequent concerns (Ref 2.2 below) through suitable functionality built into the e-procurement application. Where, in addition, some issues are being further addressed through organizational procedures under ISO 27001, these should be explicitly defined with satisfactory explanations, otherwise the certification process will become subjective. While doing this, the following can be kept in view:
Various techniques are available in the market for improving the implementation of PKI based encryption, such as escrowing, splitting and repeated encryption, to further strengthen the security of information and implementation. If the e-procurement system uses any of the above techniques, it will have to be explained how the related concerns (Ref 2.2 below) have been addressed. Furthermore, practical procedures will have to be put in place which can be implemented at the field level in diverse locations in the country in a user-friendly manner.

2.2 Risk/Concern:
(i) While all efforts must be made to ensure that no spyware is put in the server which can make clandestine copies of a file or data being uploaded to the server and then send this clandestine copy to a secret destination, the possibility of such spyware being planted in the webserver cannot be totally ruled out. This undesirable eventuality could occur due to connivance of the administrators of the Service Provider, or even through remote injection. For secure and transparent functioning of the e-tendering system, it cannot be assumed that there will never be such a possibility of spyware being planted in the e-tendering server.
(ii) If the spyware is planted at the kernel level, there may not be any audit trail.
(iii) Audit Trails (both application level and Operating system level) are essentially reports. To that extent it is possible to fudge these. Also, other than application level audit trail reports, the other audit trail reports can be quite complex and impractical to analyze for ongoing operations of this nature. In spite of this, audit trail reports are useful and should be there as supporting evidence. However, in a sensitive application of this nature, audit trails cannot be depended upon as the sole protection against any mala fide act.
Controls: Control of technical vulnerabilities; Protection against malicious and mobile code; OS Access Control; Log monitoring.
ISO 27001 reference:
A.12.6.1: Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
A.10.4.1: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
A.10.4.2: Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.
A.11.5.1: Access to operating systems shall be controlled by a secure log-on procedure.
A.11.5.2: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
A.11.5.3: Systems for managing passwords shall be interactive and shall ensure quality passwords.
A.11.5.4: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
A.11.5.5: Inactive sessions shall shut down after a defined period of inactivity.
A.11.5.6: Restrictions on connection times shall be used to provide additional security for high-risk applications.
A.10.10.1: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
A.10.10.2: Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.
A.10.10.3: Logging facilities and log information shall be protected against tampering and unauthorized access.
A.10.10.4: System administrator and system operator activities shall be logged.
A.10.10.5: Faults shall be logged, analyzed, and appropriate action taken.
A.10.10.6: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.

Guidance and recommended practices (Spyware/Trojan/BOTS): It is important that even if a clandestine copy is made and stolen as above, the bid encryption methodology should be such that it is not possible to decrypt the bids in connivance with any officer of the Buyer organization or the Service Provider organization. While this issue becomes irrelevant if bid encryption is done at the bidder end with a bidder-created symmetric pass-phrase, in case PKI based bid encryption is done, the software functionality has to be suitably augmented to mitigate this security threat. This threat has also been explicitly mentioned in CVC guidelines (refer security checkpoint No. 14 of Annexure II).
a) Controls should be placed to guard against the possibility of injecting spyware for making clandestine copies of a submitted bid and then sending this clandestine copy to a secret destination.
Spyware are malicious software codes which can be injected into the system remotely. To protect the system from injection of spyware, the system needs to be secured and protected in the following manner:
- Hardening of hardware and software of the entire Information Technology infrastructure (which includes computer systems, software, routers etc.).
- Installation of anti-spyware, anti-spam and anti-virus software.
- Installation of software tools to protect the operating system from injection of spyware. These software need to be upgraded on a continuous basis.
- The entire infrastructure needs to be secured at the perimeter level by installing Firewalls and an Intrusion Prevention System.
After installation of software and protection by devices, the entire IT infrastructure needs to be audited by Information Technology Auditors. The Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, has empanelled auditors for auditing systems from the point of view of cyber security. It is always recommended that the system should be audited at least once in a year, and as and when the infrastructure (i.e. hardware and software) is augmented by additions of new hardware and software. Further, people operating these systems need to be trained in monitoring and detecting any intrusion in the system and network.
b) The kernel of the operating system in the IT infrastructure should be secured first by hardening the operating system and installation of software which protects it from injection of spyware or any kind of intrusion.
c) The e-procurement system should have audit trail facilities. These audit trails are complex but dependable. The audit trail reports provide useful information about the instructions which take place in the system, both at the operating system and application software level. This information is necessary to analyze the nature of an intrusion and the vulnerabilities exploited, and to track the perpetrators. It also helps in taking steps to prevent future intrusion. The analysis of audit trails requires appropriate expertise both in respect of application and operating system. Such expertise is available in the country at many places. CERT-In also facilitates the user organization in analyzing the audit trails.

2.3 Risk/Concern: The Private Key with which decryption is done is available with the concerned officer before the Public Tender Opening Event.
a) If a clandestine copy of a bid is made as described above before the tender opening event (TOE), and if the concerned tender opening officer (TOE officer) connives in decrypting the bid before the TOE, the confidentiality of the bid is compromised.
b) The above concern, with the difference that the copy of the bid is made with the connivance of the Database Administrator (DBA).
c) If the concerned TOE officer(s) is/are absent during the TOE, how will the bids be decrypted, especially keeping in view that the private keys should not be handed over to anybody else?
Controls: Cryptographic controls; Segregation of duties.
ISO 27001 reference: A.12.3.1 (policy on the use of cryptographic controls) and A.12.3.2 (key management), as quoted under 2.1; A.10.1.3: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Guidance and recommended practices:
Note: While some guidance is provided below, it is the responsibility of the individual vendors to design and develop their applications in a manner that addresses the outlined concerns. They should first convincingly demonstrate the full methodology to DIT, and then DIT will transparently put this methodology on its website, so that bidders who use such e-procurement systems in future are fully assured against breach of confidentiality of their bid data.
A process needs to be established and followed in respect of key management of encryption keys, particularly the key with which the bid would be decrypted at the time of opening of the bids. Such a process should avoid compromising confidentiality and the possibility of decrypting a clandestine copy of the bid. In this regard the following three approaches may be adopted, with proper checks, while keeping in view the legality of the process for end users. Furthermore, practical procedures will have to be put in place which can be implemented at the field level in diverse locations in the country in a user-friendly manner.
- Splitting of Keys: A bidder would submit the bid document after encrypting it with the public key of the tendering organization, so that the contents are encrypted and are decrypted by the authorized officials at the tendering organization. To minimize the risks associated with a person of dubious integrity or collusion, the private key for decryption should be split into 'M' parts with a minimum of 'N' splits being required for its use ('N' should be more than 1 and less than or equal to M). 'N' and 'M' will be decided by the tendering organization and suitably configured on the system.
- Multiple encryption of the bid document with multiple public keys, and decryption of the document with the multiple corresponding private keys of the tendering organization: Application of multiple encryption of the bid document could be prescribed in a pre-defined order by authorized officials of the tendering organization. Decryption will have to be carried out in the reverse order. The multiple decryption keys (i.e. private keys) may be held by different officials of the tendering organization.
- Encrypting the bid document first with the public key of the bidder and then with the public key of the tendering organization: The bid document may then be decrypted by the private key of the authorized official of the tendering organization and then by the private key of the bidder. It may be noted that the decryption keys are applied in the reverse order of the application of the encryption keys. The implementation of this system, however, would require the physical presence of the bidder who encrypted the bid at the time of submission of the bid. Preferably the person of the bidding organization should be the same who has signed the bid by digital signature. There are logistic issues with this approach.

2.4 Risk/Concern: The Public Key with which bid-encryption is done is available publicly. The easy availability of the public key makes the data encrypted with it vulnerable to a Chosen Plaintext Attack.
Controls: Cryptographic controls; Regulation of cryptographic controls.
ISO 27001 reference: A.12.3.1 (policy on the use of cryptographic controls), A.12.3.2 (key management) and A.15.1.6 (cryptographic controls in compliance with agreements, laws and regulations), as quoted under 2.1.
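The "Splitting of Keys" approach recommended in the guidance for 2.3 above, as an added example that is not part of these Guidelines or of any vendor's e-procurement product: the bid-decryption key is split into M shares with Shamir's secret sharing so that any N of them (1 < N <= M) rebuild it, which lets a Public TOE proceed when some key holders are absent (concern 2.3(c)) without any officer handing over a private key, while fewer than N holders learn nothing about the key (concerns 2.3(a) and (b)). The officer roles, the key and the M=5, N=3 configuration are constructed assumptions for the demo.

```python
"""Added example (not part of the STQC guidelines or of any e-procurement product):
N-of-M splitting of the bid-decryption key, the "Splitting of Keys" approach in the
guidance for 2.3, implemented with Shamir's secret sharing over a prime field.
The key, the officers and the M/N values in the demo are constructed for illustration."""
import secrets
from typing import Dict, List, Tuple

# Mersenne prime 2^521 - 1: every key of up to 64 bytes is a field element below it.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, y): x identifies the share holder, y is the share value


def check_threshold(m: int, n: int) -> None:
    """Enforce the guideline's rule: N must be more than 1 and less than or equal to M."""
    if not 1 < n <= m:
        raise ValueError(f"N={n} must satisfy 1 < N <= M={m}")


def split_key(key: bytes, m: int, n: int) -> List[Share]:
    """Split a decryption key into M shares; any N of them recover it, fewer reveal nothing."""
    check_threshold(m, n)
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too long for the chosen field")
    # Random polynomial f of degree N-1 with f(0) = secret; share i is (i, f(i)).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, all arithmetic mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation of f(0) from the given shares (mod PRIME).
    With fewer than N distinct shares the result is a random field element, not the key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share identifiers")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # den^(PRIME-2) is the modular inverse of den (Fermat), PRIME being prime
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def recover_key(shares: List[Share], key_len: int) -> bytes:
    """Recover the key bytes; a value that does not fit key_len bytes means a wrong or short quorum."""
    secret = recover_secret(shares)
    if secret.bit_length() > 8 * key_len:
        raise ValueError("reconstructed value is not a valid key: insufficient or wrong shares")
    return secret.to_bytes(key_len, "big")


def tender_opening_demo() -> Dict[str, bool]:
    """Constructed scenario: five officers of the tendering organization each hold one
    share of the TOE decryption key, configured as M=5, N=3."""
    key = secrets.token_bytes(32)  # stands in for the real decryption key
    shares = split_key(key, m=5, n=3)
    officers = ["TOE officer", "Indent officer", "Finance officer",
                "Legal officer", "Audit officer"]  # constructed roles
    held_by = dict(zip(officers, shares))
    # Concern 2.3(c): two officers absent at the Public TOE; the three present still
    # suffice, and nobody had to hand over a private key.
    present = [held_by[o] for o in ("TOE officer", "Legal officer", "Audit officer")]
    quorum_recovers = recover_key(present, len(key)) == key
    # Concerns 2.3(a)/(b): any two holders together (e.g. one officer plus an insider
    # holding another share) learn nothing about the key before the TOE.
    two_only = [held_by["TOE officer"], held_by["Finance officer"]]
    below_quorum_fails = recover_secret(two_only) != int.from_bytes(key, "big")
    return {"quorum_recovers_key": quorum_recovers,
            "below_quorum_reveals_nothing": below_quorum_fails}


if __name__ == "__main__":
    print(tender_opening_demo())
```

In a real deployment the shares would be issued to the officers on separate tokens and combined only inside the TOE application, never on a shared workstation.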
Guidance and recommended practices:
Note: While some guidance is provided below, it is the responsibility of the individual vendors to design and develop their applications in a manner that addresses the outlined concerns. They should first convincingly demonstrate the full methodology to DIT, and then DIT will transparently put this methodology on its website, so that bidders who use such e-procurement systems in future are fully assured against breach of confidentiality of their bid data.

2.5 Risk/Concern: Public Key algorithms are slow. As a result, many e-tendering systems which use PKI for bid-encryption use mainly an encrypted online form for bid submission, and do not have facility for an encrypted detailed bid (e.g. a detailed technical bid as a file) along with the online form. As a result, the detailed bid is either not submitted, or it is submitted in unencrypted form.
Control: Capacity management.
ISO 27001 reference: A.10.3.1: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
Guidance and recommended practices:
Note: While some guidance is provided below, it is the responsibility of the individual vendors to design and develop their applications in a manner that addresses the outlined concerns. They should first convincingly demonstrate the full methodology to DIT, and then DIT will transparently put this methodology on its website, so that bidders who use such e-procurement systems in future are fully assured against breach of confidentiality of their bid data.

2.6 Risk/Concern: A system in which the Public Key of a bidder's representative is used for bid-encryption at the bidder's office, and where decryption will be done by the bidder's representative himself using his private key during the Online Public TOE.
Concerns:
a) Concerns outlined in 2.4 and 2.5 above are applicable here also, and should be suitably addressed.
b) How would the bids be opened if the bidder's representative with whose key the bids have been encrypted is not available during the Online Public TOE? The non-availability could be due to leave, termination or any other reason.
c) A copy of the decryption key (i.e. the private key of the encryption certificate issued by a CA) is generally available (i.e. backed up) with the CA. A duplicate can generally be requested in case of loss; however, this can also be misused.
Note: The private key cannot be transmitted by the bidder over the internet. Furthermore, during the Online Public TOE, bids cannot be allowed to be downloaded from the server to the bidder's computer. This would be tantamount to the bids being taken away from the tender box back to the bidder's office for opening. This cannot be allowed. Therefore the bidder will have to be physically present during the Public TOE, and such a system will never be able to have a proper Online Public TOE. This would immediately remove one of the biggest benefits of e-procurement. Assuming that all other concerns are satisfactorily addressed, this would at best be a PARTIAL e-procurement system.

3. Concerns relating to situations where bids, before being transmitted from the bidder's computer, are protected with only SSL Encryption, and Database level Encryption is done before the bid is stored in the Database Server

3.1 Risk/Concern:
i) For secure and transparent functioning of the e-tendering system, it cannot be assumed that there will never be any persons of dubious integrity in the Purchase organization.
ii) For secure and transparent functioning of the e-tendering system, it cannot be assumed that there will never be any persons of dubious integrity in the e-tendering Service Provider's organization.
iii) While all efforts must be made to ensure that no spyware is put in the server which can make clandestine copies of a file or data being uploaded to the server and then send this clandestine copy to a secret destination, the possibility of such spyware being planted in the webserver cannot be totally ruled out. This undesirable eventuality could occur due to connivance of the administrators of the Service Provider, or even through remote injection. For secure and transparent functioning of the e-tendering system, it cannot be assumed that there will never be such a possibility of spyware being planted in the e-tendering server.
iv) If the spyware is planted at the kernel level, there may not be any audit trail.
v) Audit Trails (both application level and Operating system level) are essentially reports. To that extent it is possible to fudge these. Also, other than application level audit trail reports, the other audit trail reports can be quite complex and impractical to analyze for ongoing operations of this nature. In spite of this, audit trail reports are useful and should be there as supporting evidence. However, in a sensitive application of this nature, audit trails cannot be depended upon as the sole protection against any mala fide act.
Controls: Cryptographic controls; Regulation of cryptographic controls.
ISO 27001 reference: A.12.3.1, A.12.3.2 and A.15.1.6 (as quoted under 2.1).
Guidance and recommended practices: Secure submission of the bid from the bidder's computer to the server should be done after the bid file/data is encrypted (with symmetric or asymmetric encryption) at the bidder's computer and further submitted to the e-procurement server through SSL encryption. Only the encrypted file submitted by the bidder should be stored, and it should be decrypted at the Tender Opening Event (TOE).

3.2 Risk/Concern: Assuming that only SSL encryption is applied to a bid while it is being transmitted from the bidder's computer to the server, it is a fact that the role of SSL encryption is limited to the transmission phase (i.e. transportation to the server), and that on reaching the server the SSL encryption is removed. The bid is now presumably encrypted again with PKI or a Symmetric Key. Albeit small, there is an interim period before the bid is encrypted again. In the interim period the bid is actually in an unencrypted state and to that extent vulnerable.
Irrespective of whether PKI or a Symmetric Key is used for encryption at Database level, the encrypting key is available/accessible to some officer of the purchase organization, or an administrator of the e-tendering Service Provider, or the DBA.
The above issues exist irrespective of whether only select data is encrypted, or the entire database is encrypted.
If a clandestine copy of a bid is made as described above in the interim period, which would be before the tender opening event (TOE), and if the administrator connives, the confidentiality of the bid is compromised.
1b. The above concern, with the difference that the copy of the bid is made with the connivance of the Database Administrator (DBA) and decryption is done in connivance with the person holding the decryption key.
Controls: Cryptographic controls; Regulation of cryptographic controls.
ISO 27001 reference: A.12.3.1, A.12.3.2 and A.15.1.6 (as quoted under 2.1).
Guidance and recommended practices: Secure submission of the bid from the bidder's computer to the server should be done after the bid file is encrypted (with symmetric or asymmetric encryption) at the bidder's computer and further submitted to the e-procurement server through SSL encryption. Only the encrypted file submitted by the bidder should be stored, and it should be decrypted at the Tender Opening Event (TOE). The two-way process as suggested may be followed strictly. This will address the concerns raised. The information, on reaching the server where the e-procurement software is deployed through SSL mode, will remain encrypted even after the SSL encryption is removed. Information will lie encrypted in the system hosting the e-procurement software. The Database Administrator (DBA) will not be able to decrypt the information as he will not be having the decryption keys. It may be mentioned here that at no point of time should the System Administrator or Database Administrator be authorized to hold the private (decryption) key. The organization shall have a procedure which can include three different approaches to address three different scenarios.

4. Concern about Symmetric key based Bid Encryption done at the Bidder's computer

4.1 Risk/Concern:
a) While bidders' representatives should be welcome during the Online Public TOE, it should not be mandatory for them to be present if their bids are to be opened.
b) How the security of the symmetric key (i.e. the key used for encryption of each bid part) is ensured between the period of bid submission and the Online Public TOE, keeping in view the concerns outlined above.
c) It should be allowed for a bidder to have different keys for bid-encryption of each bid part (such as Pre-qualification, Technical, and Financial) he submits.
Controls: Cryptographic controls; Regulation of cryptographic controls.
ISO 27001 reference: A.12.3.1, A.12.3.2 and A.15.1.6 (as quoted under 2.1).

Guidanceandrecommendedpractices Theorganizationshallhaveproceduretoaddressabove.EProcurementsystem shouldhavefunctionalitysuchthatthephysicalpresenceofbiddersshouldnotbe mandatoryduringOnlinePublicTOE. 5.Concerns/clarificationsbasedons42(1)oftheITAct2000relatingtoDigitalSignatures, aUserOrganizationsAdministrativeHierarchy,andsomerelatedaspects A12.3 5.1 In any large Government or PSU Purchase Cryptographic A.12.3.1 organization, there can be multiple indenting controls Apolicyontheuseof departments, multiple tendering authorities cryptographic (ie entities which can invite tenders in their Regulationof controlsfor name),andtens(andsometimeshundreds)of cryptographic protectionof Informationshallbe officers involved with different activities controls developedand relatingtovarioustenders. implemented. Asituationshouldnotariseintheetendering A.12.3.2 Keymanagement system where due to limitation of the e shallbeinplaceto tendering system, these departments and supportthe officers are not able to themselves execute organizationsuse ofcryptographic their duly assigned roles as in the manual techniques process, and are constrained to reassign/ abdicate their roles and responsibilities to a A15.1.6 fewtechsavvytechniciansorthepersonnelof Cryptographic the serviceprovider of the etendering controlsshallbeused incompliancewithall system. relevantagreements, laws,andregulations. Theconcernsinthisregardare: a) No such limitations exist in the offered e tenderingsystem,andthesystemsupports multiple departments and a comprehensivehierarchyofofficerswhich is such that each officer can continue to performhis/hertenderingrelatedroleina securemannerwithfullaccountability,and with no need for any reassigning of responsibilities.Itisbeingclarifiedthatthe objective here is not to provide a full
28

b)

c)

d)

e)

fledgedvirtualofficetotheofficers,butto provide adequate facilities within the applicationformultipleofficersofmultiple departments to carry out their respective tendering related activities with proper security and full accountability. Roles relating to various tendering activities within each department, and which could vary from tender to tender, would inter alia include deciding methodology and rules pertaining to a particular tender, creation of tender notice, approval/ rejection of tender notice, creation of corrigendum, approval of corrigendum, creationtenderdocumentforms,approval of tender document forms, overall approval/ rejection of tender documents, providing responses to clarification of tender documents, uploading minutes of prebid meeting, one or more officers conducting public online tender opening event (TOE), approving minutes of the public online TOE, shortlisting responsive bidders for the next stage (where applicable), managing roles of various personnel, and assigning alternative personnelincasetheoriginalassigneesare absent,etc. The offered etendering system has facility, such that roles with conflict of interest can be offered to different persons within the organization, so that conflictofinterestisavoided. Thereshouldbeoneauthorizedpersonas an overall coordinator and representative of that organization in the etendering system, with powers to delegate different rolestodifferentusersfromtimetotime, and all such rolechanges must be audit trailed in the application. The credentials of this overall coordinator must be verified. There should be provision for having separateauthorizeduser(atthecorporate level of each Buyer organization, i.e. externaltoitstenderingdepartments)who can access the applicationlevel audittrail (ie auditlog) reports. Other users of the organization should not have access to thesereports. Undernocircumstanceswillitberequired for any officer to hand over his/ her
29

5.2

privatekey(usedfordigitalsigning,orbid decryption if applicable in the offered system) to anyone else within the organization, or to anyone in the service providers organization, or to anybody else. f) There could be occasions when an authorized officer of a Purchase/Buyer organization is on leave, gets transferred, resignsorhis/herservicesareterminated. One example where such an eventuality mayariseisifthepublickeyofthetender opening officer is used for bid encryption, and his private key required for bid decryption during the online tender opening event. There should no limitation in the etendering system which may necessitatethattheprivatekeyofsuchan officerbehandedovertoanybodyelsefor the scheduled tendering processes to continueuninterrupted. Note:Theaboveisnecessaryforcompliance withs42(1)oftheITAct2000. Guidanceandrecommendedpractices Theeprocurementsystemshouldhavethefeaturestoaddressabove.UndertheIT Act, 2000 any holder of a Digital Signature, whos Digital Signature Certificate has beenissuedbyalicensedCA,isresponsibleforprotectingthecorrespondingprivate key.Unlessthecertificatevalidityhasexpiredorthecertificatehasbeenrevokedby theissuingCA,anydigitalsignaturewillbelegallyvalidandwillbeattributedtothe person listed in the Digital Signature Certificate. Similar mechanism measures shouldbeevolvedforencryptionkeypairaswell. Handing over of private (decryption) key by one officer to another officer both in caseofdigitalsignatureaswellasincaseofencryptionshouldnotbeallowed In case of digital signature, private key should be one of the two factor authentication method which must be implemented. The other could be Personal Identification Number (PIN) or biometric etc., so that nobody else can use the privatekeyforsigningthedocument. Further, it is the responsibility of the eprocurement system to reject the Digital Signature (except for verification) in case the corresponding Digital Signature Certificate has expired. 
It is suggested that the e-procurement tendering system must have a signing interface which can keep track of the corresponding certificate, particularly relating to the expiry aspect of the digital signature. There should also be a clause in the tender document stating that the tender will not be considered for evaluation if the digital signature certificate has expired (except for verification).

Concern
In any large Supplier/Vendor organization, there can be multiple sales departments which can bid for different tenders. Also within each such department there can be many executives involved with different activities relating to various tenders. A situation should not arise in the e-tendering system where, due to limitation of the e-tendering system, these departments and executives are not able to themselves execute their duly assigned roles as in the manual process, and are constrained to reassign/abdicate their roles and responsibilities to a few tech-savvy technicians or the personnel of the service provider of the e-tendering system.
Related ISO 27001 controls: A.12.3 Cryptographic controls (A.12.3.1 A policy on the use of cryptographic controls for protection of information shall be developed and implemented; A.12.3.2 Key management shall be in place to support the organization's use of cryptographic techniques); A.15.1.6 Regulation of cryptographic controls (Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations).

Guidance and recommended practices
This has implications on process and technology. There would be scenarios regarding multiple tendering within an organization. e-Procurement software must have features to address such issues, viz multiple sales departments within a bidder/supplier organization; multiple executives (each with his own digital signature certificate) for performing various e-procurement related tasks within each such department; a system for managing roles and authorizations of such executives in case of transfer, leave, termination etc; and an independent executive within each bidder/supplier organization for accessing audit trails relating to that organization. Apart from ensuring security within a supplier/bidder organization, such functionality is necessary to ensure that users within a supplier/bidder organization do not hand over their private keys to each other for completing an ongoing tendering process. If these concerns are not addressed, it would result in violation of s 42(1) of the IT Act.
Further, it is suggested that organizations implementing an e-procurement system should conduct training programmes for persons who have been assigned roles and are using the system, on functional aspects related to the process and on technical aspects of the system. The training programme should also cover dos and don'ts for using the system.

6. Some other functionality/Security/Transparency related requirements of a Manual Tendering System and Conformance of their Availability in the offered e-tendering system

6.1 Concern
(Manual System) A Tender Notice is issued after internal clearance. Once a Tender Notice is published in a newspaper, it becomes an authentic record.
(Electronic System) a) At a higher level, there should be clearance (which is audit-trailed within the application and digitally signed) before a Tender Notice is issued.
Related ISO 27001 controls: A.12.3 Cryptographic controls (A.12.3.1, A.12.3.2) and A.15.1.6 Regulation of cryptographic controls.
b) For authenticity and for assurance that it has not been tampered with, the electronic Tender Notice (which is an electronic record) should have an audit trail within the application of its creation/approval/posting. Also, the tender notice should be digitally signed by an authorized officer of the Purchase/Buyer organization.

Concern
(Manual System) A Corrigendum is issued after internal clearance/approval. Once a Corrigendum to a Tender Notice is published in a newspaper, it becomes an authentic record.
(Electronic System) a) At a higher level, there should be clearance (which is audit-trailed within the application and digitally signed) before a Corrigendum is issued.
b) For authenticity and for assurance that it has not been tampered with, the electronic Corrigendum (which is an electronic record) should have an audit trail within the application of its creation/approval/posting. Also, the Corrigendum should be digitally signed by an authorized officer of the Purchase/Buyer organization.

Concern
(Manual System) Once Tender Documents are published, and sold with official receipt and serial no. for each copy sold, these become an authentic record.
(Electronic System) a) For authenticity and for assurance that they have not been tampered with, the electronic Tender Documents (which are an electronic record) should have an audit trail within the application of their posting. Also, the Tender Documents should be digitally signed by an authorized officer of the Purchase/Buyer organization.
b) At the time of online sale/downloading of the tender documents, an official serial number should be given along with the receipt.

Concern
(Manual System) An Addendum is issued after internal clearance/approval. Once Addenda to Tender Documents are published and distributed, these become an authentic record.
(Electronic System) a) At a higher level, there should be clearance (which is audit-trailed within the application and digitally signed) before an Addendum is issued.
b) For authenticity and for assurance that it has not been tampered with, the electronic Addendum (which is an electronic record) should have an audit trail within the application of its approval/posting. Also, the Addendum should be digitally signed by an authorized officer of the Purchase/Buyer organization.

Concern
(Manual System) Clarification of Tender Documents. In response to a bidder's query, an authorized officer of the Purchase/Buyer organization responds to the querist with a copy to all other prospective bidders who have purchased tender documents (without revealing the identity of the querist). The response is signed by the concerned officer for authenticity.
(Electronic System) The e-tendering system should also have such a facility with all the functionality as described under (Manual System) above. For authenticity and for assurance that it has not been tampered with, the response from the authorized officer of the Purchase/Buyer organization should be digitally signed by him.

Concern
(Manual System) Pre-Bid meeting. The minutes of the Pre-bid meeting are signed for authenticity by an authorized officer of the Purchaser/Buyer organization and made available to the prospective bidders.
(Electronic System) The e-tendering system should also have such a facility with all the functionality as described under (Manual System) above. For authenticity and for assurance that they have not been tampered with, the Minutes should be digitally signed by an authorized officer of the Purchaser/Buyer organization.

6.2 Concern
(Manual System) Bid Methodologies/Formats: Depending on the circumstances and nature of a tender, one of the many bidding methodologies may be prescribed by a Buyer, and the bidder would have to respond accordingly.
- Single stage, single envelope
- Single stage, two envelope
- Two stage (with facility for technical conformance, and if required, revised tender documents)
- Two stage, two envelope
- Where required, the above may be combined with a Pre-qualification stage
- In some cases, the Purchaser may allow submission of one or more Alternative bids
- Each bid part (eg technical, financial) may be required to be submitted in a summary format along with a detailed bid. The latter could be a large file.
- After having submitted the original bid for each bid part, a bidder has a right to submit a Modification bid, a Substitution bid, or a Withdrawal bid for all his bid submissions.
(Electronic System) The e-tendering system should support all the bidding methodologies/formats as outlined above without sacrificing any aspect of security and transparency, including those listed elsewhere in this document.
Related ISO 27001 controls: A.12.3 Cryptographic controls (A.12.3.1, A.12.3.2) and A.15.1.6 Regulation of cryptographic controls.

Guidance and recommended practices
CVC Circular No. Office Order No. 43/7/04 dated 2nd July 2004 had also required that tender documents posted on an e-tendering/e-procurement website should be digitally signed by an officer of the tendering organization, and, for the assurance of the bidder who is viewing or downloading the tender documents, the CVC circular required that a facility be provided to verify the digital signature to ensure the authenticity and integrity of the tender documents.
The e-procurement system should have functionality as outlined above under (Electronic System), and the Buyer organization should have related procedures to implement this.
6.3 Concern
(Manual System) Signing of each page of each bid part (pre-qualification, technical, financial), especially the summary format and the detailed bid, including modification, substitution and withdrawal. The sealed bids are deposited securely in a locked tender box, and stored securely till the box is opened during the public tender opening event.
(Electronic System) The e-tendering system should have the corresponding facilities without sacrificing any aspect of security and transparency, including those listed elsewhere in these Guidelines.
- It should not be possible to open the e-tender boxes till the specified time has occurred or elapsed, and till all the authorized Tender Opening Officers have formally instructed the system to do so with PKI-based Digital Signatures.
- Till the Public Tender Opening Event, security related features should be such that the contents of the bids which are being stored cannot be accessed and decrypted by even the authorized officers of the Purchaser/Buyer or the Administrators of the Service Provider (even if they wish to do so with malafide intentions).
Related ISO 27001 controls: A.12.3 Cryptographic controls (A.12.3.1, A.12.3.2) and A.15.1.6 Regulation of cryptographic controls.

Guidance and recommended practices
The e-procurement system should have features to address the suggestions made in this document.
Any e-procurement/e-tendering service must provide the facility of Time Stamping, which is critical for establishing the date and time of document submission and its acknowledgement. The Time Stamping feature should be built within the application, and synchronisation of the e-tendering/e-procurement server should be done with the master server at the data center where the e-procurement system is hosted (as mentioned in section 4.1 of these Guidelines). Alternatively, the e-procurement service provider can take Time Stamping services being provided by licensed CAs.
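The two electronic-system requirements in 6.3 above (no opening before the scheduled time and before every authorized Tender Opening Officer has instructed the system; no decryption before the event by officers or administrators, even if they wish it) can be met by not letting any single party hold the decryption key. The following is an added example, not code from these Guidelines or from any e-procurement product: the officer's private exponent is split with Shamir secret sharing so that all officers' shares are needed to reconstruct it, bids are encrypted on the bidder's side under the corresponding public key, and the box refuses to open early or with a missing share. It assumes a textbook RSA key pair built from two Mersenne primes and a SHA-256 keystream as a stand-in for a symmetric cipher, both far too weak for production; the names ETenderBox, seal_bid, split_secret and recover_secret and the sample bids are constructed for the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed RSA key pair for the tender opening officer, from two known
# Mersenne primes: far too small for real use, but self-contained.
_P, _Q = 2**61 - 1, 2**89 - 1
RSA_N, RSA_E = _P * _Q, 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent: the secret to split
FIELD = 2**521 - 1   # prime field for Shamir shares; larger than any secret used


def split_secret(secret: int, n: int, k: int) -> list:
    """Shamir sharing: n shares, any k reconstruct; k-1 shares reveal nothing."""
    coeffs = [secret] + [secrets.randbelow(FIELD) for _ in range(k - 1)]

    def poly(x: int) -> int:            # Horner evaluation modulo FIELD
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % FIELD
        return acc

    return [(x, poly(x)) for x in range(1, n + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        total = (total + yi * num * pow(den, -1, FIELD)) % FIELD
    return total


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for a symmetric cipher: SHA-256 counter-mode keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_bid(plaintext: bytes) -> dict:
    """Bidder (client) side: fresh bid key, body under it, key wrapped with RSA_E."""
    bid_key = secrets.token_bytes(16)                          # 128 bits < RSA_N
    wrapped = pow(int.from_bytes(bid_key, "big"), RSA_E, RSA_N)
    return {"body": _xor_stream(bid_key, plaintext), "wrapped_key": wrapped}


class ETenderBox:
    """Server side. The private exponent is split n-of-n among the tender opening
    officers at creation and not retained, so neither the administrator nor any
    subset of officers can open bids early."""

    def __init__(self, officers: list, opening_time: datetime):
        self.officers, self.opening_time = list(officers), opening_time
        self._sealed, self._instructions = {}, {}

    @classmethod
    def create(cls, officers: list, opening_time: datetime, private_exponent: int = _RSA_D):
        shares = split_secret(private_exponent, len(officers), len(officers))
        return cls(officers, opening_time), dict(zip(officers, shares))  # shares go to officers

    def submit(self, bidder: str, sealed: dict) -> None:
        self._sealed[bidder] = sealed

    def instruct_open(self, officer: str, share: tuple, now: datetime) -> None:
        """An officer's formal instruction (digitally signed in a real system) carries
        their share; it is refused before the scheduled time."""
        if officer not in self.officers:
            raise PermissionError(f"{officer} is not a tender opening officer")
        if now < self.opening_time:
            raise PermissionError("tender box cannot be opened before the schedule")
        self._instructions[officer] = share

    def open_bids(self) -> dict:
        missing = [o for o in self.officers if o not in self._instructions]
        if missing:
            raise PermissionError(f"awaiting instruction from {missing}")
        d = recover_secret(list(self._instructions.values()))
        opened = {}
        for bidder, sealed in self._sealed.items():
            bid_key = pow(sealed["wrapped_key"], d, RSA_N).to_bytes(16, "big")
            opened[bidder] = _xor_stream(bid_key, sealed["body"])
        self._instructions.clear()          # the reconstructed exponent is not kept
        return opened


def demo() -> dict:
    t_open = datetime(2011, 8, 31, 11, 0, tzinfo=timezone.utc)
    officers = ["officer-1", "officer-2", "officer-3"]
    box, shares = ETenderBox.create(officers, t_open)
    bids = {"bidder-A": b"Bid A: INR 9,75,000 (constructed)",
            "bidder-B": b"Bid B: INR 9,40,000 (constructed)"}
    for bidder, text in bids.items():
        box.submit(bidder, seal_bid(text))
    out = {}
    try:
        box.instruct_open("officer-1", shares["officer-1"], t_open - timedelta(hours=1))
        out["early_refused"] = False
    except PermissionError:
        out["early_refused"] = True
    for o in officers[:2]:
        box.instruct_open(o, shares[o], t_open)
    try:
        box.open_bids()
        out["partial_refused"] = False
    except PermissionError:
        out["partial_refused"] = True
    out["two_shares_not_key"] = recover_secret([shares[o] for o in officers[:2]]) != _RSA_D
    box.instruct_open(officers[2], shares[officers[2]], t_open)
    out["bids_recovered"] = box.open_bids() == bids
    return out
```

The threshold is set to all officers because 6.3 asks for instructions from all of them; split_secret takes a separate k, so a k-of-n policy for the leave and transfer cases discussed under s 42(1) earlier is the same code with a smaller k. Checklist item 14 of Annexure II (a siphoned copy of a bid encrypted with the officer's public key) is addressed by the same property: the copy is useless to anyone who does not hold every share.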
Concern
(Manual System) Public Tender Opening Event(s) [Public TOEs]. For Transparency, there is an elaborate procedure for opening of bids in the presence of authorized bidders. A few salient aspects of this are:
Authorized representatives of bidder organizations
a) who have submitted their bids are entitled to be present and have to sign in their attendance.
b) Each bid is opened one at a time in front of the participating bidders, and the concerned bidder is entitled to satisfy himself that his bid packet is intact and has not been tampered with.
c) If Bid security [earnest money deposit (EMD)] is applicable for a tender, then details of the EMD submitted, or exemption claimed with the basis thereof, are disclosed to the participants.
d) Salient points of each opened bid are read out aloud for the benefit of the participating bidders, and to ensure that no change is made in the bid contents later on with connivance.
e) Clarifications may be sought from a bidder whose bid has been opened, and a record is made of the query and the response.
f) Each page of the opened bid is countersigned during the TOE itself by each tender opening officer (typically up to 3) to ensure that no change is made in the bid contents later on with connivance.
g) After all the bids are opened and countersigned by the TOE officers, the minutes of the meeting (ie TOE) are to be recorded.
h) Each bid part may be opened in a separate tender opening event in which only the authorized bidders are allowed. This is supposed to be done in a very transparent manner with proper scheduling of events and proper information to the concerned bidders.
i) Bid parts which are due for opening in a subsequent tender opening event are securely stored till that event.
j) If in a particular TOE it is decided not to open the bid of a bidder, then such bids are returned unopened.
(Electronic System) Facility for the authorized personnel to conduct a Public Online Tender Opening Event with Bidders attending from remote locations electronically with full security procedures. The Tender Opening Event should be simultaneously viewable by all attendees from their respective locations. The e-tendering system should support all the salient aspects, viz a, b, c, d, e, f, g, h, i as listed under (Manual System) above, without sacrificing any aspect of security and transparency including those listed elsewhere in this matrix/questionnaire. As soon as a bid is opened, participating bidders should be able to simultaneously download the salient points (ie the summary information) of the opened bid. For (j), keeping in view the nature of the internet, such bids may be archived unopened.
Note: In addition, in cases where some bidders have bid offline (ie manually), and this has been allowed, then the following should be ensured:
- That the offline bids are opened first and their salient points entered into the system before the online bids are opened. This is all done in the presence of the online bidders who are simultaneously witnessing this exercise.
- The compiled/integrated data of both the online and offline bidders should be made available in the form of an online comparison chart to all the participants.
Related ISO 27001 controls: A.12.3 Cryptographic controls (A.12.3.1, A.12.3.2) and A.15.1.6 Regulation of cryptographic controls.

Guidance and recommended practices
The GFR requires that tenders be opened in public in the presence of the authorized representatives of the bidders. The Finance Ministry Manual on procurement procedures outlines in detail the requirements of a transparently conducted Public Tender Opening Event. CVC Guidelines on security aspects of e-procurement also state the requirement of an Online Public Tender Opening Event. Merely opening bids online, and then separately making them available for display to the bidders subsequently, and/or from a different location/screen (ie user interface) without the simultaneous online presence of bidders, does not fulfill the requirements of a proper and transparent online Public TOE. A comprehensive and transparent Public Tender Opening Event is the backbone of transparency and fairness of the Public Procurement process, manual or electronic. This has an impact on technical as well as procedural aspects.

It must be ensured that e-tendering/e-procurement has comprehensive functionality for a transparent Public Online Tender Opening Event (Public OTOE). Well established practices of manual tender opening (with legal and transparency related significance) should have corresponding electronic equivalents for transparent e-tendering/e-procurement. Some relevant processes of a fair and transparent online public TOE should include:
i. Opening of the bids in the simultaneous online presence of the bidders, with a proper online attendance record of the authorized representatives of the bidders. Merely opening bids online, and then subsequently displaying some results to the bidders, does not fulfill the requirements of a transparent Online Public Tender Opening Event.
ii. Security checks to assure bidders of non-tampering of their bids, et al, during the online TOE itself.
iii. One-by-one opening of the sealed bids in the simultaneous online presence of the bidders.
iv. Online verification of the digital signatures of bidders affixed to their respective bids.
v. Reading out, ie allowing bidders to download the electronic version of the salient points of each opened bid (opened in the simultaneous online presence of the bidders).
vi. There should be a procedure for seeking clarifications by the TOE officers during the online Public TOE from a bidder in the online presence of other bidders, and recording such clarifications.
vii. Digital countersigning (by all the tender opening officers) of each opened bid, in the simultaneous online presence of all participating bidders.
viii. Preparation of the Minutes of the Tender Opening Event and its signing by the concerned officers in the simultaneous online presence of the bidders.
While bidders should be welcome to be present physically during the TOE, it should not be mandatory for them to do so. All the above should be achieved online in a user-friendly manner.
The e-procurement system has to satisfactorily address the above requirements through suitable functionality built into the e-procurement application. Where, in addition, some issues are being further addressed through organizational procedures under ISO 27001, these should be explicitly defined with satisfactory explanations.
7. Concerns/clarifications relating to preventing other Bidders from Bidding in the e-Tendering Scenario, and Miscellaneous Concerns/Clarifications

7.1 Concern
Can the e-tendering system prevent competitors/tender mafia from locking the accounts (target accounts) of other users/bidders by deliberately entering incorrect authentication information against the usernames (which are not secret) of such bidders/users?
Related ISO 27001 controls: A.12.6.1 Control of technical vulnerabilities (Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk); A.12.3 Cryptographic controls (A.12.3.1, A.12.3.2); A.15.1.6 Regulation of cryptographic controls.

Guidance and recommended practices
Generally, systems are designed in such a manner that an account gets locked/denied permission after repeated login attempts based on wrong passwords and user IDs. Such a scenario, if it exists in the e-procurement system, may be exploited by competitors/tender mafia to prevent genuine bidders from bidding. To avoid such a situation, the e-procurement system should not have features for locking the system on account of repetitive login attempts based on wrong passwords, user IDs and digital signatures. It is also suggested that login to the e-procurement system should be based on digital signatures. It has also been suggested that the e-procurement system should have interface software to check the validity of the digital signature/certificate. Other innovative methods may also be developed to address this concern.

7.2 Concern
For security reasons, Administrators of the e-tendering application/portal should not have any access to the passwords of the various users. Neither should the Administrators be able to generate passwords for the users.
Related ISO 27001 controls: A.12.6.1 Control of technical vulnerabilities; A.12.3 Cryptographic controls (A.12.3.1, A.12.3.2); A.15.1.6 Regulation of cryptographic controls.

Guidance and recommended practices
The Administrators of the e-tendering application/portal should not have any access to the passwords of the various users. Neither should the software allow the Administrator to generate passwords for the users.
The designer/developer should factor this in at the design/development stage, ie the e-procurement system has to satisfactorily address the above requirements through suitable functionality built into the e-procurement application.
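The functionality asked for in 7.2 (no administrator can read or generate a user's password) follows from how credentials are stored and recovered, and the same design answers the Forgot Password concern raised in 7.3 that follows. The code below is an added example, not taken from these Guidelines or from any e-procurement product: passwords exist only as salted PBKDF2 hashes, there is no administrator entry point that sets a password, and recovery uses a random single-use token with a short lifetime whose hash alone is stored, in place of guessable security questions. The class name CredentialStore, the iteration count, the token lifetime and the sample user are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 100_000                 # assumed work factor; tune to the hardware
RESET_TOKEN_LIFETIME = timedelta(minutes=30)


class CredentialStore:
    """Password handling in which no administrator path can read or set a user's
    password: only salted hashes are kept, and recovery is by a random,
    single-use, expiring token sent to the user's registered contact."""

    def __init__(self) -> None:
        self._users: dict = {}          # username -> {"salt": bytes, "hash": bytes}
        self._reset_tokens: dict = {}   # sha256(token) -> {"user": str, "expires": datetime}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, username: str, password: str) -> None:
        """Reached only from the user's own authenticated session or from a
        valid reset token; deliberately not exposed to administrators."""
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt)}

    def check_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"])

    def admin_view(self, username: str) -> dict:
        """All an administrator can see: nothing from which the password follows."""
        rec = self._users[username]
        return {"salt": rec["salt"].hex(), "hash": rec["hash"].hex()}

    def begin_reset(self, username: str, now: datetime) -> str:
        """Issue a reset token for delivery to the user's registered contact.
        Only the token's hash is stored, so a database copy cannot be replayed."""
        token = secrets.token_urlsafe(32)
        if username in self._users:     # unknown users get an unusable token
            self._reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = {
                "user": username, "expires": now + RESET_TOKEN_LIFETIME}
        return token

    def complete_reset(self, token: str, new_password: str, now: datetime) -> bool:
        """Consume the token (single use); reject unknown or expired tokens."""
        rec = self._reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if rec is None or now > rec["expires"]:
            return False
        self.set_password(rec["user"], new_password)
        return True


def demo() -> dict:
    now = datetime(2011, 8, 31, 9, 0, tzinfo=timezone.utc)
    store = CredentialStore()
    store.set_password("acme.sales1", "correct horse battery staple")   # constructed user
    out = {}
    out["login_ok"] = store.check_password("acme.sales1", "correct horse battery staple")
    out["wrong_password_rejected"] = not store.check_password("acme.sales1", "guess")
    out["admin_sees_no_password"] = "correct horse" not in str(store.admin_view("acme.sales1"))
    t1 = store.begin_reset("acme.sales1", now)
    out["guessed_token_rejected"] = not store.complete_reset("not-the-token", "x", now)
    out["expired_token_rejected"] = not store.complete_reset(t1, "x", now + timedelta(hours=1))
    t2 = store.begin_reset("acme.sales1", now)
    out["reset_ok"] = store.complete_reset(t2, "new passphrase 2011", now + timedelta(minutes=5))
    out["new_password_works"] = store.check_password("acme.sales1", "new passphrase 2011")
    out["token_single_use"] = not store.complete_reset(t2, "again", now + timedelta(minutes=6))
    return out
```

Because `set_password` is the only writer and it is never called from an administrative interface, the "cannot generate passwords for users" requirement is a property of the code path rather than of an access-control list that could later be widened.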
7.3 Concern
The Forgot Password feature should not be based on some questions and answers which can be guessed by a competitor/hacker. Please explain how this is achieved.
Related ISO 27001 controls: A.12.6.1 Control of technical vulnerabilities; A.12.3 Cryptographic controls (A.12.3.1, A.12.3.2); A.15.1.6 Reg of cryptographic controls.

Guidance and recommended practices
If the e-procurement system has a Forgot Password feature, it should address these concerns.

7.4 Concern
There should be facility for a Comprehensive Electronic Audit Trail (ie Audit Log, or Vigilance Reports) within the application, with provision for Archiving. Specifically:
i) There should be audit trail reports for each tender of each Buyer organization, as well as for non-tender specific activities (like creation of user hierarchy and role authorization), which are viewable only by the authorized user of that Buyer organization. Other users of the organization should not have access to these audit trail reports.
ii) Similarly, there should be audit trail reports for each tender of each Supplier/Bidder organization, as well as for non-tender specific activities (like creation of user hierarchy and role authorization), which are viewable only by the authorized user of that Supplier organization. Other users of the organization should not have access to audit trail reports.
iii) As backup, and as protection against tampering of audit-trail reports saved by an individual organization at its end, facility should be available for the authorized e-procurement application administrator to have parallel access to such reports of both Buyer organizations and Supplier organizations. Furthermore, information pertaining to the content of bids and Bid Submission [which is sensitive till the Tender Opening Event (TOE)] should not be accessible to the e-procurement application administrator till the start of the TOE.
iv) The authorized administrator of the e-procurement/e-tendering application should also have access to audit trail reports of other administrators within the application.
v) The application should not provide any facility to modify or delete audit logs, or suspend logging operations.
Related ISO 27001 controls: A.10.10 Log monitoring: A.10.10.1 Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. A.10.10.2 Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly. A.10.10.3 Logging facilities and log information shall be protected against tampering and unauthorized access. A.10.10.4 System administrator and system operator activities shall be logged. A.10.10.5 Faults shall be logged, analyzed, and appropriate action taken. A.10.10.6 The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.

Guidance and recommended practices
The e-procurement system and software should have this facility and functionality. There should be facility for Reports relating to Tendering Activities, and corresponding MIS Reports which are accessible to the relevant authorized users of that organization.

7.5 Concern
As required in a CVC order, the e-tendering system should have facility for displaying Award of Contracts.
Reference: CVC Order (ISO 27001 control: NA).

Guidance and recommended practices
The application shall have this functionality. Furthermore, this information should be digitally signed by the concerned user of the Buyer organization, with facility for verification by the viewer.

7.6 Concern
It is important that officers of a Buyer organization involved in procurement related activities continue to perform their related roles without reassigning or abdicating responsibilities. A prerequisite to enable officers to perform their roles is the existence of a comprehensive virtual hierarchy and role authorization as outlined above.
Another requirement to enable this is that e-Tendering Systems must design their user interfaces to be user friendly, and that all information that the user needs to perform each transaction is available easily and clearly from the screen.
Related ISO 27001 controls: A.12.6.1 Control of technical vulnerabilities.
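The audit-trail requirements of 7.4 above (per-organization reports, a parallel administrator view with bid content withheld until the Tender Opening Event, and no facility to modify or delete entries, per A.10.10.3) can be given teeth by chaining every entry to the previous one, so that editing, deleting or reordering a saved report is detectable against the last recorded hash. The block below is an added example and not code from these Guidelines or from any e-procurement product; the class AuditTrail, its method names and the three sample events are constructed for it.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only audit log in which each entry commits to the previous one
    (hash chain). Anyone holding the log and the latest hash can detect
    modification, deletion or reordering after the fact."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list = []

    def record(self, actor: str, org: str, action: str, tender: str = None,
               sensitive_until_toe: bool = False, when: datetime = None) -> str:
        """Append one event and return its hash (the new chain head). There is
        deliberately no method that edits or deletes entries."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self._entries) + 1,
            "ts": when.isoformat(),
            "actor": actor, "org": org, "tender": tender, "action": action,
            "sensitive_until_toe": sensitive_until_toe,
            "prev": self._entries[-1]["hash"] if self._entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def head(self) -> str:
        """Latest hash; publishing or write-once storing it anchors the chain."""
        return self._entries[-1]["hash"] if self._entries else self.GENESIS

    def verify(self, expected_head: str = None) -> tuple:
        """Walk the chain; returns (ok, seq of the first bad entry or None)."""
        prev = self.GENESIS
        for i, e in enumerate(self._entries, start=1):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self._entries) + 1   # trailing entries were removed
        return True, None

    def report(self, viewer_org: str, tender: str = None) -> list:
        """Per-organization view (7.4 i and ii): only that organization's entries."""
        return [e for e in self._entries
                if e["org"] == viewer_org and (tender is None or e["tender"] == tender)]

    def admin_report(self, toe_started: bool) -> list:
        """Administrator's parallel view (7.4 iii): bid-content entries are
        redacted until the Tender Opening Event has started."""
        out = []
        for e in self._entries:
            if e["sensitive_until_toe"] and not toe_started:
                e = dict(e, action="[withheld until Tender Opening Event]")
            out.append(e)
        return out


def demo() -> dict:
    t = datetime(2011, 8, 31, 10, 0, tzinfo=timezone.utc)   # constructed events
    log = AuditTrail()
    log.record("buyer.officer1", "BuyerOrg", "tender.publish", "T-001", when=t)
    log.record("acme.sales2", "AcmeLtd", "bid.submit: price schedule uploaded",
               "T-001", sensitive_until_toe=True, when=t)
    log.record("admin.ravi", "ServiceProvider", "user.create acme.sales3", when=t)
    head = log.head()

    # Simulate an organization's saved copy being altered in place.
    altered = AuditTrail()
    altered._entries = [dict(e) for e in log._entries]
    altered._entries[1]["action"] = "bid.submit: (altered)"
    # Simulate the last entry being deleted from a saved copy.
    truncated = AuditTrail()
    truncated._entries = [dict(e) for e in log._entries[:-1]]

    return {
        "intact_verifies": log.verify(head)[0],
        "alteration_detected_at": altered.verify(head)[1],
        "truncation_detected": not truncated.verify(head)[0],
        "acme_sees_only_own": [e["actor"] for e in log.report("AcmeLtd")],
        "admin_before_toe": log.admin_report(toe_started=False)[1]["action"],
        "admin_after_toe": log.admin_report(toe_started=True)[1]["action"],
    }
```

Checklist item on audit trails in Annexure II asks for capture on media not prone to tampering; periodically writing the chain head to such media (or time-stamping it with a licensed CA) is what turns the chain's self-consistency check into evidence against wholesale replacement of the log.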

Concern
The e-Tendering application must be designed, developed and deployed using reputed and secure platforms such as .NET, J2EE etc, that minimize defects like bugs and vulnerabilities. It is important to ensure that during deployment only compiled code of the e-tendering application software is used, with further protection to prevent runtime modifications in the code. Please clarify how this is achieved.

Concern
It should not be possible to compromise the security of the e-tendering application, even with knowledge of its architecture, design and the encryption algorithm used.

Guidance and recommended practices
The application shall be architected, designed and developed (ie the required functionality should be inbuilt in the application) to address the above concerns. The best practices and processes to develop secure software shall be followed.

8. Concerns relating to Bidders making false assertions based on non-existing functionality in their e-tendering software (Important Eligibility/Qualifying Criteria)

Concern
References may be given of various clients who have used the e-tendering/e-procurement software before the date of submission of bids. Such references should state whether or not the e-Tendering software supplied to each reference client was capable of handling each of the following requirements: composite technical & financial bids (single stage single envelope); technical and financial bids in separate envelopes (single stage two envelope); single stage two envelope preceded by pre-qualification; and the various security and transparency related concerns outlined in this Annexure I and in Annexure II (which is based on CVC Guidelines).
ISO 27001 control: NA. Assessment criteria: Quality assessment of solution; Publicly available capability; No monopolization.

Guidance and recommended practices
The solution should be assessed in respect of the various security and transparency related concerns outlined in these Guidelines, and its scope of capability should be in the public domain, ie the functionality claimed should have references. This will discourage monopolizing by a particular vendor and solution and will encourage new entrants to offer such systems, thereby affecting the competitiveness of procurement of systems. To encourage new entrants, while there should be no compromise on security, transparency and crucial functionality related concerns highlighted herein, the eligibility criteria in respect of number of tenders, revenue criteria from e-procurement, etc should be kept to a minimum.
Summary Analysis of Risk of e-Procurement Systems

Security Risks
Security: Compromise through potential weaknesses in the system.
Availability: The need for services to be 'on' all the time.
Authentication: Masquerading identity or repudiation of message. Any purchasing system must support authentication of users so that individual transactions can be traced back to the relevant person. Generally, this is by username and password. Alternatively, the authentication mechanism could be network login or other directory services, while higher security requirements may demand token-based methods such as digital certificate, smart card or biometric devices.
Access: To ensure users only have access to the functions required to do their jobs, an e-Procurement system should incorporate a role-based access control mechanism. This should allow a particular role to be assigned to each user of the application, and determine which function areas this role incorporates.
Audit Trail: A robust e-Procurement solution should incorporate a comprehensive audit trail, recording who did what and when at various key stages of the purchasing process. The system should also allow rules to be incorporated, for example that the person who approves a requisition must be different from the requisition originator. Setting such principles within the purchasing application can be a useful countermeasure against possible fraud.
Liability: Through employment or legal contractual obligations.
Computer Fraud: Internal abuse and misuse.
Breach by external party: External attack by various parties, whether corporate espionage or terrorists.
Virus affecting the system: Email viruses such as NIMDA or Melissa which have the capability of crippling systems.
Denial of service: Flooding a computer's internet connection with requests to disrupt traffic flow.
Intellectual property: Misappropriation or release of intellectual property.

Software Risks
Switching Cost and compliance with Rules of Government Procurement: Control of spending to specific suppliers as part of eCommerce.
Applets, scripting and punchout: Some applications which only require users to have access to the internet via a web browser may also require additional software to be installed and run on the local machine, such as ActiveX components, Java Applets, browser script and cookies. Security policy should allow these software components to be installed and run.
Interoperability: Lack of interoperability between the system of the bidder and the system of the procurement body. System interoperability is the smooth transition of data between systems internally within an organisation, for example between an e-Procurement system and a finance system, and externally, for example between a buyer's e-Procurement system and a supplier's eCommerce System. The preferred method of data flow today is eXtensible Markup Language (XML). XML is accepted as a core standard for data exchange between the Government and Business.

Project Risks
Competitive information: Risk to customer and supplier data, as well as other commercially sensitive information.
Lack of required skills: Staff not being properly equipped with the correct skill set. Repercussion of not adhering to roles & responsibilities while handling the private key/user secret of personnel involved in the e-procurement life cycle.
Wrong technology choice: Investing in the wrong technology; this may lead to greater costs than initially projected, or to being stuck with a vendor.
Complexity and Management of electronic records: Increasing complexity of organisation, systems and models. The increasing electronic delivery of public services to business and citizens is, in turn, producing more electronic records. Electronic records unlock content previously difficult to access in paper form, enable more effective sharing of information and contribute to knowledge exchange. However, they need to be retained and maintained over the medium to long term as the records also demonstrate accountability. Privacy and access issues, and particularly the Right to Information Act, VAT and other taxation acts, require that electronic records be managed constantly within the regulatory environment.
Reputational Risk: The risk of damaging goodwill or brand equity as a result of an eCommerce mishap.
Business Continuity: To protect historic data in the event of a system failure, or to allow a purchase department to continue off-site in the event of disaster, security arrangements should also include a business continuity plan. This should detail:
- Precautions to prevent disaster from occurring, such as virus checking
- Physical security in the premises where the application is held
- Duplication of data onto multiple storage devices
- Procedures to follow in the event of an unrecoverable disaster, e.g. retrieval of off-site backups or relocating to a warm recovery server which contains all historical data
Finally, it is important to test any continuity plans on a regular basis. The time to discover that not all relevant files are backed up is during a test drill, not when trying to recover after a catastrophic failure.

Environmental Risks
Natural hazard: Because of the involvement of a remotely located additional body.
Changing technology: Rate of change of technology progressing ahead of the ability to secure it.
Maverick Spend/compliance: Procurement risk, describing employees' expenditure via non-preferred suppliers, resulting in a blowout in costs.
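The Access and Audit Trail rows of the summary above describe two controls that belong together in code: role-based access (a role assigned per user decides which function areas are reachable) and a separation-of-duties rule enforced by the application (the approver of a requisition must not be its originator). The following added example, which is not code from these Guidelines or from any e-procurement product, shows both, together with the role revocation needed for the transfer, leave and termination cases discussed earlier. The role names, permission strings, class names and sample users are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> permissions (constructed; a deployment defines these per organization).
ROLE_PERMISSIONS = {
    "requisitioner": {"requisition.create"},
    "approver": {"requisition.approve"},
    "tender_opening_officer": {"bid.open"},
    "audit_viewer": {"audit.view"},
}


class AuthorizationError(PermissionError):
    pass


@dataclass
class Requisition:
    rid: str
    originator: str
    status: str = "submitted"
    approver: Optional[str] = None


class AccessControl:
    """Role-based access: users hold roles, roles carry permissions."""

    def __init__(self) -> None:
        self._roles: dict = {}   # user -> set of role names

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self._roles.setdefault(user, set()).add(role)

    def revoke_all(self, user: str) -> None:
        """Transfer, leave or termination: the user retains no permissions."""
        self._roles.pop(user, None)

    def permissions(self, user: str) -> set:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self._roles.get(user, ())))

    def require(self, user: str, permission: str) -> None:
        if permission not in self.permissions(user):
            raise AuthorizationError(f"{user} lacks {permission}")


class RequisitionService:
    """Purchasing workflow with the separation-of-duties rule from the table:
    the approver of a requisition must differ from its originator, even when
    one person legitimately holds both roles."""

    def __init__(self, access: AccessControl) -> None:
        self.access = access
        self._reqs: dict = {}

    def create(self, user: str, rid: str) -> Requisition:
        self.access.require(user, "requisition.create")
        self._reqs[rid] = Requisition(rid, originator=user)
        return self._reqs[rid]

    def approve(self, user: str, rid: str) -> Requisition:
        self.access.require(user, "requisition.approve")
        req = self._reqs[rid]
        if req.originator == user:
            raise AuthorizationError("separation of duties: originator cannot approve")
        req.approver, req.status = user, "approved"
        return req


def demo() -> dict:
    ac = AccessControl()
    ac.assign("asha", "requisitioner")
    ac.assign("asha", "approver")        # holds both roles, still cannot self-approve
    ac.assign("bala", "approver")
    svc = RequisitionService(ac)
    svc.create("asha", "REQ-1")
    out = {}
    for label, user in (("self_approval_blocked", "asha"), ("no_role_blocked", "chitra")):
        try:
            svc.approve(user, "REQ-1")
            out[label] = False
        except AuthorizationError:
            out[label] = True
    out["approved_by"] = svc.approve("bala", "REQ-1").approver
    ac.revoke_all("bala")
    out["bala_permissions_after_revoke"] = sorted(ac.permissions("bala"))
    return out
```

Each `require` call and each refused approval is exactly the kind of event the audit-trail requirements expect to see logged, so in a real system `require` would also write to the audit trail.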

Annexure II: Checklist for e-Security Compliance (including CVC Guidelines)

Table 1: General Security Issues
(Columns: Sl. No.; Issues to be Checked; Means of Checking)

1. Whether the application is secure from making any temporary distortion in the electronic posting of the tender notice, just to mislead certain vendors?
   Means of checking: Functionality Verification/Testing (Application level)

2. If yes at 2 above, then whether any automatic system alert is provided in the form of a daily exception report in the application in this regard?
   Means of checking: Functionality Verification/Testing (Application level)

3. Whether the application ensures that the tender documents issued to/downloaded by bidders are complete in shape as per the approved tender documents, including all its corrigenda?
   Means of checking: Functionality Verification/Testing (Application level)

4. Is there any check available in the application to detect and alert the tenderer about missing pages, if any?
   Means of checking: Functionality Verification/Testing (Application level)

5. Whether the application ensures that all the corrigenda issued by the Competent Authority are being fully communicated in proper fashion to all bidders, including those who had already purchased/downloaded the bid documents well ahead of the due date and before the uploading of the corrigendum?
   Means of checking: Functionality Verification/Testing (Application level)

6. Whether the system is safe from sending discriminatory communication to different bidders about the same e-tendering process?
   Means of checking: Functionality Verification/Testing (Application level)

7. Whether the e-procurement solution has also been customized to process all types of tenders, viz. Limited/Open/Global Tenders?
   Means of checking: Functionality Verification/Testing (Application level)

8. Whether online Public Tender Opening Event features are available in the application?
   Means of checking: Functionality Verification/Testing (Application level)

9. Whether facilities for evaluation/loading of bids, strictly in terms of the criteria laid down in the bid documents, are available in the application?
   Means of checking: Functionality Verification/Testing

10. Whether sufficient safeguards have been provided in the application to deal with failed-attempt blocking?
   Means of checking: Functionality Verification/Testing (Application level)

11. Whether the application is safe from submission of fake bids?
   Means of checking: Functionality Verification/Testing to check that a bid can be submitted only by a duly authorized user of the bidder organization, and that all bidder organizations are authenticated (Application level); Application Vulnerability Assessment (Test for OWASP Top 10 and other known vulnerabilities) (Application level)

12. Whether encryption of bids is done at the client's end?
   Means of checking: Functionality Verification/Testing (Application level)

13. Whether safety against tampering and stealing of information of a submitted bid, during storage before its opening, is ensured?
   Means of checking: Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I, viz. sections 2, 3 and 4 of Annexure I (Application level, as well as Network level); Application Vulnerability Assessment (Test for OWASP Top 10 and other known vulnerabilities) (Application level, as well as Network level)

14. Whether the application is safe from siphoning off and decrypting a clandestine copy of a bid encrypted with the Public key of the tender opening officer?
   Means of checking: Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I, viz. sections 2, 3 and 4 of Annexure I (Application level); Application Vulnerability Assessment (Test for OWASP Top 10 and other known vulnerabilities) (Application level)

15. Whether the application is safe from mutilation/sabotage or otherwise rendering the encrypted bid in the e-tender box during storage unreadable/invalid in any form, before the opening of the bids?
   Means of checking: Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I, viz. sections 2, 3 and 4 of Annexure I (Application level, as well as Network level); Application Vulnerability Assessment (Test for OWASP Top 10 and other known vulnerabilities) (Application level, as well as Network level)

16. Whether the introduction of special characters/executable files etc. by users is restricted in the application?
   Means of checking: Testing of Input Validation (Refer OWASP Testing Guide) (Application level)

17. Whether the validity check of the DSC is being done at the server end?
   Means of checking: Verification of the implementation (Application level)

18. Whether the system supports the feature that, even if a published tender is deleted from the application, permanent deletion of the published tender from the Database is not allowed?
   Means of checking: Verification of the implementation (Application level)

19. Whether sufficient security features are provided in the application for the authentication procedure of the system administrator, like ID, password, digital signature, biometric etc.?
   Means of checking: Review of the authentication mechanism implemented (Application level, as well as Network level)

20. Whether audit trails are being captured in the application on media not prone to tampering, such as optical write-once media?
   Means of checking: Verification of the implementation (Application level, as well as Network level)

21. Whether a log shipping feature is available, where a separate dedicated server receives the logs from the application over a web service in real time?
   Means of checking: Verification of the implementation (Network level)

22. Whether integrity and non-tampering is ensured in maintaining the server clock synchronization and time stamping?
   Means of checking: Verification of the implementation (Network level)

23. Whether the application generates any exception report/system alert etc. to indicate the resetting of the clock, in case the application for time stamping is killed at the server level and the time is manipulated?
   Means of checking: Functionality Verification/Testing (Network level)

24. Whether the application ensures that the quotes from various bidders, with their names, are not displayed to anyone, including the organization, during the carrying out of the e-reverse auctioning process?
   Means of checking: Functionality Verification/Testing (Application level)

25. Whether the application is fit for usage, complying with the requirements of tender processing, viz. authenticity of tender, non-repudiation and secrecy of information till the actual opening of tenders?
   Means of checking: Functionality Verification/Testing (Refer GFR for the requirements) (Application level)

26. Whether any comprehensive third party audit (as per statutory requirement and also as per the requirements of e-tender processing (compliance to IT Act 2000)) was got conducted before first putting it to public use?
   Means of checking: Verification of records/reports/certificates (Application level, as well as Network level)

27. Whether the application complies with the Commission's Guidelines dated 17.9.2009 on Security considerations for e-procurement systems?
   Means of checking: Covered below

Table 2: Infrastructure Security Issues
(Columns: Sl. No.; Issues to be Checked; Means of Checking)

1. Perimeter Defence: Deployment of routers, firewalls, IPS/IDS, Remote Access and network segmentation.
   Means of checking: Network Architecture Review; Assessment of vulnerabilities and hardening/configuration of network and security devices, e.g. routers, switches, firewalls, IPS/IDS etc. (Network level)

2. Authentication: Network authentication through deployment of a password policy for accessing the network resources, to minimize unauthorised access to the e-procurement system at system level.
   Means of checking: Review of authentication policies and mechanisms (Network level)

3. Monitoring: Deployment of logging at OS/network level and monitoring of the same.
   Means of checking: Review of logging and monitoring policies, procedures & mechanisms (Network level)

4. Secure configuration of network hosts: The security of individual servers & workstations is a critical factor in the defence of any environment, especially when remote access is allowed; workstations should have safeguards in place to resist common attacks.
   Means of checking: Assessment of vulnerabilities and hardening/configuration of the hosts (servers, client workstations etc.) (Network level)

5. System patching: As vulnerabilities of the system are discovered almost regularly and the system vendors are also releasing patches, it is expected that the hosts are patched with the latest security updates.
   Means of checking: Review of the Patch Management Procedure; Verification of the system patching status (Network level)

6. Control of Malware: Suitable controls like antivirus, antispyware etc. should be deployed on the hosts associated with the e-procurement system. However, the option of running the services under a non-privileged user profile may be looked for. Otherwise a suitable operating system which is immune to viruses, Trojans and malware may be deployed.
   Means of checking: Review of Malware Control policies, procedures and mechanisms (Network level)

7. Structured cabling: The availability of the network services is critically dependent on the quality of interconnection between the hosts through structured cabling, including termination & marking. It is expected that the e-procurement system has implemented structured cabling and other controls related to the network and interconnection.
   Means of checking: Verification of the cabling (Network level)

Table 3: Application Security Issues at Design Level
(Columns: Sl. No.; Issues to be Checked; Means of Checking)

1. Authentication: The authentication mechanism of the e-procurement application should ensure that the credentials are submitted on pages that are served under SSL.
   Means of checking: Functionality Verification of the implementation (Application level, and SSL verification at Network level)

2. Access Control: The application shall enforce a proper access control model to ensure that the parameters available to the user cannot be used for launching any attack.
   Means of checking: Assessment/Testing (Refer OWASP Testing Guide) (Application level)

3. Session management: The design should ensure that session tokens are adequately protected from guessing during an authenticated session.
   Means of checking: Assessment/Testing (Refer OWASP Testing Guide) (Application level)

4. Error handling: The design should ensure that the application does not present user error messages to the outside world which can be used for attacking the application.
   Means of checking: Assessment/Testing (Refer OWASP Testing Guide) (Application level)

5. Input validation: The application may accept input at multiple points from external sources, such as users, client applications, and data feeds. It should perform validation checks of the syntactic and semantic validity of the input. It should also check that input data does not violate limitations of underlying or dependent components, particularly string length and character set. All user-supplied fields should be validated at the server side.
   Means of checking: Assessment/Testing (Refer OWASP Testing Guide) (Application level)

6. Application logging and monitoring: Logging should be enabled across all applications in the environment. Log file data is important for incident and trend analysis as well as for auditing purposes. The application should log failed and successful authentication attempts, changes to application data including user accounts, server application errors, and failed and successful access to resources.
   Means of checking: Functionality Verification of the implementation (Application level)

Table 4: Application Security Issues During Deployment & Use
(Columns: Sl. No.; Issues to be Checked; Means of Checking)

1. Availability/Clustering/Load balancing: Depending on the number of expected hits and accesses, the option of clustering of servers and load balancing of the web application shall be implemented.
   Means of checking: Verification of the implementation (Network level)

2. Application and data recovery: A suitable management procedure shall be deployed for regular backup of the application and data. The regularity of data backup shall be commensurate with the nature of the transactions/business translated into the e-procurement system.
   Means of checking: Review of backup policies, procedures and the backup and restoration records (Network level)

3. Integrity of the Application, Control of source code, Configuration management: Suitable management control shall be implemented on the availability of updated source code and its deployment. Strict configuration control is recommended to ensure that the latest software is in the production system.
   Means of checking: Review of the configuration management procedure, mechanism and its implementation (Network level)

Table 5: Application Security Issues during Data Storage & Communication
(Columns: Sl. No.; Issues to be Checked; Means of Checking)

1. Encryption for data storage: Sensitive data should be encrypted or hashed in the database and file system. The application should differentiate between data that is sensitive to disclosure and must be encrypted, data that is sensitive only to tampering and for which a keyed hash value (HMAC) must be generated, and data that can be irreversibly transformed (hashed) without loss of functionality (such as passwords). The application should store the keys used for decryption separately from the encrypted data.
   Means of checking: Verification of the implementation (Application level)

2. Data transfer security: Sensitive data should be encrypted prior to transmission to other components. Verify that intermediate components that handle the data in clear text form, prior to transmission or subsequent to receipt, do not present an undue threat to the data. The application should take advantage of the authentication features available within the transport security mechanism. Especially, an encryption methodology like SSL must be deployed while communicating with the payment gateway over a public network.
   Means of checking: Verification of the implementation (Application level, as well as Network level)

3. Access control: Applications should enforce an authorization mechanism that provides access to sensitive data and functionality only to suitably permitted users or clients. Role-based access controls should be enforced at the database level as well as at the application interface; this will protect the database in the event that the client application is exploited. Authorization checks should require prior successful authentication to have occurred. All attempts to obtain access without proper authorization should be logged. Conduct regular testing of key applications that process sensitive data and of the interfaces available to users from the Internet, including both black box and informed testing against the application. Determine if users can gain access to data from other accounts.
   Means of checking: Testing/Assessment of the access control implementation as per defined policies (Application level)
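The e-tender box that Table 1 (items 12 to 15) and Table 5 (item 1) describe, as an added example in Go that is not part of these Guidelines or of any e-procurement product: the bidder encrypts at the client end under the tender opening officer's public key, the server stores only ciphertext plus a receipt HMAC keyed with a secret held apart from the database, refuses late bids by its own clock (GFR Rule 153), and detects mutilation of a stored bid both before and at opening. The type and function names, the key sizes and the receipt layout are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// SealedBid is what the bidder's client uploads: the bid under a fresh AES-256-GCM key and
// that key wrapped with the officer's RSA public key. ReceivedAt is set by the server clock.
type SealedBid struct {
	TenderID, BidderID string
	WrappedKey         []byte // RSA-OAEP(tender opening officer's public key, AES key)
	Nonce, Ciphertext  []byte // AES-GCM(bid), bound to tender and bidder as associated data
	ReceivedAt         time.Time
}

// binding ties a record to one tender and one bidder so it cannot be replayed elsewhere.
func binding(tenderID, bidderID string) []byte { return []byte(tenderID + "|" + bidderID) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealBid runs on the bidder's machine (client-end encryption), so the server never sees
// the plaintext and a siphoned copy of the record is unreadable without the officer's key.
func SealBid(officerPub *rsa.PublicKey, tenderID, bidderID string, bid []byte) (*SealedBid, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil { return nil, err }
	key, nonce, ad := buf[:32], buf[32:], binding(tenderID, bidderID)
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, officerPub, key, ad)
	if err != nil { return nil, err }
	return &SealedBid{TenderID: tenderID, BidderID: bidderID, WrappedKey: wrapped,
		Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, bid, ad)}, nil
}

// TenderBox is the server-side e-tender box: ciphertext only, plus a receipt HMAC under a
// secret held outside the database, so that key is kept separate from the data it protects.
type TenderBox struct {
	receiptKey []byte
	deadline   time.Time
	bids       map[string]SealedBid
	receipts   map[string][]byte
}

func NewTenderBox(receiptKey []byte, deadline time.Time) *TenderBox {
	return &TenderBox{receiptKey, deadline, map[string]SealedBid{}, map[string][]byte{}}
}

// receipt is an HMAC over the whole stored record, including its server-side arrival time.
func (b *TenderBox) receipt(sb *SealedBid) []byte {
	m := hmac.New(sha256.New, b.receiptKey)
	m.Write([]byte(sb.TenderID + "\x00" + sb.BidderID + "\x00" + sb.ReceivedAt.UTC().Format(time.RFC3339Nano) + "\x00"))
	m.Write(sb.WrappedKey) // fixed length (RSA modulus size)
	m.Write(sb.Nonce)      // fixed length (12 bytes); the variable-length ciphertext comes last
	m.Write(sb.Ciphertext)
	return m.Sum(nil)
}

// Submit stamps the bid with the server clock, never the client's, refuses late bids
// (GFR Rule 153) and returns the receipt to the bidder as proof of what was received.
func (b *TenderBox) Submit(sb *SealedBid, now time.Time) ([]byte, error) {
	if now.After(b.deadline) { return nil, errors.New("late bid rejected") }
	rec := *sb
	rec.ReceivedAt = now
	b.bids[rec.BidderID], b.receipts[rec.BidderID] = rec, b.receipt(&rec)
	return b.receipts[rec.BidderID], nil
}

// VerifyStorage audits a stored record against its receipt while the bid is still sealed;
// it needs only the receipt key, not the officer's private key.
func (b *TenderBox) VerifyStorage(bidderID string) error {
	rec, ok := b.bids[bidderID]
	if !ok || !hmac.Equal(b.receipts[bidderID], b.receipt(&rec)) {
		return errors.New("bid missing or altered in storage: tampering suspected")
	}
	return nil
}

// Open runs at the public tender opening event with the officer's private key. A mutilated
// ciphertext fails the receipt check or GCM authentication instead of decrypting to garbage.
func (b *TenderBox) Open(bidderID string, officerPriv *rsa.PrivateKey) ([]byte, error) {
	if err := b.VerifyStorage(bidderID); err != nil { return nil, err }
	rec := b.bids[bidderID]
	ad := binding(rec.TenderID, rec.BidderID)
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, officerPriv, rec.WrappedKey, ad)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, ad)
}
```

A record copied under another bidder's name also fails at opening, because the OAEP label and GCM associated data carry the original tender and bidder identifiers.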


Annexure III: Checklist for Compliance to GOI procurement procedures

GFR 2005, Government of India, Ministry of Finance, Department of Expenditure

The contents of GFR 2005 are as follows:

Chapter 1. Introduction
Chapter 2. General System of Financial Management
   I. General Principles relating to expenditure & payment of money
   II. Defalcation and losses
   III. Submission of records & information
Chapter 3. Budget formulation and implementation
Chapter 4. Government Accounts
Chapter 5. Works
Chapter 6. Procurement of Goods and Services
   I. Procurement of Goods
   II. Procurement of Services
Chapter 7. Inventory Management
Chapter 8. Contract Management
Chapter 9. Grants-in-aid and Loans
Chapter 10. Budgeting and Accounting for Externally Aided Projects
Chapter 11. Government Guarantees
Chapter 12. Miscellaneous Subjects
   I. Establishment
   II. Refund of revenue
   III. Debt and misc. obligations of Govt.
   IV. Security deposits
   V. Transfer of land and buildings
   VI. Charitable endowments and other trusts
   VII. Local bodies
   VIII. Destruction of records connected with Accounts
   IX. Contingent and Miscellaneous Expenditure

Chapter 6, Procurement of Goods & Services, is applicable to the e-Procurement System (EPS). The list of GFR requirements given below provides general guidelines about the applicability of the requirements to the EPS and the verification mechanism. The assumption has been made that, in an ideal situation, all the GFR requirements will be applicable to the EPS. However, in an actual situation, depending on the client's (buyer organization's) requirements, not all the GFR requirements may be applicable, and hence not all are addressed by the EPS. Therefore, it is recommended that the EPS solution/service provider uses this list as a guideline and prepares a similar list for the EPS being developed, as per the applicability of the GFR requirements.

Compliance to the applicable GFR requirements may be verified as follows:

In the case of a manual procurement system, compliance verification may be done through process audit of the policy & procedures of the client (buyer organization). It is up to the client to perform the process audit to ensure compliance.

In the case of an e-procurement system, compliance verification shall be done through testing and audit of the functionalities in the EPS solution. It is recommended that internal verification be done by the EPS solution provider and that it also be externally verified by a Third Party Agency for the client's acceptance.

(Columns: Rule; Description; To Be Addressed By; Compliance Verification)

Rule: General
Description: GFR covers Rules relating to Tenders relating to Works, Goods and Services. The e-procurement system should have functionality to cover all kinds of tenders, whether the tenders relate to Works, Goods or Services. While some specific rules relating to procurement of Goods and Services are outlined below, corresponding functionality for Works tenders should also be implemented in the e-procurement system.

Chapter 6: Procurement of Goods and Services Guidelines
(Columns: Rule; Description; To Be Addressed By; Compliance Verification)

A) Procurement of Goods: Rule 135 to 162

Rule 135
Description: This chapter contains the general rules applicable to all Ministries or Departments, regarding procurement of goods required for use in the public service. Detailed instructions relating to procurement of goods may be issued by the procuring departments broadly in conformity with the general rules contained in this Chapter.

Rule 136: Definition of Goods
Description: The term 'goods' used in this chapter includes all articles, material, commodities, livestock, furniture, fixtures, raw material, spares, instruments, machinery, equipment, industrial plant etc. purchased or otherwise acquired for the use of Government but excludes books, publications, periodicals, etc. for a library.

Rule 137: Fundamental principles of public buying
Description: Every authority delegated with the financial powers of procuring goods in public interest shall have the responsibility and accountability to bring efficiency, economy, and transparency in matters relating to public procurement and for fair and equitable treatment of suppliers and promotion of competition in public procurement. The procedure to be followed in making public procurement must conform to the following yardsticks:
(i) The specifications in terms of quality, type etc., as also quantity of goods to be procured, should be clearly spelt out keeping in view the specific needs of the procuring organisations. The specifications so worked out should meet the basic needs of the organisation without including superfluous and non-essential features, which may result in unwarranted expenditure. Care should also be taken to avoid purchasing quantities in excess of requirement to avoid inventory carrying costs;
(ii) Offers should be invited following a fair, transparent and reasonable procedure;
(iii) The procuring authority should be satisfied that the selected offer adequately meets the requirement in all respects;
(iv) The procuring authority should satisfy itself that the price of the selected offer is reasonable and consistent with the quality required;
(v) At each stage of procurement the concerned procuring authority must place on record, in precise terms, the considerations which weighed with it while taking the procurement decision.
To be addressed by: The e-procurement System should have functionality to ensure transparency, accountability, fairness and equitable treatment of suppliers. This should be ensured by the e-procurement system strictly and satisfactorily addressing the various issues especially outlined in Annexure I of these Guidelines. Specifically for fairness, it must be ensured that the e-procurement system supports all legitimate processes and methodologies for inviting bids in a transparent manner, and under no circumstances should the confidentiality of the bid be compromised before the Online Public Tender Opening Event. Importantly, a properly conducted Public Tender Opening Event is the backbone of transparency in public procurement. The e-procurement system must have a very transparent and comprehensive Online Public Tender Opening Event. For accountability, there should be a comprehensive Hierarchy and Role Authorization of officers with detailed Audit Trails as outlined in Annexure I of these Guidelines. Where required, functionality of the e-procurement system should be supplemented with Procurement Policy & Procedures internal to the Buyer organization.
Compliance verification: Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I of these Guidelines.

Rule 138: Authorities competent to purchase goods
Description: An authority which is competent to incur contingent expenditure may sanction the purchase of goods required for use in public service in accordance with Schedule V of the Delegation of Financial Powers Rules, 1978, following the general procedure contained in the following rules.
To be addressed by: The e-procurement System should have functionality for Requisition Management (i.e. Indent Management) with digital signatures.
Compliance verification: Functionality Verification/Testing & Audit

Rule 139: Procurement of goods required on mobilisation
Description: Procurement of goods required on mobilisation and/or during the continuance of Military operations shall be regulated by special rules and orders issued by the Government on this behalf from time to time.
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit

Rule 140: Powers for procurement of goods
Description: The Ministries or Departments have been delegated full powers to make their own arrangements for procurement of goods. In case, however, a Ministry or Department does not have the required expertise, it may project its indent to the Central Purchase Organisation (e.g. DGS&D) with the approval of the competent authority. The indent form to be utilised for this purpose will be as per the standard form evolved by the Central Purchase Organisation.
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit

Rule 141: Rate contract
Description: The Central Purchase Organisation (e.g. DGS&D) shall conclude rate contracts with the registered suppliers, for goods and items of standard types, which are identified as common user items and are needed on a recurring basis by various Central Government Ministries or Departments. The definition of Registered suppliers is given in Rule 142 below. The Central Purchase Organisation will furnish and update all the relevant details of the rate contracts on its web site. The Ministries or Departments shall follow those rate contracts to the maximum extent possible.
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit

Rule 142: Registration of suppliers
Description: With a view to establishing reliable sources for procurement of goods commonly required for Government use, the Central Purchase Organisation (e.g. DGS&D) will prepare and maintain item-wise lists of eligible and capable suppliers. Such approved suppliers will be known as "Registered Suppliers". All Ministries or Departments may utilise these lists as and when necessary. Such registered suppliers are prima facie eligible for consideration for procurement of goods through Limited Tender Enquiry. They are also ordinarily exempted from furnishing bid security along with their bids. A Head of Department may also register suppliers of goods which are specifically required by that Department or Office.
(ii) Credentials, manufacturing capability, quality control systems, past performance, after-sales service, financial background etc. of the supplier(s) should be carefully verified before registration.
(iii) The supplier(s) will be registered for a fixed period (between 1 to 3 years) depending on the nature of the goods. At the end of this period, the registered supplier(s) willing to continue with registration are to apply afresh for renewal of registration. New supplier(s) may also be considered for registration at any time, provided they fulfil all the required conditions.
(iv) Performance and conduct of every registered supplier is to be watched by the concerned Ministry or Department. The registered supplier(s) are liable to be removed from the list of approved suppliers if they fail to abide by the terms and conditions of the registration or fail to supply the goods on time or supply substandard goods or make any false declaration to any Government agency or for any ground which, in the opinion of the Government, is not in public interest.
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit; Functionality Verification/Testing

Rule 143: Enlistment of Indian agents
Description: As per the Compulsory Enlistment Scheme of the Department of Expenditure, Ministry of Finance, it is compulsory for Indian agents, who desire to quote directly on behalf of their foreign principals, to get themselves enlisted with the Central Purchase Organisation (e.g. DGS&D). However, such enlistment is not equivalent to registration of suppliers as mentioned under Rule 142 above.
To be addressed by: The e-procurement System should have a feature for the bidder (Indian Agent) to be able to furnish details of their enlisting with the concerned Central Purchase Organization in the bid.
Compliance verification: Functionality Verification/Testing & Audit

Rule 144: Reserved items
Description: The Central Government, through administrative instructions, has reserved all items of handspun and handwoven textiles (khadi goods) for exclusive purchase from the Khadi Village Industries Commission (KVIC). It has also reserved all items of handloom textiles required by Central Government departments for exclusive purchase from KVIC and/or the notified handloom units of ACASH (Association of Corporations and Apex Societies of Handlooms). The Central Government has also reserved some items for purchase from registered Small Scale Industrial Units. The Central Departments or Ministries are to make their purchases for such reserved goods and items from such units as per the instructions issued by the Central Government in this regard.
To be addressed by: The e-procurement System should have a feature for the Tender Notice to highlight such special reservations.
Compliance verification: Functionality Verification/Testing

Rule 145: Purchase of goods without quotation (Up to Rs. 15,000/-)
Description: Purchase of goods up to the value of Rs. 15,000/- (Rupees Fifteen Thousand) only on each occasion may be made without inviting quotations or bids on the basis of a certificate to be recorded by the competent authority in the following format: "I, ___________________, am personally satisfied that these goods purchased are of the requisite quality and specification and have been purchased from a reliable supplier at a reasonable price."
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit

Rule 146: Purchase of goods by purchase committee (Above Rs. 15,000/- & up to Rs. 1,00,000/-)
Description: Purchase of goods costing above Rs. 15,000/- (Rupees Fifteen Thousand) only and up to Rs. 1,00,000/- (Rupees One lakh) only on each occasion may be made on the recommendations of a duly constituted Local Purchase Committee consisting of three members of an appropriate level as decided by the Head of the Department. The committee will survey the market to ascertain the reasonableness of rate, quality and specifications and identify the appropriate supplier. Before recommending placement of the purchase order, the members of the committee will jointly record a certificate as under: "Certified that we _____________________, members of the purchase committee are jointly and individually satisfied that the goods recommended for purchase are of the requisite specification and quality, priced at the prevailing market rate and the supplier recommended is reliable and competent to supply the goods in question."
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit

Rule 147: Purchase of goods directly under rate contract
Description: (1) In case a Ministry or Department directly procures Central Purchase Organisation (e.g. DGS&D) rate contracted goods from suppliers, the prices to be paid for such goods shall not exceed those stipulated in the rate contract and the other salient terms and conditions of the purchase should be in line with those specified in the rate contract. The Ministry or Department shall make its own arrangement for inspection and testing of such goods where required. (2) The Central Purchase Organisation (e.g. DGS&D) should host the specifications, prices and other salient details of different rate contracted items, appropriately updated, on the web site for use by the procuring Ministry or Department.
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit

Rule 148
Description: A demand for goods should not be divided into small quantities to make piecemeal purchases to avoid the necessity of obtaining the sanction of the higher authority required with reference to the estimated value of the total demand.
To be addressed by: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-procurement.
Compliance verification: Process Audit

Rule 149: Purchase of goods by obtaining bids
Description: Except in cases covered under Rules 145, 146 and 147(1), Ministries or Departments shall procure goods under the powers referred to in Rule 140 above by following the standard method of obtaining bids in: (i) Advertised Tender Enquiry; (ii) Limited Tender Enquiry; (iii) Single Tender Enquiry.
To be addressed by: Procurement Policy & Procedures. The e-procurement system should have functionality for creating and managing Tender Notices, Corrigenda, Tender Documents, Addenda; floating Open Tenders, as well as Limited Tenders (Single Tenders being a special case of Limited Tenders); and functionality for other associated processes.
Compliance verification: Process Audit; Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I.

Rule 150: Advertised tender enquiry
Description: (i) Subject to exceptions incorporated under Rules 151 and 154, invitation to tenders by advertisement should be used for procurement of goods of estimated value Rs. 25 lakh (Rupees Twenty Five Lakh) and above. Advertisement in such case should be given in the Indian Trade Journal (ITJ), published by the Director General of Commercial Intelligence and Statistics, Kolkata, and at least in one national daily having wide circulation.
(ii) An organisation having its own web site should also publish all its advertised tender enquiries on the web site and provide a link with the NIC web site. It should also give its web site address in the advertisements in ITJ and newspapers.
(iii) The organisation should also post the complete bidding document on its web site and permit prospective bidders to make use of the document downloaded from the web site. If such a downloaded bidding document is priced, there should be clear instructions for the bidder to pay the amount by demand draft etc. along with the bid.
(iv) Where the Ministry or Department feels that the goods of the required quality, specifications etc. may not be available in the country and it is necessary to also look for suitable competitive offers from abroad, the Ministry or Department may send copies of the tender notice to the Indian embassies abroad as well as to the foreign embassies in India. The selection of the embassies will depend on the possibility of availability of the required goods in such countries.
(v) Ordinarily, the minimum time to be allowed for submission of bids should be three weeks from the date of publication of the tender notice or availability of the bidding document for sale, whichever is later. Where the department also contemplates obtaining bids from abroad, the minimum period should be kept as four weeks for both domestic and foreign bidders.
To be addressed by: The e-procurement System should have functionality for creating and managing Tender Notices, Corrigenda, Tender Documents, Addenda; floating Open Tenders with functionality for other associated processes. The cost of priced Tender Documents should be payable online at the time of downloading the tender documents, or payable offline in parallel to the online bid submission before the bid submission deadline. In the latter case, provision should be there to take the offline payment on record during the Public TOE. In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.
Compliance verification: Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I. In addition, an audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

Rule 151: Limited tender enquiry
Description: (i) This method may be adopted when the estimated value of the goods to be procured is up to Rupees Twenty-five Lakhs. Copies of the bidding document should be sent directly by speed post/registered post/courier/e-mail to firms which are borne on the list of registered suppliers for the goods in question as referred to under Rule 142 above. The number of supplier firms in a Limited Tender Enquiry should be more than three. Further, web-based publicity should be given for limited tenders. Efforts should be made to identify a higher number of approved suppliers to obtain more responsive bids on a competitive basis.
(ii) Purchase through Limited Tender Enquiry may be adopted even where the estimated value of the procurement is more than Rupees twenty-five Lakhs, in the following circumstances:
(a) The competent authority in the Ministry or Department certifies that the demand is urgent and any additional expenditure involved by not procuring through advertised tender enquiry is justified in view of the urgency. The Ministry or Department should also put on record the nature of the urgency and the reasons why the procurement could not be anticipated.
(b) There are sufficient reasons, to be recorded in writing by the competent authority, indicating that it will not be in the public interest to procure the goods through advertised tender enquiry.
(c) The sources of supply are definitely known and the possibility of fresh source(s) beyond those being tapped is remote.
(iii) Sufficient time should be allowed for submission of bids in Limited Tender Enquiry cases.
To be addressed by: The e-procurement System should have functionality for inviting Limited Tenders (Domestic, as well as Global) with all related features such as creating and managing Tender Notices, Corrigenda, Tender Documents, Addenda, sending Invitation Letters, etc. Relevant Supplier organizations registered by the Buyer under Rule 142 should be sent Invitation Letters. For web publicity, Tender Notices of such Limited Tenders (or Short Term tenders) should be posted on the e-procurement website for general publicity. This is also a CVC requirement. In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.
Compliance verification: Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I. In addition, an audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

Rule 152: Two bid system
Description: For purchasing high value plant, machinery etc. of a complex and technical nature, bids may be obtained in two parts as under: (a) Technical bid consisting of all technical details along with commercial terms and conditions; and (b) Financial bid indicating item-wise price for the items mentioned in the technical bid. The technical bid and the financial bid should be sealed by the bidder in separate covers duly superscribed, and both these sealed covers are to be put in a bigger cover which should also be sealed and duly superscribed. The technical bids are to be opened by the purchasing Ministry or Department at the first instance and evaluated by a competent committee or authority. At the second stage, financial bids of only the technically acceptable offers should be opened for further evaluation and ranking before awarding the contract.
To be addressed by: The e-procurement System should have functionality for inviting Single Stage Two Envelope tenders or Two Stage tenders (as mentioned in CVC guidelines), with a secure methodology for sealing bids (i.e. data encryption of both the Technical, as well as Financial, bid parts by the bidder himself before bid submission). In addition, there should be functionality for opening only the technical bids first; functionality for creating a shortlist of technically responsive bidders; and functionality for a second tender opening event for opening the financial bids of the technically responsive bidders.
Compliance verification: Functionality Verification/Testing of related features and explanations given by the e-procurement/e-tendering software/service provider against relevant sections and points of Annexure I.

Rule 153: Late bids
Description: In the case of advertised tender enquiry or limited tender enquiry, late bids (i.e. bids received after the specified date and time for receipt of bids) should not be considered.
To be addressed by: The e-procurement System should have functionality for Not Accepting Late Bids.

Rule 154: Single tender enquiry
Description: Procurement from a single source may be resorted to in the following circumstances:
(i) It is in the knowledge of the user department that only a particular firm is the manufacturer of the required goods.
(ii) In a case of emergency, the required goods are necessarily to be purchased from a particular source and the reason for such decision is to be recorded and approval of the competent authority obtained.
(iii) For standardisation of machinery or spare parts to be compatible with the existing sets of equipment (on the advice of a competent technical expert and approved by the competent authority), the required item is to be purchased only from a selected firm.
Note: A Proprietary Article Certificate in the following form is to be provided by the Ministry/Department before procuring the goods from a single source under the provision of sub-Rule 154 (i) and 154 (iii) as applicable.
(i) The indented goods are manufactured by M/s....
(ii) No other make or model is acceptable for the following reasons:.
(iii) Concurrence of finance wing to the proposal vide:..
(iv) Approval of the competent authority vide: ________________________
(Signature with date and designation of the procuring officer)'
To be addressed by: The e-procurement System should have functionality for inviting a bid from only one specified Supplier organization with all features applicable for Limited Tenders as highlighted above. In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.

Rule 155: Contents of bidding document
Description: All the terms, conditions, stipulations and
To be addressed by: The e-procurement System should have functionality

Functionality Verification/Testing

Functionality Verification/Testing Inaddition,auditof theProcurement Policy& Proceduresofthe concernedBuyer organizationcanbe carriedout.

Functionality Verification/Testing
60

for GeneralTermsand Conditions,SpecialTerms Inaddition,auditof andConditions,Detailed theProcurement TenderDocumentsand Policy& Proceduresofthe ElectronicForm(for Technicaldetails)and concernedBuyer ElectronicForm(for organizationcanbe Financialdetails). carriedout. Inaddition,the concernedBuyer organizationshouldhave ProcurementPolicy& Procedurestoimplement theotherrequirements Functionality eprocurementSystem 156 Maintenancecontract: Dependingonthecostandnatureofthegoodsto shouldhavefunctionality Verification/Testing be purchased, it may also be necessary to enter forinvitingbidsforsuch into maintenance contract(s) of suitable period Maintenancecontracts. Inaddition,auditof theProcurement eitherwiththesupplierofthegoodsorwithany Policy& other competent firm, not necessarily the Inaddition,the Proceduresofthe supplier of the subject goods. Such maintenance concernedBuyer contracts are especially needed for sophisticated organizationshouldhave concernedBuyer and costly equipment and machinery. It may ProcurementPolicy& organizationcanbe however be kept in mind that the equipment or Procedurestoimplement carriedout. machinery is maintained free of charge by the theotherrequirements supplierduringitswarrantyperiodorsuchother extended periods as the contract terms may provide and the paid maintenance should commenceonlythereafter. 
Functionality 157 Bidsecurity: eprocurementSystem (i)Tosafeguardagainstabidderswithdrawingor shouldhavefunctionality Verification/Testing alteringitsbidduringthebidvalidityperiodinthe forpaymentofBid Inaddition,auditof case of advertised or limited tender enquiry, Bid Security(ieEarnest theProcurement Security (also known as Earnest Money) is to be MoneyDeposit)asper obtainedfromthebiddersexceptthosewho are instructionsoftheBuyer, Policy& registered with the Central Purchase eitheronlineatthetime Proceduresofthe Organisation, National Small Industries ofonlinebidsubmission concernedBuyer Corporation (NSIC) or the concerned Ministry or (subjecttothepayment organizationcanbe Department. The bidders should be asked to limitsofthePayment carriedout. furnishbidsecurityalongwiththeirbids.Amount Gateway),orpayable of bid security should ordinarily range between offlineparalleltothe two percent to five percent of the estimated onlinebidsubmission value of the goods to be procured. The exact beforethebidsubmission amount of bid security should be determined deadline.Inthelatter accordingly by the Ministry or Department and case,provisionshouldbe indicated in the bidding documents. The bid theretotaketheoffline securitymaybeacceptedintheformofAccount paymentonrecordduring Payee Demand Draft, Fixed Deposit Receipt, thePublicTOE. Banker's Cheque or Bank Guarantee from any of the commercial banks in an acceptable form, Inaddition,the safeguarding the purchaser's interest in all concernedBuyer informationtobeincorporatedinthebidding documentaretobeshownintheappropriate chaptersasbelow: Chapter1:InstructionstoBidders. Chapter2:ConditionsofContract. Chapter3:ScheduleofRequirements. Chapter4:SpecificationsandalliedTechnical Details. Chapter5:PriceSchedule(tobeutilisedbythe biddersforquotingtheirprices). Chapter6:ContractForm. Chapter7:OtherStandardForms,ifany,tobe utilisedbythepurchaserandthebidders.
61

respects. The bid security is normally to remain organizationshouldhave valid for a period of fortyfive days beyond the ProcurementPolicy& finalbidvalidityperiod. Procedurestoimplement (ii) Bid securities of the unsuccessful bidders theotherrequirements should be returned to them at the earliest after expiry of the final bid validity and latest on or before the 30th day after the award of the contract. eprocurementSystem 158 Performancesecurity: (i) To ensure due performance of the contract, shouldhavefunctionality Performance Security is to be obtained from the forrecordingimportant successful bidder awarded the contract. milestonesofContract Performance Security is to be obtained from Executionwhichwould every successful bidder irrespective of its includesubmissionof registration status etc. Performance Security PerformanceSecurityby shouldbeforanamountoffivetotenpercent.of thesuccessfulbidder(s) the value of the contract. Performance Security maybefurnishedintheformofanAccountpayee Inaddition,the Demand Draft, Fixed Deposit Receipt from a concernedBuyer Commercial bank, Bank Guarantee from a organizationshouldhave Commercial bank in an acceptable form ProcurementPolicy& safeguarding the purchasers interest in all Procedurestoimplement theotherrequirements respects. (ii)PerformanceSecurityshouldremainvalidfora period of sixty days beyond the date of completion of all contractual obligations of the supplierincludingwarrantyobligations. (iii) Bid security should be refunded to the successful bidder on receipt of Performance Security. 
159 (1) Advance payment to supplier: Ordinarily, eprocurementSystem paymentsforservicesrenderedorsuppliesmade shouldhavefunctionality should be released only after the services have forrecordingimportant beenrenderedorsuppliesmade.However,itmay milestonesofContract becomenecessarytomakeadvancepaymentsin Executionwhichwould thefollowingtypesofcases: includeAdvance (i) Advance payment demanded by firms holding Paymentsandother maintenance contracts for servicing of Air paymentsmadetothe conditioners,computers,othercostlyequipment, successfulbidder(s)/ suppliers. etc. (ii)Advancepaymentdemandedbyfirmsagainst Inaddition,the fabricationcontracts,turnkeycontractsetc. Such advance payments should not exceed the concernedBuyer organizationshouldhave followinglimits: (i)Thirtypercent.ofthecontractvaluetoprivate ProcurementPolicy& Procedurestoimplement firms; (ii)Fortypercent.ofthecontractvaluetoaState theotherrequirements orCentralGovernmentagencyoraPublicSector Undertaking;or (iii)Incaseofmaintenancecontract,theamount should not exceed the amount payable for six monthsunderthecontract.

Functionality Verification/Testing Inaddition,auditof theProcurement Policy& Proceduresofthe concernedBuyer organizationcanbe carriedout.

Functionality Verification/Testing Inaddition,auditof theProcurement Policy& Proceduresofthe concernedBuyer organizationcanbe carriedout.

62

Ministries or Departments of the Central Government may relax, in consultation with their Financial Advisers concerned, the ceilings (including the percentage laid down for advance payment for private firms) mentioned above. While making any advance payment as above, adequate safeguards in the form of bank guarantee etc. should be obtained from the firm.
(2) Part payment to suppliers: Depending on the terms of delivery incorporated in a contract, part payment to the supplier may be released after it dispatches the goods from its premises in terms of the contract.

160 Transparency, competition, fairness and elimination of arbitrariness in the procurement process:
GFR text:
All government purchases should be made in a transparent, competitive and fair manner, to secure best value for money. This will also enable the prospective bidders to formulate and send their competitive bids with confidence. Some of the measures for ensuring the above are as follows:
(i) The text of the bidding document should be self-contained and comprehensive without any ambiguities. All essential information, which a bidder needs for sending a responsive bid, should be clearly spelt out in the bidding document in simple language. The bidding document should contain, inter alia:
(a) The criteria for eligibility and qualifications to be met by the bidders such as minimum level of experience, past performance, technical capability, manufacturing facilities and financial position etc.;
(b) Eligibility criteria for goods indicating any legal restrictions or conditions about the origin of goods etc. which may be required to be met by the successful bidder;
(c) The procedure as well as date, time and place for sending the bids;
(d) Date, time and place of opening of the bid;
(e) Terms of delivery;
(f) Special terms affecting performance, if any.
(ii) Suitable provision should be kept in the bidding document to enable a bidder to question the bidding conditions, bidding process and/or rejection of its bid.
(iii) Suitable provision for settlement of disputes, if any, emanating from the resultant contract, should be kept in the bidding document.
(iv) The bidding document should indicate clearly that the resultant contract will be interpreted under Indian Laws.
(v) The bidders should be given reasonable time to send their bids.
(vi) The bids should be opened in public and authorised representatives of the bidders should be permitted to attend the bid opening.
(vii) The specifications of the required goods should be clearly stated without any ambiguity so that the prospective bidders can send meaningful bids. In order to attract a sufficient number of bidders, the specification should be broad based to the extent feasible. Efforts should also be made to use standard specifications which are widely known to the industry.
(viii) Pre-bid conference: In case of turn-key contract(s) or contract(s) of special nature for procurement of sophisticated and costly equipment, a suitable provision is to be kept in the bidding documents for a pre-bid conference for clarifying issues and clearing doubts, if any, about the specifications and other allied technical details of the plant, equipment and machinery projected in the bidding document. The date, time and place of the pre-bid conference should be indicated in the bidding document. This date should be sufficiently ahead of the bid opening date.
(ix) Criteria for determining responsiveness of bids, criteria as well as factors to be taken into account for evaluating the bids on a common platform and the criteria for awarding the contract to the responsive lowest bidder should be clearly indicated in the bidding documents.
(x) Bids received should be evaluated in terms of the conditions already incorporated in the bidding documents; no new condition which was not incorporated in the bidding documents should be brought in for evaluation of the bids. Determination of a bid's responsiveness should be based on the contents of the bid itself without recourse to extrinsic evidence.
(xi) Bidders should not be permitted to alter or modify their bids after expiry of the deadline for receipt of bids.
(xii) Negotiation with bidders after bid opening must be severely discouraged. However, in exceptional circumstances where price negotiation against an ad-hoc procurement is necessary due to some unavoidable circumstances, the same may be resorted to only with the lowest evaluated responsive bidder.
(xiii) In the rate contract system, where a number of firms are brought on rate contract for the same item, negotiation as well as counter offering of rates are permitted with the bidders in view and for this purpose special permission has been given to the Directorate General of Supplies and Disposals (DGS&D).
(xiv) Contract should ordinarily be awarded to the lowest evaluated bidder whose bid has been found to be responsive and who is eligible and qualified to perform the contract satisfactorily as per the terms and conditions incorporated in the corresponding bidding document. However, where the lowest acceptable bidder against an ad-hoc requirement is not in a position to supply the full quantity required, the remaining quantity, as far as possible, should be ordered from the next higher responsive bidder at the rates offered by the lowest responsive bidder.
(xv) The name of the successful bidder awarded the contract should be mentioned in the Ministry's or Department's notice board or bulletin or website.
e-Procurement System requirement: The e-Procurement System should have functionality to ensure transparency, accountability, fairness and elimination of arbitrariness in the procurement process. This should be ensured by the e-Procurement system strictly and satisfactorily addressing the various issues especially outlined in Annexure I of these Guidelines. Specifically for fairness it must be ensured that the e-Procurement system supports all legitimate processes and methodologies for inviting bids in a transparent manner, and under no circumstances should the confidentiality of the bid be compromised before the Online Public Tender Opening Event. Importantly, a properly conducted Public Tender Opening Event is the backbone of transparency in public procurement. The e-Procurement system must have a very transparent and comprehensive Online Public Tender Opening Event with simultaneous online presence of authorized representatives of bidders, and to eliminate arbitrariness each opened bid should be countersigned by the TOE officers in the simultaneous online presence of the authorized bidders. In addition, authorized representatives of bidders may also be present offline during a TOE. However, to eliminate any arbitrariness and any doubt about tampering, the simultaneous online presence of bidders during the TOE is important. Bidders may have doubts about the transparency of the process if the bids are opened by the Buyer independently in the back-end (i.e. without the simultaneous online presence of bidders), and then subsequently displayed to the bidders. For comparison, this would be tantamount to bids being opened by the Buyer in another room (where the bidders are not present), and then brought to a second room where the bidders are waiting. This is obviously not a transparent public opening, and so it is not acceptable. Furthermore, the e-Procurement system should allow submission of Modification/Substitution/Withdrawal of bids only till the bid submission deadline. To further eliminate arbitrariness, the e-Procurement system should have comprehensive electronic forms for capturing specific data requirements of each tender, and a detailed response from each bidder to General Terms & Conditions (GTC) and Special Terms & Conditions (STC). Where required, functionality of the e-Procurement system should be supplemented with Procurement Policy & Procedures internal to the Buyer organization.
Means of checking: Functionality Verification/Testing. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

161 Efficiency, Economy and Accountability in public procurement system:
GFR text:
Public procurement procedure is also to ensure efficiency, economy and accountability in the system. To achieve the same, the following key areas should be addressed:
(i) To reduce delay, an appropriate time frame for each stage of procurement should be prescribed by the Ministry or Department. Such a time frame will also make the concerned purchase officials more alert.
(ii) To minimise the time needed for decision making and placement of contract, every Ministry/Department, with the approval of the competent authority, may delegate, wherever necessary, appropriate purchasing powers to the lower functionaries.
(iii) The Ministries or Departments should ensure placement of contract within the original validity of the bids. Extension of bid validity must be discouraged and resorted to only in exceptional circumstances.
(iv) The Central Purchase Organisation (e.g. DGS&D) should bring into the rate contract system more and more common user items which are frequently needed in bulk by various Central Government departments. The Central Purchase Organisation (e.g. DGS&D) should also ensure that the rate contracts remain available without any break.
e-Procurement System requirement: For accountability, the e-Procurement system should have a comprehensive Hierarchy and Role Authorization of officers with detailed Audit Trails as outlined in Annexure I of these Guidelines. Where required, functionality of the e-Procurement system should be supplemented with Procurement Policy & Procedures internal to the Buyer organization.
Means of checking: Functionality Verification/Testing. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

162 Buy-back offer:
GFR text: When it is decided with the approval of the competent authority to replace an existing old item(s) with a new and better version, the department may trade the existing old item while purchasing the new one. For this purpose, a suitable clause is to be incorporated in the bidding document so that the prospective and interested bidders formulate their bids accordingly. Depending on the value and condition of the old item to be traded, the time as well as the mode of handing over the old item to the successful bidder should be decided and relevant details in this regard suitably incorporated in the bidding document. Further, suitable provision should also be kept in the bidding document to enable the purchaser either to trade or not to trade the item while purchasing the new one.
e-Procurement System requirement: The e-Procurement System should have functionality whereby the Buy Back Price is also captured in the Financial Bid, and provision should be there for the Net Procurement Price after taking into account the Buy Back Price.
Means of checking: Functionality Verification/Testing.

B) Procurement of Services: Rules 163 to 177

163 The Ministries or Departments may hire external professionals, consultancy firms or consultants for a specific job, which is well defined in terms of content and time frame for its completion, or outsource certain services.
164 This chapter contains the fundamental principles applicable to all Ministries or Departments regarding engagement of consultant(s) and outsourcing of services.
e-Procurement System requirement (Rules 163 and 164): Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-Procurement.
Means of checking: Process Audit.

165 Identification of Work/Services required to be performed by Consultants:
GFR text: Engagement of consultants may be resorted to in situations requiring high quality services for which the concerned Ministry/Department does not have the requisite expertise. Approval of the competent authority should be obtained before engaging consultant(s).
e-Procurement System requirement: The e-Procurement System should have functionality for obtaining approval of an Indent or Requisition Note for engagement of consultants, with provision for recording relevant justification.
Means of checking: Functionality Verification/Testing.

166 Preparation of scope of the required work/service:
GFR text: The Ministries/Departments should prepare in simple and concise language the requirement, objectives and the scope of the assignment. The eligibility and pre-qualification criteria to be met by the consultants should also be clearly identified at this stage.
e-Procurement System requirement: The e-Procurement System should have functionality for obtaining approval of an Indent or Requisition Note for engagement of consultants, with provision for recording relevant justification.
Means of checking: Functionality Verification/Testing.

167 Estimating reasonable expenditure:
GFR text: A Ministry or Department proposing to engage consultant(s) should estimate reasonable expenditure for the same by ascertaining the prevalent market conditions and consulting other organisations engaged in similar activities.
e-Procurement System requirement: The e-Procurement System should have functionality for obtaining approval of an Indent or Requisition Note for engagement of consultants, with provision for recording relevant justification with estimated expenditure.
Means of checking: Functionality Verification/Testing.

168 Identification of likely sources:
GFR text:
(i) Where the estimated cost of the work or service is up to Rupees twenty-five lakhs, preparation of a long list of potential consultants may be done on the basis of formal or informal enquiries from other Ministries or Departments or Organisations involved in similar activities, Chambers of Commerce & Industry, Associations of consultancy firms etc.
(ii) Where the estimated cost of the work or service is above Rupees twenty-five lakhs, in addition to (i) above, an enquiry for seeking Expression of Interest from consultants should be published in at least one national daily and the Ministry's web site. The web site address should also be given in the advertisements. The Enquiry for seeking Expression of Interest should include in brief the broad scope of work or service, inputs to be provided by the Ministry or Department, eligibility and the pre-qualification criteria to be met by the consultant(s) and the consultant's past experience in similar work or service. The consultants may also be asked to send their comments on the objectives and scope of the work or service projected in the enquiry. Adequate time should be allowed for getting responses from interested consultants.
e-Procurement System requirement: The e-Procurement System should have functionality for inviting Expression of Interest (EOI) through Limited or Open Invitation, with other functionality as applicable for Limited and Open Tenders. This could be done through first Inviting Applications for Pre-qualification followed by Bidding, or directly inviting Bids in one or two envelopes. Where required, functionality of the e-Procurement system should be supplemented with Procurement Policy & Procedures internal to the Buyer organization.
Means of checking: Functionality Verification/Testing of related features and explanations given by the e-Procurement/e-Tendering software/service provider against relevant sections and points of Annexure I. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

169 Shortlisting of consultants:
GFR text: On the basis of responses received from the interested parties as per Rule 168 above, consultants meeting the requirements should be short listed for further consideration. The number of short listed consultants should not be less than three.
e-Procurement System requirement: The e-Procurement System should have functionality for shortlisting consultants who have been found to be eligible after the first round/pre-qualification. Where required, functionality of the e-Procurement system should be supplemented with Procurement Policy & Procedures internal to the Buyer organization.
Means of checking: Functionality Verification/Testing. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

170 Preparation of Terms of Reference (TOR):
GFR text:
The TOR should include:
1. Precise statement of objectives;
2. Outline of the tasks to be carried out;
3. Schedule for completion of tasks;
4. The support or inputs to be provided by the Ministry or Department to facilitate the consultancy;
5. The final outputs that will be required of the Consultant.
e-Procurement System requirement: The e-Procurement System should have functionality for including the detailed Terms of Reference (TOR) in the Request for Proposal (RFP) documents.
Means of checking: Functionality Verification/Testing.

171 Preparation and issue of Request for Proposal (RFP):
GFR text:
RFP is the document to be used by the Ministry/Department for obtaining offers from the consultants for the required work/service. The RFP should be issued to the shortlisted consultants to seek their technical and financial proposals. The RFP should contain:
1. A letter of Invitation
2. Information to Consultants regarding the procedure for submission of proposal
3. Terms of Reference (TOR)
4. Eligibility and pre-qualification criteria in case the same has not been ascertained through Enquiry for Expression of Interest (EOI)
5. List of key positions whose CV and experience would be evaluated
6. Bid evaluation criteria and selection procedure
7. Standard formats for technical and financial proposal
8. Proposed contract terms
9. Procedure proposed to be followed for mid-term review of the progress of the work and review of the final draft report
e-Procurement System requirement: The e-Procurement System should have functionality for creating a detailed Request for Proposal (RFP) and posting this on the e-Procurement system website, with allied functionality for Corrigenda and Addenda to the RFP. The functionality should also include creation of Electronic Forms to capture precise data in the application/bid submitted by each consultant. Where required, functionality of the e-Procurement system should be supplemented with Procurement Policy & Procedures internal to the Buyer organization.
Means of checking: Functionality Verification/Testing of related features and explanations given by the e-Procurement/e-Tendering software/service provider against relevant sections and points of Annexure I. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

172 Receipt and opening of proposals:
GFR text: Proposals should ordinarily be asked for from consultants in a 'Two-bid' system with technical and financial bids sealed separately. The bidder should put these two sealed envelopes in a bigger envelope duly sealed and submit the same to the Ministry or Department by the specified date and time at the specified place. On receipt, the technical proposals should be opened first by the Ministry or Department at the specified date, time and place.
e-Procurement System requirement: The e-Procurement System should have functionality for inviting Single Stage Two Envelope tenders, or Two Stage tenders (as mentioned in CVC guidelines), with a secure methodology for sealing bids (i.e. data encryption of both the Technical, as well as the Financial, bid parts by the bidder himself before bid submission). In addition, there should be functionality for opening only the technical bids first; functionality for creating a shortlist of technically responsive bidders; and functionality for a second tender opening event for opening the financial bids of the technically responsive bidders.
Means of checking: Functionality Verification/Testing of related features and explanations given by the e-Procurement/e-Tendering software/service provider against relevant sections and points of Annexure I.

173 Late bids:
GFR text: Late bids, i.e. bids received after the specified date and time of receipt, should not be considered.
e-Procurement System requirement: The e-Procurement System should have functionality for Not Accepting Late Bids.
Means of checking: Functionality Verification/Testing.

174 Evaluation of technical bids:
GFR text: Technical bids should be analysed and evaluated by a Consultancy Evaluation Committee (CEC) constituted by the Ministry or Department. The CEC shall record in detail the reasons for acceptance or rejection of the technical proposals analysed and evaluated by it.
e-Procurement System requirement: In the e-Procurement System, after the TOE in which the Technical Bids are opened, functionality should exist for members of the Consultancy Evaluation Committee (CEC) to access the Technical Bids for evaluation, with provision to record recommendations.
Means of checking: Functionality Verification/Testing.

175 Evaluation of financial bids of the technically qualified bidders:
GFR text: The Ministry or Department shall open the financial bids of only those bidders who have been declared technically qualified by the Consultancy Evaluation Committee as per Rule 174 above, for further analysis or evaluation and ranking and selecting the successful bidder for placement of the consultancy contract.
e-Procurement System requirement: In the e-Procurement System, after the TOE in which the Financial Bids of the technically qualified bidders are opened, functionality should exist for members of the Consultancy Evaluation Committee (CEC) to access the Financial Bids for evaluation, with provision to record recommendations.
Means of checking: Functionality Verification/Testing.

176 Consultancy by nomination:
GFR text: Under some special circumstances, it may become necessary to select a particular consultant where adequate justification is available for such single-source selection in the context of the overall interest of the Ministry or Department. Full justification for single source selection should be recorded in the file and approval of the competent authority obtained before resorting to such single-source selection.
e-Procurement System requirement: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-Procurement.
Means of checking: Process Audit.

177 Monitoring the contract:
GFR text: The Ministry/Department should be involved throughout in the conduct of the consultancy, preferably by taking a task force approach and continuously monitoring the performance of the consultant(s), so that the output of the consultancy is in line with the Ministry's/Department's objectives.
e-Procurement System requirement: The e-Procurement System should have functionality for monitoring the performance of a consultant, which would include recording of important parameters/milestones relating to the consultant's performance. In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.
Means of checking: Functionality Verification/Testing. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.
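The sealing and opening requirements that recur in the rows above (Rules 152 and 172: technical and financial parts encrypted separately by the bidder before submission, technical bids opened first and financial bids only at a second opening event; Rule 160: bid confidentiality never compromised before the Online Public TOE, and each opened bid countersigned by the TOE officers in the online presence of the bidders) can be exercised in code. The Go program below is an added example written for this page, not code from the STQC guidelines or from any e-Procurement product. Its key custody is an assumption (one RSA opening key for the first TOE and a separate one for the second), as are the envelope format and the names Seal, Open, NewSealedBid, OpenTechnical and VerifyCountersign; the bid contents are constructed sample data. The bidder's signing key is generated and used only on the bidder's side, which is the property the checklist asks for.

```go
package main

// Added example, not taken from the STQC guidelines or any e-procurement product: the sealed
// two-envelope bid of Rules 152/172 and the public tender opening of Rule 160. Key custody is an
// assumption: the technical part is sealed to the first TOE's opening key, the financial part to a second key.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is one bid part: AES-256-GCM ciphertext plus its key wrapped with RSA-OAEP to an
// opening key, so the e-procurement server only ever holds ciphertext.
type Envelope struct{ Nonce, Ciphertext, WrappedKey []byte }

// SealedBid carries both envelopes under the bidder's own signature; that signing key never leaves the bidder.
type SealedBid struct {
	Bidder               string
	Technical, Financial Envelope
	Sig                  []byte
}

// Seal runs on the bidder's machine. The part name is the GCM additional data and the OAEP
// label, so a wrapped technical key cannot be presented at the TOE as a financial one.
func Seal(opening *rsa.PublicKey, part string, plaintext []byte) (Envelope, error) {
	buf := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail: the key length is fixed above
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, opening, key, []byte(part))
	return Envelope{nonce, gcm.Seal(nil, nonce, plaintext, []byte(part)), wrapped}, err
}

// Open is the TOE-side inverse; it fails unless the matching opening key and part name are presented.
func Open(opening *rsa.PrivateKey, part string, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, opening, e.WrappedKey, []byte(part))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects a malformed wrapped key instead of panicking
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(part))
}

// digest binds the bidder identity and both sealed envelopes into the value the bidder signs.
func digest(b *SealedBid) []byte {
	h := sha256.New()
	h.Write([]byte(b.Bidder))
	for _, e := range []Envelope{b.Technical, b.Financial} {
		h.Write(e.Nonce)
		h.Write(e.Ciphertext)
		h.Write(e.WrappedKey)
	}
	return h.Sum(nil)
}

// NewSealedBid is the bidder's whole pre-submission step: seal each part, then sign.
func NewSealedBid(bidder string, techKey, finKey *rsa.PublicKey, signer *ecdsa.PrivateKey, tech, fin []byte) (b *SealedBid, err error) {
	b = &SealedBid{Bidder: bidder}
	if b.Technical, err = Seal(techKey, "technical", tech); err != nil {
		return nil, err
	}
	if b.Financial, err = Seal(finKey, "financial", fin); err != nil {
		return nil, err
	}
	b.Sig, err = ecdsa.SignASN1(rand.Reader, signer, digest(b))
	return b, err
}

// openedRecord is what the TOE officer countersigns: the sealed bid plus the plaintext just opened.
func openedRecord(b *SealedBid, plain []byte) []byte { h := sha256.Sum256(append(digest(b), plain...)); return h[:] }

// OpenTechnical is the first TOE: verify the bidder's signature over the whole sealed bid, open only
// the technical envelope, and countersign the opened record. The financial envelope stays sealed.
func OpenTechnical(b *SealedBid, bidderPub *ecdsa.PublicKey, techKey *rsa.PrivateKey, officer *ecdsa.PrivateKey) (plain, counter []byte, err error) {
	if !ecdsa.VerifyASN1(bidderPub, digest(b), b.Sig) {
		return nil, nil, fmt.Errorf("bid of %s: signature does not verify, altered after sealing", b.Bidder)
	}
	if plain, err = Open(techKey, "technical", b.Technical); err != nil {
		return nil, nil, err
	}
	counter, err = ecdsa.SignASN1(rand.Reader, officer, openedRecord(b, plain))
	return plain, counter, err
}

// VerifyCountersign is what a bidder present online at the TOE runs against the officer's countersignature.
func VerifyCountersign(b *SealedBid, plain []byte, officerPub *ecdsa.PublicKey, sig []byte) bool {
	return ecdsa.VerifyASN1(officerPub, openedRecord(b, plain), sig)
}

func main() {
	tk, _ := rsa.GenerateKey(rand.Reader, 2048)
	s, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // bidder key; reused as the officer key in this run
	b, _ := NewSealedBid("Bidder A (constructed)", &tk.PublicKey, &tk.PublicKey, s, []byte("technical part"), []byte("Rs 100"))
	plain, counter, err := OpenTechnical(b, &s.PublicKey, tk, s)
	fmt.Println(string(plain), err, VerifyCountersign(b, plain, &s.PublicKey, counter))
}
```

What the example makes concrete: the server stores only ciphertext; a wrong opening key or a swapped part label fails at rsa.DecryptOAEP, so the first TOE cannot reach the financial part even by mistake; any change to the stored bid breaks the bidder's signature at the TOE; and the countersignature gives the bidders present online a record they can verify rather than a screen they must trust. Deadline enforcement (Rules 153 and 160(xi)) is a clock comparison on the server and is left out.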

C) Outsourcing of Services: Rules 178 to 185

178 Outsourcing of Services:
GFR text: A Ministry or Department may outsource certain services in the interest of economy and efficiency, and it may prescribe detailed instructions and procedures for this purpose without, however, contravening the following basic guidelines.
e-Procurement System requirement: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-Procurement.
Means of checking: Process Audit.

179 Identification of likely contractors:
GFR text: The Ministry or Department should prepare a list of likely and potential contractors on the basis of formal or informal enquiries from other Ministries or Departments and Organisations involved in similar activities, scrutiny of 'Yellow pages', trade journals, if available, web sites, etc.
e-Procurement System requirement: The e-Procurement System should have functionality for creating Classified Lists of likely and potential contractors. Also, functionality should exist for a Buyer organization to Create/Manage Contractor organizations under different Heads and Grades.
Means of checking: Functionality Verification/Testing.

180 Preparation of Tender enquiry:
GFR text:
The Ministry or Department should prepare a tender enquiry containing, inter alia:
(i) The details of the work or service to be performed by the contractor;
(ii) The facilities and the inputs which will be provided to the contractor by the Ministry or Department;
(iii) Eligibility and qualification criteria to be met by the contractor for performing the required work/service; and
(iv) The statutory and contractual obligations to be complied with by the contractor.
e-Procurement System requirement: The e-Procurement System should have functionality for creating and managing Tender Notices, Corrigenda, Tender Documents, Addenda; floating Open Tenders, as well as Limited Tenders; and functionality for other associated processes. In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.
Means of checking: Functionality Verification/Testing of related features and explanations given by the e-Procurement/e-Tendering software/service provider against relevant sections and points of Annexure I. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

181 Invitation of Bids:
GFR text:
(a) For estimated value of the work or service up to Rupees ten lakhs or less: The Ministry or Department should scrutinise the preliminary list of likely contractors as identified as per Rule 179 above, decide the prima facie eligible and capable contractors and issue limited tender enquiry to them asking for their offers by a specified date and time etc. as per standard practice. The number of contractors so identified for issuing limited tender enquiry should not be less than six.
(b) For estimated value of the work or service above Rupees ten lakhs: The Ministry or Department should issue advertised tender enquiry asking for the offers by a specified date and time etc. in at least one popular largely circulated national newspaper and the web site of the Ministry or Department.
e-Procurement System requirement: The e-Procurement System should have functionality for creating and managing Tender Notices, Corrigenda, Tender Documents, Addenda; floating Open Tenders, as well as Limited Tenders; and functionality for other associated processes. In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.
Means of checking: Functionality Verification/Testing of related features and explanations given by the e-Procurement/e-Tendering software/service provider against relevant sections and points of Annexure I. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.

182 Late Bids:
GFR text: Late bids, i.e. bids received after the specified date and time of receipt, should not be considered.
e-Procurement System requirement: The e-Procurement System should have functionality for Not Accepting Late Bids.
Means of checking: Functionality Verification/Testing.

183 Evaluation of Bids Received:
GFR text: The Ministry or Department should evaluate, segregate and rank the responsive bids and select the successful bidder for placement of the contract.
e-Procurement System requirement: In the e-Procurement System, after the TOE in which the Bids are opened, functionality should exist for members of the Evaluation Committee (EC) to access the Bids for evaluation, with provision to record recommendations.
Means of checking: Functionality Verification/Testing.

184 Outsourcing by Choice:
GFR text: Should it become necessary, in an exceptional situation, to outsource a job to a specifically chosen contractor, the Competent Authority in the Ministry or Department may do so in consultation with the Financial Adviser. In such cases the detailed justification, the circumstances leading to the outsourcing by choice and the special interest or purpose it shall serve shall form an integral part of the proposal.
e-Procurement System requirement: Procurement Policy & Procedures internal to the Buyer organization. Note: Generally no specific requirements for e-Procurement.
Means of checking: Testing & Audit.

185 Monitoring the Contract:
GFR text: The Ministry or Department should be involved throughout in the conduct of the contract and continuously monitor the performance of the contractor.
e-Procurement System requirement: The e-Procurement System should have functionality for recording important milestones of Contract Execution. In addition, the concerned Buyer organization should have Procurement Policy & Procedures to implement the other requirements.
Means of checking: Functionality Verification/Testing. In addition, audit of the Procurement Policy & Procedures of the concerned Buyer organization can be carried out.


Annexure IV: Checklist for Compliance with IT ACT (IT ACT 2000 and Amendment 2008)

Columns: Sl. No. | Issues to be Checked | IT ACT Reference | Means of Checking

1. Electronic Signature Implementation
IT Act reference: 3, 3A, 5, 6, 15, 42, Ch VI; Sch 2, 13
Means of checking: Verification of Implementation/Functionality and the ESC used.
i) The ESC (Electronic Signature Certificate) used for the e-Procurement System by the users are issued by a CA (Certifying Authority) recognized by the Govt. of India CCA (Controller of Certifying Authorities).
ii) The private key or the signature creation data should not be stored in the e-Procurement System or kept under the control of the e-Procurement Service Provider.
iii) By the use of a public key of the subscriber/signer, it should be possible to verify the electronic record. This may be read in conjunction with Sch 2, 13 / 85B(2)(b): except in the case of a secure electronic record or a secure digital signature, nothing in this section shall create any presumption relating to authenticity and integrity of the electronic record or any digital signature. (Explanation: This implies that important electronic records of an e-procurement application, like Tender Notice, Corrigenda, Tender Documents, Addenda, Clarifications to Tender Documents, Bids, etc., should not only be electronically signed; there should also be provision in the e-procurement application to verify the electronic signatures.)
iv) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure. (Explanation: There should be no limitation in the functionality of the e-procurement system which may necessitate, for the tendering processes to continue uninterrupted, that the private key of any officer be handed over to anybody else (who may be absent or unavailable), or where a private key is shared by multiple users due to any reason such as absence of detailed hierarchy within a user organization, or multiple users of a group using a common key.)
v) Similarly, functionality of the e-procurement system should cover other aspects outlined in various sections (specified in the adjacent column) of the IT Act.

2. Electronic Document & Record Control
Means of checking: Verification of policies, procedures, mechanisms and relevant records, and functionality of the e-procurement system.
Suitable controls are established for electronic documents/records generated, processed, stored, and disposed of by the e-Procurement System to comply with the following:
i) The information contained in e-Documents/e-Records remains accessible/usable for subsequent reference;
ii) The e-Records are retained in the original format in which they were generated, to accurately demonstrate how they were generated/sent/received;
iii) The e-Records should be maintained with identification of origin, destination, date and time of dispatch or receipt;
iv) The retention period of the e-Records should be compliant with the legal and contractual requirements.

3. Data Protection
IT Act reference: 43A, Draft rule under Section 43A
Means of checking: Verification of policies, procedures, mechanisms and relevant records, and functionality of the e-procurement system. (Some checks are covered in Annexure I, II and III.)
i) Adequate and reasonable security practices and procedures are in place to protect confidentiality and integrity of the users' data and credentials.
ii) The e-procurement system has to satisfactorily address the above through suitable functionality built into the e-procurement application. Where, in addition, some issues are being further addressed through organizational procedures, these should be explicitly defined with satisfactory explanations. The reasonable security practices and procedures followed should be documented in line with the international standard ISO/IEC 27001.

4. Due diligence exercise
IT Act reference: 79, Draft rule under Section 79
Means of checking: Verification of the terms and conditions of use of the e-Procurement System, user agreement, privacy policy, and other notifications as mentioned.
i) The Service Provider shall publish the terms and conditions of use of its e-Procurement System, user agreement, privacy policy etc.
ii) The Service Provider shall notify users not to use, display, upload, modify, publish, transmit, update, share or store any information that:
(a) belongs to another person;
(b) is harmful, threatening, abusive, harassing, blasphemous, objectionable, defamatory, vulgar, obscene, pornographic, pedophilic, libelous, invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
(c) harms minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) discloses sensitive personal information of another person or to which the user does not have any right;
(g) causes annoyance or inconvenience or deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
(h) impersonates another person;
(i) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
(j) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order, or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any other nation.
iii) The Service Provider shall not itself host or publish or edit or store any information, and shall not initiate the transmission, select the receiver of transmission, or select or modify the information contained in the transmission, as specified in (ii) above.
iv) The Service Provider shall inform its users that in case of non-compliance with the terms of use of the services and privacy policy provided by the Service Provider, it has the right to immediately terminate the access rights of the users to the e-Procurement System.
v) The Service Provider shall publish on the e-Procurement website the designated agent to receive notification of claimed infringements.



Reference Documents


Reference Document 1: e-Tendering Processes

e-tendering portal
An e-tendering portal, or an e-tendering website, refers to an internet based portal on which an e-tendering application software is hosted in a secure manner. One or more Government organizations register on the portal (as Buyer organizations). Various vendors also register on the portal (as Supplier organizations). A Buyer organization floats (i.e. invites) a tender on the portal, and Supplier organizations respond to such tenders. Depending on the functionality offered by an e-tendering portal, all the tendering related activities, from Indent Management (or Requisition Management) to Award of Contract, can be carried out online over the Internet by a Buyer organization, and related activities by Supplier organizations.

Non-negotiable founding principles of Public Procurement like transparency, encouraging competitiveness and fair treatment to all etc.
Switchover from the manual system of tendering to electronic tendering or e-tendering is a major change. Some process re-engineering (i.e. change or improvement in the methodology of conducting various activities) becomes inevitable when a changeover is made to a new technology, or a new method of working is adopted. However, while switching over to e-tendering, no compromise should be made by the Government organization on 'Security and Transparency' related aspects of the Government Tendering Policy and Rules on the pretext of re-engineering.
While switching over to e-tendering, a Government organization (in the role of a Buyer) which urges its Suppliers/Vendors to change over to e-tendering should ensure that the e-tendering portal also takes care of the Supplier organizations' needs for security and transparency, and that suppliers are given reasonable time to change over in a phased manner.

core activities related to tendering
From a Buyer's perspective, 'core activities related to tendering' refers to activities like raising indents (or requisitions) for procuring some item or service, approving such requisitions, configuring the e-tendering system to act as per that organisation's tendering policy, creating a hierarchy of officers with specific authorizations to manage and control activities related to e-tendering for various tenders, configuring the e-tendering system to act as per specific rules for a given tender, creating a list of bidders to be invited for a 'limited tender', creating a tender notice, approving a tender notice, authorizing issue of corrigenda, creating corrigenda, approving tender documents, authorizing issue of addenda, approving addenda, furnishing clarifications to tender documents, conducting online public tender opening event(s) and sharing salient points of each bid with all participating bidders, countersigning each opened bid during the tender opening event, evaluating the bids which have been opened, and creating a list of bidders for the next stage (where applicable). From a Supplier's (or Vendor's) perspective, 'core tendering activities' or 'core activities related to tendering' refers to activities relating to responding to various tenders. These include creating a hierarchy of executives with specific authorizations to manage and control activities related to e-tendering for various tenders, procuring tender documents for a tender, seeking clarifications to tender documents, preparing a bid in multiple parts (as required by the Buyer) and required), attending online public tender opening event(s).

Operating Models for e-Tendering
A variety of 'Operating Models' have emerged through which e-tendering services are currently being offered. Some prominent models are 'Dedicated e-Tendering Portals' (also referred to as Captive e-Tendering Portals), 'Shared e-Tendering Portals' [where services are offered in ASP (Application Service Provider) mode / SaaS (Software as a Service) mode], and different types of 'Outsourcing Models'. Also, it is important to differentiate between the concepts of the portal. In view of the emphasis on Security and Transparency in Public Procurement, the acceptability of these models varies. Guidelines are as follows:

A) (Dedicated e-Tendering Portals) where the Government organization wishing to do e-tendering owns and controls the portal infrastructure, and also controls all the core tendering activities carried out on the portal.
A Government organization wishing to set up a dedicated e-tendering portal for its tendering requirements should float an 'Open Tender' for selecting a suitable vendor. It should not resort to bypassing the tendering process on the grounds that, as a Buyer organization, it has been offered the service free of charge or at a nominal charge, and only Suppliers or Vendors have to pay to the Service Provider or the Supplier of the e-tendering software, as the case may be. In situations like this, as in the case of infrastructure projects, the total revenue which accrues to the Service Provider of the e-tendering portal should be considered, viz. revenue from the Buyer organization(s), revenue from registration of Supplier organizations which will register on the portal at the behest of that Buyer organization, and any other sources of revenue.

B) (Use of a Shared e-Tendering Portal) where the Government organization wishing to do e-tendering controls all the core tendering activities of its organization carried out on the portal, but where ownership and control of the portal infrastructure is with the Service Provider.
A Government organization wishing to use an existing e-tendering portal on a shared basis for its tendering requirements may float a tender for the purpose of selecting a suitable Service Provider. In such situations, the nomination route may be used if both the following conditions are satisfied:
i) The total annual revenue which accrues to the Service Provider from that Government organization and its Suppliers who register specifically at the behest of that Government organization is less than Rs. Five/ten lakhs a year. (Note: Limit to be defined by the appropriate Govt. body keeping in view the Finance Ministry's current limit of Rs. Ten lakhs for consultancy service through the nomination route.) For this purpose, revenue should include registration and portal usage charges of the Buyer organization, registration charges of supplier organizations which register at the behest of that buyer organization, and portal usage charges of the aforesaid supplier organizations specifically in respect of responding to tenders of that Buyer organization.
ii) The arrangement of that Government organization with the Service Provider is on a 'non-exclusive' basis.

C) (Outsourcing Model 1): The Government organization outsources its tendering activities to a Service Provider. The control of all or most of the core tendering activities is in the hands of the Service Provider. The Service Provider also owns and controls the portal infrastructure.

(Outsourcing Model 2): The Government organization procures and owns, partially or fully, the portal infrastructure, but does not manage it. Furthermore, the Government organization outsources the management and control of its tendering activities to a Service Provider.

It is important to note that 'Outsourcing' as outlined above is substantively distinct from 'Use of a Shared e-Tendering Portal' as outlined in (ii) B above. In case of the 'Shared e-Tendering Portal', the Government organization wishing to do e-tendering controls all the core tendering activities of its organization carried out on the portal. In case of 'outsourcing', since 'complete control' is in the hands of a third party Service Provider, a number of 'legal' and 'security' related issues arise. Some of these issues are:
i) 'Tendering' is a sensitive activity, where integrity and transparency of the procurement process is of paramount importance. Can such a sensitive activity be outsourced to a third party Service Provider (who in turn may be a public sector entity, or a private entity) where 'complete control' is in the hands of the third party Service Provider?
ii) In case of a Government organization, the officers authorized for 'tendering' are legally accountable under the Official Secrets Act. Certain standards of propriety, integrity and confidentiality are expected of Government officers and Government departments. How will this be ensured from personnel of a third party private Service Provider, who would gain complete control of the tendering activities under the outsourcing contract?

iii) Guidelines pertaining to Access to the e-Tendering Portal:
Access shall be provided to the general public for viewing 'tendering opportunities' (i.e. Tender Notices) posted on the e-tendering portal for all 'Open Tenders', as well as 'Limited Tenders' (the exception in case of Limited Tenders is where, due to reasons of national security, it is expedient not to do so). Access shall imply viewing a Tender Notice, searching a Tender Notice with its reference number, or name of the Buyer organization.
Access shall be provided to the general public for accessing any other 'Public Information' sections of the e-tendering portal, such as information pertaining to forthcoming Tendering Opportunities and information pertaining to 'Award of Contracts', i.e. Purchase Orders.

iv) Guidelines pertaining to use of Digital Signatures, IT Act 2000 and Phased Approach:
Any e-tendering portal to be used by a Government organization must allow the users of the portal to use any one Digital Certificate (Digital Signature) issued by any Certifying Authority licensed by the CCA, subject to other conditions of the Digital Certificate issuing authority.
The Digital Signature (i.e. Private Key) cannot be handed over by the owner of that key to any other person. (It has been observed that in some e-tendering portals the private digital keys of the authorized officers are handed over to the staff of the service provider, or the keys are freely exchanged amongst the users. This practice should be stopped forthwith.)
No technology should be forced on the users suddenly. A phased approach must be adopted. Specifically in case of e-tendering, unless a large number of users are comfortable with the use of Digital Signatures, there is no point forcing them to deal with more sophisticated features like online bid submission involving encryption of bids etc. (It has been observed in some e-tendering portals that the staff of the Service Provider have been encrypting bids on behalf of the bidders and conducting the Tender Opening Events on behalf of the authorized Government officers.)
All Digital Signature Certificates should be PKI based and issued by a Certifying Authority duly licensed by the CCA.
Compliance with IT Act 2000: Vendors of e-tendering portals, or tendering software, should be specifically instructed to keep in view s 42(1) and s 85B 2(b) of the IT Act 2000 while giving a 'confirmation of compliance with the IT Act 2000'.
To avoid compromise of security (i.e. compromise of the private key in this context), users of an e-tendering portal should not obtain 'pre-prepared' digital certificates through the service provider or any other source. The digital certificate should be generated by the concerned user (i.e. the applicant of the digital certificate) himself, preferably on his own computer, and securely stored under a password.


Reference Document 2: Electronic Tendering Glossary

Information Entity: Definition
Goods: The supply of Goods with minimal Labour.
Invitation to Tender: A request by the procuring entity to contractors for a commercial offer, for the entity to appoint a contractor to execute the works.
Open Tender: All interested suppliers may submit a tender.
Opening of tenders: Tenders shall be opened under procedures and conditions guaranteeing the regularity of the openings.
Optional Contract: The procuring entity identifies a tenderer who has suitable assets, repute and ability and then contracts with it at its discretion.
Registration: A system to ensure that tenders are sought only from contractors whom the procuring entity has already established as having the requisite resources and experience to perform the intended work satisfactorily.
Public Invitation: An invitation to participate in an intended procurement, published by procuring entities. The notice shall be published in the appropriate publication.
Selective Tender: Suppliers invited to do so by the procuring entity may submit a tender.
Services: The supply of Services, mainly intellectually based Labour.
Tender: The Letter of Tender and all other documents which the Contractor submitted with the Letter of Tender, as included in the Contract.
Tender Documents: Documents which should be issued by the procuring entity to those firms who have been selected to tender, or who wish to tender in case of an Open Tender.
Tenderer: Firm answering an invitation to tender.
Tender Result Notice: The procuring entity creates a tender result notice and issues it to tenderers.
Contract Award Publication: The procuring entity publishes the contract award.
Qualification: The procuring entity verifies the tender participation qualification of tenderers.
Works: The supply of Labour, Materials and associated Plant.


Reference Document 3: OWASP (Open Web Application Security Project) Top 10 Application Security Risks 2010

A1 Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

A2 Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.

A4 Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6 Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7 Insecure Cryptographic Storage: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

A8 Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A9 Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10 Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.


Reference Document 4: Business requirements specification, cross-industry e-Tendering process (Source: CWA 15666)

To attain the objective of interoperability and compatibility of various solutions, both at the buyer and the supplier end, it is required that processes and information entities be standardized across industrial electronic tendering. Following are the business requirements for the same.

Business Process Elaboration
e-Tendering:
- Registration
- Public Invitation
- Tender / Opening of Tenders
- Publication of Award

Business Information Flow Definition
- Submit Registration Application
- Issue Examination Result Notification
- Publish prior information notice
- Publish invitation to tender
- Submit pre-qualification application
- Issue letter of invitation to tender
- Request Tender Information
- Issue tender information
- Issue tender guaranty
- Submit the response of tender guaranty
- Submit tender
- Submit qualification and application
- Issue qualification result notice
- Issue tender result notice

Following are the process details:

Registration
Preconditions: None
Begins When: Tenderers apply for registration
Definitions: Tenderers apply for registration; Procuring entity receives registration application; Procuring entity examines registration application; Procuring entity notifies tenderers of examination result; Tenderers receive examination result

Public Invitation
Preconditions: Procuring entity has a tendering subject; release invitation to tender
Begins When: Procuring entity establishes project strategy
Definition: Procuring entity establishes project strategy; Procuring entity publishes invitation to tender; If necessary, tenderers should be pre-qualified; If necessary, procuring entity selects tenderers; When tenderers have intention to submit tenders, tenderers request detailed information of the tendering subject; Procuring entity receives request for detailed information of the tendering subject; Procuring entity issues detailed information of the tendering subject to tenderers; Tenderers receive detailed information of the tendering subject
Ends When: Tenderers receive detailed information of the tendering subject
Exceptions: Procuring entity does not receive request for detailed information of the tendering subject by tenderers; Tenderers do not receive detailed information of the tendering subject from procuring entity; Tenderers have no intention to participate in tender
Postconditions: Tenderers get detailed information of the tendering subject

Tender / Opening of Tenders
Preconditions: Targeted tendering subject is within submission period of tenders; Tenderers receive detailed information of the tendering subject
Begins When: Tenderers submit tenders
Definitions: Tenderers submit tenders; Procuring entity receives tenders; Procuring entity opens tenders; If necessary, procuring entity verifies qualification of the tenderer; Procuring entity notifies tender result; Tenderers receive tender result
Ends When: Tenderers receive tender result
Exceptions: Procuring entity does not receive tenders from tenderers; Tenderers do not receive tender result from procuring entity
Postconditions: Tenderers get details of tender result.

Publication of Award
Preconditions: Procuring entity notifies tender result to tenderers
Begins When: Procuring entity publishes tender result
Definitions: Procuring entity publishes tender result. (Note: These definitions are examples of executing business collaborations within this business process.)
Ends When: Procuring entity publishes tender result
Exceptions: None
Postconditions: Procuring entity proves that the tender has been performed without injustice.
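The checks behind Annexure III rows 182 and 183 (late bids not accepted; Evaluation Committee access only after the Tender Opening Event) and the "Tender / Opening of Tenders" process above, as an added Python example that is not part of the guideline or of any e-procurement product. It assumes the bid payload arrives already encrypted by the bidder (encryption itself is outside the example), that the server clock is authoritative, and uses constructed tender, officer and vendor names and timestamps.

```python
"""Sealed-bid box for an e-tendering application (constructed example, not the
guideline's own code): late bids are not accepted (GFR 182), bids stay sealed until
the Tender Opening Event (TOE), only Evaluation Committee (EC) members read opened
bids (GFR 183), and every action is written to a hash-chained audit log.  The
payload is opaque bytes standing in for the bidder-encrypted bid."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

GENESIS = "0" * 64  # chain anchor for the first audit entry


class BidBoxError(Exception):
    """A tendering rule would be violated."""


@dataclass
class TenderBidBox:
    tender_id: str
    submission_deadline: datetime
    opening_time: datetime                # start of the TOE
    tender_openers: FrozenSet[str]        # officers authorised to conduct the TOE
    evaluation_committee: FrozenSet[str]  # EC members
    # bidder -> (sealed payload, SHA-256 commitment issued to the bidder as a receipt)
    bids: Dict[str, Tuple[bytes, str]] = field(default_factory=dict)
    opened: bool = False
    audit_log: List[str] = field(default_factory=list)

    def _log(self, now: datetime, event: str) -> None:
        """Append an entry whose digest also covers the previous digest (tamper-evident)."""
        prev = self.audit_log[-1].split("|", 1)[0] if self.audit_log else GENESIS
        entry = f"{now.isoformat()}|{self.tender_id}|{event}"
        self.audit_log.append(hashlib.sha256((prev + entry).encode()).hexdigest() + "|" + entry)

    def submit(self, bidder: str, payload: bytes, now: datetime) -> str:
        """Accept a sealed bid before the deadline (server clock); a re-submission replaces it."""
        if now > self.submission_deadline:
            self._log(now, f"REJECTED late bid from {bidder}")
            raise BidBoxError("late bid: received after the specified date and time")
        commitment = hashlib.sha256(payload).hexdigest()
        self.bids[bidder] = (payload, commitment)
        self._log(now, f"RECEIVED sealed bid from {bidder} commitment={commitment}")
        return commitment

    def open_bids(self, officer: str, now: datetime) -> List[Tuple[str, str]]:
        """Conduct the TOE: authorised officer only, once only, not before opening_time."""
        if officer not in self.tender_openers or now < self.opening_time or self.opened:
            raise BidBoxError("TOE refused: unauthorised officer, not yet due, or already opened")
        for bidder, (payload, commitment) in self.bids.items():
            if hashlib.sha256(payload).hexdigest() != commitment:  # changed after receipt
                raise BidBoxError(f"integrity failure on bid from {bidder}")
        self.opened = True
        self._log(now, f"OPENED {len(self.bids)} bids by {officer}")
        # Salient points that may be shared with all participants: bidder and receipt hash
        return sorted((b, c) for b, (_, c) in self.bids.items())

    def read_bid(self, member: str, bidder: str, now: datetime) -> bytes:
        """EC access to an opened bid; refused before the TOE and to non-members."""
        if not self.opened or member not in self.evaluation_committee:
            raise BidBoxError("bids are readable only by EC members after the TOE")
        self._log(now, f"READ bid of {bidder} by {member}")
        return self.bids[bidder][0]

    def audit_log_intact(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = GENESIS
        for line in self.audit_log:
            digest, entry = line.split("|", 1)
            if hashlib.sha256((prev + entry).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


def demo() -> dict:
    """Constructed tender: timely and late bids, early access attempts, the TOE, EC review, tamper check."""
    t0 = datetime(2011, 8, 31, 10, 0, tzinfo=timezone.utc)  # constructed timestamps
    deadline, toe = t0.replace(hour=15), t0.replace(hour=15, minute=30)
    box = TenderBidBox("TENDER-001", deadline, toe, frozenset({"officer_a"}), frozenset({"ec_1", "ec_2"}))
    box.submit("vendor_x", b"<sealed bid of vendor_x>", t0)
    box.submit("vendor_y", b"<sealed bid of vendor_y>", t0.replace(hour=14, minute=59))
    res = {}
    for key, action in (
        ("late_rejected", lambda: box.submit("vendor_z", b"late", t0.replace(hour=15, minute=1))),
        ("early_read_refused", lambda: box.read_bid("ec_1", "vendor_x", t0.replace(hour=15, minute=5))),
        ("early_open_refused", lambda: box.open_bids("officer_a", t0.replace(hour=15, minute=10))),
    ):
        try:
            action()
            res[key] = False
        except BidBoxError:
            res[key] = True
    res["opened"] = box.open_bids("officer_a", toe)
    res["read_by_ec"] = box.read_bid("ec_2", "vendor_y", t0.replace(hour=16))
    res["log_ok"] = box.audit_log_intact()
    box.audit_log[0] = box.audit_log[0].replace("RECEIVED", "REJECTED")  # simulate tampering
    res["tamper_detected"] = not box.audit_log_intact()
    return res
```

Calling `demo()` walks one tender through the rules; the rejected late bid and the refused early attempts are themselves recorded in the audit log, which is what an auditor verifying rows 182 and 183 would inspect.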



Templates & Forms

Template 1: Defining Usability Requirement Specifications of the Software Product

USABILITY REQUIREMENTS SPECIFICATIONS OF <> SOFTWARE PRODUCT
Note: This is an illustration only. The Applicant shall specify the parameters like file size (MB), time (seconds) and bandwidth for each item. Only applicable clauses of this template should be used.

1. NAME AND PURPOSE OF THE PRODUCT:
<> is a web based eGovernance solution designed and developed for complete automation of the tendering/procurement of materials, components, contracts, works and services.
This specification defines the Usability requirements for the <> software application.

2. CONTEXT OF USE
<> has the capability to support the complete tendering process, which includes placing of online technical bids and commercial bids, facility for e-payment and secure opening of vendor bids, with provision for interface to e-payment gateways and incorporating PKI enabled digital signatures.
Fine details of tendering like creation of vendor database, tender announcement and corrigendum; tender offer processing, opening, negotiation, dynamic pricing mechanism, automatic generation of comparative statement of bids received, tender awarding and management of tender contract operation and re-tendering are supported in a real time interactive environment. This system enables both procurers and vendors to interact with each other and transact business.

a. Specification of users:
Based on the analysis of the product, the main classes of users are:
- Department users (i.e. Buyers or Purchasers)
- Portal/eProcurement Application Administrators (for Dedicated Portal of a Buyer)
- Registered suppliers/contractors/vendors
- Portal/eProcurement Application Administrators (for Service Providers)
- Registered suppliers/contractors/vendors

i. Skills & knowledge: Should be computer literate and in the habit of surfing the net; should have knowledge about the tendering process
ii. Training on the usage of software: mandatory
iii. Product Experience: Nil
iv. Organizational experience: Nil
v. Physical attributes: Normal

Department Users (i.e. Buyers or Purchasers)
i. Skills & knowledge: Should be computer literate and in the habit of surfing the net; should have knowledge about the tendering process
ii. Training on the usage of software: mandatory
iii. Product Experience: Nil
iv. Organizational experience: Required
v. Physical attributes: Normal


b. Broad Specification of tasks
The major workflows, analysed in terms of severity, criticality and frequency of use for the respective users, are as given below:

Department Users
1. Vendor Registration specific to a particular Buyer/Department: Any person who wants to bid for any tender of that Buyer/Department has first to register with the department (after having registered on the portal). Where required, the Department Administrator can create vendors.
   a. They receive the filled-in application with credentials of the vendors, and then register them for a particular classification and grade.
2. Tender Creation: Creation, Uploading of tender and Authorizing the tender.
3. Tender Opening: Tender Opening in the simultaneous online presence of authorized bidder representatives with additional optional offline presence, EMD Authorisation, countersigning of each opened bid in the simultaneous online presence of authorized bidder representatives, Downloading of submitted vendor documents, Disqualification of a vendor (i.e. archiving a bid unopened) and Comparative statement generation.
   Sub-activities: verification of documents and EMD/Bank Guarantee.

Suppliers/contractors/vendors
a. Self Registration on the e-procurement portal by the first user of an organization, and submission of his Public Key.
   Sub-activities:
   i. Where required, registration by an authorized user for a particular Department/Buyer for a particular classification of trade, region and vendor class for a particular duration
   ii. Attachment of supporting documents required for the registration
b. PKI based login and Request/Procurement of tender documents
c. Pre-qualification based on projects/tenders
d. Download tender documents/addenda
e. Upload filled tender documents (i.e. bids, in envelopes and stages as instructed in the tender documents)
   Sub-activities:
   i. Attachment of supporting documents required for the tender
   ii. Submission

c. Specification of environment
As this application is generally used in an office environment, testing can be done in an office ambience. So the Usability Lab at <> can be used for carrying out the user tests.

3. SPECIFICATION OF MEASURES OF USABILITY FOR PARTICULAR CONTEXTS

Department Users
1. Vendor Registration
a. Effectiveness (Accuracy & Completeness): All Vendor Registrations have been completed successfully.
b. Efficiency: Registration to be completed by the user within <10 minutes>.
c. Satisfaction: Less than 10% of users report dissatisfaction with the vendor registration procedures.
2. Generation of a tender (Creation)
a. Effectiveness (Accuracy & Completeness): All Tenders have been completed correctly and successfully.
b. Efficiency: Tender Creation to be completed by the user within 10 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the tender generation process.
3. Uploading of tender
a. Effectiveness (Accuracy & Completeness): All tenders have been uploaded successfully.
b. Efficiency: Uploading to be completed by the user within 3 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the uploading procedures.
4. Opening of Tenders
a. Effectiveness (Accuracy & Completeness): The opening of all tenders has been completed successfully.
b. Efficiency: Opening of tenders to be completed by the user within 5 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the tender opening procedures.
5. EMD Authorisation
a. Effectiveness (Accuracy & Completeness): The EMD Authorisation of all tenders has been completed successfully.
b. Efficiency: EMD Authorisation to be completed by the user within 1 minute.
c. Satisfaction: Less than 10% of users report dissatisfaction with the EMD Authorisation procedures.
6. Downloading of submitted vendor documents
a. Effectiveness (Accuracy & Completeness): The downloading of all submitted tenders has been completed successfully.
b. Efficiency: Downloading of submitted vendor documents to be completed by the user within 5 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the downloading procedures.
7. Disqualification of one vendor
a. Effectiveness (Accuracy & Completeness): Vendor Disqualification has been completed successfully.
b. Efficiency: Disqualification of one vendor to be completed by the user within 3 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the disqualification procedures.

8. Comparative statement generation
a. Effectiveness (Accuracy & Completeness): Generation of the Comparative statement has been completed successfully.
b. Efficiency: Comparative statement generation to be completed by the user within 2 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the Comparative statement procedures.

Suppliers/contractors/vendors
1. Self Registration with PKI
a. Effectiveness (Accuracy & Completeness): Self Registration with PKI has been completed successfully.
b. Efficiency: Registration to be completed by the user within 12 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the PKI registration procedures.
2. PKI based login and Request for tender documentation
a. Effectiveness (Accuracy & Completeness): All Vendor requests have been completed successfully.
b. Efficiency: Tender request to be completed by the user within 5 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the Tender request procedures.
3. Downloading of tender documents
a. Effectiveness (Accuracy & Completeness): All the tender documents have been downloaded successfully.
b. Efficiency: Downloading of tender documents to be completed by the user within 3 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the downloading procedures.
4. Upload filled tender documents, Supporting documents and Submission of tender
a. Effectiveness (Accuracy & Completeness): All the tender documents have been uploaded and submitted successfully.
b. Efficiency: Tender Submission to be completed by the user within 15 minutes.
c. Satisfaction: Less than 10% of users report dissatisfaction with the whole tender submission procedures.

4. Usability objective: Overall usability
1. Effectiveness measures
a. Percentage of goals achieved: 100%
b. Percentage of users successfully completing task: 100%
2. Efficiency measures
a. Average time to complete a task: less than 40 minutes
b. Average no. of tasks completed per unit time: one per 10 minutes
3. Satisfaction measures
a. Rating scale for satisfaction: more than 90%
b. No. of complaints: less than 10%


Template 2: Defining Performance Specifications

To be provided by developer/user:
The application: <Brief about application>
The data model: <Use of Database and Data Architecture>
The technology: <Use of Technology e.g. .Net, Oracle, SQL, Soft etc.>
The user profiles: Type of User (Internal, External etc.)
The business requirements:

Sl. No. | Characteristic/requirement | Supplied Data Value
1. Type of users (e.g. administrator/power user/user/guest etc.) on the basis of access rights & frequency of use.
2. Type of activities to be performed by the users (identify each activity/function).
3. No. of users for each activity/function/scenario (with concurrent users/activities).
4. Response time for each activity/scenario
   (a) At normal load
   (b) At max. load
5. Total no. of tasks (identify & list each task).
6. Response time for each task
   (a) At normal load
   (b) At max. load
7. Throughput (for each activity) in terms of bytes/second or tasks/second or no. of tasks to be completed within a specified period
   (a) At normal load
   (b) At max. load
8. Turn Around Time (activity-wise)
   (a) At normal load
   (b) At max. load
9. I/O devices (e.g. printer, keyboard, mouse, scanner, modem etc.)
   (a) Utilization time for I/O devices
   (b) I/O error messages/warning/failure messages at max. load
   (c) Waiting time for I/O utilization at max. load
10. Memory utilization
   (a) Memory utilization at max. load
   (b) Memory related error messages/warning/failure messages at max. load
11. Transmission resources utilization
   (a) Specify the following:
       i) Data transfer speed of network cable
       ii) NIC card
       iii) Modem
       iv) Hub, Switch and Router
   (b) Internet Service Provider (e.g. ISDN dial-up/lease line with 64/128 KBPS)
   (c) No. of error messages at max. load
   (d) Transmission capacity at max. load
12. Compliance: Identify the activities/functions requiring conformance to standards (organization-specific/national/international), rules & regulations.

Signature of supplier/user:
Place:          Dated:


Annexure V: Definitions and Reference Documents

eProcurement: Electronic procurement (eProcurement) is the use of electronic tools and systems to increase efficiency and reduce costs during each stage of the purchasing process.

Amendments/Modifications to Tenders: The tenderer, after submitting its tender, is permitted to submit alterations/modifications to its tender so long as such alterations/modifications are received duly sealed and marked like the original tender, up to the date and time of receipt of tenders. Any amendment/modification received after the prescribed date and time of receipt of tenders is not to be considered.
Source: Manual on Policies and Procedures for Purchase of Goods (Ministry of Finance)

Withdrawal, substitution and modification of Bids
Source: Standard Bidding Document, Procurement of Goods, User's Guide, Asian Development Bank
26.1 A Bidder may withdraw, substitute, or modify its Bid after it has been submitted by sending a written Notice, duly signed by an authorized representative, and shall include a copy of the authorization in accordance with ITB 22.2 (except that Withdrawal Notices do not require copies). The corresponding substitution or modification of the Bid must accompany the respective written Notice. All Notices must be:
a) submitted in accordance with ITB Clauses 22 and 23 (except that Withdrawal Notices do not require copies), and in addition, the respective envelopes shall be clearly marked "Withdrawal", "Substitution", "Modification"; and
b) received by the Purchaser prior to the deadline prescribed for submission of bids, in accordance with ITB 24.
26.2 Bids requested to be withdrawn in accordance with ITB 26.1 shall be returned unopened to the Bidders.
26.3 No Bid shall be withdrawn, substituted, or modified in the interval between the deadline for submission of bids and the expiration of the period of bid validity specified by the Bidder on the Bid Submission Sheet or any extension thereof.

eSourcing: Electronic sourcing (eSourcing) is the use of internet technology to establish, manage and monitor contracts. It includes:
* eTendering
* eEvaluation
* eCollaboration, and
* eContract Management

Public Service Organization (PSO): An organization which provides service(s) to the public at large and/or whose activities influence public interest, e.g. Government ministries and departments, regulatory bodies, public utility service providers, etc.


Purchase Officer: A Purchase Officer is an employee within a Public Service Organization (Govt. Department/Public Sector Undertaking) who is responsible at some level for buying or approving the acquisition of goods and services needed by the organization. A Purchase Officer may oversee the acquisition of materials, general supplies for offices and facilities, or equipment. A Purchase Officer is also known as a Procurement Manager. They are overall responsible for building and managing their organization's supply chains.

Service Provider: A service provider is an entity that provides services to other entities. In the context of this document, Service Provider refers to a business that provides eProcurement services to the Public Service Organization (Govt. Department/Public Sector Undertaking).

Solution Provider: A solution provider is a vendor, a service provider or a value added reseller (VAR) that comprehensively handles the project needs of their client from concept to installation through support. This process normally involves studying the client's current infrastructure, evaluating the client's needs, specifying the mix of manufacturers' hardware and software required to meet project goals, and installing the hardware and software at the client's site(s). In many cases, the "solution" also includes ongoing service and support from the VAR.

Senior Administrators: Employees within a Public Service Organization charged with improving their company's profits, responsiveness, and standing in the market. They are also termed Executive Director, Material Management or Chief Executive Officer, depending on the size of the organization.

Financial Advisor (CFO): Employee of a Public Service Organization focused on controlling costs and optimizing their organization's resources. They are also designated as Chief Financial Advisor (CFO).

Head IT: Employee of a Public Service Organization involved in selecting and implementing eGovernance in the PSO, also known as Chief Information Officer. He is also responsible for managing consultants and system integrators (SI) tasked with identifying leading eProcurement solutions.

Facility Management Partner (FMP): In some cases PSOs take the services of front-end FMPs for implementation, operation, management and training of the eProcurement solution. PSOs outsource the operation of the eProcurement solution through the front-end facility management partner.


2.0 Reference Standards and Normative Documents
Application Security: OWASP Top 10, 2010
Network Security as per NIST 800-115, Technical Guide to Information Security Testing and Assessment
CWA 15994 (CEN Workshop Agreement): eTendering Process
CWA 15666 (CEN Workshop Agreement): Business Requirements Specification, Cross-Industry eTendering Process
eProcurement Integrity Matrix from Transparency International India
ISO/IEC 27001: Information Security Management System Requirements
ISO/TS 15000: Electronic Business eXtensible Markup Language (ebXML)
IT Act 2000 with amendments 2008
General Financial Rules, 2005
Relevant CVC Guidelines

