NTPC Limited

(A Government of India Enterprise)

EXPRESSION OF INTEREST (EOI)

FROM INDIAN FIRMS

FOR

DEVELOPMENT OF NTPC’S OWN

E-PROCUREMENT SOLUTION

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

 

 

 

 

TABLE OF CONTENTS

 

 

 

 

Part-I

 

 

 

 

 

 

 

 

1.0

 

DISCLAIMER

 

 

 

 

 

 

 

 

 

2.0

 

BACKGROUND

 

 

 

 

 

 

 

 

 

3.0

 

PURPOSE OF THE EOI

 

 

 

 

 

 

 

 

 

4.0

 

SCOPE OF WORK

 

 

 

 

 

 

 

 

 

5.0

 

INFORMATION REQUIRED AS PART OF EOI

 

 

 

 

 

 

 

 

 

6.0

 

INSTRUCTIONS TO THE APPLICANTS

 

 

 

 

 

 

 

 

 

7.0

 

DEADLINE FOR SUBMISSION OF EOI

 

 

 

 

 

 

 

 

 

8.0

 

SIGNATURE AND SUBMISSION

 

 

 

 

 

 

 

 

 

9.0

 

RIGHT TO ACCEPT OR REJECT APPLICATION

 

 

 

 

 

 

 

 

 

 

 

 

Part-II

 

 

 

 

 

PROFORMA

 

LETTER OF APPLICANT

 

ANNEXURE I

Company Profile

 

ANNEXURE II

Financial Information

 

ANNEXURE III

Implementation Methodology

 

ANNEXURE IV

Quality Assurance System/Certification

 

ANNEXURE V

Additional Information

 

ANNEXURE VI

Details Of Available Technical Manpower

 

ANNEXURE VII

Past Experience

 

ANNEXURE VIII

Acceptance of Fraud Prevention Policy

 

 

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

1.0DISCLAIMER

1.1NTPC, reserves the right not to proceed further, to change the process or procedure to be applied. It also reserves the right to decline to discuss further with any party expressing interest.

1.2No reimbursement of cost of any type will be paid to persons, entities, or consortiums expressing interest.

2.0BACKGROUND

NTPC is India’s largest power utility with an installed capacity of 62,110 MW (including JVs) comprising 24 coal based, 7 gas based, 1 Hydro 1 Wind 11 Solar and 1 Small hydro plant, plans to become a 130 GW company by 2032. Established in 1975, NTPC aims to be the world’s largest and best power major. NTPC has taken various digital initiatives which interalia includes implementation of SAP ERP, paperless office and e tendering mainly through SRM, GePNIC (Government E procurement NIC) and ETS portal for faster exchange of information, uniform business process, better control of operation, decision etc.

3.0PURPOSE OF THE EOI

3.1NTPC presently carrying out e tendering through GePNIC (Government E procurement NIC) portal for simple and low value tenders and SRM portal for large and complex tenders. In order to obviate the need of separate portals to deal with different requirement of tendering processes, NTPC desires to explore the possibility of developing comprehensive portal catering to the requirements of complete procurement cycle of both simple and complex packages from issuance of NIT to completion of Reverse/ forward Auction (wherever applicable) and its forward and backward integration with existing SAP ERP system of NTPC.

3.2NTPC invites ‘Expression of Interest’ (EOI) from all reputed Indian firms who have experience of successful design/ develop/customize/ implement e-tendering solutions or similar features type of software applications for industrial/Services /government sector. The details received in EOI shall be used to set the qualification criteria for agencies, Subsequently competitive bidding shall be carried out for selection of agency for development of NTPC’s own e procurement solution.

4.0SCOPE OF WORK

4.1 The e procurement portal should be able to cater following types of tenders:

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

(i)Single tender/Limited tender/Open Tender

Domestic Competitive Bidding/International Competitive Bidding

(ii)Tender in both Indian Rupees and Multiple currencies

(iii)Single Stage Single Envelope/ Single Stage Two Envelope/Two Stage Bidding

(iv)Reverse Auction /Forward Auction.

(v)Tenders of Rate Contract.

(vi)Tenders for Enlistment of agencies

4.2The e-procurement system shall be integrated with existing SAP-ERP system of NTPC to exchange various information related to tendering as forward and backward linkage.

4.3The retention of documents on portal shall be for a period of 15 years

4.4The system shall be designed for uploading of tender/bid upto 500 MB size.

4.5The e procurement portal should handle approx. 18 to 20 thousand tenders per annum

4.6The e-procurement system should cater the requirements of complete procurement cycle from issuance of NIT to completion of Reverse/ forward Auction along with bucket filling, dynamic/ static loading as applicable.

4.7It should have functionality for payment of Tender fee, Bid Security (ie Earnest Money Deposit) as per instructions of the Buyer, either online at the time of online bidsubmission (subject to the payment limits of the Payment Gateway), or payable offline parallel to the online bidsubmission before the bidsubmission deadline.

4.8It should have functionality for recording important milestones of Contract Execution which would include submission of Performance Security by the successful bidder(s).

4.9NTPC in future may also allow other organizations to use this e procurement portal for tendering. According, the portal should have system provisions to enable tendering by users of other organizations.

4.10The e-Procurement/ e-tendering solution to be designed/ developed and implemented for NTPC Limited should be fully compliant with DeitY- Guidelines dated 31-08-2011. In order to conform to the quality requirements of e-procurement solution, bidder shall get the e-procurement system audited & certified by STQC & obtain STQC Compliance certificate.

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

Salient features based on DeitY-Guidelines are as follows: (Applicants may refer the Deity Guidelines for details):

i)Fully Compliant with IT Act 2000 (and its Amendment 2008) and CVC Guidelines.

ii)Implementation of Bid Encryption at Client End (i.e. Bidder’s Computer) using symmetric key or asymmetric key (PKI based).

iii)Bids before transmission from Bidder’s computer should be protected with SSL Encryption.

iv)E-procurement system should deploy PKI based technologies for authenticating the bids & opening electronic tender box. Secure methodology for decrypting the bids should be deployed corresponding to encryption methodology deployed (viz. Symmetric or PKI based asymmetric).

v)E-procurement Application should have audit trail facilities.

vi)E-procurement system should not provide read access to password to the Administrator. E-procurement system further should not have “forgot password” feature which provides administrator generated or system generated temporary password. Once password is forgotten, a new password may be allotted following a set of processes needed for allotment of password.

vii)E procurement application should have provisions of ensuring validation of PKI signature through Certificate revocation list and validity of certificate.

viii)Time stamping facility should be there in the e-procurement application for time stamping of all important events like – creation of tender notice, approval of tender notice/tender documents, submission of bids & supplementary bids.

ix)Opening of the bids in the simultaneous online presence of the bidders with proper online attendance record of the authorized representatives of the bidders. Merely opening bids online, and then subsequently displaying some results to the bidders does not fulfil the requirements of a transparent Online Public Tender Opening Event. While bidders should be welcome to be present physically during the TOE, it should not be mandatory for them to do so. All the above should be achieved online in a user friendly manner.

x)Security Checks to assure bidders of nontampering of their bids, et al during the online TOE itself.

xi)Onebyone opening of the sealed bids in the simultaneous online presence of the bidders.

xii)Online verification of the digital signatures of bidders affixed to their

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

respective bids

xiii)The audit for certification of the entire e-procurement solution shall be undertaken from STQC after its deployment & prior to its usage .

4.11Scope of IT Infrastructure

1.The scope involves supply , installation , commissioning , monitoring and maintenance of all IT hardware and software necessary for the solution.

2.The Infrastructure can be provided in two options

Option 1

i)All the hardware needed but not limited to Servers, Storage, Network equipments, Load balancer, backup devices etc shall be supplied, installed, commissioned and maintained in both DC and DR .

ii)All the software and software licenses needed but not limited to Operating System, application software, databases, backup, replication, load balancer etc shall be supplied, installed, commissioned and maintained in both DC and DR.

iii)Data replication for all databases will be done between DC and DR and necessary tools for replication and monitoring shall be supplied,installed , commissioned and maintained .The RPO will be 15 minutes and RTO 6 hours

iv)There will be no single point of failure in the solution .

v)The infrastructure will be supplied , installed, commissioned and maintained with a warranty for a period of 6 years.

vi)The bidder to carry out the sizing of the hardware and software required for the solution.

vii)The complete system will be maintained with 99.5 % availability throughout the period of the contract.

Option 2

i)All the hardware needed but not limited to Servers, Storage , Network equipments , Load balancer, backup devices etc shall be supplied, installed, commissioned and maintained in a private cloud

ii)All the software licenses needed but not limited to Operating System , application software, databases , backup ,replication , load balancer etc shall be supplied ,installed, commissioned and maintained in a private cloud.

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

iii)The bidder shall be responsible for the tie up with the cloud service provide for a period of at least 6 years. The cloud service provider shall be MEITY certified with data centre in India.

iv)There will be no single point of failure in the solution.

v)The bidder will carry out the sizing of the hardware and software required for the solution to be hosted in the private cloud

vi) The complete system will be maintained with 99.5 % availability throughout the period of the contract.

vii)All the necessary steps to ensure security of data will be carried out by the bidder.

viii)The bidder shall provide the details of the back to back agreement of the tie up with cloud service provider.

ix)The bidder shall clearly provide the exit plan from the cloud service provider. The bidder will be responsible for migration, installation and commissioning of the system, in case of change of service provider, to the new cloud service provider.

5 INFORMATION REQUIRED AS PART OF EOI

5.1Prospective parties are required to submit the information as mentioned below along with their EOI in the attached Formats:

Company profile

Annual Report including Balance sheets for last five years.

Past Experience details.

Implementation methodology

Financial Capability

Quality Assurance System/Certification

Qualification and Experience of Technical & skilled manpower

Any other relevant information in this regard.

6 INSTRUCTIONS TO THE APPLICANTS

6.1All costs incurred by Applicant for preparing and submitting the EOI, in providing clarification or attending discussion/ meeting or for site visits, stationery, or any other expenses whatsoever shall be borne by Applicant’s themselves.

6.2This Expression of Interest document is not transferable.

6.3The language for submission of document shall be English.

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

6.4The enclosed Annexures shall be filled in completely and wherever not applicable it should be written as “Not Applicable”.

6.5The person signing the document submission on behalf of the Applicant shall enclose Power of Attorney duly authorized and notarized for the same. The Power of Attorney shall be backed by copy of the board resolution of Company.

6.6Financial data should be given in Indian Rupees only.

6.7The information furnished with the EOI must be sufficient for processing and assessment.

6.8In case the Applicant intends to give additional information for which specified space in the given format is not sufficient, it can be furnished in enclosed sheets.

6.9All the pages of the EOI and Annexure should be signed and corrections and over writings should be countersigned by the authorized signatory.

6.10NTPC reserves the right to cross check and confirm the information details furnished by the Applicants in the document.

7 Deadline for Submission of EOI

7.1EOI must be submitted through email no later than 15:00 Hrs 02.07.2020. EOI received after aforesaid deadline shall not be entertained.

NTPC may, at its discretion, extend this deadline for submission of EOI in which case all rights and obligations of Employer and applicant will thereafter be subject to the deadline as extended.

8 SIGNATURE AND SUBMISSION

8.1All the Applications must be submitted duly signed by the Applicant under the format for the letter of application which is provided along with this document.

8.2The signed proposal along with all the documentary evidences and with all the Annexures filled and signed must be submitted through email on or before the prescribed date and time as per details given below:

DGM (Contract Services)

NTPC Ltd, Engineering Office Complex,

A-8A, Sector 24, NOIDA

Distt. Gautam Budh Nagar, U. P., PIN: 201 301

Tel.No : 9479496797 , 9650992301

Email: vipinsharma01@ntpc.co.in , abhishekjain02@ntpc.co.in

NTPC Limited

Corporate Contracts & Materials

EOC Noida

Ref No. : CS-0011-791E-9

11.06.2020

Expression Of Interest (EOI) From Indian Firms For Development of NTPC’s own E- Procurement Solution.

8.3NTPC may seek additional information from interested parties who respond to this EOI. However, NTPC reserves the right of not acting upon the EOI or asking for fresh EOI at a later date.

8.4Prospective parties may note that mere submission of EOI and/or submission of additional information do not automatically entitle them to claim for qualification. NTPC at its sole discretion may invite or modify or annul the process without assigning reason whatsoever.

9 RIGHT TO ACCEPT OR REJECT APPLICATION

9.1Not withstanding anything contained in this EOI, NTPC reserves the right to accept or reject any Application and annul the process and reject all Applications at any time without any liability or any obligation for such acceptance, rejection or annulment without any reasons.

(to be submitted by the agency on the Company’s Letter Head)

DGM (Contract Services)

NTPC Ltd, Engineering Office Complex,

A-8A, Sector 24, NOIDA- 201 301

(Applicant to Provide Date and Reference)

Dear Sir,

Sub: LETTER FOR APPLICATION – EXPRESSION OF INTEREST (EOI) FOR ‘DEVELOPMENT OF NTPC’S OWN E-PROCUREMENT SOLUTION

We, the undersigned, express our interest for the subject EOI and declare the following:

(a)We are duly authorized to represent and act on behalf of ________________

(hereinafter the “Applicant”)

(b)We have examined and have no reservations to the EOI Document including Amendment No(s) & Clarification No(s) __________________(if any).

(c)We are attaching with this letter, the documents defining: -

i)the Applicant’s legal status;

ii)its principal place of business; and

iii)its place of incorporation (if Applicants are corporations); or its place of registration (if Applicants are partnerships or individually owned firms).

(d)With reference to your invitation for EOI dated ________, we are furnishing herewith all the required details as per the prescribed formats along with the necessary documentary evidence in support of our Application.

(e)NTPC and/or its authorized representatives are hereby authorized to conduct any inquiries or investigations to verify the statements, documents and information submitted in connection with this application, and to seek clarification from our bankers and clients. This Letter of Application will also serve as an authorization for any individual or authorized representative of any institution referred to in the supporting information, to provide such information deemed necessary and as requested by NTPC.

(f)NTPC and/or its authorized representatives may contact the following nodal persons for further information on any aspects of the Application:

Name

ADDRESS

Telephone

E Mail

 

 

(g)This application is made in the full understanding that:

i)EOI process will be subject to verification of all information submitted at the discretion of NTPC.

ii)NTPC reserves the right to reject or accept any or all applications, cancel the EOI process without any obligation to inform the applicant about the grounds of same; and

iii)Mere submission of EOI and/or submission of additional information do not automatically entitle us to claim for qualification/enlistment.

(h)We declare that we have read and abide by the provisions of Fraud Prevention Policy of NTPC and submit the form of Acceptance of Fraud Prevention Policy duly filled in Employer’s format.

(i)We declare that we have not engaged any agent or middleman for this EOI process or any other part of the tendering process arising from it. We have not paid / will not be paying any commissions, gratuities or fees with respect to the ongoing EOI process.

(j)The undersigned declare that the statements made and the information provided in the duly completed application are complete, true, and correct in every detail. We also understand that in the event of any information furnished by us being found later on to be incorrect or any material information having been suppressed, NTPC may delete our name from the list of qualified Applicants:

NAME

In the Capacity of

Signed

Duly authorized to sign the Application for and on behalf of

Date

ANNEXURE -I

PAGE 1 of 2

(COMPANY PROFILE)

Agency’s Name & Address:

To:

 

Dy. General Manager (CS),

 

NTPC Ltd., Engineering Office Complex,

 

6th Floor,A-8A, Sector-24, NOIDA – 201301,

 

U.P., INDIA

Dear Sirs,

 

We are furnishing the company profile, in brief:

 

1.Name of the company / firm / organization

2.Postal address for communication

3.Contact Person & Designation :

E-mail address

:

Telephone No.

:

Mobile No.

:

Fax No.

:

4.Business Profile of the company (Enclosed)

5.Ownership structure of the company

6.Brief profile of the Board members/ Partners

ANNEXURE -I

PAGE 2 of 2

7.Following certificates as relevant are enclosed:

Certified Photocopy of the Partnership Deed, with upto date amendments (if any) (YES/NO)

Copy of Memorandum and Article of Association of Company duly certified as ‘True Copy’ by Company’s Secretary with Company seal. (YES/NO)

Copy of Firm Registration Certificate issued by the Registrar of Companies Concerned (YES/NO)

Copy of Certificate of Incorporation of the Company. (YES/NO)

Power of Attorney executed by Competent Officer under the common seal of the Company duly authorizing the signee to submit ‘Expression of Interest’ (YES/NO)

Date :

Signature

……………………………

Place:

Name

………………….…………

 

Designation

……………………………

 

Common Seal ……………………………

ANNEXURE -II

PAGE 1 of 2

(DETAILS OF FINANCIAL STATUS)

Agency’s Name & Address:

To:

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

A)Please furnish the following financial figures in Rupees for preceding five financial years:

Item

FY 2019 FY 2018 FY 2017 FY 2016 FY 2015

Gross Turnover

 

Profit before Tax

 

Profit after Tax

 

Net Worth

 

B)Annual Reports including Balance Sheet and Profit & Loss Account duly Certified by

a Chartered Accountant for the preceding 5 financial years is to be submitted.

Enclosed at Appendix : ----

ANNEXURE -II

PAGE 2 of 2

D)Details of all pending court/arbitration cases of the applicant as on 31.03.2020

1)Number of cases:_________________________

2)Aggregate value of claims/disputed amount on account of such cases (in Rs. Cr.):____________________

Date :

Signature

……………………………

Place:

Name

………………….…………

 

Designation

……………………………

 

Common Seal ……………………………

*Please specify the foreign exchange rate considered for the conversion purpose.

**If the financial year of accounting for a agency is other than April to March, the facts may accordingly be mentioned based on its accounting year clearly bringing out the period.

Note : Continuation sheets of same size and format may be added

ANNEXURE -III

PAGE 1 of 1

IMPLEMENTATION METHODOLOGY FOR DEVELOPMENT OF E PROCUREMENT SOLUTION

(If required , applicants can be asked for a Presentation / discussion wrt scope of work and past experiences and implementation methodology)

Agency’s Name & Address

To:

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

We hereby furnish the following details: (use additional sheets if required)

------------------------------------------------------------------------------------------------------------

Sl

Event

Timeline ( Months)

Details

No.

 

 

 

1

Design

 

 

2

Development

 

 

3

Testing

 

 

4

Rollout

 

 

5

STQC certification

 

 

6

Any other

 

 

Overall

------------------------------------------------------------------------------------------------------------

Date :

Signature

……………………………

Place :

Name

………………….…………

 

Designation

……………………………

 

Common Seal …………………………..

ANNEXURE -IV

PAGE 1 of 1

(QUALITY ASSURANCE SYSTEM/CERTIFICATION)

Agency’s Name & Address:

To:

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

We hereby furnish the following details:

------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------

Date :

Signature

……………………………

Place :

Name

………………….…………

 

Designation

……………………………

 

Common Seal …………………………..

ANNEXURE -V

PAGE 1 of 1

(ADDITIONAL INFORMATION SCHEDULE)

Agency’s Name & Address:

To:

Dy. General Manager (CS),

NTPC Ltd., Engineering Office Complex,

6th Floor,A-8A, Sector-24, NOIDA – 201301,

U.P., INDIA

Dear Sirs,

We hereby furnish the following additional information:

------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------

Date :

Signature

……………………………

Place :

Name

………………….…………

 

Designation

……………………………

 

Common Seal …………………………..

ANNEXURE -VI

PAGE 1

 

(DETAILS OF AVAILABLE TECHNICAL MANPOWER)

Agency’s Name & Address:

To:

 

Dy. General Manager (CS),

 

NTPC Ltd., Engineering Office Complex,

 

6th Floor,A-8A, Sector-24, NOIDA – 201301,

 

U.P., INDIA

Dear Sirs,

 

1.0The details of the technical manpower in different areas on rolls with us are as under:

(a)Total technical manpower on rolls with us (with qualification details) are as under

Technical Manpower

Nos.

Post Graduate/Post Graduate diploma in

 

Engineering/IT

 

MCA

 

Graduate in Engineering/IT

 

Diploma in Engineering/IT

 

BCA

 

Any other specialized degree not covered

 

above

 

(b)The experience details of the above technical manpower on rolls with us in different areas are as under:

Sl.

DESCRIPTION

 

No. of Technical Personnel

 

No.

 

Experience 0-5

Experience

Experience

Experience

 

 

Years

>5 to 10

>10 to 15 Years

more than 15

 

 

 

Years

 

Years

1

Team Leader/Project Managers (>= 10 years)

-

-

 

 

2Other areas (To be mentioned by Bidders)

3

4

5

..

….

….

2.0We confirm that we have appropriate qualified manpower required to undertake the subject work . The details of the individual technical manpower on rolls with us are as under:

Sl.

Qualification

Total

Area of specialization

Any other

No. Name Designation No. of

(Pl. specify Post

Experience in

 

Information

years

Graduate/Deg./Diplom

years

 

 

with the

a or any other degree

 

 

 

current

and name of

 

 

 

company

University)

 

 

 

Note: 1) Use additional sheets with above format, if required.

2) Agency to furnish details of only those personnel who are on the rolls of the company for one or more than one year.

Date :

Signature

……………………..………

Place:

Name

…………………………….

 

Designation

……………………………

 

Common Seal

…………………………

ANNEXURE VII

Page 1 of 1

Agency's Name & Address:

To,

 

DGM (CS)

 

NTPC Limited, Engineering Office Complex,

 

Plot No. A-8, Sector-24, NOIDA-201301

 

Distt. Gautam Budh Nagar (U.P.)

Details of works related to e-procurement solution designed/ developed/customized/executed or similar works during last 10 years is as given below:

Sl.

Name of

Order No. &

Brief

Total

Total

Worked as

Whether

Client

Time

Schedule

 

Remarks

No.

Package/

Date

Scope of

Value as

Value of

Main

work

Certificate

Date of

Date of

 

 

Project/

 

Work

awarded

work

Contractor

executed

Enclosed

commencement

completion

 

Owner/Client,

 

 

( Rs. in

completed

to the

in-house /

(Yes/No)

Sch.

Act.

Sch.

Act.

 

name of

 

 

lakh) *

as on

Owner/

through

 

 

 

 

 

 

person &

 

 

 

31.03.2020

sub-

sub-

 

 

 

 

 

 

address of

 

 

 

( Rs. in

contractor

contractor

 

 

 

 

 

 

contact

 

 

 

lakh)

 

(area of

 

 

 

 

 

 

 

 

 

 

 

 

sub-

 

 

 

 

 

 

 

 

 

 

 

 

contracting)

 

 

 

 

 

(a)

(b)

(c)

(d)

(e)

(f)

(g)

(h)

(i))

(j)

(k)

(l)

(m) (n)

Note: The work which is completed in the last ten (10) year period specified above even if it has been started earlier, the same may also be considered.

Date

:

(Signature) ………………………………………………….

Place

:

(Print Name of Authorized person having Power of

 

 

Attorney) …………………………………………………….

 

 

(Designation) ……………………………………………….

 

 

(Common Seal of firm) …………………………………….

ANNEXURE -VIII

PAGE 1 of 1

(FORM OF ACCEPTANCE OF FRAUD PREVENTION POLICY)

Agency’s Name & Address:

To:

 

Dy. General Manager (CS),

 

NTPC Ltd., Engineering Office Complex,

 

6th Floor,A-8A, Sector-24, NOIDA – 201301,

 

U.P., INDIA

Ladies and / or Gentlemen,

We have read the contents of the Fraud Prevention Policy of NTPC displayed on its tender website http://www.ntpctender.com and undertake that we along with our associate/ collaborator / subcontractors/subvendors/ consultants/service providers shall strictly abide by the provisions of the Fraud Prevention policy of NTPC.

Yours faithfully,

Date :

Signature

……………………………

Place:

Name

………………….…………

 

Designation

……………………………

 

Common Seal ……………………………

Guidelines for compliance to

Quality requirements of eProcurement Systems

STQC Directorate

Department of Information Technology,

Ministry of Communications & Information Technology,

Electronics Niketan, 6 CGO Complex, Lodhi Road,

New Delhi – 110003

Dt: 31.08.2011

CONTENTS

1.0Introduction

2.0Operating Models of eProcurement System

3.0Specific requirements of eProcurement System

4.0Requirements of Conformity

5.0Testing framework for Quality and Security Characteristics

6.0Evaluation & Certification process

Annexures

Annexure‐I : Risks of eProcurement Systems and related ISO 27001 controls

Annexure‐II : Checklist for eSecurity Compliance (including CVC Guidelines)

Annexure‐III : Checklist for compliance to GOI procurement procedures (GFR)

Annexure‐IV : Checklist for legal compliance (IT Act – Amendment 2008)

Annexure‐V : Definitions and Reference Documents

Reference documents:

1.eTendering Process

2.eTendering Glossary

3.eProcurement Integrity Matrix

4.OWASP (Open Web Application Security Project) Top10 Application Security Risks‐ 2010

5.Business requirements specification‐ cross industry e‐Tendering process (Source CWA 15666)

Forms & Templates:

 

Template I

: Template for defining Usability Requirements Specifications of

 

the Software product

Template II

: Template for Performance Specification

Form I

: Application form for applying for Testing to STQC

2

1.0Introduction

1.1Background

The public sector is one of the biggest purchasers of goods & services in the economy. The Government of India acknowledges that automating procurement process using electronic tools/techniques and enabling opportunities to suppliers fully supports the objective of non‐discrimination, fair & open competition. eProcurement is identified as a mission mode project under national eGovernance plan. The objective is to transform public sector purchase activity from labor intensive paper based to efficient eProcurement process.

Electronic Procurement (eProcurement) is the use of Information and Communication Technology (specially the Internet) by the buyer (in this case Government) in conducting their procurement processes with supplier for the acquisition of goods (supplies), works and services. Use of Information Technology promotes the aims of open, non‐discriminatory and efficient government procurement through transparent procedures.It is the technology‐enabled acquisition of goods and services, required by an organisation, at the best value obtainable in the most efficient manner possible.

The factors driving the adoption of eProcurement are:

Reduced purchasing cost and improved efficiency

Standardized purchasing processes across the organization

Reduced administrative costs with better effectiveness

Significant reduction in the procurement cycle

Reduced discretion

At the same time the inhibitors to adoption are:

Lack of supplier readiness

System integration issues (compatibility and interoperability)

Confidence on the system (Security, Functionality and Performance)

Insufficient skilled staff

eProcurement involves a set of technology solution which concentrate on different key areas of procurement such as

e‐Tendering,

e‐Auction or Reverse Auction,

e‐Catalogue/Purchasing,

eMarket Place,

e‐Invocing etc.,.

The focus of the current Guidelines is mainly on e‐Tendering, (i.e. tendering with encrypted bids, the equivalent of which in the manual context would be ‘sealed bids’).

This document provides the guideline for compliance to quality requirements of eProcurement systems. The essential quality characteristics of eProcurement system cover Security, Transparency & Functionality.

3

1.2General Requirements of eProcurement System

The basic requirements of any eProcurement system are to achieve the goal of Government procurement, standardisation of procurement processes and information entities in an efficient and transparent way. Hence the key requirements are to:

Address the requirement of GFR

For public procurement of goods, services, works (e.g. construction) compliance with GFR rules, processes, roles (purchasing officer, local purchasing committee etc) are mandatory requirements. The GFR rules needs to be applied into the application workflow of e‐tendering process. eProcurement System should be designed as per defined workflow with adequate security measures.

Confidentiality and Integrity of Information

The key requirement of procurement in public service organisation is to maintain the confidentiality & integrity of the information in procurement life cycle to protect the interest of buyer & supplier and to encourage the competitiveness in the business. The e‐procurement platform transacts confidential procurement data and is exposed to several security threats. This requires employing a combination of security technologies and security best practices which result in reduced threat of data loss, leakage or manipulation.

Address Vigilance Guidelines

The system should meet the requirements of guidelines issued from time to time by Central Vigilance Commission.

System Adaptability & customisation

eTendering System need to have templates to offer flexibility in bidding methodologies as prevailing and followed currently in the manual process. Further, system should have templates to adopt bidding methodologies as may be prescribed by respective authorities.

The aim of this document is to provide guidelines that could be followed for designing/developing some critical functionality in an e‐Procurement system as well as the necessary process for monitoring adherence to the security and transparency requirements of an e‐procurement system during the implementation and post implementation by the e‐procurement application developers, service providers and other stakeholders.

1.3Objective

To provide Guidelines for assuring Quality and Security of an e‐Procurement system so that confidence can be provided to its stakeholders that the system is secure, transparent, auditable & compliant with government procurement procedures.

1.4Target Audience

Purchase/ Head of Public Service Organization

eProcurement Service Provider

eProcurement Solution Provider/ Application Developer

Third Party Testing and Audit Organization

4

1.5.Approach

To achieve the above objective the following approach is recommended.

Evaluation of eProcurement System (including data, software, hardware, network, process) to ensure

Correct & complete implementation of organisation procurement policies & procedures

Compliance to GFR rules, CVC guidelines, IT Act (including amendments)

Assuring Security by Design & Development (ie some critical security and transparency related functionality has to be built into the e‐procurement software application) , Implementation, Deployment & Use

Security of Data Storage and Communication

Performance

Usability

Interoperability

Identification of risks and concerns of e‐procurement system & providing the guidelines for mitigating the identified risks.

2.0Operating Models of eProcurement System

There are four operating models for eProcurement (Reference doc – 1)

i)Dedicated e‐Procurement System: the Government organization wishing to do e‐ Procurement, owns and controls the system infrastructure, and also controls all the procurement activities carried out.

ii)Outsourcing Model‐1 (Partial Outsourcing – Managed Services): The Government organization procures and owns the system, which is managed by service provider with adequate security controls. There is a risk that service providers may get access to vendor data. Issues relating to Official Secrets Act shall be considered for this model.

iii)Outsourcing Model‐2 (Partial Outsourcing – Infrastructure Support): The Government organization uses the eProcurement system of a Service Provider. The Service Provider also owns and controls the infrastructure. There is a risk that service providers may get access to vendor data & service provider start participating in core procurement process, Issues relating to Official Secrets Act shall be considered for this model.

iv)Outsourcing Model‐3 (Full Outsourcing (ASP) Model): Multiple Government organizations can register and themselves use the ASP’s portal for their various e‐tendering/ e‐auction activities with complete control of the all the ‘core tendering activities’ in their hands, without any intervention from the service provider. The registration/ deregistration activities, and the portal infrastructure is managed by the service provider with adequate security controls. In this case, essentially the Service Provider is only a platform‐provider. The powers and responsibility of the tendering process remains in the hands of the duly authorized officers of the government organizations, and does not get transferred to third party service providers as in ‘Outsourcing Model‐2 (Full Outsourcing)’. So while there is some outsourcing in respect of infrastructure, there is no outsourcing of the actual tendering/ procurement activities by the concerned user‐Government organizations.

5

All models of e‐procurement system must incorporate functionality, processes and technologies outlined in (Annexure I, II, III and IV), and especially apply countermeasures to mitigate known risks (Annexure‐I)

3.0Specific requirement of eProcurement System

3.1The service provider in consultation with the Purchase Officer shall establish the following process:

Business Process Re‐engineering switching from Manual Procurement to eProcurement. (Since Government tendering processes falls within a standard framework, only limited options should be given to the Purchase Officer. The service Provider/ Purchase Officer should not be able to reduce the essential security and transparency aspects of the system on the pretext of re‐engineering and customization]).

Implementation of Bid‐ Encryption at client‐end (ie bidder’s computer) using Symmetric Key, or Asymmetric Key (PKI‐based) subject to issues raised in Annexure‐I and II being suitably addressed

Bids before transmission from the bidder’s computer should be protected with SSL Encryption.

Functionality/ Security/ Transparency related Requirements of a Manual Tendering System and Conformance its Availability in the Offered eProcurement system (functionality requirements of GFR & CVC guidelines)

eProcurement System must have templates to offer flexibility in bidding methodology as prevailing and followed currently in the manner of processing. Further, the system should have templates to adopt bidding methodology as may be prescribed by the purchaser, as long as the methodology is a legally acceptable methodology.

eProcurement System should deploy PKI based technologies for authenticating the bids, and opening electronic tender box. Secure methodology for decrypting bids should be deployed corresponding to the encryption methodology deployed (viz symmetric, or PKI‐based asymmetric). The entire IT hardware infrastructure of E‐Procurement System which includes application software, hardware, and system software be hardened as relevant. The system must deploy anti‐spyware and anti‐spam with a provision to update regularly. The updation of these software on the E‐Procurement System be done using the offline updation mode. The E‐Procurement System must have software tools to protect the operating system from injection of spyware. The entire infrastructure be protected and secured at the perimeter level by installing firewalls and Intrusion Prevention System. The system be configured properly so as to detect any kind of Intrusion into IT system.

eProcurement System can be further secured by installing suitable security incident and event management mechanisms SIEM (Security Incident Event Management).

eProcurement application should have audit trail facilities.

The PKI Key Management System for authenticating the bids or other purposes must specify the holder of private key and public key. The procedure in this case may be prescribed.

eProcurement System should not provide read access to password to the Administrator. E‐Procurement System further should not have “forgot password” feature which provides administrator‐generated or system‐generated temporary password. Once the password is forgotten, a new password may be

6

allotted following a set of processes needed for allotment of password. The forget password request shall be digitally signed.

3.2The Purchase Officer of a Public Service Organisation (Government Department) must to ensure that e‐Procurement system which he intends to use complies with all the applicable requirements listed in Sections 3 and 4.

3.3The Purchase Officer must analyse the risk arising out of establishment of above mentioned processes and apply suitable controls. The annexure I,II,III and IV may be followed

3.4Escrowing of Source Code

The source code of the e‐procurement application software along with the modification/changes/patches which is implemented by the agency from time to time shall be escrowed with the agency nominated by the user organizations or government in case of dedicated portals.

An MOU would be entered between purchase officer/ purchase‐organization and service provider.

4.0Requirements of Conformity

4.1eProcurerement systems must address:

E‐procurement application should have provisions of ensuring validation of PKI signature through Certificate revocation list (CRL) and validity of certificate.

Shall have mechanism for time synchronisation by using time synchronisation service (TSS) at hosting level, or synchronisation with master‐server at the data‐ centre where the e‐procurement system is hosted

Time Stamping [facility should be there in the e‐procurement application for time‐stamping of all important events like – creation of tender notice, approval of tender notice/ tender documents, submission of bids and supplementary bids (like modification, substitution, alternatives), etc]

The system must confirm to GFR rules, processes, roles (purchasing officer, local purchasing committee etc.), compliance to CVC guidelines and Information Technology Act (including amendments) and other laws of the land as applicable.

4.2Other Requirements for Quality and Security Evaluation

:

The following conditions shall be agreed in writing by service provider

For Dedicated portal and ASP‐Model, the e‐procurement application should have facility for generating audit‐logs, which should be accessible (in downloadable such form) to a specially designated officer of the Purchase organization. For Outsourcing Models 1 and 3, e‐procurement service provider shall submit all the logs of transaction created by the e‐procurement solution including forensic image on quarterly basis or as prescribed by the user organization regularly and as and when demanded by the purchasers. The logs will be duly signed by the administrator of the service provider by his electronic signature.

The audit for certification of the entire e‐procurement solution shall be undertaken after its deployment and prior to its usage.

The e‐procurement solution including the computer server shall be installed in India. No data as captured/stored in the e‐procurement solution will be taken

7

out of India. However, bidder outside India should be able to quote and download permitted data/information.

The audit of the ‘ complete e‐procurement system’ shall be undertaken only on the request of the organization/agency who wish to use/install the system. Software application can be tested based on the request of the developer.

The e‐procurement solution shall need to be tested and audited again after it has been significantly modified (addition/ deletion of functions/ modules) or customized for a new organization whether stand alone or shared mode

The traffic emanating to and from eProcurement systems will be scanned if required by the authorised body. The traffic (netflow) emanating to and from eProcurement System may be provided to CERT‐IN.

Storage of Electronic Invoices

It is assumed that invoices transmitted electronically will be stored electronically. If public service organisation wish to store invoice in the paper form, same shall be provisioned in local purchase procedure approved from competent authority

For VAT purpose records must be retained for years as provided in the respective Act.

The records may be stored anywhere State Data Centre/PSU own data center. The only requirement is that of security, strategic control and record must be made available to public service organisation on demand within two working days.

8

5.0Testing framework for Quality and Security Characteristics

5.1eProcurement Quality and Security Assurance Model

A eProcurement Quality and Security Assurance Model is depicted below:

The Quality & Security evaluation model consist of four layers namely, Data, Application, Infrastructure and Process. Layer by layer assessment will ensure compliance with applicable requirements such as CVC, IT Act, GFR 2005 and concerns of other stakeholders.

5.2Description of the model

Brief description of the layers (from outermost to inner) is given below.

Process‐Layer

ISO 27001 Process Audit #

Verification of the IT security processes to ensure that secure and best practices are followed in operation and maintenance of the e‐Procurement System in line with international standard on Information Security Management System, ISO 27001/27002

To supplement the functionality built into the e‐procurement system, where some requirements of the e‐procurement system and allied processes are being addressed through organizational procedures under ISO 27001/ 27002, these should be explicitly defined with satisfactory explanations. At the time of certification/ audit, such procedures as outlined by the e‐procurement vendor / service provider in response to Annexure‐I , II, III of these Guidelines, shall be reviewed and evaluated.

Monitoring against agreed SLAs #

SLA monitoring shall ensure that the e‐procurement system is adhering to the agreed upon service related (i.e., user centric) as well as system related (i.e.,

9

technology centric) service quality requirements such as availability, performance, problem resolution, etc. While service related SLAs take care of the services delivery issues, the system related SLAs address IT technology (hardware, software and network) used in delivering the services.

Infrastructure Layer Architecture Review #

The review of e‐procurement system shall be done to ensure that the defined architecture of the e‐procurement system is adequate and suitable for meeting the various operational and service delivery requirements such as performance, security, availability, etc.

It is also recommended that once the e‐procurement system is deployed, the deployed architecture should be audited to verify its compliance against the defined architecture. The audit should cover logical positioning of various system components such as firewall, IDS/IPS, servers, load balancer, etc. In addition, end‐ to‐end transaction flows should be verified to ensure that they are going through the defined path by using dummy test transactions and analysis of logs at various layers. Certification body shall use standardized checklist for the criteria.

Vulnerability Assessment (Servers & Network Devices) #

System configuration checking or verification of hardening and vulnerability scanning shall be performed to find out weaknesses, vulnerabilities and mis‐configuration in the target hosts (Servers, Routers, Firewalls, Switches etc.) which hosts the e‐ procurement application system. Certification body shall use standardized checklist for the criteria.

Penetration Testing of the System #

Penetration Testing (PT) shall be normally done remotely from public domain (Internet) and also can be done from internal network to find out exploitable vulnerabilities. Series of testing conducted like information gathering from public domain, port scanning, system fingerprinting, service probing, vulnerability scanning, manual testing, password cracking etc. using state‐of‐the‐art tools (commercial and open source) and other techniques shall be used with the objective of unearthing vulnerabilities and weaknesses of the overall e‐procurement system and its underlying IT infrastructure. Certification body shall use standardized checklist for the criteria.

Performance Testing of the System #

Performance testing of the e‐procurement system shall be done to ensure that system is capable of handling defined user as well as transactional load. The performance testing of the e‐procurement system essentially means measuring the response time of the system for defined scenarios. While measuring the response time it is important to record the resource (CPU, Memory, etc.) utilization. The capacity of the e‐procurement system should be checked by systematically increasing the load on the system till performance degradation or system crash is encountered. Also the manner/ trend in which performance changes with load will determine the scalability of the e‐procurement system.

10

Application Layer Application Design Review #

(Note: This would be applicable only where ‘customized software development’ is being done for a specific organization. Furthermore, it should be noted that this review would not be a substitute for the review and testing of critical security and functionality outlined in Annexures I, II and III of these Guidelines)

Design review covers the high level design and the low level (detailed) design of the e‐ procurement software application. It will ensure that software has been designed using best practices and design rules. The review will verify that the design has modularity, flexibility, low complexity, structural fan‐in & fan‐out and it is loosely coupled & highly cohesive. The correctness of logics and algorithms used in the detailed design should be verified including any zero day vulnerability in the algorithm.

Application Code review *

(Note: This would be applicable only where ‘customized software development’ is being done for a specific organization. Furthermore, it should be noted that this review would not be a substitute for the review and testing of critical security and functionality outlined in Annexures I, II and III of these Guidelines)

The code review (i.e., static analysis) of the software application source code shall be carried out using tool and measure metrics such as lines of Code, Code Complexity, Fan‐in & fan‐out, Application Call Graph, Dead Codes, Rule Violation, Memory leaks etc. It is also recommended to perform walk through of the source code with code developer to verify the logics and algorithms used for correctness and optimization.

Special focus should be given to identify any unwanted functions (not required by the e‐procurement software application), as these ‘not to have functionalities’ can be potential security threats.

Application Functional Testing #

The functional testing of the e‐procurement software application shall be carried out to validate the application meets the specified functional requirements covering the work flows, navigations, and business & data Validation rules for the defined user categories with access rights. The functional testing should be done following black box approach and using end‐to‐end user scenarios.

(Note: Detailed scenarios would be prepared for each application software to be tested. This would include all important steps and scenarios of Government Tendering , as well as, ‘all issues’ outlined in Annexures I, II and III of these Guidelines)

Application Security Testing #

The test is conducted to unearth various application security vulnerabilities, weaknesses and concerns related to Data /Input Validation, Authentication, Authorization /Access Control, Session Management, Error Handling, Use of Cryptography, etc. Typical issues which may be discovered in an application security

11

testing include Cross‐site scripting, Broken ACLs/Weak passwords, Weak session management, Buffer overflows, Forceful browsing, Form/hidden field manipulation, Command injection, SQL injection, Cookie poisoning, Insecure use of cryptography,, Mis‐configurations, Well‐known platform vulnerabilities, Errors triggering sensitive information leak etc. OWASP (Open Web Application Security Project) guidelines are used for the testing.

(Note: Detailed scenarios would be prepared for each application software to be tested. This would tests to cover ‘all’ security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid‐encryption. In addition, standard security tests, viz – Cert‐In, OWASP, FBI Top 20 (any other?) will be conducted)

Application Usability Testing *

Usability testing usually involves systematic observation under controlled conditions to determine how well people can use the product. e‐procurement system is used by users of different levels of computer knowledge. User expectation varies with different types of user. Usability testing will ensure that the all types of users are comfortable to use the system. This shall be done by using defined international standards which recommend extensive user interaction and analysis of user behaviour for a defined task.

Application Interoperability and Compatibility Testing *

Interoperability Testing shall be done to check if the software can co‐exist and interchange data with other supporting software in the system. Compatibility testing shall check if the software runs on different types of operating systems and other hardware/software/interface according to customer requirements

Data Layer

Data Storage Security Audit #

This is to be done to ensure the use of standard and strong cryptography while storing the sensitive data and user credentials in the application or associated data base. It is also verified that the cryptography used is compliant with the Information Technology Act and the CVC guidelines

Data Communication Security Audit#

This is to be done to ensure that secure communication channel like SSL, TLS or equivalent is used for transmission of sensitive data and credentials by the e‐ procurement system. The cryptographic algorithms and the key size implemented by the system should be standard, strong and compliant with the IT ACT and the CVC guidelines.

It is recommended that the complete data transmission to and from the e‐ procurement website should be SSL/ TLS enabled.

6.0Evaluation and Certification Process

6.1The applicant shall submit the request to Testing and auditing agency (like STQC) to get eProcurement System assessed. The application should specify whether testing is required ‘only for the e‐procurement application’, or for ‘the complete e‐

12

procurement system, viz the application along with the server in a specific hosting environment’. Application for the former case can be made by the application software developer or licensor, and will cover only Part‐1 of the two scenarios outlined below. The application for the latter case can be made by the service‐ provider, or the organization which is procuring the system for its dedicated use, and will cover both Part‐1 and 2 of the two scenarios outlined below.

6.2Inputs & access required by Certification Body

[Scenario‐A: Where ‘Customized Software Development’ of an e‐Procurement System is undertaken]

(Part‐1)

Inputs required for Application Testing o RFP of the e‐Procurement

o Software Requirements Specification (SRS) addressing functional and non‐functional requirements including business functions and applicable regulations, standards and policies.

o User manual (operational instructions).

o Software application related information such as – Work flows/ Navigations, Business logics/ Rules, Validation Rules, Screen shots and User categories with roles & access rights. Specifically for testing, application related information such as – Work flows/ Navigations for creating comprehensive ‘System Test Cases’ covering various tendering scenarios, User categories with roles & access rights would be required.

o Software Design Document

oSoftware Application Source Code (if the need is to assess to all desirable requirements)

The inputs should be available along with access to the application hosted in a staging environment with test data.

Note: Apart from review of the ‘developmental aspects’, detailed scenarios would be prepared for each application software to be tested. This would cover ‘all’ security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid‐encryption.

(Part‐2)

System Architecture

Security Architecture for conducting VA&P

ISMS of eProcurement Information System (eSecurity Manual)

Access to e‐procurement system/ test site with sample data (preferably field data).

Access to hardware, software, Network & IT infrastructure to connect test

tools on to the system, where required.

Non‐disclosure Agreement (NDA) will be signed by STQC to cover the confidentiality of the information submitted by the applicant

[Scenario‐B: Where ‘Ready‐to‐Use’ e‐Procurement Software License is to provided, or e‐Procurement Services are made available through an ASP]

13

Note: The focus Testing/ Certification here is on the ‘Functionality’’, ‘Security’ and ‘Transparency’ related aspects.

(Part‐1)

oUser Manual (operational instructions), or equivalent Guidelines for users provided online on the screens of the application

oSoftware application related information such as – Work flows/ Navigations for creating comprehensive ‘System Test Cases’ covering various tendering scenarios, User categories with roles & access rights.

The inputs should be available along with access to the application hosted in a staging environment with test data

Note: Detailed scenarios would be prepared for each application software to be tested. This would tests to cover ‘all’ security related issues outlined in Annexures I, II and III of these Guidelines, especially aspects related to bid‐encryption.

(Part‐2)

System Architecture

Security Architecture for conducting VA&PT

Access to e‐procurement system/ test site with sample data (preferably field data).

Access to hardware, software, Network & IT infrastructure to connect test tools on to the system, where required.

Non‐disclosure Agreement (NDA) will be signed by STQC to cover the confidentiality of the information submitted by the applicant.

6.3Requirements of Compliance for demonstration

Testing and assessment as specified in Section 4.0 shall be carried out.

To demonstrate conformity to the ESSENTIAL Quality and eSecurity assurance requirements and minimum functionality compliance the following shall be complied:

Evidence of compliance to implementation of ISO 27001 Information Security Management System with applicable controls in all concerned entities. The Security processes shall be audited as per controls defined in eSecurity Manual provided by the applicant, and/ or in the applicant’s response to Annexure I, II, III, and IV.

The risk analysis methodology used by the service provider shall adequately address the concerns raised in this document (Annexure‐I). Mitigation methodology and techniques implemented should ensure eProcurement Information System is secure.

While implementing the security controls the service provider shall demonstrate that the requirements of vigilance administration (CVC) (Annexure‐II) are adequately addressed in the Information Security Management System. Also while implementing ISO 27001, the solution provider shall ensure that adequate controls have been implemented to ensure that security at design and operation level are addressed adequately

14

The software shall be tested for functionality, workflow and other essential requirements (like Central Vigilance Commission Guidelines, GFR, Information

Technology Act – Annexure I, II, III, and IV).

The application hardening shall be assessed for Top 10 vulnerabilities defined by OWASP (Reference doc – 3)

Network should be assessed for adequate security through penetration testing

and vulnerability assessment as per NIST 800‐115.To demonstrate that the requirements are implemented and effective, the services of agencies empanelled by CERT‐IN can be used (http://www.cert‐in.org.in).

To demonstrate compliance to the DESIRABLE requirements following shall be complied, where applicable:

The software source code shall be evaluated using white box test approach through code review/ inspection process for identifying malicious codes/ Trojan etc.

Workflow shall be in line with the requirement of CWA 15666 to standardized Business Processes and Information Entities using UML Version 1.4 and ebXML Core Components Technical Specification for Data Structure (Reference doc ‐ 4). This will attain the objective of Interoperability and Compatibility of various solutions both at buyer and supplier end

The solution shall be tested to Usability requirements as per Usability information defined in Template I.

6.4If results are satisfactory and meet the requirements of this document, STQC shall issue a letter indicating Conformity with specified requirements.

15

Certification Process Flow Chart

Applicant

Refer to

Guidelines for Quality Requirements of eProcurement System

Non disclosure agreement

Test Pre-requisites & Procedure

Test Activities

Test Records

Test Reports

Request STQC for Certification

Contract Agreement

Between STQC and Applicant

STQC to evaluate evidence of conformity supplied by the Applicant

No

Satisfactory

Assessment of Information System

Testing of Application by test lab

Result Satisfactory

Grant of Certificate of approval for

Update the record and maintenance of certificate

Corrective Action by Supplier

Intimate client for non compliance if minor discrepancy, ask client to provide the information/

If major and not able to close then close the job with intimation to Applicant

16

Scope of Certification

eProcurement life cycle consist of following activities:

Purchase to pay

oContract management

oContent management

oSelection/requisition

oWorkflow‐approval

oorder

oreceive

oinvoice

opayment

eSourcing

omanagement information

ocollaboration

ospecification/notice

oexpression of interest

oinvitation to tender

oevaluate

onegotiate/reverse auction

oaward

Generally, these activities are covered in different modules e.g.

Supplier Registration

E‐tedenring

eAuction

ePayment

Accounting

Reverse Auction

eCatalogue Management

MIS

Contract Management

The applicant can define any module as a part of scope of certification while the eTendering module is the essential requirement to obtain the certification. Depending on the complexity of the module and the scope identified by the applicant the Certification Body/Test Agency will charge for testing and certification.

Note: For any major change in application (e.g. encryption method, tender opening event,process re‐engineering). The application requires to be completely re‐tested. It is further emphasized the service provider should not have source code and escrowing requirement mentioned earlier should be strictly adhered to.

17

Annexure‐I ‐ Risks of eProcurement Systems and related ISO 27001 controls

Sl.

 

Risks / Concerns

Control

No.

 

 

Identification

1. Concerns related with Electronic vs. Manual Procurement

ISO 27001

Control

Reference

1.1

While implementing eProcurement system the

Identification of

A 15.1.1

 

solution provider may do business process re‐

applicable

“All relevant

 

engineering to make the system efficient and

legislation

statutory, regulatory

 

and contractual

 

effective. There is a risk of compromising basic

compliance

 

requirements and the

 

principles of public procurement

 

organization’s

 

 

 

approach to meet

 

 

 

these requirements

 

 

 

shall be explicitly

 

 

 

defined, documented,

 

 

 

and kept up to date

 

 

 

for each information

 

 

 

system and the

 

 

 

organization”.

 

Guidance and recommended practices

 

 

 

The underlying principle of e‐tendering and manual tendering process should be

 

same in respect of guidelines of CVC, GFR, Legal and transparency related

 

requirements. While doing reengineering these requirements shall not be negotiated

 

and compromised.

 

 

 

Since section A15.1.1 of ISO 27001 demands explicit definition of the requirements,

 

Annexures I, II, III of these Guidelines should be treated as a ‘Checklist’ for this

 

purpose:

 

 

1.2

Incorporation of multiple bidding

Identification of

A 15.1.1

 

methodologies in eProcurement solutions as

applicable

“All relevant

 

provisioned in Manual Procurement System

legislation

statutory, regulatory

 

and contractual

 

and the flexibility in the solution to the extent

compliance

 

requirements and the

 

required

 

organization’s

 

 

 

approach to meet

 

 

 

these requirements

 

 

 

shall be explicitly

 

 

 

defined, documented,

 

 

 

and kept up to date

 

 

 

for each information

 

 

 

system and the

 

 

 

organization”.

Guidance and recommended practices‐ e Procurement System

Depending upon the requirements of a tender any one of the multiple bidding methodologies as outlined below shall be provisioned in the application:

Single‐stage, single‐ envelope

Single‐stage, two‐ envelope

Two stage (with facility for ‘technical conformance’, and if required, ‘revised tender documents’)

Two‐stage, two‐ envelope and requirement of Pre‐qualification stage when required submission of one or more Alternative bids as applicable.

Each bid part (eg technical, financial) may be required to be submitted in a ‘summary format’ along with a ‘detailed bid’. The latter could be a large file. There should be provision of appropriate file size (at least 10 MB) in the application with data encryption as outlined elsewhere in these Guidelines.

After having submitted the ‘original’ bid for each bid‐part, a bidder has a right to submit:

‘Modification’ bid

18

‘Substitution’ bid

Or ‘Withdrawal’ bid for all his bid‐submissions.

The e‐tendering system must effectively cater to all these possibilities without compromising security and transparency in any manner at any stage, for any bid part (such as Pre‐qualification, Technical, and Financial).

The e‐tendering system need to have templates to offer flexibility in bidding methodologies as prevailing and followed currently in the manual process. Further, system should have templates to adopt bidding methodologies as may be prescribed by respective authorities.

2.0Concerns relating to Implementation of e‐procurement systems using PKI based Bid‐ Encryption

2.1

A system in which Public Key of a Tender‐

Cryptographic

A 12.3

 

Opening Officer or of any other officer of the

controls

Objective: To protect

 

purchase department, or of any person from

Regulation of

the confidentiality,

 

authenticity or

 

the service provider’s organization is used for

cryptographic

 

integrity of

 

bid‐encryption, and corresponding Private‐Key

controls

information by

 

used for Decryption

 

cryptographic means.

 

 

 

 

Many time bids are encrypted at the bidder’s

 

A.12.3.1 : “A policy on

 

 

the use of

 

computer with public‐key as mentioned

 

cryptographic

 

 

controls for

 

above, and the encrypted bids, with additional

 

 

 

protection of

 

SSL encryption, reach the e‐tendering server

 

information shall be

 

through file‐upload and/ or filling of online‐

 

developed and

 

 

implemented”.

 

forms.

 

 

 

A.12.3.2 : “Key

 

 

 

 

There are risks related to integrity of persons

 

management shall be

 

 

in place to support

 

in (a) purchase (buyer) organization & (b) e‐

 

 

 

the organization’s use

 

Tendering Service Providers organization. As

 

of cryptographic

 

Typical implementation practices include

 

techniques”.

 

 

 

 

Private Key with which decryption is done,

 

A 15.1.6

 

 

“Cryptographic

 

is available with the concerned officer

 

controls shall be used

 

before the Public Tender Opening Event

 

in compliance with all

 

Public Key with which bid‐encryption is

 

relevant

 

 

agreements, laws,

 

done is available publicly.

 

and regulations”.

Public Key algorithms are slow.

Copy of the decryption‐key (ie private key of the encryption‐certificate issued by a CA) is generally available (ie backed up) with the CA. Duplicate can generally be requested in case of loss, however, this can also be misused.

Guidance and recommended practices‐ Use of PKI technique

If the e‐procurement system uses PKI for bid‐encryption, it has to satisfactorily address the above issues and consequent concerns (Ref 2.2 below) through suitable functionality built into the e‐procurement application. Where, in addition, some issues are being further addressed through organizational procedures under ISO 27001, these should be explicitly defined with satisfactory explanations, otherwise certification process will become subjective. While doing this, the following can be kept in view:

19

A.10.4.2
“Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a
clearly defined security policy, and unauthorized mobile code shall
be prevented from executing”.
A 11.5
A.11.5.1
Access to operating systems shall be controlled by a secure log‐on procedure.
A.11.5.2
All users shall have a unique identifier (user ID) for their personal
use only, and a suitable authentication technique shall be chosen to
20

Various techniques are available in market for improving implementation of PKI based encryption such as escrowing, splitting and repeated encryption to further strengthening the security of information and implementation.

 

If the e‐procurement system uses any of the above techniques, it will have to be

 

explained how the related concerns (Ref 2.2 below) have been addressed.

 

Furthermore, practical procedures will have to be put in place which can be

 

implemented at the field level in diverse locations in the country in a user friendly

 

manner.

 

 

 

 

 

 

 

 

2.2

(i) While all efforts must be made to ensure

Control of

A 12.6.1

 

that no spyware is put in the server which

technical

“Timely information about

 

can

make clandestine

copies

of a

file

or

vulnerabilities

technical vulnerabilities of

 

information

 

data being uploaded to the server, and then

 

 

 

systems being used shall

 

sending

this clandestine copy to a

secret

Protection

be obtained, the

 

destination, the possibility of such spyware

against

organization's exposure

 

to such vulnerabilities

 

being planted in the web‐server cannot be

malicious and

 

evaluated, and

 

totally

ruled

out.

This

undesirable

mobile code

appropriate measures

 

eventuality could occur due to connivance

 

taken to

 

OS Access

address the associated

 

of the administrators of the Service

 

risk”.

 

Provider, or even through remote injection.

Control

 

 

For secure & transparent functioning of the

Log monitoring

A 10.4

 

e‐tendering system, it cannot be assumed

A.10.4.1

 

that there will never be such a possibility of

 

“Detection, prevention,

 

the

spyware

being

planted

in

the

e‐

 

and recovery controls to

 

 

protect against

 

tendering server.

 

 

 

 

 

 

 

 

 

 

 

malicious code and

 

 

 

 

 

 

 

 

 

 

appropriate user

 

(ii) If the spyware is planted at the kernel

 

awareness procedures

 

 

shall be

 

level, there may not be any audit trail.

 

 

 

 

 

implemented”.

(iii) Audit Trails (both application level, and Operating system level) are essentially reports. To that extent it is possible to fudge these. Also, other than application‐ level audit trail reports, the other audit trail reports can be quite complex and impractical to analyze for ongoing operations of this nature. In spite of this, audit trail‐reports are useful and should be there as supporting evidence. However, in a sensitive application of this nature, audit trails cannot be depended upon as the sole protection against any mala‐fide act.

substantiate the claimed identity of a user.

A.11.5.3

Systems for managing passwords shall be interactive and shall ensure quality passwords.

A.11.5.4

The use of utility programs that might be capable of overriding

system and application controls shall be restricted and tightly

controlled.

A.11.5.5

Inactive sessions shall shut down after a defined period of inactivity.

A.11.5.6

Restrictions on connection times shall be used to provide additional security for high‐risk applications.

A10.10

A.10.10.1

Audit logs recording user activities, exceptions, and information

security events shall be produced and kept for an agreed period to

assist in future investigations and access control monitoring.

A.10.10.2

Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.

A.10.10.3

Logging facilities and log information shall be protected against tampering and unauthorized access.

A.10.10.4

System administrator and system operator activities shall be logged.

A.10.10.5

Faults shall be logged, analyzed, and appropriate action taken.

21

A.10.10.6

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source

Guidance and recommended practices‐ Spyware/Trojan/BOTS

It is important that even if a clandestine copy is made and stolen as above, the bid‐ encryption methodology should be such that it should not be possible to decrypt the bids in connivance with any officer of the Buyer organization or the Service Provider organization. While this issue becomes irrelevant if bid encryption is done at bidder‐ end with bidder created symmetric pass‐phrase, in case PKI‐based bid encryption is done, the software functionality has to be suitably augmented to mitigate this security threat. This threat has also been explicitly mentioned in CVC guidelines (refer security check‐point No. 14 of Annexure‐II)

a)The controls should be placed to guard against the possibility of injecting spyware for making clandestine copies of a submitted bid and then sending this clandestine copy to a secret destination.

The spyware are the malicious software codes which can be injected in to the system remotely. To protect the system from injection of spyware, the system needs to be secured. The system need to be secured and protected in the following manner;

Hardening of hardware and software of the entire Information Technology infrastructure (which include computer system, software, router etc.)

Installation of anti spyware, anti spam and antivirus software.

Installation of software tools to protect the operating system from injection of spyware. These software need to be upgraded on a continuous basis.

The entire infrastructure needs to be secured at the perimeter level by installing Firewalls and intrusion Prevention System.

After installation of software and protecting by devices as the entire IT infrastructure needs to be audited by the Information Technology Auditors. Indian Computer Emergency Response Team (CERT‐IN), Department of Information Technology has empanelled auditors for auditing systems from the point of view of cyber security. It is always recommended that system should be audited at least once in a year and as and when the infrastructure (i.e hardware and software) is augmented by additions of new hardware and software.

Further people operating these systems need to be trained in monitoring and detecting any intrusion in the system and network.

b)The kernel of the operating system in the IT infrastructure should be secured first by hardening the operating system and installation of software which protects it from inject of spyware or any kind of intrusion.

c)The e‐procurement system should have audit trail facilities. These audit trails are complex but dependable. The audit trails reports provide useful information about the instructions which take place in the system both at operating system and

22

 

application software. This information is necessary to analyze nature of intrusion,

 

vulnerabilities exploited and to track the perpetrators. It also helps in taking steps in

 

preventing future intrusion.

 

 

 

The analysis of audit trail requires appropriate expertise both in respect of

 

application and operating system. Such expertise is available in the country at many

 

places. CERT‐In also facilitates the user organization in analyzing the audit trails.

2.3

Private Key with which decryption is done,

Cryptographic

A 12.3

 

is available with the concerned officer

controls

A.12.3.1

 

before the Public Tender Opening Event

 

 

 

Segregation

“A policy on the use of

 

a) If a clandestine copy of a bid is made as

of duties

cryptographic controls for

 

protection of

 

described above before the ‘tender opening

 

 

 

information shall be

 

event (TOE)’, and if the concerned tender‐

 

developed and

 

opening officer (TOE‐officer) connives in

 

implemented.”

 

 

 

 

decrypting the bid before the TOE, the

 

A.12.3.2

 

confidentiality of the bid is compromised.

 

“Key management shall be in

 

 

 

place to support the

 

b) The above concern with the difference

 

organization’s use

 

 

of cryptographic techniques”

 

that the copy of the bid is made with the

 

 

 

connivance of the Database Administrator

 

A 10.1.3

 

(DBA).

 

“Duties and areas of

 

 

 

responsibility shall be

 

c) If the concerned TOE‐officer(s) is/ are

 

segregated to reduce

 

 

opportunities for

 

absent during the TOE, how the bids will be

 

unauthorized or

 

decrypted especially keeping in view that

 

unintentional modification or

 

 

misuse of the organization’s

 

the private‐keys should not be handed over

 

 

 

assets.”

 

to anybody else.

 

 

 

Guidance and recommended practices

 

 

 

Note: While some guidance is provided below, it is the responsibility of the individual

 

vendors to design and develop their applications in a manner that addresses the

 

outlined concerns. They should first convincingly demonstrate the full methodology

 

to DIT, and then DIT will transparently put this methodology on its website, so that

 

bidders who use such e‐procurement systems in future are fully assured against

 

breach of confidentiality of their bid‐data.

 

 

 

A process needs to be established and followed in respect of key management of

 

encryption keys particularly the key with which the bid would be decrypted at the

 

time of opening of the bids. Such process should avoid compromising confidentiality

 

and possibility of decrypting clandestine copy of the bid. In this regard the following

 

three approaches may be adopted with proper checks while keeping in view the

 

legality of the process for end‐users. Furthermore, practical procedures will have to

 

be put in place which can be implemented at the field level in diverse locations in the

 

country in a user friendly manner.

 

 

 

Splitting of Keys:

 

 

 

A bidder would submit the bid document after encrypting it with the public key

 

of the tendering organization, so that the contents are encrypted and are

 

decrypted by the authorized officials at the tendering organization. To minimize

 

the risks associated with “person of dubious integrity” or collusion, private key

 

decryption should be split into `M’ parts with the requirement of minimum `N’

 

 

 

23

 

splits being required for its use. (`N’ should be more than 1 and less than or equal

 

to M). `N’ and `M’ will be decided by the tendering organization and suitably

 

configured on the system.

 

 

 

 

 

 

 

 

 

 

Multiple encryption

of the

bid

document with multiple public keys and

 

decryption of document with the multiple corresponding private keys of the

 

tendering organization.

 

 

 

 

 

 

 

 

 

 

Application of multiple encryption of the bid document could be prescribed in a

 

predefined order by authorized officials of the tendering organization. Decryption

 

will have to be carried out in the reverse order. The multiple decryption keys (i.e.

 

private) may be held by different officials of the tender organization. Encrypting the

 

bid document first with public key of the bidder and then by the public key of

 

tendering organization. The bid document may then be decrypted by the private key

 

of the authorized official of tendering organization and then by the private key of

 

bidder. It may be noted that the decryption keys are applied in reverse order in

 

application of encryption keys.

 

 

 

 

 

 

 

 

 

 

The implementation of this system, however, would require physical presence of the

 

bidder who encrypted the bid at the time of submission of bid. Preferably the

 

person of bidding organization should be same who has signed the bid by digital

 

signature. There are logistic issues with this approach.

 

 

2.4

Public Key with which bid‐encryption is

 

Cryptographic

 

A 12.3

 

done

is available

publicly.

The easy

 

controls

 

A.12.3.1

 

availability of the

public

key makes

the

 

 

 

 

A policy on the use of

 

data

encrypted

with

it

vulnerable

to

 

Regulation of

 

cryptographic controls for

 

 

 

protection of

 

‘Chosen Plaintext Attack’

 

 

 

 

 

cryptographic

 

 

 

 

 

 

 

 

information shall be

 

 

 

 

 

 

 

 

 

 

 

controls

 

developed and implemented.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

A.12.3.2

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Key management shall be in

 

 

 

 

 

 

 

 

 

 

 

 

 

 

place to support the

 

 

 

 

 

 

 

 

 

 

 

 

 

 

organization’s use

 

 

 

 

 

 

 

 

 

 

 

 

 

 

of cryptographic techniques

 

 

 

 

 

 

 

 

 

 

 

 

 

 

A 15.1.6

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Cryptographic controls shall

 

 

 

 

 

 

 

 

 

 

 

 

 

 

be used in compliance with

 

 

 

 

 

 

 

 

 

 

 

 

 

 

all relevant

 

 

 

 

 

 

 

 

 

 

 

 

 

 

agreements, laws, and

 

 

 

 

 

 

 

 

 

 

 

 

 

 

regulations.

 

Guidance and recommended practices

 

 

 

 

 

 

 

Note: While some guidance is provided below, it is the responsibility of the individual

 

vendors to design and develop their applications in a manner that addresses the

 

outlined concerns. They should first convincingly demonstrate the full methodology

 

to DIT, and then DIT will transparently put this methodology on its website, so that

 

bidders who use such e‐procurement systems in future are fully assured against

 

breach of confidentiality of their bid‐data.

 

 

 

 

 

2.5

Public Key algorithms are slow. As a result

Capacity

 

A 10.3.1

 

many e‐tendering systems which use PKI for

management

 

The use of resources shall

 

bid‐encryption,

use

mainly

an

encrypted

 

 

 

be monitored, tuned, and

 

 

 

 

projections

 

online‐form for bid submission, and do not

 

 

 

 

 

 

 

made of future capacity

 

have facility for an encrypted detailed bid (eg

 

 

 

requirements to ensure

 

detailed technical bid as a file), along with the

 

 

 

the required system

 

 

 

 

performance.

 

online form. As a result, the detailed bid is

 

 

 

 

 

 

 

 

 

either

not submitted,

or it is

submitted

in

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

24

unencrypted form.

Guidance and recommended practices

Note: While some guidance is provided below, it is the responsibility of the individual vendors to design and develop their applications in a manner that addresses the outlined concerns. They should first convincingly demonstrate the full methodology to DIT, and then DIT will transparently put this methodology on its website, so that bidders who use such e‐procurement systems in future are fully assured against breach of confidentiality of their bid‐data.

2.6A system in which Public Key of a bidder’s representative is used for bid‐encryption at bidder’s office, and where decryption will be done by the bidder’s representative himself using his private key during the Online Public TOE.

Concerns:

a)Concerns outlined in 2.4 and 2.5 outlined above are applicable here also, and should be suitably addressed.

b)How would the bids be opened if the bidder’s representative with whose key bids have been encrypted is not available during the Online Public TOE ? The non‐availability could be due to leave, termination or any other reason.

c)Copy of the decryption‐key (ie private key of the encryption‐certificate issued by a CA) is generally available (ie backed up) with the CA. Duplicate can generally be requested in case of loss, however, this can also be misused.

Note: Private key cannot be transmitted by the bidder over the internet. Furthermore, during the Online Public TOE, bids cannot be allowed to be downloaded from the server to the bidder’s computer. This would tantamount to the bids being taken away from the tender‐box back to the bidder’s office for opening. This cannot be allowed. Therefore the bidder will have to be physically present during the Public TOE, and such a system will never be able to have a proper Online Public TOE. This would immediately remove one of the biggest benefits of e‐procurement. Assuming that all other concerns are satisfactorily addressed, this would at best be a PARTIAL e‐ procurement system.

3. Concerns relating to situations where bids before being transmitted from the bidder’s

25

computer are protected with only SSL Encryption and Database level Encryption is done before the bid is stored in the Database Server

3.1

i) For secure and transparent functioning of

Cryptographic

A 12.3

 

the e‐tendering system, it cannot

be

controls

A.12.3.1

 

assumed

that

there will

never

be

any

 

A policy on the use of

 

“persons

of

dubious

integrity”

in

the

Regulation of

cryptographic controls for

 

protection of

 

Purchase organization

 

 

 

 

 

 

cryptographic

 

 

 

 

 

 

 

information shall be

 

ii) For secure and transparent functioning of

controls

developed and

 

the e‐tendering system, it cannot

be

 

 

implemented.

 

 

 

A.12.3.2

 

assumed that there will never be any

 

 

 

Key management shall be in

 

“persons

of dubious

integrity”

in the e‐

 

place to support the

 

tendering Service Provider’s organization

 

organization’s use

 

 

of cryptographic techniques

 

iii) While all efforts must be made to ensure

 

 

 

A 15.1.6

 

that no spyware is put in the server

which

 

Cryptographic controls shall

 

can make clandestine copies of a file or data

 

be used in compliance with

 

being uploaded to the

 

 

server,

 

and

 

all relevant

 

 

 

 

 

agreements, laws, and

 

then sending this clandestine copy to a

 

 

 

regulations.

 

secret destination, the possibility of such

 

 

 

spyware being planted in the web‐server

 

 

 

cannot be totally

ruled

out.

 

This

 

 

 

undesirable eventuality could occur due to

 

 

 

connivance of the administrators of the

 

 

 

Service Provider, or even through remote

 

 

 

injection.

For

secure

and

transparent

 

 

 

functioning of the e‐tendering system, it

 

 

 

cannot be

assumed that there will never

 

 

 

be such a possibility of the spyware being

 

 

 

planted in the e‐tendering server.

 

 

 

 

 

iv) If the spyware is planted at the kernel

 

 

 

level, there may not be any audit trail.

 

 

 

 

v) Audit Trails (both application level and

 

 

 

Operating system level) are

essentially

 

 

 

 

reports. To that extent it is possible to fudge

 

 

 

these. Also, other than application‐ level

 

 

 

audit trail reports, the other audit trail

 

 

 

reports can be quite complex and

 

 

 

impractical to analyze for ongoing

 

 

 

operations of this nature. In spite of this,

 

 

 

audit trail‐reports are useful and should be

 

 

 

there as supporting evidence. However, in a

 

 

 

sensitive application of this nature, audit

 

 

 

trails cannot be depended upon as the sole

 

 

 

protection against any malafide act.

 

 

 

 

Guidance and recommended practices

Secure submission of bid from bidder’s computer to the server should be done after the bid file/ data is encrypted (with symmetric or asymmetric encryption) at the bidder’s computer and further submitted to the e‐procurement server through SSL encryption. Only the encrypted file submitted by the bidder should be stored and should be decrypted at the Tender Opening Event (TOE).

3.2

Assuming that ‘only SSL encryption’ is applied

Cryptographic

A 12.3

 

to a bid while it is being transmitted from the

controls

A.12.3.1

 

bidder’s computer to the server, it is a fact the

 

A policy on the use of

 

 

 

26

role

of

SSL

encryption

is

limited

to

the

Regulation of

cryptographic

transmission

phase (ie transportation to the

cryptographic

controls for

protection of

server), and that on reaching the server the

controls

information shall be

SSL

encryption is

removed. The bid

is

now

 

developed and

presumably

encrypted

again with

PKI or

 

implemented.

 

A.12.3.2

Symmetric Key. Albeit small, there is an

 

 

Key management

‘interim

period’ before the

bid is encrypted

 

shall be in place to

again. In the interim period the bid is actually

 

support the

 

organization’s use

in an unencrypted state and to that extent

 

 

of cryptographic

vulnerable.

 

 

 

 

 

 

 

techniques

Irrespective of whether PKI or Symmetric Key

 

A 15.1.6

is used for encryption at Database‐level, the

 

encrypting key is available/ accessible to some

 

Cryptographic

 

controls shall be used

officer of the purchase organization, or an

 

 

in compliance with all

administrator

of

the

e‐tendering

Service

 

relevant

Provider, or the DBA.

 

 

 

 

 

agreements, laws,

 

 

 

 

 

and regulations.

 

 

 

 

 

 

 

 

 

 

The above issues exist irrespective of whether only select data is encrypted, or the entire database is encrypted.

If a clandestine copy of a bid is made as described above in the interim period which would be before the ‘tender opening event (TOE)’, and if the administrator connives, the confidentiality of the bid is compromised.

1b. The above concern with the difference that the copy of the bid is made with the connivance of the Database Administrator (DBA) and decryption done in connivance with the person holding the decryption key.

Guidance and recommended practices

Secure submission of bid from bidder’s computer to the server should be done after the bid file is encrypted (with symmetric or asymmetric encryption) at the bidder’s computer and further submitted to the e‐procurement server through SSL encryption. Only the encrypted file submitted by the bidder should be stored and should be decrypted at the Tender Opening Event (TOE).

The two‐way process as suggested may be followed strictly. This will address the concerns raised. The information on reaching the server where e‐procurement software is deployed through SSL mode will remain encrypted even after the SSL encryption is removed. Information will lie encrypted in the system hosting e‐ procurement software. Data Base Administrator (DBA) will not be able to decrypt the information as he will not be having the decryption keys. It may be mentioned here that at no point of time the System Administrator or Data Base Administrator should be authorized to hold the private (decryption) key. The organization shall have a procedure which can include three different approaches to address three different scenarios.

4. Concern about Symmetric key based Bid‐Encryption done at the Bidder’s computer

4.1

a) While

bidders’ representatives should be

Cryptographic

A 12.3

 

welcome

during Online Public TOE, it should

controls

A.12.3.1

27

The concerns in this regard are :
a) No such limitations exist in the offered e‐ tendering system, and the system supports
multiple departments and a comprehensive hierarchy of officers which is such that each officer can continue to perform his/ her tendering related role in a secure manner with full accountability, and with no need for any re‐assigning of responsibilities. It is being clarified that the objective here is not to provide a full‐
Regulation of cryptographic controls
In any large Government or PSU Purchase organization, there can be multiple indenting departments, multiple tendering authorities (ie entities which can invite tenders in their name), and tens (and sometimes hundreds) of officers involved with different activities relating to various tenders.
A situation should not arise in the e‐tendering system where due to limitation of the e‐ tendering system, these departments and officers are not able to themselves execute their duly assigned roles as in the manual process, and are constrained to re‐assign/ abdicate their roles and responsibilities to a few tech‐savvy technicians or the personnel of the service‐provider of the e‐tendering system.
Cryptographic controls
A 12.3 A.12.3.1
Guidance and recommended practices
The organization shall have procedure to address above. E‐Procurement system should have functionality such that the physical presence of bidders should not be mandatory during Online Public TOE.
b) How the security of the symmetric key (i.e. the key used for encryption of each bid‐part) is ensured, between the period of bid‐ submission and the Online Public TOE, keeping in view the concerns outlined above.
c) It should be allowed for a bidder to have different keys for bid‐encryption of each bid‐ part (such as Pre‐qualification, Technical, and Financial) he submits.
Regulation of cryptographic controls
not be mandatory for them to be present if their bids are to be opened.
A 15.1.6
Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.
A policy on the use of cryptographic controls for protection of Information shall be developed and implemented. A.12.3.2
Key management shall be in place to support the organization’s use of cryptographic techniques
5. Concerns/ clarifications based on s42(1) of the IT Act 2000 relating to Digital Signatures, a User Organization’s Administrative Hierarchy, and some related aspects
5.1
A 15.1.6
Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A.12.3.2
Key management shall be in place to support the organization’s use of cryptographic techniques

28

fledged virtual office to the officers, but to provide adequate facilities within the application for multiple officers of multiple departments to carry out their respective tendering related activities with proper security and full accountability. Roles relating to various tendering activities within each department, and which could vary from tender to tender, would inter alia include – deciding methodology and rules pertaining to a particular tender, creation of tender notice, approval/ rejection of tender notice, creation of corrigendum, approval of corrigendum, creation tender document forms, approval of tender document forms, overall approval/ rejection of tender documents, providing responses to clarification of tender documents, uploading minutes of pre‐bid meeting, one or more officers conducting public online tender opening event (TOE), approving minutes of the public online TOE, short‐listing responsive bidders for the next stage (where applicable), managing roles of various personnel, and assigning alternative personnel in case the original assignees are absent, etc.

b)The offered e‐tendering system has facility, such that roles with conflict of interest can be offered to different persons within the organization, so that conflict of interest is avoided.

c)There should be one authorized person as an overall coordinator and representative of that organization in the e‐tendering system, with powers to delegate different roles to different users from time to time, and all such role‐changes must be audit‐ trailed in the application. The credentials of this overall coordinator must be verified.

d)There should be provision for having separate authorized user (at the corporate level of each Buyer organization, i.e. external to its tendering departments) who can access the application‐level audit‐trail (ie audit‐log) reports. Other users of the organization should not have access to these reports.

e)Under no circumstances will it be required for any officer to hand over his/ her

29

private‐key (used for digital‐signing, or bid‐ decryption if applicable in the offered system) to anyone else – within the organization, or to anyone in the service provider’s organization, or to anybody else.

f)There could be occasions when an authorized officer of a Purchase/Buyer organization is on leave, gets transferred, resigns or his/ her services are terminated. One example where such an eventuality may arise is if the public key of the tender opening officer is used for bid encryption, and his private key required for bid decryption during the online tender opening event. There should no limitation in the e‐tendering system which may necessitate that the private key of such an officer be handed over to anybody else for the scheduled tendering processes to continue uninterrupted.

Note: The above is necessary for compliance with s‐42(1) of the IT Act 2000.

Guidance and recommended practices

The e‐procurement system should have the features to address above. Under the IT Act, 2000 any holder of a Digital Signature, who’s Digital Signature Certificate has been issued by a licensed CA, is responsible for protecting the corresponding private key. Unless the certificate validity has expired or the certificate has been revoked by the issuing CA, any digital signature will be legally valid and will be attributed to the person listed in the Digital Signature Certificate. Similar mechanism measures should be evolved for encryption key pair as well.

Handing over of private (decryption) key by one officer to another officer both in case of digital signature as well as in case of encryption should not be allowed

In case of digital signature, private key should be one of the two factor authentication method which must be implemented. The other could be Personal Identification Number (PIN) or biometric etc., so that nobody else can use the private key for signing the document.

 

Further, it is the responsibility of the e‐procurement system to reject the Digital

 

Signature (except for verification) in case the corresponding Digital Signature

 

Certificate has expired. It is suggested that e‐procurement tendering system must

 

have signing interface which can keep track of corresponding certificate particularly

 

relating to expiry aspect of digital signature. There should also be a clause in the

 

tender document stating that tender will not be considered for evaluation if the

 

digital signature certificate has expired (except for verification).

 

5.2

In any large Supplier/ Vendor organization,

Cryptographic

A 12.3

 

there can be multiple sales departments

controls

A.12.3.1

 

which

can

bid for different

tenders. Also

 

A policy on the use of

 

within

each

such department

there can be

Regulation of

cryptographic

 

 

 

 

 

 

 

 

30

 

many

executives

involved

with

different

cryptographic

 

controls for

 

activities

relating to various tenders.

controls

 

protection of

 

 

information shall be

 

A situation should not arise in the e‐tendering

 

 

 

 

 

developed and

 

system

where due

to limitation

of the e‐

 

 

implemented.

 

tendering

system,

these

departments and

 

 

A.12.3.2

 

 

 

Key management

 

executives are not able to themselves execute

 

 

 

 

 

shall be in place to

 

their duly

assigned

roles

as

in

the manual

 

 

support the

 

process, and are constrained

to

re‐assign/

 

 

organization’s use

 

 

 

of cryptographic

 

abdicate their roles and responsibilities to a

 

 

 

 

 

techniques

 

few tech‐savvy technicians or the personnel of

 

 

 

 

the service‐provider of the e‐tendering

 

 

A 15.1.6

 

system.

 

 

 

 

 

 

 

 

 

Cryptographic

 

 

 

 

 

 

 

 

 

 

 

controls shall be used

 

 

 

 

 

 

 

 

 

 

 

in compliance with all

 

 

 

 

 

 

 

 

 

 

 

relevant

 

 

 

 

 

 

 

 

 

 

 

agreements, laws,

 

 

 

 

 

 

 

 

 

 

 

and regulations.

 

Guidance and recommended practices

 

 

 

 

This has implication on process and technology. There would be scenarios regarding

 

multiple tendering within organization. e‐Procurement software must have features

 

to address such suggested issues’ viz – multiple sales departments within a bidder/

 

supplier organization, multiple executives (each with his own digital signature

 

certificate) for performing various e‐procurement related tasks within each such

 

department; system for managing roles and authorizations of such executives in case

 

of transfer, leave, termination etc; independent executive within each bidder/

 

supplier organization for accessing audit trails relating to that organization. Apart

 

from from ensuring security within a supplier/ bidder organization, such functionality

 

is necessary to ensure that users within a supplier/ bidder organization do not

 

handover their private keys to each other for completing an ongoing tendering

 

process. If these concerns are not addressed, it would result in violation of s‐42(1) of

 

the IT Act.

 

 

 

 

 

 

 

 

 

 

Further, it is suggested that organizations implementing e‐procurement system

 

should conduct training programmes for persons who have been assigned roles and

 

are using the system on functional aspect related to process and technical aspects of

 

the system. The training programme should also cover dos and don’ts for using the

 

system.

 

 

 

 

 

 

 

 

 

 

6. Some other functionality/ Security/ Transparency related requirements of a Manual

Tendering System and Conformance its Availability in the offered e‐tendering system

6.1

Concern

 

 

 

 

 

 

Cryptographic

A 12.3

 

(Manual System)A Tender Notice is issued

controls

A.12.3.1

 

after internal clearance. Once a Tender Notice

 

A policy on the use of

 

is published in a newspaper, it becomes an

Regulation of

cryptographic controls for

 

protection of information

 

authentic record.

 

 

 

 

 

cryptographic

 

 

 

 

 

 

shall be developed and

 

 

 

 

 

 

 

 

 

controls

implemented.

 

(Electronic System)

 

 

 

 

 

 

A.12.3.2

 

 

 

 

 

 

 

Key management shall be

 

a) At a higher level, there should be clearance

 

 

 

in place to support the

 

(which is audit‐trailed within the application

 

organization’s use

 

and digitally signed) before a Tender Notice is

 

of cryptographic

 

 

techniques

 

issued.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

b) For authenticity and for assurance that it

 

A 15.1.6

 

 

Cryptographic controls

 

has not been tampered, the electronic Tender

 

shall be used in

 

 

 

 

 

 

 

 

 

 

compliance with all

 

 

 

 

 

 

 

 

 

 

31

Notice (which is an electronic record), should have an audit‐trail within the application of its creation/ approval/ posting. Also, the tender notice should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

Concern (Manual System)

A Corrigendum is issued after internal clearance/ approval. Once a Corrigendum to a Tender Notice is published in a newspaper, it becomes an authentic record.

(Electronic System)

a)At a higher level, there should be clearance (which is audit‐trailed within the application and digitally signed) before a Corrigendum is issued.

b)For authenticity and for assurance that it has not been tampered, the electronic Corrigendum (which is an electronic record), should have an audit‐trail within the application of its creation/ approval / posting. Also, the Corrigendum should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

Concern (Manual System)

Once Tender Documents are published, and sold with official receipt and serial no. for each copy sold, these become an authentic record.

(Electronic System)

a)For authenticity and for assurance that it has not been tampered, the electronic Tender Documents (which is an electronic record), should have an audit‐trail within the application of its posting. Also, the Tender Documents should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

b)At the time of online sale/ downloading of the tender documents, official serial number should be given along with the receipt.

Concern (Manual System)

An Addendum is issued after internal clearance/ approval. Once Addendum to Tender Documents are published, and

relevant agreements, laws, and regulations.

32

distributed, these become an authentic record.

(Electronic System)

a)At a higher level, there should be clearance (which is audit‐trailed within the application and digitally signed) before an Addendum is issued.

b)For authenticity and for assurance that it has not been tampered, the electronic Addendum (which is an electronic record), should have an audit‐trail within the application of its approval/ posting. Also, the Addendum should be digitally signed by an authorized officer of the Purchase/ Buyer organization.

Concern (Manual System)

Clarification of Tender Documents. In response to a bidder’s query, an authorized officer of the Purchase/ Buyer organization responds to the querist with a copy to all other prospective bidders who have purchased tender documents (without revealing the identity of the querist). The response is signed by the concerned officer for authenticity.

(Electronic System)

The e‐tendering system should also have such a facility with all the functionality as described in the previous column. For authenticity and for assurance that it has not been tampered, the response from the authorized officer of the Purchase/ Buyer organization should be digitally signed by him.

Concern (Manual System)

Pre‐Bid meeting. The minutes of the Pre‐bid meeting are signed for authenticity by an authorized officer of the Purchaser/ Buyer organization and made available to the prospective bidders.

(Electronic System)

The e‐tendering system should also have such a facility with all the functionality as described in the previous column. For authenticity and for assurance that it has not been tampered, the Minutes should be digitally signed by an authorized officer of the Purchaser/ Buyer

33

 

organization.

 

 

 

 

 

Concern

 

 

 

 

 

(Manual System)

 

 

 

 

 

Bid Methodologies/ Formats:

 

 

 

 

 

Depending on the circumstances and nature of

 

 

 

 

a tender, one of the many bidding

 

 

 

 

methodologies may be prescribed by a Buyer,

 

 

 

 

and the bidder would have to respond

 

 

 

 

accordingly.

 

 

 

 

 

Single‐stage, single‐ envelope

 

 

 

 

 

Single‐stage, two‐ envelope

 

 

 

 

 

Two stage (with facility for ‘technical

 

 

 

 

conformance’, and if required, ‘revised

 

 

 

 

tender documents’)

 

 

 

 

 

Two‐stage, two‐ envelope

 

 

 

 

 

Where required, the above may be

 

 

 

 

combined with a Pre‐qualification stage

 

 

 

 

In some cases, the Purchaser may allow

 

 

 

 

submission of one or more Alternative bids

 

 

 

 

Each bid part (eg technical, financial) may

 

 

 

 

be required to be submitted in a ‘summary

 

 

 

 

format’ along with a ‘detailed bid’.

The

 

 

 

 

latter could be a large file.

 

 

 

 

 

After having submitted the ‘original’ bid

 

 

 

 

for each bid‐part, a bidder has a right to

 

 

 

 

submit:

 

 

 

 

 

‘Modification’ bid

 

 

 

 

 

‘Substitution’ bid

 

 

 

 

 

Or ‘Withdrawal’ bid for all his bid‐

 

 

 

 

submissions.

 

 

 

 

 

(Electronic System)

 

 

 

 

 

The e‐tendering system should

 

 

 

 

 

support all the bidding methodologies/

 

 

 

 

 

formats as outlined above without

 

 

 

 

 

sacrificing any aspect of

 

 

 

 

 

security and transparency

 

 

 

 

 

including those listed elsewhere in this document.

 

 

 

 

Guidance and recommended practices

 

 

 

 

 

CVC Circular No. Office Order No.43/7/04 dated 2nd July 2004 had also required that

 

tender documents posted on an e‐tendering/ e‐procurement website should be

 

digitally signed by an officer of the tendering organization, and for the assurance of

 

the bidder who is viewing or downloading the tender documents, the CVC circular

 

required that facility be provided to verify the digital signature to ensure the

 

authenticity and integrity of the tender documents.

 

 

 

The e‐procurement system should have functionality as outlined above under

 

‘(Electronic System)’, and the Buyer organization should have related procedures to

 

implement this.

 

 

 

 

6.2

Concern

 

Cryptographic

 

A 12.3

 

 

 

 

34

(Manual System)

controls

A.12.3.1

Signing of each page of each bid part (pre‐

 

A policy on the use of

qualification, technical, financial) especially

Regulation of

cryptographic

controls for

the ‘summary format’ and the

cryptographic

protection of

‘detailed’ bid including modification,

controls

information shall be

substitution, withdrawal.

 

developed and

 

implemented.

 

 

The sealed bids are deposited securely in a

 

A.12.3.2

 

Key management

locked tender box, and stored securely till the

 

shall be in place to

 

support the

box is opened during the public tender

 

 

organization’s use

opening event.

 

of cryptographic

 

 

techniques

(Electronic System)

 

A 15.1.6

 

Cryptographic

The e‐tendering system should have the

 

 

controls shall be used

corresponding facilities without sacrificing any

 

in compliance with all

aspect of security and transparency including

 

relevant agreements,

 

laws, and regulations.

those listed elsewhere in these Guidelines.

 

 

 

It should not be possible to open the ‘e‐ tender boxes’ till the specified time has occurred or elapsed, and till all the authorized Tender‐Opening Officers have formally instructed the system to do so with PKI‐based Digital Signatures

Till the Public Tender Opening Event, security related features should be such that the contents of the bids which are being stored cannot be ‘accessed and decrypted’ by even the authorized officers of the Purchaser/ Buyer or the Administrators of the Service Provider (even if they wish to do so with mala‐fide intentions).

 

Guidance and recommended practices

 

 

 

The e‐procurement system should have features to address the suggestions made in

 

this document.

 

 

 

Any e‐procurement/e‐tendering services must provide the facility of Time Stamping

 

which is critical for establishing data and time of document submission and its

 

acknowledgement. Time Stamping feature should be built within the application and

 

synchronisation of e‐tendering/ e‐procurement server should be done with master‐

 

server at the data‐center where the e‐procurement system is hosted (as mentioned

 

in section 4.1 of these Guidelines). Alternatively, the e‐procurement service provider

 

can take Time Stamping services being provided by licensed CAs.

 

6.3

(Manual System)

Cryptographic

A 12.3

 

Public Tender Opening Event(s) [Public TOEs]

controls

A.12.3.1

 

 

 

A policy on the use of

 

For Transparency, there is an elaborate

Regulation of

cryptographic controls for

 

protection of information

 

procedure for opening of bids in the presence

cryptographic

 

shall be developed and

 

of authorized bidders. A few salient aspects of

controls

implemented.

 

 

 

A.12.3.2

 

 

 

35

this are:

Authorized representatives of bidder organizations

a)Who have submitted their bids are entitled to be present and have to sign in their attendance.

b)Each bid is opened one at a time in front of the participating bidders, and the concerned bidder is entitled to satisfy himself that his bid packet is intact and has not been tampered with.

c)If Bid security [earnest money deposit (EMD)] is applicable for a tender, then details of the EMD submitted, or exemption claimed with basis thereof is disclosed to the participants.

d)Salient points of each opened bid are read out aloud for the benefit of the participating bidders, and to ensure that no change is made in the bid contents later on with connivance.

e)Clarifications may be sought from a bidder whose bid has been opened and record is made of the query and the response.

f)Each page of the opened bid is countersigned during the TOE itself (by each tender opening officer (typically up to 3) to ensure that no change is made in the bid contents later on with connivance.

g)After all the bids are opened and countersigned by the TOE‐officers, the minutes of the meeting (ie TOE) are to be recorded.

h)Each bid part may be opened in a separate tender opening event in which only the authorized bidders are allowed. This is supposed to be done in a very transparent manner with proper scheduling of events and proper information to the concerned bidders.

i)Bid parts which are due for opening in a subsequent tender opening event are securely stored till that event.

j)If in a particular TOE, if it is decided not to open the bid of a bidder, then such bids are returned opened.

(Electronic System)

Facility for the authorized personnel to conduct Public Online Tender Opening Event with Bidders attending from remote

Key management shall be in place to support the organization’s use

of cryptographic techniques

A 15.1.6

Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

36

locations electronically with full security procedures. Tender‐Opening Event should be simultaneously viewable by all attendees from their respective locations

The e‐tendering system should support all the salient aspects,viz a, b, c, d, e, f, g, h, i as listed in the previous column without sacrificing any aspect of security and transparency including those listed elsewhere in this matrix/ questionnaire. As soon as a bid is opened, participating bidders should be able to simultaneously download the salient points (ie the summary information) of the opened bid.

For (j) keeping in view the nature of the internet, such bids may be archived unopened.

Note: In addition, in cases where some bidders have bid offline (ie manually), and this has been allowed, then the following should be ensured:

-That the offline bids are opened first and their salient points entered into the system before the online bids are opened. This is all done in the presence of the online bidders who are simultaneously witnessing this exercise.

The compiled/ integrated data of the both the online and offline bidders should be made available in the form of an online comparison chart to all the participants.

Guidance and recommended practices

The GFR requires that tenders be opened in public in the presence of the authorized representatives of the bidders. The Finance Ministry Manual on procurement procedures outlines in details the requirements of a transparently conducted Public Tender Opening Event. CVC Guidelines on security aspects of e‐procurement also stae the requirement of ‘Online Public Tender Opening Event’. Merely opening bids ‘online’, and then separately making them available for display to the bidders subsequently, and/ or from a different location/ screen (ie user interface) without the simultaneous online presence of bidders, does not fulfill the requirements of a proper and transparent online Public TOE. A comprehensive and transparent Public Tender Opening Event is the ‘backbone of transparency and fairness’ of the Public Procurement process, manual or electronic. This has an impact on technical as well as procedural aspects.

It must be ensured that e‐tendering/ e‐procurement has comprehensive functionality for a transparent Public Online Tender Opening Event (Public OTOE). Well established practices of manual tender opening (with legal and transparency related significance) should have corresponding electronic equivalents for transparent e‐tendering/ e‐procurement. Some relevant processes of a fair and transparent online public TOE should include:

37

i. Opening of the bids in the simultaneous online presence of the bidders with proper online attendance record of the authorized representatives of the bidders. Merely opening bids online, and then subsequently displaying some results to the bidders does not fulfill the requirements of a transparent Online Public Tender Opening Event

ii.Security Checks to assure bidders of non‐tampering of their bids, et al during the online TOE itself

iii.One‐by‐one opening of the sealed bids in the simultaneous online presence of the bidders

iv.Online verification of the digital signatures of bidders affixed to their respective bids

v.Reading out, ie allowing bidders to download the electronic version of the salient points of each opened bid (opened in the simultaneous online presence of the bidders)

vi.There should be a procedure for seeking clarifications by the TOE officers during online Public TOE from a bidder in the online presence of other bidders, and recording such clarifications

vii.Digital counter‐signing (by all the tender opening officers) of each opened bid, in the simultaneous online presence of all participating bidders

viii.Preparation of the ‘Minutes of the Tender Opening Event’ and its signing by the concerned officers in the simultaneous online presence of the bidders

While bidders should be welcome to be present physically during the TOE, it should not be mandatory for them to do so. All the above should be achieved online in a user‐friendly manner.

The e‐procurement system has to satisfactorily address the above requirements through suitable functionality built into the e‐procurement application. Where, in addition, some issues are being further addressed through organizational procedures under ISO 27001, these should be explicitly defined with satisfactory explanations.

7.Concerns/clarifications relating to preventing other Bidders from Bidding in the e‐ Tendering Scenario, and Miscellaneous Concerns/ Clarifications

7.1

Can the e‐tendering prevent competitors/ tender mafia from locking the accounts (target accounts) of other users/ bidders by deliberately entering incorrect authentication information against user‐names (which are not secret) of such bidders/ users?

Control of technical vulnerabilities Cryptographic controls

Regulation of cryptographic controls

A 12.6.1

Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

A12.3

A.12.3.1

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.12.3.2

Key management shall be in place to support the

38

 

 

 

 

organization’s use

 

 

 

 

of cryptographic

 

 

 

 

techniques

 

 

 

 

A 15.1.6

 

 

 

 

Cryptographic controls

 

 

 

 

shall be used in

 

 

 

 

compliance with all

 

 

 

 

relevant agreements,

 

 

 

 

laws, and regulations.

 

Guidance and recommended practices

 

 

 

Generally any system are designed in such a manner that it gets locked/denied

 

permission after repeated login attempts based on wrong passwords and user IDs.

 

Such a scenario, if it exists, in e‐procurement system may be exploited by the

 

competitors/tender mafia to prevent the genuine bidders. To avoid such a situation

 

the e‐procurement system should not have features for locking the system on

 

account of repetitive login attempts based on wrong passwords and user IDs and

 

digital signatures. It is also suggested that login to the e‐procurement system should

 

be based on digital signatures. It has also been suggested that e‐procurement system

 

should have interface software to check the validity of digital signature/certificate.

 

Other innovative methods may also be developed to address this concern.

7.2

For security reasons, Administrators of the e‐

Control of

A 12.6.1

 

tendering application/ portal should not have

technical

Timely information about

 

any access to the passwords of the various

vulnerabilities

technical vulnerabilities

 

of information

 

users. Neither should the

Administrators

Cryptographic

 

systems being used shall

 

be able to generate passwords for the users.

controls

be obtained, the

 

 

 

Regulation of

organization's exposure

 

 

 

to such vulnerabilities

 

 

 

cryptographic

 

 

 

evaluated, and

 

 

 

controls

appropriate measures

 

 

 

 

taken to address the

 

 

 

 

associated risk.

 

 

 

 

A 12.3

 

 

 

 

A.12.3.1

 

 

 

 

A policy on the use of

 

 

 

 

cryptographic controls for

 

 

 

 

protection of information

 

 

 

 

shall be developed and

 

 

 

 

implemented.

 

 

 

 

A.12.3.2

 

 

 

 

Key management shall be

 

 

 

 

in place to support the

 

 

 

 

organization’s use

 

 

 

 

of cryptographic

 

 

 

 

techniques

 

 

 

 

A 15.1.6

 

 

 

 

Cryptographic controls

 

 

 

 

shall be used in

 

 

 

 

compliance with all

 

 

 

 

relevant

 

 

 

 

agreements, laws, and

 

 

 

 

regulations.

 

Guidance and recommended practices

 

 

 

The Administrators of the e‐tendering application/portal should not have any access

 

to the passwords of the various users. Neither the software should allow the

 

Administrator to generate password for the users.

 

 

The designer/developer should factor this at the design stage/development stage, ie

 

the e‐procurement system has to satisfactorily address the above requirements

 

through suitable functionality built into the e‐procurement application.

 

 

 

 

39

7.3

The Forgot Password feature should not be

Control of

A 12.6.1

 

based on some questions and answers which

technical

Timely information about

 

can be guessed by a competitor/ hacker.

vulnerabilities

technical vulnerabilities

 

of information

 

Please explain how this is achieved.

Cryptographic

 

systems being used shall

 

 

controls

be obtained, the

 

 

 

organization's exposure

 

 

Regulation of

to such vulnerabilities

 

 

evaluated, and

 

 

cryptographic

appropriate measures

 

 

controls

taken to address the

 

 

associated risk.

 

 

 

 

 

 

A 12.3

 

 

 

A.12.3.1

 

 

 

A policy on the use of

 

 

 

cryptographic controls for

 

 

 

protection of information

 

 

 

shall be developed and

 

 

 

implemented.

 

 

 

A.12.3.2

 

 

 

Key management shall be

 

 

 

in place to support the

 

 

 

organization’s use

 

 

 

of cryptographic

 

 

 

techniques

 

 

 

A 15.1.6

 

 

 

Cryptographic controls

 

 

 

shall be used in

 

 

 

compliance with all

 

 

 

relevant agreements,

 

 

 

laws, and regulations.

Guidance and recommended practices

If the e‐procurement system has “Forgot Passwords feature”, it should address these concerns.

7.4There should be facility for Comprehensive

Electronic Audit‐Trail (ie Audit‐Log, or

 

 

 

Log

A 10.10

Vigilance Reports) within the application with

monitoring

A.10.10.1

provision for Archiving.

 

 

 

 

 

 

Audit logs recording user

 

 

 

 

 

 

 

 

 

 

activities, exceptions, and

Specifically:

 

 

 

 

 

 

 

 

information

 

 

 

 

 

 

 

 

security events shall be

i)

There should be audit trail reports for ‐‐

 

produced and kept for an

 

each tender of each Buyer organization, as

 

agreed period to assist in

 

 

future investigations and

 

well as, non‐tender specific activities (like

 

 

 

access control monitoring.

 

creation of user‐hierarchy and role

 

A.10.10.2

 

authorization),

which is

viewable

only

to

 

Procedures for monitoring

 

the authorized

user

of that

 

Buyer

 

use of information

 

 

 

processing facilities shall be

 

organization.

Other

users

of

the

 

 

 

established and the results

 

organization should not

have

access

to

 

of the monitoring activities

 

these audit trail reports.

 

 

 

 

 

 

reviewed regularly.

ii)

 

 

 

 

 

 

A.10.10.3

Similarly, there should be audit trail

 

 

Logging facilities and log

 

reports for ‐‐ each tender of each Supplier/

 

information shall be

 

Bidder organization, as well as, non‐tender

 

protected against

 

 

tampering and

 

specific activities (like creation of user‐

 

 

 

unauthorized access.

 

hierarchy and role authorization), which is

 

A.10.10.4

 

viewable only

to

the authorized

user

of

 

System administrator and

 

that Supplier organization. Other users of

 

system operator activities

 

 

shall be logged.

 

the organization should not have access to

 

 

 

A.10.10.5

 

audit trail reports.

 

 

 

 

 

 

 

Faults shall be logged,

 

 

 

 

 

 

 

 

 

 

analyzed, and appropriate

 

 

 

 

 

 

 

 

 

 

40

iii) As backup,

and

as

protection against

action taken.

tampering of audit‐trail reports saved by

A.10.10.6

The clocks of all relevant

an individual organization at its end,

information processing

facility should

be

available

for the

systems within an

authorized

e‐procurement

application

organization or security

domain shall be

administrator to have parallel access to

synchronized with an

such reports of both Buyer organizations,

agreed accurate time

as well as, Supplier organizations.

source

 

Furthermore,

information

pertaining

 

content of bids and Bid Submission [which

 

is sensitive till the Tender‐Opening Event

 

(TOE)], should not be accessible to the e‐

 

procurement application administrator till

 

the start of the TOE.

 

 

 

iv)The authorized administrator of the e‐ procurement/ e‐tendering application should also have access to audit trail reports of other administrators within the application.

v)The application should not provide any facility to modify or delete audit logs, or suspend logging operations

Guidance and recommended practices

The e‐procurement system and software should have the facility and functionality. There should be facility for Reports relating to Tendering‐Activities, and corresponding MIS Reports which are accessible to the relevant authorized users of that organization.

7.5

As required in a CVC order, the e‐tendering

CVC Order

 

NA

 

system should have facility for displaying

 

 

 

 

‘Award of Contracts’

 

 

 

 

 

 

 

Guidance and recommended practices

 

 

 

 

 

The application shall have this functionality. Furthermore, this information should be

 

digitally signed by the concerned user of the Buyer organization with facility for

 

verification by the viewer.

 

 

 

 

 

7.6

It is important that officers of a Buyer

Control of

A 12.6.1

 

organization involved in procurement related

technical

Timely information about

 

activities continue

to perform their

related

vulnerabilities

technical vulnerabilities

 

of information

 

roles without re‐assigning or abdicating

 

 

 

systems being used shall

 

responsibilities. A

pre‐requisite

to

enable

 

be obtained, the

 

officers to perform their roles is the existence

 

organization's exposure

 

 

to such vulnerabilities

 

of comprehensive virtual hierarchy and role‐

 

 

 

evaluated, and

 

authorization as outlined above.

 

 

 

appropriate measures

 

 

 

 

 

 

taken to address the

 

Another requirement to enable this is that e‐

 

associated risk.

 

 

 

 

 

Tendering Systems must design their user

 

 

 

 

interfaces to be “user friendly”, and that all

 

 

 

 

information that the user needs to

perform

 

 

 

 

each transaction is available easily and clearly

 

 

 

 

from the screen

 

 

 

 

 

 

 

Concern

 

 

 

 

 

 

 

 

 

 

 

 

41

The e‐Tendering application must be designed, developed and deployed using reputed and secure platforms such as ‐‐ .DotNet, J2EE etc, that minimize defects like bugs and vulnerabilities. It is important to ensure that during deployment; only compiled codes of the e‐tendering application software are used, with further protection to prevent run‐time modifications in the code. Please clarify how this is achieved.

Concern

It should not be possible to compromise the security of the e‐tendering application, even with knowledge of its architecture, design and encryption algorithm used.

Guidance and recommended practices

The application shall be architectured, designed and developed (ie the required functionality should be inbuilt in the application) to address above concerns. The best practices and processes to develop secure software shall be followed.

8.Concerns relating to Bidders making false assertions based on non‐existing functionality in their e‐tendering software (Important Eligibility/ Qualifying Criteria)

References may be given of various clients

Quality

NA

who have used the e‐tendering/ e‐

 

assessment

 

procurement software before the date of

 

of solution

 

submission of bids. Such references should

Publically

 

state whether or not the e‐Tendering software

 

available

 

supplied to each reference client was capable

 

capability

 

of handling each of the following

No

 

requirements: composite technical & financial

 

monopolizati

 

bids (single stage‐ single envelope); technical

 

on

 

and financial bids in separate envelopes (single

 

 

 

stage‐ two envelope); single stage two

 

 

 

envelope preceded by pre‐qualification; and

 

 

 

various security and transparency related

 

 

 

concerns outlined in this Annexure‐I,

 

 

 

Annexure‐II (which is based on CVC

 

 

 

Guidelines).

 

 

 

Guidance and recommended practices

The solution should be assessed in respect of various security and transparency related concerns outline in these Guidelines, and its scope of Capability should be in public domain, ie the functionality claimed should have references. This will discourage monopolizing a particular vendor and solution and will encourage new entrants from offering such systems thereby affecting the competitiveness of procurement of systems. To encourage new entrants, while there should be no compromise on security, transparency and crucial functionality related concerns highlighted herein, the eligibility criteria in respect of ‘number of tenders’, ‘revenue criteria from e‐procurement’, etc should be minimum.

42

Summary‐ Analysis of Risk of eProcurement Systems

 

 

Security Risks

 

Security

Compromise through potential weaknesses in the system

Availability

The need for services to be `on’ all the time

Authentication

Masquerading identity or repudiation of message

 

Any purchasing system must support authentication of users so

 

that individual transaction can be traced back to the relevant

 

person. Generally, this is by user name and password.

 

Alternatively, the authentication mechanism could be network

 

login or other directory services, while higher security

 

requirement may demand token based method such as digital

 

certificate, smart card or biometrics devices.

Access

To ensure users only have access to the functions required to do

 

their jobs, an eProcurement system should incorporate “roles –

 

based” access control mechanism. This should allow a particular

 

role to be assigned to each user of the application, and to

 

determine which function areas this role incorporates.

Audit Trail

A robust eProcurement solution should incorporate a

 

comprehensive audit trail, with recording of who did what and

 

when at various key stages of the purchasing process. The

 

system should also allow rules to be incorporated, example the

 

person who approves a requisition must be different from the

 

requisition originator. Setting such principles within the

 

purchasing application can be a useful counter major against

 

possible fraud.

Liability

Through employment or legal contractual obligations

Computer Fraud

Internal abuse and misuse

Breach by external

External attack by various parties, whether corporate espionage

party

or terrorists

Virus affecting the

Email viruses such as NIMDA or Melissa which have capability of

system

crippling systems

Denial of service

Flooding a computer’s internet connection with requests to

 

disrupt traffic flow

Intellectual property

Misappropriation or release of intellectual property

Software Risks

 

Switching Cost and

Control of spending to specific suppliers as part of e‐Commerce

compliance with Rules

 

of Government

Some applications which only require users to have access to the

Procurement

 

internet via a web browser may also require additional software

Applets, scripting and

to be installed and run on the local machine, such as ActiveX

punch‐out

components, Java Applets, browser script and cookies. Security

 

policy should allow these software components to be installed

 

and run.

Interoperability

Lack of interoperability between the system of the bidder and

 

system of the procurement body

 

System interoperability is the smooth transition of data between

 

systems internally within an organisation, example between an

 

43

eProcurement system and a finance system and externally example between a buyers eProcurement system and suppliers eCommerce System.

The preferred method of data flow today is eXtensible Mark‐Up Language (XML). XML is accepted a core standard for data exchange between the Government and Business.

Project Risks

Competitive

Risk to customer and supplier data, as well as other commercially

information

sensitive information

Lack of required skills

Staff not being properly equipped with the correct skill set.

 

Repercussion of not adhering to roles & responsibilities while

 

handling private key/ user secret of personnel involved in e

 

procurement life cycle.

Wrong technology

Investing in the wrong technology, this may lead to greater costs

choice

than initially projected, or being stuck with a vendor

Complexity and

Increasing complexity of organisation, systems and models

Management of

The increasing electronic delivery of public services to business

electronic records

and citizens, in turn, producing more electronic records.

 

Electronic records unlock content previously difficult to assess in

 

paper form, enable more effective sharing of information and

 

contribute to knowledge exchange. However, they need to be

 

retained and maintained over the medium to long term as the

 

records also demonstrate accountability.

 

Privacy and excess issues and particularly right to information act,

 

VAT and other taxation act required that electronic records be

 

managed constantly within regulatory environment.

Reputational Risk

The risk of damaging goodwill or brand equity as a result of e‐

 

Commerce mishap

Business Continuity

To protect historic data in the event of a system failure, or to

 

allow a purchase department to continue off‐site in the event of

 

disaster, security arrangement should also include a business

 

continuity plan. This should detail :

 

Precautions to prevent disaster from occurring such as virus

 

checking

 

Physical security in the premises where the application is

 

held and

 

Duplication of data onto multiple storage devices

 

Procedures to follow in the event of an unrecoverable

 

disaster e.g. retrieval of off‐site back‐ups or relocating to a

 

“warm recovery” server which contains all historical data.

 

Finally, it is important to test any continuity plans on a regular

 

basis. The time to discover that not all relevant files are backed

 

up is during a test drill, not when trying to recover after a

 

catastrophic failure.

Environmental Risks

 

Natural hazard

Because of involvement of remotely located additional body

Changing technology

Rate of change of technology progressing ahead of the ability to

 

secure it

Maverick

Procurement risk, describing employee’s expenditure via non‐

Spend/compliance

preferred suppliers, resulting in a blow‐out in costs.

 

44

Annexure‐II ‐ Checklist for eSecurity Compliance (including CVC Guidelines)

Table 1: General Security Issues

 

Sl.

Issues to be Checked

Means of Checking

No.

 

 

1

Whether the application is secure from making any

Functionality

 

temporary distortion in the electronic posing of tender

Verification/Testing

 

notice, just to mislead certain vendors?

(Application level)

2

If yes at 2 above, then whether any automatic systems

Functionality

 

alert is provided in the form of daily exception report in

Verification/Testing

 

the application in this regards?

(Application level)

3

Whether application ensures that the tender documents

Functionality

 

issued to/downloaded by bidders are complete in shape

Verification/Testing

 

as per the approved tender documents including all its

(Application level)

 

corrigendum?

 

4

Is there any check available in the application to detect

Functionality

 

and alert about the missing pages to the tenderer, if any?

Verification/Testing

 

 

(Application level)

5

Whether application ensures that all the corrigendum

Functionality

 

issued by the Competent Authority are being fully

Verification/Testing

 

communicated in proper fashion to all bidders including

(Application level)

 

those who had already purchased/downloaded the bid

 

 

documents well ahead of the due date and before

 

 

uploading the corrigendum?

 

6

Whether system is safe from sending discriminatory

Functionality

 

communication to different bidders about the same e‐

Verification/Testing

 

tendering process?

(Application level)

7

Whether e‐procurement solution has also been

Functionality

 

customized to process all type of tenders viz

Verification/Testing

 

Limited/Open/Global Tenders?

(Application level)

8

Whether online Public Tender opening events feature are

Functionality

 

available in the application?

Verification/Testing

 

 

(Application level)

9

Whether facilities for evaluation/loading of bids, strictly in

Functionality

 

terms of criteria laid down in bid documents are available

Verification/Testing

 

in the application?

 

10

Whether sufficient safeguards have been provided in the

Functionality

 

application to deal with failed attempt blocking?

Verification/Testing

 

 

(Application level)

11

Whether application is safe from submission of fake bids?

Functionality

 

 

Verification/Testing to

 

 

check that a bid can be

 

 

submitted only by a duly

 

 

authorized user of the

 

 

bidder organization, and

 

 

that all bidder

 

 

organizations are

 

 

authenticated.

 

 

(Application level)

 

 

Application

 

 

Vulnerability

 

 

45

 

 

 

Assessment (Test for

 

 

 

OWASP Top 10 and

 

 

 

other known

 

 

vulnerabilities)

 

 

(Application level)

12

Whether encryptions of bids are done at clients end?

Functionality

 

 

Verification/Testing

 

 

(Application level)

13

Whether safety against tampering and stealing

Functionality

 

information of submitted bid, during storage before its

 

Verification/Testing of

 

opening is ensured?

 

related ‘features’ and

 

 

 

‘explanations’ given by

 

 

 

the e‐procurement/ e‐

 

 

 

tendering software/

 

 

 

service provider

 

 

 

against relevant

 

 

 

sections and points of

 

 

 

Annexure‐I, viz

 

 

 

sections 2, 3 and 4 of

 

 

 

Annexure‐I.

 

 

 

(Application level, as

 

 

well as, Network level)

 

 

Application

 

 

 

Vulnerability

 

 

 

Assessment (Test for

 

 

 

OWASP Top 10 and

 

 

 

other known

 

 

 

vulnerabilities)

 

 

 

(Application level, as

 

 

 

well as, Network level)

14

Whether application is safe from siphoning off and

Functionality

 

decrypting the clandestine copy of a bid encrypted with

 

Verification/Testing of

 

Public key of tender opening officer?

 

related ‘features’ and

 

 

 

‘explanations’ given by

 

 

 

the e‐procurement/ e‐

 

 

 

tendering software/

 

 

 

service provider

 

 

 

against relevant

 

 

 

sections and points of

 

 

 

Annexure‐I, viz

 

 

 

sections 2, 3 and 4 of

 

 

 

Annexure‐I.

 

 

(Application level)

 

 

Application

 

 

 

Vulnerability

 

 

 

Assessment (Test for

 

 

 

OWASP Top 10 and

 

 

 

other known

 

 

 

vulnerabilities)

 

 

 

(Application level)

 

 

 

46

15

Whether application is safe from mutilation/sabotage of

Functionality

 

otherwise rendering the encrypted bid in the e‐tender box

 

Verification/Testing of

 

during storage, to make it unreadable/invalid in any form,

 

related ‘features’ and

 

before opening of the bids?

 

‘explanations’ given by

 

 

 

the e‐procurement/ e‐

 

 

 

tendering software/

 

 

 

service provider

 

 

 

against relevant

 

 

 

sections and points of

 

 

 

Annexure‐I, viz

 

 

 

sections 2, 3 and 4 of

 

 

 

Annexure‐I.

 

 

 

(Application level, as

 

 

 

well as, Network level)

 

 

Application

 

 

 

Vulnerability

 

 

 

Assessment (Test for

 

 

 

OWASP Top 10 and

 

 

 

other known

 

 

 

vulnerabilities)

 

 

 

(Application level, as

 

 

 

well as, Network level)

16

Whether introduction of special characters/executable

Testing of Input Validation

 

files etc by users are restricted in the application?

(Refer OWASP Testing

 

 

Guide)

 

 

(Application level)

17

Whether validity check of DSC is being done at server

Verification of the

 

end?

implementation

 

 

(Application level)

18

Whether system supports the feature that even though if

Verification of the

 

a published tender is being deleted from the application,

implementation

 

does not allow permanent deletion of the published

(Application level)

 

tender from the Database?

 

 

19

Whether sufficient security features are provided in the

Review of the

 

application for authentication procedure of the system

authentication mechanism

 

administrator like ID, password, digital signature,

implemented.

 

biometric etc.

(Application level, as well

 

 

as, Network level)

20

Whether audit trails are being captured in the application

Verification of the

 

on media not prone to tampering, such as optical write

implementation

 

once?

(Application level, as well

 

 

as, Network level)

21

Whether log shipping featuring available, where a

Verification of the

 

separate dedicated server receives the logs from the

implementation

 

application over web service in real time?

(Network level)

22

Whether integrity and non‐tampering is ensured in

Verification of the

 

maintaining the server clock synchronization and time

implementation

 

stamping?

(Network level)

23

Whether application generates any exception

Functionality

 

report/system alerts etc to indicate the resetting of the

Verification/Testing

 

 

 

47

 

 

clock, in case the application for time stamping is killing at

(Network level)

 

 

the server level and time is manipulated?

 

 

 

24.

Whether application ensures that the quotes from various

Functionality

 

 

bidders with their name are not being displayed to anyone

Verification/Testing

 

 

including to the organization during carrying out of the e‐

(Application level)

 

 

reverse auctioning process?

 

 

 

25

Whether application is fit for usage complying with the

 

Functionality

 

 

requirements of tender processing viz authenticity of

 

Verification/Testing

 

 

tender, non‐repudiation and secrecy of information till the

(Refer GFR for the

 

 

actual opening of tenders

 

 

 

 

 

 

requirements)

 

 

 

 

 

(Application level)

 

26

Whether any comprehensive third party audit (as per

 

Verification of

 

 

statutory requirement and also as per the requirements of

records/reports/certificate

 

 

e‐tender processing (compliance to IT Act 2000) was got

 

s

 

 

conducted before first putting it to public use?

 

(Application level, as well

 

 

 

 

 

as, Network level)

 

27

Whether application complies with the Commission/s

 

Covered below

 

 

Guidelines dated 17.9.2009 on Security consideration for

 

 

 

 

e‐procurement systems

 

 

 

Table 2: Infrastructure Security Issues

 

 

 

Sl.

Issues to be Checked

 

Means of Checking

 

No.

 

 

 

 

 

1

Perimeter Defence:

 

Network Architecture

 

 

Deployment of routers, firewalls. IPS/IDS, Remote

 

 

Review

 

 

Access and network segmentation.

 

Assessment of

 

 

 

 

 

vulnerabilities and

 

 

 

 

 

hardening/configuration of

 

 

 

 

 

network and security

 

 

 

 

 

devices e.g. routers,

 

 

 

 

 

switches, firewalls, IPS/IDS

 

 

 

 

 

etc.

 

 

 

 

 

(Network level)

 

2

Authentication:

 

Review of authentication

 

 

Network authentication through deployment of

 

policies and mechanisms

 

 

password policy for accessing the network resources.

 

(Network level)

 

 

To minimize unauthorised access to the e‐

 

 

 

 

 

procurement system, at system level.

 

 

 

 

3

Monitoring:

 

Review of logging and

 

 

Deployment of logging at OS/ network level and

 

monitoring policies,

 

 

monitoring the same.

 

procedures & mechanisms

 

 

 

 

(Network level)

 

4

Secure configuration of network host:

 

Assessment of vulnerabilities

 

 

The security of individual servers & workstations is a

 

and hardening/configuration

 

 

critical factor in the defence of any environment,

 

of the hosts (servers, client

 

 

especially when remote access is allowed

 

work stations etc.)

 

 

workstations should have Safeguards in place to resist

 

(Network level)

 

 

common attacks.

 

 

 

 

5

System patching:

 

Review of Patch

 

 

As the vulnerability of the system is discovered almost

 

 

Management Procedure

 

 

 

 

 

48

 

regularly and the system vendors are also releasing

Verification of the

 

the patches, It is expected that the host are patched

system patching status

 

with latest security updates.

(Network level)

 

 

 

6

Control of Malware:

Review of Malware Control

 

Suitable control like anti‐virus, anti spyware ext.

policies, procedures and

 

should be deployed on the host associated with e‐

mechanisms

 

procurement system. However, option for running the

(Network level)

 

services at non‐privileged user profile may be looked

 

 

 

for. Otherwise suitable operating system which is

 

 

 

immune to virus, Trojan and malware may be

 

 

 

deployed.

 

 

7

Structured cabling:

Verification of the cabling

 

The availability of the network services is critically

(Network level)

 

dependent on the quality of interconnection between

 

 

 

the hosts through structured including termination &

 

 

 

marking. It is expected the e‐procurement system has

 

 

 

implemented structured cabling and other controls

 

 

 

related with network and interconnection.

 

 

Table 3: Application Security Issues at Design Level

 

 

Sl.

Issues to be Checked

Means of Checking

No.

 

 

 

1

Authentication:

Functionality Verification of

 

The authentication mechanism of the e‐procurement

the implementation

 

application should ensure that the credentials are

(Application level, and SSL

 

submitted on the pages that are served under SSL

 

 

verification at Network Level)

2

Access Control:

Assessment/Testing (Refer

 

The application shall enforce proper access control

OWASP Testing Guide)

 

model to ensure that the parameter available to the

(Application level)

 

user cannot be used for launching any attack.

 

 

3

Session management:

Assessment/Testing (Refer

 

The design should ensure that session tokens are

OWASP Testing Guide)

 

adequately protected from guessing during an

(Application level)

 

authenticated session.

 

 

4

Error handling:

Assessment/Testing (Refer

 

The design should ensure that the application does

OWASP Testing Guide)

 

not present user error messages to the outside world

(Application level)

 

which can be used for attacking the application.

 

 

5

Input validation:

Assessment/Testing (Refer

 

The application may accept input at multiple points

OWASP Testing Guide)

 

from external sources, such as users, client

(Application level)

 

applications, and data feeds. It should perform

 

 

 

validation checks of the syntactic and semantic

 

 

 

validity of the input. It should also check that input

 

 

 

data does not violate limitations of underlying or

 

 

 

dependent components, particularly string length and

 

 

 

character set.

 

 

 

All user‐supplied fields should be validated at the

 

 

 

 

 

49

 

 

server side.

 

 

 

6

Application logging and monitoring:

 

Functionality Verification of

 

 

Logging should be enabled across all applications in

 

the implementation

 

 

the environment. Log file data is important for

 

(Application level)

 

 

incident and trend analysis as well as for auditing

 

 

 

 

 

purposes.

 

 

 

 

 

The application should log failed and successful

 

 

 

 

 

authentication attempts, changes to application data

 

 

 

 

 

including user accounts, serve application errors, and

 

 

 

 

 

failed and successful access to resources

 

 

 

 

Table 4: Application Security Issues During Deployment & Use

 

Sl.

Issues to be Checked

Means of Checking

 

 

No.

 

 

 

 

 

1

Availability /Clustering /Load balancing:

Verification of the

 

 

 

Depending on the number of expected hits and

implementation

 

 

 

access the option for clustering of servers and load

(Network level)

 

 

 

balancing of the web application shall be

 

 

 

 

 

implemented

 

 

 

 

2

Application and data recovery:

Review of backup policies,

 

 

 

Suitable management procedure shall be deployed

procedures and the backup

 

 

 

for regular back‐up of application and data. The

and restoration records.

 

 

 

regularity of data backup shall be in commensurate

(Network level)

 

 

 

with the nature of transaction/ business translated

 

 

 

 

 

into the e‐procurement system.

 

 

 

 

3

Integrity of the Application, Control of source code.

Review of the configuration

 

 

 

Configuration management:

management procedure,

 

 

 

Suitable management control shall be implemented

mechanism and its

 

 

 

on availability of updated source code and its

implementation

 

 

 

deployment. Strict configuration control is

(Network level)

 

 

 

recommended to ensure that the latest software in

 

 

 

 

 

the production system.

 

 

 

 

Table 5: Application Security Issues during Data Storage & Communication

 

Sl.

Issues to be Checked

Means of Checking

 

 

No.

 

 

 

 

 

1

Encryption for data storage:

Verification of the

 

 

 

Sensitive data should be encrypted or hashed in the

implementation

 

 

 

database and file system. The application should

(Application level)

 

 

 

differentiate between data that is sensitive to

 

 

 

 

 

disclosure and must be encrypted, data that is

 

 

 

 

 

sensitive only to tampering and for which a keyed

 

 

 

 

 

hash value (HMAC) must be generated, and data

 

 

 

 

 

that can be irreversibly transformed (hashed)

 

 

 

 

 

without loss of functionality (such as passwords).

 

 

 

 

 

The application should store keys used for

 

 

 

 

 

decryption separately from the encrypted data.

 

 

 

 

2

Data transfer security:

Verification of the

 

 

 

Sensitive data should be encrypted prior to

implementation

 

 

 

transmission to other components. Verify that

(Application level, as well as,

 

 

 

intermediate components that handle the data in

Network level)

 

50

 

clear‐text form, prior to transmission or subsequent

 

 

to receipt, do not present an undue threat to the

 

 

data. The application should take advantage of

 

 

authentication features available within the

 

 

transport security mechanism.

 

 

Specially, encryption methodology like SSL must be

 

 

deployed while communicating with the payment

 

 

gateway over public network.

 

3

Access control:

Testing/Assessment of the

 

Applications should enforce an authorization

access control

 

mechanism that provides access to sensitive data

implementation as per

 

and functionality only to suitably permitted users or

defined policies.

 

clients.

(Application level)

 

Role‐based access controls should be enforced at

 

 

the database level as well as at the application

 

 

interface. This will protect the database in the

 

 

event that the client application is exploited.

 

 

Authorization checks should require prior successful

 

 

authentication to have occurred.

 

 

All attempts to obtain access, without proper

 

 

authorization should be logged

 

 

Conduct regular testing of key applications that

 

 

process sensitive data and of the interfaces

 

 

available to users from the Internet include both

 

 

“black box” informed” testing against the

 

 

application. Determine if users can gain access to

 

 

data from other accounts.

 

51

Annexure‐III – Checklist for Compliance to GOI procurement procedures

GFR 2005, Government of India, Ministry of Finance, Department of Expenditure

The contents of GFR 2005 are as follows:

 

Chapter

 

 

Name of the Chapter

 

 

 

 

 

 

 

 

 

 

 

1.

 

 

Introduction

2.

 

 

General System of Financial Management

 

 

 

 

I. General Principles relating to expenditure & payment of money

 

 

 

 

II. Defalcation and losses

 

 

 

 

III. Submission of records & information

3.

 

 

Budget formulation and implementation

4.

 

 

Government Accounts

5.

 

 

Works

6.

 

 

Procurement of Goods and Services

 

 

 

 

I. Procurement of Goods

 

 

 

 

II. Procurement of Services

7.

 

 

Inventory Management

8.

 

 

Contract Management

9.

 

 

Grants‐in‐aid and Loans

10.

 

 

Budgeting and Accounting for Externally Aided Projects

 

 

 

 

11.

 

 

Government Guarantees

12.

 

 

Miscellaneous Subjects

 

 

 

 

I. Establishment

 

 

 

 

II. Refund of revenue

 

 

 

 

III. Debt and misc. obligations of Govt.

 

 

 

IV. Security deposits

 

 

 

V. Transfer of land and buildings

 

 

 

VI. Charitable endowments and other trusts

 

 

 

VII. Local bodies

 

 

 

VIII. Destruction of records connected with Accounts

 

 

 

IX. Contingent and Miscellaneous Expenditure.

Chapter‐6, Procurement of Good & Services is applicable for e‐Procurement System (EPS).

The list of GFR requirements given below provides general guidelines about the applicability of the requirements in the EPS and the verification mechanism. The assumption has been made that in an ideal situation, all the GFR requirements will be applicable to the EPS. However, in actual situation, depending on the client’s (buyer organization) requirements, all the GFR requirements may not be applicable and hence not addressed by the EPS. Therefore, it is recommended that the EPS solution/ service provider uses this list as a guideline and prepares similar list for the EPS being developed as per the applicability of the GFR requirements.

The compliance to applicable GFR requirements may be verified as follows:

In case of manual procurement system, compliance verification may be done through process audit of the policy & procedures of the client’s (buyer organization). It is up to the client to perform the process audit to ensure compliance.

In case of e‐procurement system, compliance verification shall be done through testing and audit of the functionalities in the EPS solution. It is recommended; that internal verification may be done by the EPS solution provider and also be externally verified by Third Party Agency for client’s acceptance.

52

RuleDescription

General

GFR covers Rules relating to – Tenders relating to Works, Goods and Services. The e‐procurement system should have functionality to cover all kinds of tenders, whether the tenders relate to Works, Goods or Services. While some specific rules relating to procurement of Goods and Services are outlined below, corresponding functionality for Works tenders should also be implemented in the e‐ procurement system.

To Be Addressed

By

Compliance Verification

Chapter 6: Procurement of Goods and Services ‐ Guidelines

Rule

 

Description

 

To Be Addressed By

Compliance

 

 

 

 

 

 

 

Verification

 

A) Procurement of Goods: Rule 135 to 162

 

 

135

This chapter contains the general rules applicable

 

to all Ministries or Departments, regarding

 

 

 

procurement of goods required for use in the

 

 

 

public service. Detailed instructions relating to

 

 

 

procurement of goods may be issued by the

 

 

 

procuring departments broadly in conformity

 

 

 

with the general rules contained in this Chapter.

 

 

136

Definition of Goods The term 'goods' used in this

 

chapter

includes

all

articles,

material,

 

 

 

commodities, livestock, furniture, fixtures, raw

 

 

 

material,

spares,

instruments,

machinery,

 

 

 

equipment, industrial plant etc. purchased or

 

 

 

otherwise acquired for the use of Government

 

 

 

but excludes books, publications, periodicals, etc.

 

 

 

for a library.

 

 

 

 

 

137

Fundamental principles of public buying:

e‐procurement System

Functionality

 

Every authority delegated with the financial

should have functionality

Verification/Testing

 

powers of procuring goods in public interest shall

to ensure transparency,

of related

 

have the responsibility and accountability to bring

accountability, fairness

‘features’ and

 

efficiency, economy, and transparency in matters

and equitable treatment

‘explanations’

 

relating to public procurement and for fair and

of suppliers. This should

given by the e‐

 

equitable treatment of suppliers and promotion

be ensured by e‐

procurement/ e‐

 

of competition in public procurement.

 

procurement system

tendering

 

The procedure to be followed in making public

strictly and satisfactorily

software/ service

 

procurement must conform to the following

addressing the various

provider against

 

yardsticks:

 

 

 

 

issues especially outlined

relevant sections

 

(i) The specifications in terms of quality, type etc.,

in Annexure‐I of these

and points of

 

as also quantity of goods to be procured, should

Guidelines. Specifically for

Annexure‐I of

 

be clearly spelt out keeping in view the specific

fairness it must be

these Guidelines

 

needs of the procuring organisations. The

ensured that the e‐

 

 

specifications so worked

out should

meet the

procurement system

 

 

 

 

 

 

 

 

53

basic needs of the organisation without including

supports all legitimate

superfluous and non‐essential features, which

processes and

may result in unwarranted expenditure. Care

methodologies for

should also be taken to avoid purchasing

inviting bids in a

quantities in excess of requirement to avoid

transparent manner, and

inventory carrying costs;

under no circumstances

(ii) Offers should be invited following a fair,

should the confidentiality

transparent and reasonable procedure;

of the bid be

(iii)The procuring authority should be satisfied compromised before the that the selected offer adequately meets the Online Public Tender

requirement in all respects;

Opening Event.

(iv)The procuring authority should satisfy itself Importantly, a properly that the price of the selected offer is reasonable conducted Public Tender

and consistent with the quality required;

Opening Event is the

(v)At each stage of procurement the concerned backbone of transparency procuring authority must place on record, in in public procurement. precise terms, the considerations which weighed The e‐procurement

with it while taking the procurement decision.

system must have a very

 

 

transparent and

 

 

comprehensive Online

 

 

Public Tender Opening

 

 

Event. For accountability,

 

 

there should be a

 

 

comprehensive Hierarchy

 

 

and Role Authorization of

 

 

officers with detailed

 

 

Audit Trails as outlined in

 

 

Annexure‐I of these

 

 

Guidelines.

 

 

Where required,

 

 

functionality of the e‐

 

 

procurement system

 

 

should be supplemented

 

 

with Procurement Policy

 

 

& Procedures internal to

 

 

the Buyer organization.

 

138 Authorities competent to purchase goods:

e‐procurement System

Functionality

An authority which is competent to incur

should have functionality

Verification/Testing

contingent expenditure may sanction the

for Requisition

& Audit

purchase of goods required for use in public

Management (ie Indent

 

service in accordance with Schedule V of the

Management) with digital

 

Delegation of Financial Powers Rules, 1978,

signatures.

 

following the general procedure contained in the

 

 

following rules.

 

 

139 Procurement of goods required on mobilisation:

Procurement Policy &

Process Audit

Procurement of goods required on mobilisation

Procedures internal to

 

and/ or during the continuance of Military

the Buyer organization

 

operations shall be regulated by special rules and

Note: Generally no

 

orders issued by the Government on this behalf

 

from time to time.

specific requirements for

 

 

e‐procurement.

 

 

 

54

140

Powers for procurement of goods:

 

Procurement Policy &

Process

 

The Ministries or Departments have been

Procedures internal to

Audit

 

delegated full powers to make their own

the Buyer organization

 

 

arrangements for procurement of goods. In case

Note: Generally no

 

 

however, a Ministry or Department does not have

 

 

the required expertise, it may project its indent to

specific requirements for

 

 

the Central Purchase Organisation (e.g. DGS&D)

e‐procurement.

 

 

with the approval of competent authority. The

 

 

 

indent form to be utilised for this purpose will be

 

 

 

as per the standard form evolved by the Central

 

 

 

Purchase Organisation.

 

 

 

141

Rate contract:

 

Procurement Policy &

Process

 

The Central Purchase Organisation (e.g. DGS&D)

Procedures internal to

Audit

 

shall conclude rate contracts with the registered

the Buyer organization

 

 

suppliers, for goods and items of standard types,

Note: Generally no

 

 

which are identified as common user items and

 

 

are needed on recurring basis by various Central

specific requirements for

 

 

Government Ministries or Departments.

 

e‐procurement.

 

 

Definition of Registered suppliers is given in Rule

 

 

 

142 below. The Central Purchase Organisation

 

 

 

will furnish and update all the relevant details of

 

 

 

the rate contracts in its web site. The Ministries

 

 

 

or Departments shall follow those rate contracts

 

 

 

to the maximum extent possible.

 

 

 

142

Registration of suppliers:

 

Procurement Policy &

Process

 

With a view to establishing reliable sources for

Procedures internal to

Audit

 

procurement of goods commonly required for

the Buyer organization

Functionality

 

Government use, the Central Purchase

 

 

Organisation (e.g. DGS&D) will prepare and

Note: Generally no

Verification/Testing

 

maintain item‐wise lists of eligible and capable

specific requirements for

 

 

suppliers. Such approved suppliers will be known

e‐procurement.

 

 

as "Registered Suppliers". All Ministries or

 

 

 

Departments may utilise these lists as and when

 

 

 

necessary. Such registered suppliers are prima

 

 

 

facie eligible for consideration for procurement of

 

 

 

goods through Limited Tender Enquiry. They are

 

 

 

also ordinarily exempted from furnishing bid

 

 

 

security along with their bids. A Head of

 

 

 

Department may also register suppliers of goods

 

 

 

which are specifically required by that

 

 

 

Department or Office.

 

 

 

 

(ii) Credentials, manufacturing capability, quality

 

 

 

control systems, past performance, after‐sales

 

 

 

service, financial background etc. of

the

 

 

 

supplier(s) should be carefully verified before

 

 

 

registration.

 

 

 

 

(iii) The supplier(s) will be registered for a fixed

 

 

 

period (between 1 to 3 years) depending on the

 

 

 

nature of the goods. At the end of this period, the

 

 

 

registered supplier(s) willing to continue with

 

 

 

registration are to apply afresh for renewal of

 

 

 

registration. New supplier(s) may also

be

 

 

 

 

 

 

55

 

considered for registration at any time, provided

 

 

 

they fulfil all the required conditions.

 

 

 

(iv) Performance and conduct of every registered

 

 

 

supplier is to be watched by the concerned

 

 

 

Ministry or Department. The registered

 

 

 

supplier(s) are liable to be removed from the list

 

 

 

of approved suppliers if they fail to abide by the

 

 

 

terms and conditions of the registration or fail to

 

 

 

supply the goods on time or supply substandard

 

 

 

goods or make any false declaration to any

 

 

 

Government agency or for any ground which, in

 

 

 

the opinion of the Government, is not in public

 

 

 

interest.

 

 

143

Enlistment of Indian agents:

e‐procurement System

Functionality

 

As per the Compulsory Enlistment Scheme of the

should have feature for

Verification/Testing

 

Department of Expenditure, Ministry of Finance,

bidder (Indian Agent) to

& Audit

 

it is compulsory for Indian agents, who desire to

be able to furnish details

 

 

quote directly on behalf of their foreign

of their enlisting with the

 

 

principals, to get themselves enlisted with the

concerned Central

 

 

Central Purchase Organisation (eg. DGS&D).

Purchase Organization in

 

 

However, such enlistment is not equivalent to

the bid.

 

 

registration of suppliers as mentioned under Rule

 

 

 

142 above.

 

 

144

Reserved items:

e‐procurement System

Functionality

 

The Central Government, through administrative

should have feature for

Verification/

 

instructions, has reserved all items of handspun

Tender Notice to highlight

Testing

 

and handwoven textiles (khadi goods) for

such special reservations.

 

 

exclusive purchase from Khadi Village Industries

 

 

 

Commission (KVIC). It has also reserved all items

 

 

 

of handloom textiles required by Central

 

 

 

Government departments for exclusive purchase

 

 

 

from KVIC and/or the notified handloom units of

 

 

 

ACASH (Association of Corporations and Apex

 

 

 

Societies of Handlooms). The Central Government

 

 

 

has also reserved some items for purchase from

 

 

 

registered Small Scale Industrial Units. The

 

 

 

Central Departments or Ministries are to make

 

 

 

their purchases for such reserved goods and

 

 

 

items from such units as per the instructions

 

 

 

issued by the Central Government in this regard.

 

 

145

Purchase of goods without quotation (Upto

Procurement Policy &

Process Audit

 

Rs.15,000/‐):

Procedures internal to

 

 

Purchase of goods upto the value of Rs. 15,000/‐

the Buyer organization

 

 

(Rupees Fifteen Thousand) only on each occasion

Note: Generally no

 

 

may be made without inviting quotations or bids

 

 

on the basis of a certificate to be recorded by the

specific requirements for

 

 

competent authority in the following format.

e‐procurement.

 

 

"I, ___________________, am personally satisfied

 

 

 

that these goods purchased are of the requisite

 

 

 

quality and specification and have been

 

 

 

purchased from a reliable supplier at a reasonable

 

 

 

price."

 

 

 

 

 

56

146

Purchase of goods by purchase committee

Procurement Policy &

Process Audit

 

(Above Rs.15,000/‐ & upto Rs.1,00,000/‐):

Procedures internal to

 

 

Purchase of goods costing above Rs. 15,000/‐

the Buyer organization

 

 

(Rupees Fifteen Thousand) only and upto Rs.

 

 

 

1,00,000/‐ (Rupees One lakh) only on each

Note: Generally no

 

 

occasion may be made on the recommendations

specific requirements for

 

 

of a duly constituted Local Purchase Committee

e‐procurement.

 

 

consisting of three members of an appropriate

 

 

 

level as decided by the Head of the Department.

 

 

 

The committee will survey the market to

 

 

 

ascertain the reasonableness of rate, quality and

 

 

 

specifications and identify the appropriate

 

 

 

supplier. Before recommending placement of the

 

 

 

purchase order, the members of the committee

 

 

 

will jointly record a certificate as under.

 

 

 

"Certified that we _____________________,

 

 

 

members of the purchase

 

 

 

committee are jointly and individually satisfied

 

 

 

that the goods recommended for purchase are of

 

 

 

the requisite specification and quality, priced at

 

 

 

the prevailing market rate and the supplier

 

 

 

recommended is reliable and competent to

 

 

 

supply the goods in question."

 

 

147

Purchase of goods directly under rate contract:

Procurement Policy &

Process Audit

 

(1) In case a Ministry or Department directly

Procedures internal to

 

 

procures Central Purchase Organisation (e.g.

the Buyer organization

 

 

DGS&D) rate contracted goods from suppliers,

Note: Generally no

 

 

the prices to be paid for such goods shall not

 

 

exceed those stipulated in the rate contract and

specific requirements for

 

 

the other salient terms and conditions of the

e‐procurement.

 

 

purchase should be in line with those specified in

 

 

 

the rate contract. The Ministry or Department

 

 

 

shall make its own arrangement for inspection

 

 

 

and testing of such goods where required.

 

 

 

(2) The Central Purchase Organisation (e.g.

 

 

 

DGS&D) should host the specifications, prices and

 

 

 

other salient details of different rate contracted

 

 

 

items, appropriately updated, on the web site for

 

 

 

use by the procuring Ministry or Department.

 

 

148

A demand for goods should not be divided into

Procurement Policy &

Process Audit

 

small quantities to make piece meal purchases to

Procedures internal to

 

 

avoid the necessity of obtaining the sanction of

the Buyer organization

 

 

higher authority required with reference to the

 

 

 

estimated value of the total demand.

Note: Generally no

 

 

 

specific requirements for

 

 

 

e‐procurement.

 

149

Purchase of goods by obtaining bids:

Procurement Policy &

Process

 

Except in cases covered under Rule 145, 146 and

Procedures

Audit

 

147(1), Ministries or Departments shall procure

 

 

 

goods under the powers referred to in Rule 140

e‐procurement system

Functionality

 

above by following the standard method of

should have functionality

Verification/Testing

 

obtaining bids in:

for creating and

of related

 

 

 

57

(i) Advertised Tender Enquiry;

managing Tender Notices,

‘features’ and

(ii) Limited Tender Enquiry;

Corrigenda, Tender

‘explanations’

(iii) Single Tender Enquiry.

Documents, Addenda;

given by the e‐

 

floating Open Tenders, as

procurement/ e‐

 

well as, Limited Tenders

tendering

 

(Single Tenders being a

software/ service

 

special case of Limited

provider against

 

Tenders);

relevant sections

 

and functionality for

and points of

 

other associated

Annexure‐I

 

processes

 

150 Advertised tender enquiry:

e‐procurement System

Functionality

(i) Subject to exceptions incorporated under

should have functionality

Verification/Testing

Rules 151 and 154, invitation to tenders by

for creating and

of related

advertisement should be used for procurement of

managing Tender Notices,

‘features’ and

goods of estimated value Rs. 25 lakh (Rupees

Corrigenda, Tender

‘explanations’

Twenty Five Lakh) and above. Advertisement in

Documents, Addenda;

given by the e‐

such case should be given in the Indian Trade

floating Open Tenders

procurement/ e‐

Journal (ITJ), published by the Director General of

with functionality for

tendering

Commercial Intelligence and Statistics, Kolkata

other associated

software/ service

and at least in one national daily having wide

processes. Cost of priced

provider against

circulation.

Tender Documents

relevant sections

(ii) An organisation having its own web site should

should be payable online

and points of

also publish all its advertised tender enquiries on

at the time of

Annexure‐I.

the web site and provide a link with NIC web site.

downloading tender

In addition, audit of

It should also give its web site address in the

documents, or payable

advertisements in ITJ and newspapers.

offline parallel to the

the Procurement

(iii) The organisation should also post the

online bid‐submission

Policy &

complete bidding document in its web site and

before the bid‐submission

Procedures of the

permit prospective bidders to make use of the

deadline. In the latter

concerned Buyer

document downloaded from the web site. If such

case, provision should be

organization can be

a downloaded bidding document is priced, there

there to take the offline

carried out.

should be clear instructions for the bidder to pay

payment on record during

 

the amount by demand draft etc. along with the

the Public TOE.

 

bid.

 

 

(iv)Where the Ministry or Department feels that In addition, the the goods of the required quality, specifications concerned Buyer

etc., may not be available in the country and it is organization should have necessary to also look for suitable competitive Procurement Policy & offers from abroad, the Ministry or Department Procedures to implement may send copies of the tender notice to the the other requirements Indian embassies abroad as well as to the foreign

embassies in India. The selection of the embassies will depend on the possibility of availability of the required goods in such countries.

(v)Ordinarily, the minimum time to be allowed

for submission of bids should be three weeks from the date of publication of the tender notice or availability of the bidding document for sale, whichever is later. Where the department also contemplates obtaining bids from abroad, the minimum period should be kept as four weeks for

58

both domestic and foreign bidders.

 

 

151 Limited tender enquiry:

e‐procurement System

Functionality

(i) This method may be adopted when estimated

should have functionality

Verification/Testing

value of the goods to be procured is up to Rupees

for inviting Limited

of related

Twenty‐five Lakhs. Copies of the bidding

Tenders (Domestic, as

‘features’ and

document should be sent directly by speed post/

well as, Global) with all

‘explanations’

registered post/courier/ e‐mail to firms which are

related features such as ‐‐

given by the e‐

borne on the list of registered suppliers for the

creating and managing

procurement/ e‐

goods in question as referred under Rule 142

Tender Notices,

tendering

above.

Corrigenda, Tender

software/ service

The number of supplier firms in Limited Tender

Documents, Addenda,

provider against

Enquiry should be more than three. Further, web

sending Invitation Letters,

relevant sections

based publicity should be given for limited

etc. Relevant Supplier

and points of

tenders. Efforts should be made to identify a

organizations registered

Annexure‐I.

higher number of approved suppliers to obtain

by the Buyer under Rule

 

more responsive bids on competitive basis.

142 should be sent

In addition, audit of

(ii) Purchase through Limited Tender Enquiry may

Invitation Letters.

the Procurement

be adopted even where the estimated value of

For web‐publicity Tender

Policy &

the procurement is more than Rupees twenty five

Notices of such Limited

Procedures of the

Lakhs, in the following circumstances.

Tenders (or Short‐Term

concerned Buyer

(a) The competent authority in the Ministry or

tenders) should be posted

organization can be

Department certifies that the demand is urgent

on the e‐procurement

carried out.

and any additional expenditure involved by not

website for general

 

procuring through advertised tender enquiry is

publicity. This is also a

 

justified in view of urgency. The Ministry or

CVC requirement.

 

Department should also put on record the nature

In addition, the

 

of the urgency and reasons why the procurement

 

could not be anticipated.

concerned Buyer

 

(b)There are sufficient reasons, to be recorded in organization should have writing by the competent authority, indicating Procurement Policy & that it will not be in public interest to procure the Procedures to implement

goods through advertised tender enquiry.

the other requirements

 

(c) The sources of supply are definitely known and

 

 

possibility of fresh source(s) beyond those being

 

 

tapped is remote.

 

 

(iii) Sufficient time should be allowed for

 

 

submission of bids in Limited Tender Enquiry

 

 

cases.

 

 

152 Two bid system:

e‐procurement System

Functionality

For purchasing high value plant, machinery etc. of

should have functionality

Verification/Testing

a complex and technical nature, bids may be

for inviting ‘Single Stage

of related

obtained in two parts as under :‐

Two Envelope’ tenders or

‘features’ and

(a) Technical bid consisting of all technical details

Two‐Stage tenders (as

‘explanations’

alongwith commercial terms and conditions; and

mentioned in CVC

given by the e‐

(b) Financial bid indicating item‐wise price for the

guidelines), with secure

procurement/ e‐

items mentioned in the technical bid.

methodology for sealing

tendering

The technical bid and the financial bid should be

bids (ie data encryption of

software/ service

sealed by the bidder in separate covers duly

both the ‘Technical’, as

provider against

superscribed and both these sealed covers are to

well as, ‘Financial’ bid

relevant sections

be put in a bigger cover which should also be

parts by the bidder

and points of

sealed and duly superscribed. The technical bids

himself before bid‐

Annexure‐I.

are to be opened by the purchasing Ministry or

submission. In addition,

 

 

 

59

 

Department at the first instance and evaluated by

there should be

 

 

a competent committee or authority. At the

functionality for opening

 

 

second stage financial bids of only the technically

only the technical bids

 

 

acceptable offers should be opened for further

first; functionality for

 

 

evaluation and ranking before awarding the

creating a short‐list of

 

 

contract.

technically responsive

 

 

 

bidders; functionality for

 

 

 

a second tender opening

 

 

 

event for opening the

 

 

 

financial bids of the

 

 

 

technically responsive

 

 

 

bidders

 

153

Late bids:

e‐procurement System

Functionality

 

In the case of advertised tender enquiry or

should have functionality

Verification/Testing

 

limited tender enquiry, late bids (i.e. bids

for ‘Not Accepting Late

 

 

received after the specified date and time for

Bids’

 

 

receipt of bids) should not be considered.

 

 

154

Single tender enquiry:

e‐procurement System

Functionality

 

Procurement from a single source may be

should have functionality

Verification/Testing

 

resorted to in the following circumstances:

for inviting bid from only

In addition, audit of

 

(i) It is in the knowledge of the user department

one specified Supplier

 

that only a particular firm is the manufacturer of

organization with all

the Procurement

 

the required goods.

features applicable for

Policy &

 

(ii) In a case of emergency, the required goods are

Limited Tenders as

Procedures of the

 

necessarily to be purchased from a particular

highlighted above.

concerned Buyer

 

source and the reason for such decision is to be

In addition, the

organization can be

 

recorded and approval of competent authority

carried out.

 

obtained.

concerned Buyer

 

(iii)For standardisation of machinery or spare organization should have parts to be compatible to the existing sets of Procurement Policy & equipment (on the advice of a competent Procedures to implement technical expert and approved by the competent the other requirements authority), the required item is to be purchased

only from a selected firm.

Note: Proprietary Article Certificate in the following form is to be provided by the Ministry / Department before procuring the goods from a single source under the provision of sub Rule 154

(i)and 154 (iii) as applicable.

(i)The indented goods are manufactured by

M/s……..………………..

(ii)No other make or model is acceptable for the following reasons: ……………………….

(iii)Concurrence of finance wing to the proposal vide: ………………..

(iv)Approval of the competent authority vide:

………………………

________________________

(Signature with date and designation

of the procuring officer)'

 

 

155 Contents of bidding document:

e‐procurement System

Functionality

All the terms, conditions, stipulations and

should have functionality

Verification/Testing

 

 

60

 

information to be incorporated in the bidding

for – General Terms and

In addition, audit of

 

document are to be shown in the appropriate

Conditions, Special Terms

 

chapters as below:

 

 

 

and Conditions, Detailed

the Procurement

 

Chapter–1: Instructions to Bidders.

 

Tender Documents and

Policy &

 

Chapter–2: Conditions of Contract.

 

Electronic Form (for

Procedures of the

 

Chapter–3: Schedule of Requirements.

 

Technical details) and

concerned Buyer

 

Chapter–4: Specifications and allied Technical

Electronic Form (for

organization can be

 

Details.

 

 

 

 

Financial details).

carried out.

 

Chapter–5: Price Schedule (to be utilised by the

 

 

 

bidders for quoting their prices).

 

In addition, the

 

 

Chapter–6: Contract Form.

 

 

concerned Buyer

 

 

Chapter–7: Other Standard Forms, if any, to be

organization should have

 

 

utilised by the purchaser and the bidders.

Procurement Policy &

 

 

 

 

 

 

 

Procedures to implement

 

 

 

 

 

 

 

the other requirements

 

156

Maintenance contract:

 

 

e‐procurement System

Functionality

 

Depending on the cost and nature of the goods to

should have functionality

Verification/Testing

 

be purchased, it may also be necessary to enter

for inviting bids for such

In addition, audit of

 

into maintenance contract(s) of suitable period

Maintenance contracts.

 

either with the supplier of the goods or with any

 

the Procurement

 

other competent firm, not necessarily the

In addition, the

Policy &

 

supplier of the subject goods. Such maintenance

concerned Buyer

Procedures of the

 

contracts are especially needed for sophisticated

organization should have

concerned Buyer

 

and costly equipment and machinery. It may

Procurement Policy &

organization can be

 

however be kept in mind that the equipment or

Procedures to implement

carried out.

 

machinery is maintained free of charge by the

the other requirements

 

 

supplier during its warranty period or such other

 

 

 

extended periods as the contract terms may

 

 

 

provide and the paid maintenance should

 

 

 

commence only thereafter.

 

 

 

 

157

Bid security:

 

 

 

 

e‐procurement System

Functionality

 

(i) To safeguard against a bidder’s withdrawing or

should have functionality

Verification/Testing

 

altering its bid during the bid validity period in the

for payment of Bid

In addition, audit of

 

case of advertised or limited tender enquiry, Bid

Security (ie Earnest

 

Security (also known as Earnest Money) is to be

Money Deposit) as per

the Procurement

 

obtained from the bidders except those who are

instructions of the Buyer,

Policy &

 

registered

with

the

Central

Purchase

either online at the time

Procedures of the

 

Organisation,

National

Small

Industries

of online bid‐submission

concerned Buyer

 

Corporation (NSIC) or the concerned Ministry or

(subject to the payment

organization can be

 

Department. The bidders should be asked to

limits of the Payment

carried out.

 

furnish bid security along with their bids. Amount

Gateway), or payable

 

 

of bid security should ordinarily range between

offline parallel to the

 

 

two percent to five percent of the estimated

online bid‐submission

 

 

value of the goods to be procured. The exact

before the bid‐submission

 

 

amount of bid security should be determined

deadline. In the latter

 

 

accordingly by the Ministry or Department and

case, provision should be

 

 

indicated in the bidding documents. The bid

there to take the offline

 

 

security may be accepted in the form of Account

payment on record during

 

 

Payee Demand Draft, Fixed Deposit Receipt,

the Public TOE.

 

 

Banker's Cheque or Bank Guarantee from any of

In addition, the

 

 

the commercial banks in an acceptable form,

 

 

safeguarding

the

purchaser's interest in all

concerned Buyer

 

 

 

 

 

 

 

 

61

 

respects. The bid security is normally to remain

organization should have

 

 

valid for a period of forty‐five days beyond the

Procurement Policy &

 

 

final bid validity period.

Procedures to implement

 

 

(ii) Bid securities of the unsuccessful bidders

the other requirements

 

 

should be returned to them at the earliest after

 

 

 

expiry of the final bid validity and latest on or

 

 

 

before the 30th day after the award of the

 

 

 

contract.

 

 

158

Performance security:

e‐procurement System

Functionality

 

(i) To ensure due performance of the contract,

should have functionality

Verification/Testing

 

Performance Security is to be obtained from the

for recording important

In addition, audit of

 

successful bidder awarded the contract.

milestones of Contract

 

Performance Security is to be obtained from

Execution which would

the Procurement

 

every successful bidder irrespective of its

include submission of

Policy &

 

registration status etc. Performance Security

Performance Security by

Procedures of the

 

should be for an amount of five to ten per cent. of

the successful bidder(s)

concerned Buyer

 

the value of the contract. Performance Security

 

organization can be

 

may be furnished in the form of an Account payee

In addition, the

carried out.

 

Demand Draft, Fixed Deposit Receipt from a

concerned Buyer

 

 

Commercial bank, Bank Guarantee from a

organization should have

 

 

Commercial bank in an acceptable form

Procurement Policy &

 

 

safeguarding the purchasers’ interest in all

Procedures to implement

 

 

respects.

the other requirements

 

 

(ii) Performance Security should remain valid for a

 

 

 

period of sixty days beyond the date of

 

 

 

completion of all contractual obligations of the

 

 

 

supplier including warranty obligations.

 

 

 

(iii) Bid security should be refunded to the

 

 

 

successful bidder on receipt of Performance

 

 

 

Security.

 

 

159

(1) Advance payment to supplier: Ordinarily,

e‐procurement System

Functionality

 

payments for services rendered or supplies made

should have functionality

Verification/Testing

 

should be released only after the services have

for recording important

In addition, audit of

 

been rendered or supplies made. However, it may

milestones of Contract

 

become necessary to make advance payments in

Execution which would

the Procurement

 

the following types of cases:

include Advance

Policy &

 

(i) Advance payment demanded by firms holding

Payments and other

Procedures of the

 

maintenance contracts for servicing of Air‐

payments made to the

concerned Buyer

 

conditioners, computers, other costly equipment,

successful bidder(s)/

organization can be

 

etc.

suppliers.

carried out.

 

(ii) Advance payment demanded by firms against

In addition, the

 

 

fabrication contracts, turn‐key contracts etc.

 

 

Such advance payments should not exceed the

concerned Buyer

 

 

following limits:

organization should have

 

 

(i) Thirty per cent. of the contract value to private

Procurement Policy &

 

 

firms;

Procedures to implement

 

 

(ii) Forty per cent. of the contract value to a State

the other requirements

 

 

or Central Government agency or a Public Sector

 

 

 

Undertaking; or

 

 

 

(iii) In case of maintenance contract, the amount

 

 

 

should not exceed the amount payable for six

 

 

 

months under the contract.

 

 

 

 

 

62

Ministries or Departments of the Central Government may relax, in consultation with their Financial Advisers concerned, the ceilings (including percentage laid down for advance payment for private firms) mentioned above. While making any advance payment as above, adequate safeguards in the form of bank guarantee etc. should be obtained from the firm.

(2)Part payment to suppliers: Depending on the terms of delivery incorporated in a contract, part payment to the supplier may be released after it dispatches the goods from its premises in terms of the contract.

160 Transparency, competition, fairness and

e‐procurement System

Functionality

elimination of arbitrariness in the procurement

should have functionality

Verification/Testing

process:

to ensure transparency,

 

All government purchases should be made in a

accountability, fairness

In addition, Audit

transparent, competitive and fair manner, to

and elimination of

of the Procurement

secure best value for money. This will also enable

arbitrariness in the

Policy &

the prospective bidders to formulate and send

procurement process.

Procedures of the

their competitive bids with confidence. Some of

This should be ensured by

concerned Buyer

the measures for ensuring the above are as

e‐procurement system

organization can be

follows:

strictly and satisfactorily

carried out.

(i)The text of the bidding document should be addressing the various self‐contained and comprehensive without any issues especially outlined ambiguities. All essential information, which a in Annexure‐I of these bidder needs for sending responsive bid, should Guidelines. Specifically for be clearly spelt out in the bidding document in fairness it must be simple language. The bidding document should ensured that the e‐

contain, inter alia;

procurement system

(a)The criteria for eligibility and qualifications supports all legitimate to be met by the bidders such as minimum processes and

level of experience, past performance, methodologies for technical capability, manufacturing facilities inviting bids in a

and financial position etc.;

transparent manner, and

(b)Eligibility criteria for goods indicating any under no circumstances legal restrictions or conditions about the origin should the confidentiality of goods etc. which may be required to be met of the bid be

by the successful bidder;

compromised before the

(c) The procedure as well as date, time and

Online Public Tender

place for sending the bids;

Opening Event.

(d) Date, time and place of opening of the bid;

Importantly, a properly

(e) Terms of delivery;

conducted Public Tender

(f) Special terms affecting performance, if any.

Opening Event is the

(ii)Suitable provision should be kept in the backbone of transparency bidding document to enable a bidder to question in public procurement. the bidding conditions, bidding process and/ or The e‐procurement

rejection of its bid.

system must have a very

(iii) Suitable provision for settlement of disputes,

transparent and

if any, emanating from the resultant contract,

comprehensive Online

should be kept in the bidding document.

Public Tender Opening

(iv) The bidding document should indicate clearly

Event with simultaneous

63

that the resultant contract will be interpreted

online presence of

under Indian Laws.

authorized

(v) The bidders should be given reasonable time

representatives of

to send their bids.

bidders, and to eliminate

(vi)The bids should be opened in public and arbitrariness each opened authorised representatives of the bidders should bid should be

be permitted to attend the bid opening.

countersigned by the

(vii)The specifications of the required goods TOE‐officers in the should be clearly stated without any ambiguity so simultaneous online that the prospective bidders can send meaningful presence of the bids. In order to attract sufficient number of authorized bidders. bidders, the specification should be broad based

to the extent feasible. Efforts should also be In addition, authorized made to use standard specifications which are representatives of

widely known to the industry.

bidders may also be

(viii)Pre‐bid conference: In case of turn‐key present offline during a contract(s) or contract(s) of special nature for TOE. However, to procurement of sophisticated and costly eliminate any equipment, a suitable provision is to be kept in arbitrariness and any the bidding documents for a pre‐bid conference doubt about tampering, for clarifying issues and clearing doubts, if any, the simultaneous online about the specifications and other allied technical presence of bidders details of the plant, equipment and machinery during TOE is important. projected in the bidding document. The date, Bidders may have doubts time and place of pre‐bid conference should be about the transparency of indicated in the bidding document. This date the process if the bids are should be sufficiently ahead of bid opening date. opened by the Buyer

(ix)Criteria for determining responsiveness of independently in the bids, criteria as well as factors to be taken into backend (ie without the account for evaluating the bids on a common simultaneous online platform and the criteria for awarding the presence of bidders), and

contract to the responsive lowest bidder should

then subsequently

be clearly indicated in the bidding documents.

displayed to the bidders.

(x) Bids received should be evaluated in terms of

For comparison, this

the conditions already incorporated in the

would tantamount to bids

bidding documents; no new condition which was

being opened by the

not incorporated in the bidding documents

Buyer in another room

should be brought in for evaluation of the bids.

(where the bidders are

Determination of a bid's responsiveness should

not present), and then

be based on the contents of the bid itself without

brought to a second room

recourse to extrinsic evidence.

where the bidders are

(xi)Bidders should not be permitted to alter or waiting. This is obviously modify their bids after expiry of the deadline for not a transparent public

receipt of bids.

opening, and so it is not

(xii)Negotiation with bidders after bid opening acceptable. must be severely discouraged. However, in

exceptional

circumstances

where

price

Furthermore, e‐

negotiation against an ad‐hoc procurement is

procurement system

necessary

due

to

some

unavoidable

should allow submission

circumstances, the same may be resorted to only

of Modification/

with the lowest evaluated responsive bidder.

 

Substitution/ Withdrawal

(xiii) In the rate contract system, where a number

of bids only till the bid‐

64

 

of firms are brought on rate contract for the same

submission deadline.

 

 

item, negotiation as well as counter offering of

 

 

 

rates are permitted with the bidders in view and

To further eliminate

 

 

for this purpose special permission has been

arbitrariness, the e‐

 

 

given to the Directorate General of Supplies and

procurement system

 

 

Disposals (DGS&D).

should have

 

 

(xiv) Contract should ordinarily be awarded to the

comprehensive

 

 

lowest evaluated bidder whose bid has been

electronic‐forms for

 

 

found to be responsive and who is eligible and

capturing specific data

 

 

qualified to perform the contract satisfactorily as

requirements of each

 

 

per the terms and conditions incorporated in the

tender, and detailed

 

 

corresponding bidding document. However,

response from each

 

 

where the lowest acceptable bidder against ad‐

bidder to General Terms

 

 

hoc requirement is not in a position to supply the

& Conditions (GTC) and

 

 

full quantity required, the remaining quantity, as

Special Terms &

 

 

far as possible, be ordered from the next higher

Conditions (STC).

 

 

responsive bidder at the rates offered by the

Where required,

 

 

lowest responsive bidder.

 

 

(xv) The name of the successful bidder awarded

functionality of the e‐

 

 

the contract should be mentioned in the

procurement system

 

 

Ministries or Departments notice board or

should be supplemented

 

 

bulletin or web site

with Procurement Policy

 

 

 

& Procedures internal to

 

 

 

the Buyer organization.

 

161

Efficiency, Economy and Accountability in public

For accountability, e‐

Functionality

 

procurement system:

procurement system

Verification/Testing

 

Public procurement procedure is also to ensure

should have a

In addition, Audit

 

efficiency, economy and accountability in the

comprehensive Hierarchy

 

system. To achieve the same, the following keys

and Role Authorization of

of the Procurement

 

areas should be addressed:

officers with detailed

Policy &

 

(i) To reduce delay, appropriate time frame for

Audit Trails as outlined in

Procedures of the

 

each stage of procurement should be prescribed

Annexure‐I of these

concerned Buyer

 

by the Ministry or Department. Such a time frame

Guidelines.

organization can be

 

will also make the concerned purchase officials

Where required,

carried out.

 

more alert.

 

 

(ii) To minimise the time needed for decision

functionality of the e‐

 

 

making and placement of contract, every

procurement system

 

 

Ministry/ Department, with the approval of the

should be supplemented

 

 

competent authority, may delegate, wherever

with Procurement Policy

 

 

necessary, appropriate purchasing powers to the

& Procedures internal to

 

 

lower functionaries.

the Buyer organization.

 

 

(iii) The Ministries or Departments should ensure

 

 

 

placement of contract within the original validity

 

 

 

of the bids. Extension of bid validity must be

 

 

 

discouraged and resorted to only in exceptional

 

 

 

circumstances.

 

 

 

(iv) The Central Purchase Organisation (e.g.

 

 

 

DGS&D) should bring into the rate contract

 

 

 

system more and more common user items which

 

 

 

are frequently needed in bulk by various Central

 

 

 

Government departments. The Central Purchase

 

 

 

Organisation (e.g. DGS&D) should also ensure

 

 

 

 

 

65

 

that the rate contracts remain available without

 

 

 

 

any break.

 

 

 

 

 

 

 

 

162

Buy‐back offer:

 

 

 

 

 

e‐procurement System

Functionality

 

When it is decided with the approval of the

 

should have functionality

Verification/Testing

 

competent authority to replace an existing old

where ‘Buy Back Price’

 

 

item(s) with a new and better version,

the

should also be captured

 

 

department may trade the existing old item while

in the Financial‐Bid and

 

 

purchasing the new one. For this

purpose, a

provision should be there

 

 

suitable clause is to be incorporated in the

 

for ‘Net Procurement

 

 

bidding document so that the prospective and

 

Price’ after taking into

 

 

interested bidders formulate their bids

 

account the ‘Buy Back

 

 

accordingly.

Depending

on the

value

and

Price’

 

 

condition of the old item to be traded, the time as

 

 

 

 

well as the mode of handing over the old item to

 

 

 

 

the successful bidder should be decided and

 

 

 

 

relevant details in this regard suitably

 

 

 

 

incorporated in the bidding document. Further,

 

 

 

 

suitable provision should also be kept in the

 

 

 

 

bidding document to enable the purchaser either

 

 

 

 

to trade or not to trade the item while purchasing

 

 

 

 

the new one.

 

 

 

 

 

 

 

 

 

B) Procurement of Services Rule 163 to 177

 

 

 

163

The Ministries or Departments may hire external

 

Procurement Policy &

Process

 

professionals, consultancy firms or consultants

 

Procedures internal to the

Audit

 

for a specific job, which is well defined in terms

 

Buyer organization

 

 

of content and time frame for its completion or

 

Note: Generally no specific

 

 

outsource certain services.

 

 

 

 

 

 

 

 

 

 

 

 

requirements for e‐

 

 

 

 

 

 

 

 

procurement.

 

164

This chapter contains the fundamental principles

 

 

applicable to all Ministries or Departments

 

 

 

 

 

regarding engagement of consultant(s) and

 

 

 

 

 

outsourcing of services.

 

 

 

 

 

 

 

165

Identification of Work/ Services required to be

 

e‐procurement System

Functionality

 

performed by Consultants:

 

 

 

should functionality for

Verification/Testing

 

Engagement of consultants may be resorted to

 

obtaining approval of an

 

 

in situations requiring high quality services for

 

Indent or Requisition Note

 

 

which the concerned Ministry/ Department does

 

for engagement of

 

 

not have requisite expertise. Approval of the

 

consultants with provision

 

 

competent authority should be obtained before

 

for recording relevant

 

 

engaging consultant(s).

 

 

 

 

justification.

 

166

Preparation

of scope of

the required work/

 

e‐procurement System

Functionality

 

service:

 

 

 

 

 

should functionality for

Verification/Testing

 

The Ministries/ Departments should prepare in

 

obtaining approval of an

 

 

simple and concise language the requirement,

 

Indent or Requisition Note

 

 

objectives and the scope of the assignment. The

 

for engagement of

 

 

eligibility and pre‐qualification criteria to be met

 

consultants with provision

 

 

by the consultants should also be clearly

 

for recording relevant

 

 

identified at this stage.

 

 

 

 

justification.

 

167

Estimating reasonable expenditure:

 

 

 

e‐procurement System

Functionality

 

Ministry or

Department

proposing

to engage

 

should functionality for

Verification/Testing

 

 

 

 

 

 

 

 

 

66

 

consultant(s) should estimate reasonable

obtaining approval of an

 

 

expenditure for the same by ascertaining the

Indent or Requisition Note

 

 

prevalent market conditions and consulting

for engagement of

 

 

other organisations engaged in similar activities.

consultants with provision

 

 

 

for recording relevant

 

 

 

justification with estimated

 

 

 

expenditure.

 

168

Identification of likely sources:

e‐procurement System

Functionality

 

(i) Where the estimated cost of the work or

should have functionality

Verification/Testing

 

service is upto Rupees twenty‐five lakhs,

for inviting ‘Expression of

of related

 

preparation of a long list of potential consultants

Interest (EOI)’ through

‘features’ and

 

may be done on the basis of formal or informal

Limited or Open Invitation,

‘explanations’

 

enquiries from other Ministries or Departments

with other functionality as

given by the e‐

 

or Organisations involved in similar activities,

applicable for Limited and

procurement/ e‐

 

Chambers of Commerce & Industry, Association

Open Tenders. This could

tendering

 

of consultancy firms etc.

be done through first

software/ service

 

(ii) Where the estimated cost of the work or

Inviting Applications for

provider against

 

service is above Rupees twenty‐five lakhs, in

Pre‐qualification followed

relevant sections

 

addition to (i) above, an enquiry for seeking

by Bidding, or directly

and points of

 

‘Expression of Interest’ from consultants should

inviting Bids in one or two

Annexure‐I.

 

be published in at least one national daily and

envelopes.

In addition, Audit

 

the Ministry's web site. The web site address

 

 

should also be given in the advertisements.

Where required,

of the Procurement

 

Enquiry for seeking Expression of Interest should

functionality of the e‐

Policy &

 

include in brief, the broad scope of work or

procurement system

Procedures of the

 

service, inputs to be provided by the Ministry or

should be supplemented

concerned Buyer

 

Department, eligibility and the pre‐qualification

with Procurement Policy &

organization can be

 

criteria to be met by the consultant(s) and

Procedures internal to the

carried out.

 

consultant’s past experience in similar work or

Buyer organization.

 

 

service. The consultants may also be asked to

 

 

 

send their comments on the objectives and

 

 

 

scope of the work or service projected in the

 

 

 

enquiry. Adequate time should be allowed for

 

 

 

getting responses from interested consultants

 

 

169

Short listing of consultants:

e‐procurement System

Functionality

 

On the basis of responses received from the

should have functionality

Verification/Testing

 

interested parties as per Rule 168 above,

for short listing consultants

In addition, Audit

 

consultants meeting the requirements should be

who have been found to

 

short listed for further consideration. The

be eligible after the first

of the Procurement

 

number of short listed consultants should not be

round/ pre‐qualification.

Policy &

 

less than three.

 

Procedures of the

 

 

Where required,

concerned Buyer

 

 

functionality of the e‐

organization can be

 

 

procurement system

carried out.

 

 

should be supplemented

 

 

 

with Procurement Policy &

 

 

 

Procedures internal to the

 

 

 

Buyer organization.

 

170

Preparation of Terms of Reference (TOR):

e‐procurement System

Functionality

 

The TOR should include:

should have functionality

Verification/Testing

 

1. Precise statement of objectives;

for including in the

 

 

2. Outline of the tasks to be carried out;

Request for Proposal (RFP)

 

 

 

 

67

 

3.

Schedule for completion of tasks;

documents, the detailed

 

 

4.

The support or inputs to be provided by the

Terms of Reference (TOR)

 

 

 

Ministry or Department to facilitate the

 

 

 

 

consultancy;

 

 

 

5.

The final outputs that will be required of the

 

 

 

 

Consultant.

 

 

171

Preparation and issue of Request for Proposal

e‐procurement System

Functionality

 

(RFP):

should have functionality

Verification/Testing

 

RFP is the document to be used by the Ministry/

for creating detailed

of related

 

Department for obtaining offers from the

Request for Proposal (RFP)

‘features’ and

 

consultants for the required work/ service. The

and posting this on the e‐

‘explanations’

 

RFP should be issued to the shortlisted

procurement system

given by the e‐

 

consultants to seek their technical and financial

website with allied

procurement/ e‐

 

proposals.

functionality for

tendering

 

The RFP should contain:

Corrigenda and Addenda

software/ service

 

1.

A letter of Invitation

to RFP. The functionality

provider against

 

2.

Information to Consultants regarding the

should also include

relevant sections

 

 

procedure for submission of proposal

creation of Electronic

and points of

 

3.

Terms of Reference (TOR)

Forms to capture precise

Annexure‐I.

 

4.

Eligibility and pre‐qualification criteria in

data in the application/ bid

In addition, Audit

 

 

case the same has not been ascertained

submitted by each

 

 

through Enquiry for Expression of Interest

consultant.

of the Procurement

 

 

(EOI)

Where required,

Policy &

 

5.

List of key position whose CV and experience

Procedures of the

 

 

would be evaluated

functionality of the e‐

concerned Buyer

 

6.

Bid evaluation criteria and selection

procurement system

organization can be

 

 

procedure

should be supplemented

carried out.

 

7.

Standard formats for technical and financial

with Procurement Policy &

 

 

 

proposal

Procedures internal to the

 

 

8.

Proposed contract terms

Buyer organization.

 

 

9.

Procedure proposed to be followed for

 

 

 

 

midterm review of the progress of the work

 

 

 

 

and review of the final draft report

 

 

172

Receipt and opening of proposals:

e‐procurement System

Functionality

 

Proposals should ordinarily be asked for from

should have functionality

Verification/Testing

 

consultants in ‘Two‐bid’ system with technical

for inviting ‘Single Stage

of related

 

and financial bids sealed separately. The bidder

Two Envelope’ tenders, or

‘features’ and

 

should put these two sealed envelopes in a

Two‐Stage tenders (as

‘explanations’

 

bigger envelop duly sealed and submit the same

mentioned in CVC

given by the e‐

 

to the Ministry or Department by the specified

guidelines), with secure

procurement/ e‐

 

date and time at the specified place. On receipt,

methodology for sealing

tendering

 

the technical proposals should be opened first

bids (ie data encryption of

software/ service

 

by the Ministry or Department at the specified

both the ‘Technical’, as

provider against

 

date, time and place.

well as, ‘Financial’ bid parts

relevant sections

 

 

 

by the bidder himself

and points of

 

 

 

before bid‐submission. In

Annexure‐I.

 

 

 

addition, there should be

 

 

 

 

functionality for opening

 

 

 

 

only the technical bids

 

 

 

 

first; functionality for

 

 

 

 

creating a short‐list of

 

 

 

 

technically responsive

 

 

 

 

 

68

 

 

bidders; functionality for a

 

 

 

second tender opening

 

 

 

event for opening the

 

 

 

financial bids of the

 

 

 

technically responsive

 

 

 

bidders

 

173

Late bids:

e‐procurement System

Functionality

 

Late bids i.e. bids received after the specified

should have functionality

Verification/

 

date and time of receipt should not be

for ‘Not Accepting Late

Testing

 

considered.

Bids’

 

174

Evaluation of technical bids:

In the e‐procurement

Functionality

 

Technical bids should be analysed and evaluated

System after the TOE in

Verification/

 

by a Consultancy Evaluation Committee (CEC)

which the Technical‐Bids

Testing

 

constituted by the Ministry or Department. The

are opened, functionality

 

 

CEC shall record in detail the reasons for

should exist for members

 

 

acceptance or rejection of the technical

of Consultancy Evaluation

 

 

proposals analysed and evaluated by it.

Committee (CEC) to access

 

 

 

the Technical‐Bids for

 

 

 

evaluation with provision

 

 

 

to record

 

 

 

recommendations.

 

175

Evaluation of financial bids of the technically

In the e‐procurement

Functionality

 

qualified bidders:

System after the TOE in

Verification/

 

The Ministry or Department shall open the

which the Financial‐Bids of

Testing

 

financial bids of only those bidders who have

the technically qualified

 

 

been declared technically qualified by the

bidders are opened,

 

 

Consultancy Evaluation 69

functionality should exist

 

 

Committee as per Rule 174 above for further

for members of

 

 

analysis or evaluation and ranking and selecting

Consultancy Evaluation

 

 

the successful bidder for placement of the

Committee (CEC) to access

 

 

consultancy contract.

the Financial‐Bids for

 

 

 

evaluation with provision

 

 

 

to record

 

 

 

recommendations.

 

176

Consultancy by nomination:

Procurement Policy &

Process Audit

 

Under some special circumstances, it may

Procedures internal to the

 

 

become necessary to select a particular

Buyer organization

 

 

consultant where adequate justification is

 

 

 

available for such single‐source selection in the

Note: Generally no specific

 

 

context of the overall interest of the Ministry or

requirements for e‐

 

 

Department. Full justification for single source

procurement.

 

 

selection should be recorded in the file and

 

 

 

approval of the competent authority obtained

 

 

 

before resorting to such single‐source selection.

 

 

177

Monitoring the contract:

e‐procurement System

Functionality

 

The Ministry/ Department should be involved

should have functionality

Verification/Testing

 

throughout in the conduct of consultancy,

for monitoring

In addition, audit of

 

preferably by taking a task force approach and

performance of a

 

continuously monitoring the performance of the

consultant, which would

the Procurement

 

consultant(s) so that the output of the

include recording of

Policy &

 

consultancy is in line with the Ministry

important parameters/

Procedures of the

 

 

 

69

 

/Department’s objectives.

mile‐stones relating the

 

concerned Buyer

 

 

consultant’s performance.

organization can be

 

 

In addition, the concerned

 

carried out.

 

 

 

 

 

 

Buyer organization should

 

 

 

 

have Procurement Policy &

 

 

 

 

Procedures to implement

 

 

 

 

the other requirements

 

 

 

C) Outsourcing of Services: Rule 178 to 185

 

 

 

 

178

Outsourcing of Services:

Procurement Policy &

 

Process

 

A Ministry or Department may outsource certain

Procedures internal to the

 

 

Audit

 

services in the interest of economy and

Buyer organization

 

 

 

 

efficiency and it may prescribe detailed

Note: Generally no

 

 

 

 

instructions and procedures for this purpose

 

 

 

 

without, however, contravening the following

specific requirements for

 

 

 

 

basic guidelines.

e‐procurement.

 

 

 

179

Identification of likely contractors:

e‐procurement System

 

Functionality

 

The Ministry or Department should prepare a list

should have functionality

 

Verification/Testing

 

of likely and potential contractors on the basis of

for creating Classified Lists

 

 

 

 

formal or informal enquiries from other

of likely and potential

 

 

 

 

Ministries or Departments and Organisations

contractors. Also

 

 

 

 

involved in similar activities, scrutiny of ‘Yellow

functionality should exist

 

 

 

 

pages’, and trade journals, if available, web site

for a Buyer organization

 

 

 

 

etc.

to Create/ Manage

 

 

 

 

 

Contractor organizations

 

 

 

 

 

under different Heads and

 

 

 

 

 

Grades

 

 

 

180

Preparation of Tender enquiry:

e‐procurement System

 

Functionality

 

Ministry or Department should prepare a tender

should have functionality

 

Verification/Testing

 

enquiry containing, inter alia :

for creating and managing

 

of related ‘features’

 

(i) The details of the work or service to be

Tender Notices,

 

and ‘explanations’

 

performed by the contractor;

Corrigenda, Tender

 

given by the e‐

 

(ii) The facilities and the inputs which will be

Documents, Addenda;

 

procurement/ e‐

 

provided to the contractor by the Ministry or

floating Open Tenders, as

 

tendering software/

 

Department;

well as, Limited Tenders;

 

service provider

 

(iii) Eligibility and qualification criteria to be met

and functionality for other

 

against relevant

 

by the contractor for performing the required

associated processes

 

sections and points

 

work / service; and

 

 

of Annexure‐I

 

(iv) The statutory and contractual obligations to

In addition, the concerned

 

 

 

 

be complied with by the contractor.

Buyer organization should

 

In addition, Audit of

 

 

have Procurement Policy

 

the Procurement

 

 

& Procedures to

 

Policy & Procedures

 

 

implement the other

 

of the concerned

 

 

requirements

 

Buyer organization

 

 

 

 

can be carried out.

181

Invitation of Bids:

e‐procurement System

 

Functionality

 

(a) For estimated value of the work or service

should have functionality

 

Verification/Testing

 

upto Rupees ten lakhs or less:

for creating and managing

 

of related ‘features’

 

The Ministry or Department should scrutinise

Tender Notices,

 

and ‘explanations’

 

the preliminary list of likely contractors as

Corrigenda, Tender

 

given by the e‐

 

identified as per Rule 179 above, decide the

Documents, Addenda;

 

procurement/ e‐

 

 

 

 

70

 

prima facie eligible and capable contractors and

floating Open Tenders, as

tendering software/

 

issue limited tender enquiry to them asking for

well as, Limited Tenders;

service provider

 

their offers by a specified date and time etc. as

and functionality for other

against relevant

 

per standard practice. The number of the

associated processes

sections and points

 

contractors so identified for issuing limited

 

of Annexure‐I

 

tender enquiry should not be less than six.

 

In addition, the concerned

 

 

(b) For estimated value of the work or service

Buyer organization should

In addition, Audit of

 

above Rupees ten lakhs:

 

 

have Procurement Policy

the Procurement

 

The Ministry or Department should issue

& Procedures to

Policy & Procedures

 

advertised tender enquiry asking for the offers

implement the other

of the concerned

 

by a specified date and time etc. in at least one

requirements

Buyer organization

 

popular largely circulated national newspaper

 

can be carried out.

 

and web site of the Ministry or Department.

 

 

 

182

Late Bids:

 

 

 

e‐procurement System

Functionality

 

Late bids i.e. bids received after the specified

should have functionality

Verification/Testing

 

date and time of receipt should not be

for ‘Not Accepting Late

 

 

considered.

 

 

 

Bids’

 

183

Evaluation of Bids Received:

 

 

In the e‐procurement

Functionality

 

The Ministry or Department should evaluate,

System after the TOE in

Verification/ Testing

 

segregate, rank the responsive bids and select

which the Bids are

 

 

the successful bidder for placement of the

opened, functionality

 

 

contract.

 

 

 

 

should exist for members

 

 

 

 

 

 

 

of the Evaluation

 

 

 

 

 

 

 

Committee (EC) to access

 

 

 

 

 

 

 

the Bids for evaluation

 

 

 

 

 

 

 

with provision to record

 

 

 

 

 

 

 

recommendations.

 

184

Outsourcing by Choice:

 

 

Procurement Policy &

Testing & Audit

 

Should it become necessary, in an exceptional

Procedures internal to the

 

 

situation to outsource a job to a specifically

Buyer organization

 

 

chosen contractor, the Competent Authority in

Note: Generally no

 

 

the Ministry or Department may do so in

 

 

consultation with the Financial Adviser. In such

specific requirements for

 

 

cases

the

detailed

justification,

the

e‐procurement.

 

 

circumstances leading to the outsourcing by

 

 

 

choice and the special interest or purpose it shall

 

 

 

serve shall form an integral part of the proposal.

 

 

185

Monitoring the Contract:

 

 

e‐procurement System

Functionality

 

The Ministry or Department should be involved

should have functionality

Verification/Testing

 

throughout in the conduct of the contract and

for recording important

 

 

continuously monitor the performance of the

milestones of Contract

In addition, audit of

 

contractor.

 

 

 

Execution.

the Procurement

 

 

 

 

 

 

In addition, the concerned

Policy & Procedures

 

 

 

 

 

 

of the concerned

 

 

 

 

 

 

Buyer organization should

Buyer organization

 

 

 

 

 

 

have Procurement Policy

can be carried out.

 

 

 

 

 

 

& Procedures to

 

 

 

 

 

 

 

implement the other

 

 

 

 

 

 

 

requirements

 

71

Annexure‐IV ‐ Checklist for Compliance with IT ACT (IT ACT 2000 and Amendment 2008)

Sl.

Issues to be Checked

IT ACT

Means of Checking

No.

 

 

Reference

 

1

Electronic Signature Implementation:

3, 3A, 5, 6,

Verification of

 

i)

ESC (Electronic Signature Certificate) used for

15, 42, Ch‐

Implementation/

 

 

the e‐Procurement System by the users are

VI;

Functionality and

 

 

Issued by CC(Certifying Authority) recognized

Sch‐2, 13

the ESC used.

 

 

by Govt. of India CCA(Controller of Certifying

 

 

 

 

Authority).

 

 

ii)The private key or the signature creation data should not be stored in the e‐Procurement System or kept under the control of the e‐ Procurement Service Provider.

iii)By the use of a public key of the subscriber/ signer, it should be possible to verify the electronic record. This may be read in conjunction with Sch‐2, 13 85B(2)(b) “except in the case of a secure electronic record or a secure digital signature, nothing in this section shall create any presumption relating to authenticity and integrity of the electronic record or any digital signature”.

(Explanation: This implies that important electronic records of an e‐procurement application, like – Tender Notice, Corrigenda, Tender Documents, Addenda, Clarifications to Tender Documents, Bids, etc should not only be electronically signed, there should also be provision in the e‐procurement application to verify the electronic signatures).

iv)Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure (Explanation: There should be no limitation in the functionality of the e‐procurement system which may necessitate for the tendering processes to continue uninterrupted that the private key of any officer be handed over to anybody else (who may be absent or unavailable), or where a private key is shared by multiple users due to any reason such as – absence of detailed hierarchy within a user organization, or multiple users of a group using a common key.

v)Similarly, functionality of the e‐procurement system should cover other aspects outlined in various sections (specified in the adjacent

72

 

 

column) of the IT Act.

 

 

2

Electronic Document & Record Control:

7

Verification of

 

Suitable controls are established for electronic

 

policies,

 

documents /records generated, processed, stored,

 

procedures,

 

disposed of by the e‐Procurement System to comply

 

mechanisms and

 

i)

The information contained in e‐

 

relevant records,

 

 

Documents/e‐Records remains

 

and functionality of

 

 

accessible/usable for subsequent reference;

 

the e‐procurement

 

ii)

The e‐Records are retained in the original

 

system.

 

 

format, it was generated, to accurately

 

 

 

 

demonstrate how it was

 

 

 

 

generated/sent/received.

 

 

 

iii)

The e‐Records should be maintained with

 

 

 

 

identification of origin, destination, date and

 

 

 

 

time of dispatch or receipt.

 

 

 

iv)

The retention period of the e‐Records should

 

 

 

 

be compliant with the legal and contractual

 

 

 

 

requirements.

 

 

3

Data Protection:

43A,

Verification of

 

i)

Adequate and reasonable security practices

Draft rule

policies,

 

 

and procedures are in place to protect

under

procedures,

 

 

confidentiality and integrity of the users data

Section

mechanisms and

 

 

and credentials

43A

relevant records,

 

ii)

The e‐procurement system has to

 

and functionality of

 

 

satisfactorily address the above) through

 

the e‐procurement

 

 

suitable functionality built into the e‐

 

system.

 

 

procurement application. Where, in

 

(Some checks are

 

 

addition, some issues are being further

 

covered in

 

 

addressed through organizational

 

Annexure‐I, II and

 

 

procedures, these should be explicitly

 

III)

 

 

defined with satisfactory explanations.

 

 

 

 

The reasonable security practices and

 

 

 

 

procedures followed should be documented

 

 

 

 

in line with the international standard

 

 

 

 

ISO/IEC 27001.

 

 

 

 

 

 

4

Due diligence exercise:

79,

Verification of the

 

i)

The Service Provider shall publish the terms

Draft rule

terms and

 

 

and conditions of use of its e‐Procurement

under

conditions of use of

 

 

System, user agreement, privacy policy etc.

Section 79

the e‐Procurement

 

ii)

The Service Provider shall notify users not to

 

System, user

 

 

use, display, upload, modify, publish,

 

agreement, privacy

 

 

transmit, update, share or store any

 

policy, and other

 

 

information that:

 

notifications as

 

 

(a) belongs to another person;

 

mentioned.

 

 

(b) is harmful, threatening, abusive,

 

 

 

 

harassing, blasphemous, objectionable,

 

 

 

 

defamatory, vulgar, obscene,

 

 

 

 

pornographic, pedophilic, libelous,

 

 

 

 

 

 

73

invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c)harm minors in any way;

(d)infringes any patent, trademark, copyright or other proprietary rights;

(e)violates any law for the time being in force;

(f)discloses sensitive personal information of other person or to which the user does not have any right to;

(g)causes annoyance or inconvenience or deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(h)impersonate another person;

(i)contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(j)threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any other nation.

iii)The Service Provider shall not itself host or publish or edit or store any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in (ii) above.

iv)The Service Provider shall inform its users that in case of non‐compliance with terms of use of the services and privacy policy provided by the Service Provider, it has the right to immediately terminate the access rights of the users to the e‐Procurement System.

v)The Service Provider shall publish on the e‐ Procurement website about the designated agent to receive notification of claimed infringements.

74

Reference Documents

75

Reference Document – 1

eTendering Processes

e‐tendering portal

an e‐tendering portal, or an e‐tendering website, refers to an internet‐based portal on which an e‐tendering application software is hosted in a secure manner. One or more Government organizations register on the portal (as Buyer organizations). Various vendors also register on the portal (as Supplier organizations). A Buyer organization floats (i.e. invites) a tender on the portal, and Supplier organizations respond to such tenders. Depending on the functionality offered by an e‐tendering portal, all the tendering related activities, from ‘Indent Management (or Requisition Management)’ to ‘Award of Contract’ can be carried out ‘Online’ over the Internet by a Buyer organization, and related activities by Supplier organizations.

Non‐negotiable founding principles of Public Procurement like transparency, encouraging competitiveness and fair treatment to all etc.

Switchover from manual system of tendering to electronic tendering or e‐tendering is major change. Some ‘process re‐engineering’ (i.e. change or improvement in the methodology of conducting various activities) becomes inevitable when changeover is made to a new technology, or a new method of working is adopted. However, while switching over to e‐tendering, no compromise should be made by the Government organization on `Security and Transparency’ related aspects of the Government Tendering Policy and Rules on the pretext of re‐engineering.

While switching over to e‐tendering, a Government organization (in the role of a Buyer) which urges its Suppliers/Vendors to changeover to e‐tendering, should ensure that the e‐tendering portal also takes care of the Supplier organizations needs for security and transparency, and that suppliers are given reasonable time to change‐over in a phased manner.

core activities related to tendering

From a Buyer’s perspective, `core activities related to tendering’ refers to activities like‐ raising indents (or requisitions) for procuring some item or service, approving such requisitions, configuring the e‐tendering system to act as per that organisation’s tendering policy, creating a hierarchy of officers with specific authorizations to manage and control activities related to e‐tendering for various tenders, configuring the e‐ tendering system to act as per specific rules for a given tender, creating a list of bidders to be invited for a `limited tender’, creating a tender notice, approving a tender notice, authorizing issue of corrigenda , creating corrigenda, approving tender documents, authorizing issue of addenda, approving addenda, furnishing clarifications to tender documents, conducing online public tender opening event(s) and sharing salient points of each bid with all participating bidders, counter‐signing each opened bid during tender opening event, evaluating the bids which have been opened, creating a list of bidders for the next stage (where applicable). From a Supplier’s (or Vendor’s perspective), `core tendering activities’ or `core activities related to tendering’ refers to activities relating to responding to various tenders. These include‐creating a hierarchy of executives with specific authorizations to manage and control activities related to e‐tendering for various tenders, procuring tender documents for a tender, seeking clarifications to tender documents, preparing a bid in multiple parts(as required by the Buyer) and required), attending online public tender opening event(s).

76

Operating Models for e‐Tendering

A variety of `Operating Models’ have emerged through which e‐tendering services are currently being offered. Some prominent models are ‐ `Dedicated e‐Tendering Portals’ (also referred to as Captive e‐Tendering Portals), `Shared e‐Tendering Portals’ [ where services are offered in ASP (Application Service Provider) mode/SaaS (Software as a Service) mode, and different types of `Outsourcing Models’. Also, it is important to differentiate between the concepts of the portal. In view of the emphasis on Security and Transparency in Public‐Procurement, the acceptability of these models varies. Guidelines are as follows:

A)(Dedicated e‐Tendering Portals)‐ where the Government organization wishing to do e‐tendering, owns and controls the portal infrastructure, and also controls all the core tendering activities carried out on the portal.

A Government organization wishing to set up a dedicated e‐tendering portal for its tendering requirements should float an `Open Tender’ for selecting a suitable vendor. It should not resort to by‐passing of the tendering process on the grounds, that as a Buyer organization it has been offered the service free of charge or at nominal charge, and only Suppliers or Vendors have to pay to the Service Provider or the Supplier of the e‐tendering software, as the case may be. In situations like this, as in the case of infrastructure projects, the total revenue which accrues to the Service provider of the e‐tendering portal should be considered, viz revenue from the Buyer organization(s), revenue from registration of Supplier organizations which will register on the portal at the behest of that Buyer organization, and any other sources of revenue.

B)(Use of a Shared e‐Tendering Portal)‐ where the Government organization

wishing to do e‐tendering controls all the core tendering activities of its organization carried out on the portal, but where ownership and control of the portal infrastructure is with the Service Provider.

A Government organization wishing to use an existing e‐tendering portal on shared basis for its tendering requirements may float a tender for the purpose of selecting a suitable Service Provider. In such situations, the nomination route may be used if both the following conditions are satisfied.

i)The total annual revenue which accrues to the Service Provider from that Government organization and its Suppliers who register specifically at the behest of that Government organization is less than Rs. Five/ten lakhs a year. (Note: Limit to be defined by the appropriate Govt body keeping in view Finance Ministry’s current limit of Rs. Ten lakhs for consultancy service through the nomination route). For this purpose, revenue should include registration and portal usage charges of the Buyer organization, registration charges of supplier organizations which register at the behest of that buyer organization, and portal‐usage charges of the aforesaid supplier organizations specifically in respect of responding to tenders of that Buyer organization.

ii)The arrangement of that Government organization with the Service Provider is on a `non‐exclusive’ basis.

77

C)(Outsourcing Model‐1): The Government organization outsources its tendering activities to a Service Provider. The control of all or most of the core tendering activities is in the hands of the Service Provider. The Service Provider also owns and controls the portal infrastructure.

(Outsourcing Model 2): The government organization procures and owns partially or fully the portal infrastructure, but does not manage it. Furthermore, the Government organization outsources the management and control of its tendering activities to a Service Provider.

It is important to note that `Outsourcing’ as outlines above is substantively distinct from `Use of a Shared e‐Tendering Portal’ as outlined in (ii) B above. In case of the `Shared e‐Tendering Portal, the Government organization wishing to so e‐tendering controls all the core tendering activities of its organization carried out on the portal.

In case of `outsourcing’ since `complete control is in the hands of a third party Service Provider’, number of `legal’ and `security’ related issues arise. Some of these issues are:

i)`Tendering’ is a sensitive activity, where integrity and transparency of the procurement process is on paramount importance. Can such a sensitive activity be outsourced to a third party Service Provider (who in turn may be a public sector entity, or a private entity) where `complete control is in the hands of the third party Service Provider’?

ii)In case of a Government organization, the officers authorized for `tendering’ are legally accountable under the official Secrets Act’. Certain Standards of propriety, integrity and confidentiality are expected of Government officers and Government departments. How will this be ensured from personnel of a third party private Service Provider, who would gain complete control of the tendering activities under the outsourcing‐contract?

iii)Guidelines pertaining Access to the e‐Tendering Portal:

Access shall be provided to the general public for viewing `tendering opportunities’ (i.e. Tender Notices) posted on the e‐tendering portal for all `Open Tenders’, as well as `Limited Tenders’ (the exception in case of Limited Tenders is where due to reasons of national security it is expedient not to do so). Access shall imply‐viewing a Tender Notice, searching a Tender Notice with its reference number, or name of the Buyer organization.

Access shall be provided to the general public for accessing any other `Public Information’ sections of the e‐tendering portal, such as – Information pertaining to forthcoming Tendering Opportunities, Information pertaining to `Award of Contracts i.e. Purchase Orders’.

iv)Guidelines pertaining use of Digital Signatures, IT Act 2000 and Phased Approach:

Any e‐tendering portal to be used by a Government organization must allow the users of the portal to use any one Digital Certificate (Digital Signature) issued by any Certifying Authority licensed by the CCA subject to other conditions of the Digital Certificate issuing authority.

78

The Digital Signature (i.e. Private Key) cannot be handed over by the owner of that key to any other person. (It has been observed that in some e‐tendering portals, the private digital keys of the authorized officers are handed over to the staff of the service provider, or the keys are freely exchanged amongst the users. This practice should be stopped forthwith).

No technology should be forced on the users suddenly. A phased approach must be adopted. Specifically in case of e‐tendering, unless a large number of users are comfortable with use of Digital Signatures, there is no point forcing them to deal with more sophisticated features like online bid‐submission involving encryption of bids etc. (It has been observed that in some e‐tendering portals that the staff of the Service Provider have been encrypting bids on behalf of the bidders and conducting the Tender Opening Events on behalf of the authorized Government officers.

All Digital Signature Certificates should be PKI based and issued by a Certifying Authority duly licensed by the CCA.

Compliance with IT Act 2000: Vendors of e‐tendering portals, or‐ tendering software, should be specifically instructed to keep in view s‐ 42 (1), and s‐85B2(b) of the IT Act 2000 while giving a `confirmation of compliance with the IT Act 2000’.

To avoid compromise of security (i.e. compromise of private key in this context), users of an e‐tendering portal should not obtain `pre‐ prepared’ digital certificates’ through the service provider or any other source. The digital certificate should be generated by the concerned user (i.e. the applicant of the digital certificate) himself, preferably on his own computer, and securely stored under a password

79

 

Reference Document – 2

 

Electronic Tendering Glossary

 

 

Information Entity

Definition

Goods

The supply of Goods with minimal Labour

Invitation to Tender

A request by procuring entity to contractors of commercial offer for

 

the entity to appoint a contractor to execute the works

Open Tender

All interested suppliers may submit a tender

Opening of tenders

Tenders shall be opened under procedures and conditions

 

guaranteeing the regularity of the openings

Optional Contract

Procuring entity identifies a tenderer who has suitable assets,

 

repute and ability and then contracts with it as its discretion

Registration

A system to ensure that tenders are sought only from contracts

 

whom the procuring entity has already established as having the

 

requisite resources and experience to perform the intended work

 

satisfactorily.

Public Invitation

An invitation to participate in intended procurement published by

 

procuring entities. The notice shall be published in the appropriate

 

publication

Selective Tender

Suppliers invited to do so by the procuring entity may submit a

 

tender

Services

The supply of Services, mainly Intellectually based Labour

Tender

The letter of Tender and all other documents which the Contractor

 

submitted with the Letter of Tender, as included in the Contract.

Tender Documents

Documents which should be issued by the procuring entity to those

 

firms who have been selected to tender, or who wish to tender in

 

case of an Open tender

Tenderer

Firm answering an invitation to tender

Tender Result

Procuring entity creates tender result notice, issues it to tenders

Notice

 

Contract Award

Procuring entity publishes the contract award

Publication

 

Qualification

Procuring entity verifies tender participation qualification of

 

tenders

Works

The supply of Labour, Materials and associated Plant.

80

Reference Document – 3

OWASP(Open Web Application Security Project) Top 10 Application Security Risks‐2010

A1‐Injection

A2‐Cross Site Scripting (XSS)

A3‐Broken

Authentication and

Session Management

A4‐Insecure Direct Object References

A5‐Cross Site Request Forgery (CSRF)

A6‐Security Misconfiguration

A7‐Insecure Cryptographic Storage

A8‐Failure to Restrict URL Access

A9‐Insufficient

Transport Layer

Protection

A10‐Unvalidated

Redirects and

Forwards

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A CSRF attack forces a logged‐on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

81

Reference document – 4

Business requirements specification‐ cross industry e‐Tendering process (Source CWA

15666)

To attain the objective of interoperability and compatibility of various solutions, both at buyer and supplier end it is required that processes and information entities shall be standardized across industrial electronic tendering. Following are the business requirements for the same.

Business Process Elaboration

E‐Tendering

Registration

Public Invitation

Tender/Opening of Tenders

Publication of Award

Business Information Flow Definition

Submit Registration Application

Issue Examination Result Notification

Publish prior information notice

Publish invitation to tender

Submit pre‐qualification application

Issue letter of invitation to tender

Request Tender Information

Issue tender information

Issue tender guaranty

Submit the response of tender guaranty

Submit tender

Submit qualification and application

Issue qualification result notice

Issue tender result notice

Following are the process details:

Registration

 

Preconditions

None

Begins When

Tenderers apply for registration

Definitions

Tenderers apply for registration

 

Procuring entity receives registration application

 

Procuring entity examines registration application

 

Procuring entity notifies tenderers of examination result

 

Tenderers receive examination result

Public Invitation

 

Preconditions

Procuring entity has a tendering subject release invitation to tender

Begins When

Procuring entity establishes project strategy

Definition

Procuring entity establishes project strategy

 

Procuring entity publishes invitation to tender

 

If necessary, tenderers should be pre‐qualified

 

If necessary,procuring entity selects tenders

 

82

 

When tenderers have intention to submit tenders

 

Tenderers request detailed information of the tendering subject

 

Procuring entity receives request for detailed information of the

 

tendering subject

 

Procuring entity issues detailed information of the tendering

 

subject to tenders

 

Tenders receive detailed information of the tendering subject

Ends When

Tenderers receive detailed information of the tendering subject

Exceptions

Procuring entity does not receive request for detailed information of the

 

tendering subject by tenderers

 

Tenderers do not receive detailed information of the tendering subject

 

from procuring entity

 

Tenderers have no intention to participate in tender

Post conditions

Tenderers get detailed information of the tendering subject

Tender/Opening of Tenders

Preconditions

Targeted tendering subject is within submission period of tenders

 

Tenderers receive detailed information of the tendering subject

Begins When

Tenderers submit tenders

Definitions

Tenderers submit tenders

 

Procuring entity receives tenders

 

Procuring entity opens tenders

 

If necessary, procuring entity verifies qualification of the tenderer

 

Procuring entity notifies tender result

 

Tenders receive tender result

Ends When

Tenderers receive tender result

Exceptions

Procuring entity does not receive tenders from tenderers

 

Tenderers do not receive tender result from procuring entity

Post conditions

Tenderers get details of tender result.

Publication of Award

Preconditions

Procuring entity notifies tender result to tenderers

Begins when

Procuring entity publishes tender result

Definitions

Procuring entity publishes tender result

 

Note: This definitions are example of executing business collaborations

 

within this business process

Ends When

Procuring entity publishes tender result

Exceptions

None

Postconditions

Procuring entity proves that the tender has been performed without

 

injustice.

83

Templates & Forms

84

Template 1 : Defining Usability Requirement Specifications of the Software

Product

USABILITY REQUIREMENTS SPECIFICATIONS OF < > SOFTWARE PRODUCT

Note: This is an illustration only. Applicant shall specify the parameters like files size(MB), time(second and bandwidth for each item). Only applicable clauses of this template should be used.

1.NAME AND PURPOSE OF THE PRODUCT :

< > is a web based eGovernance solution designed and developed for complete automation of the tendering/ procurement of materials, components, contracts, works and services.

This specification defines the Usability requirements for < >software application

2.CONTEXT OF USE

< >has the capability to support the complete tendering process which includes placing of on‐line technical bids, commercial bids, facility for e‐payment and secure opening of vendor bids with provision for interface to e‐payment gateways and incorporating PKI enabled digital signatures.

Fine details of tendering like creation of vendor database, tender announcement and corrigendum; tender offer processing, opening, negotiation, dynamic pricing mechanism, automatic generation of comparative statement of bids received tender awarding and management of tender contract operation and re‐tendering are supported in a real time interactive environment. This system enables both procurers and vendors to interact with each other and transact business.

a. Specification of users:

Based on the analysis of the product, the main classes of users are

Department users (ie Buyers or Purchasers)

Portal/ e‐Procurement Application Administrators (for Dedicated Portal of a Buyer)

Registered suppliers/ contractors/vendors

Portal/ e‐Procurement Application Administrators (for Service Providers)

Registered suppliers/ contractors/vendors

i.Skills & knowledge –

Should be computer literate and in the habit of surfing the net

Should have Knowledge about tendering process

ii.Training on the usage of software mandatory

iii.Product Experience – Nil

iv.Organizational experience – Nil

v.Physical attributes – Normal

Department Users (ie Buyers or Purchasers)

i.Skills & knowledge –

Should be computer literate and in the habit of surfing the net

Should have Knowledge about tendering process

ii.Training on the usage of software mandatory

iii.Product Experience – Nil

85

iv.Organizational experience – Required

v.Physical attributes ‐ Normal

86

b. Broad Specification of tasks

The major work flows analysed in terms of severity, criticality and frequency of use for the respective users are as given below :

Department Users

1.Vendor Registration specific to a particular Buyer/ Department‐ Any person who wants to bid for any tender of that Buyer/ Department, has first to register with the department (after having registered on the portal) . Where required, Department Administrator can create vendors

a.They receive filled in application with credentials of the vendors , and then register them for a particular classification and grade

2.The Tendering Creation : Creation ,Uploading of tender and Authorizing the tender

3.Tender Opening ‐ Tender Opening in the simultaneous online presence of authorized bidder representatives with additional optional offline presence, EMD Authorisation , countersigning of each opened bid in the simultaneous online presence of authorized bidder representatives, Downloading of submitted vendor documents , Disqualification of a vendor (i.e. archiving a bid unopened) and Comparative statement generation

Sub activities: verification of documents and EMD/Bank

Guarantee

Suppliers/ contractors/vendors

a.Self Registration on the e‐procurement by the first user of an organization, and submission his Public Key

Sub activities:

i.Where required, registration by an authorized user for particular Department/ Buyer for a particular classification of trade, region and vendor class for a particular duration

ii.Attachment of supporting documents required for the registration

b.PKI based login and Request/ Procurement of tender documents

c.Pre‐qualification based on projects/tenders

d.Download tender documents/ addenda

e.Upload filled tender documents (ie bids, in envelopes and stages as instructed in the tender documents)

Sub activities:

i.Attachment of supporting documents required for the tender

ii.Submission c. Specification of environment

As this application is generally used in an office environment , testing can be done in an office ambience .

So the Usability Lab at < > can be used for carrying out the user tests .

3.SPECIFICATION OF MEASURES OF USABILITY FOR PARTICULAR CONTEXTS Department Users

1.Vendor Registration

a.Effectiveness (Accuracy & Completeness): All Vendor Registrations have been completed successfully .

87

b.Efficiency: Registration to be completed by the user within <10 minutes>.

c.Satisfaction: Less than 10% of users report dissatisfaction with the vendor registration procedures.

2.Generation of a tender‐ Creation

a.Effectiveness (Accuracy & Completeness); All Tenders have been

completed correctly and successfully .

b. Efficiency: Tender Creation to be completed by the user within 10 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the tender generation process.

3.Uploading of tender

a.Effectiveness (Accuracy & Completeness): All tenders have been uploaded successfully.

b. Efficiency: Uploading to be completed by the user within 3 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the uploading procedures.

4.Opening of Tenders

a.Effectiveness (Accuracy & Completeness): The opening of all tenders have been completed successfully .

b. Efficiency: Opening of tenders to be completed by the user within 5 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the tender opening procedures.

5.EMD Authorisation ,

a.Effectiveness (Accuracy & Completeness): The EMD Authorisation of all tenders has been completed successfully.

b.Efficiency: EMD Authorisation to be completed by the user within 1 minute

c. Satisfaction: Less than 10% of users report dissatisfaction with the EMD Authorisation procedures.

6.Downloading of submitted vendor documents ,

a.Effectiveness (Accuracy & Completeness) : The downloading of all submitted tenders have been completed successfully.

b.Efficiency: Downloading of submitted vendor documents to be completed by the user within 5 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the Downloading procedures.

7.Disqualification of one vendor

a. Effectiveness (Accuracy & Completeness) Vendor Disqualification has been completed successfully.

b.Efficiency: Disqualification of one vendor to be completed by the user within 3 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the disqualification procedures.

88

8. Comparative statement generation

a. Effectiveness (Accuracy & Completeness) Generation of Comparative statement has been completed successfully .

b.Efficiency: Comparative statement generation to be completed by the user within 2 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the Comparative statement procedures.

Suppliers/ contractors/vendors 1. Self Registration with PKI

a. Effectiveness (Accuracy & Completeness) Self Registration with PKI has been completed successfully.

b.Efficiency: Registration to be completed by the user within 12 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the PKI registration procedures.

2.PKI based login and Request for tender documentation

a.Effectiveness (Accuracy & Completeness) All Vendor requests have been completed successfully .

b. Efficiency: Tender request to be completed by the user within 5 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the Tender request procedures.

3.Downloading of tender documents

a.Effectiveness (Accuracy & Completeness) All the tender documents have been downloaded successfully .

b.Efficiency: Downloading of tender documents to be completed by the user within 3 minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the downloading procedures.

4.Upload filled tender documents, Supporting documents and Submission of

tender

Effectiveness (Accuracy & Completeness) All the tender documents

a.

 

have been uploaded and submitted successfully .

b.

Efficiency: Tender Submission to be completed by the user within 15

 

minutes.

c.Satisfaction: Less than 10% of users report dissatisfaction with the whole tender submission procedures.

4.Usability objective : Overall usability

1.Effectiveness measures

a.Percentage of goals achieved ‐ 100%

b.Percentage of users successfully completing task‐ 100%

2.Efficiency measures

a.Average time to complete a task ‐ less than 40 mts

b.Average no of tasks completed per unit time ‐ 0ne per 10 mts

3.Satisfaction measures

a.Rating scale for satisfaction ‐ more than 90%

b.No of complaints ‐ less than 10%

89

Template 2: ‐ Defining Performance Specifications

To be provided by developer/user

The application

< Brief about application >

The data model

< Use of Data base and Data Architecture>

The technology

<Use of Technology e.g. Net, Oracle, SQL, Soft etc)

The user profiles

Type of User (Internal, External etc)

The business requirements

Sl.

 

Characteristic/requirement

Supplied

No.

 

 

Data Value

1.

Type of user’s (e.g. administrator/power user/user/guest etc. on the basis

 

 

of access rights & frequency of use.

 

2.

Type of activities to be performed by the users (Identify each

 

 

activity/function)

 

3.

No. of user’s for each activity/function/scenario

 

 

(with concurrent users/activities)

 

4.

Response time for each activity/scenario

 

 

(a) At normal load

 

 

(b) At max. load

 

5.

Total no. of Task (identify & list each task)

 

6.

Response time for each task

 

 

(c) At normal load

 

 

(d) At max. load

 

7.

Throughput (for each activity) in terms of Bytes/second or task/second or

 

 

no. of tasks to be completed within a specified period

 

 

(a) At normal load

 

 

(b) At max. load

 

8.

Turn‐Around Time(activity wise)

 

 

(a) At normal load

 

 

(b) At max. load

 

9.

I/O Devices (e.g. printer, Keyboard, Mouse, scanner, Modem etc.)

 

 

(a) Utilization time for I/O devices

 

 

(b) I/O error messages /warning /failure messages at max. load

 

 

(c) Waiting time for I/O utilization at max. load

 

10.

Memory Utilization

 

 

(a) Memory utilization at max. load

 

 

(b) Memory related error messages/warning/failure messages at max. load

 

11

Transmission resources utilization

 

 

(a) Specify the followings:

 

 

i)

Data transfer speed of network cable

 

 

ii)

NIC card

 

 

iii) Modem

 

 

iv)

Hub, Switch and Router

 

 

(b) Internet Service provider(e.g. ISDN dial‐up/lease line with 64/128 KBPS)

 

 

(c) No. of error messages at max. load

 

 

(d) Transmission capacity at max. load

 

12.

Compliance:

 

 

Identify the activities /functions requiring conformance to standard

 

 

(Organization specific/national/international), rules & regulations.

 

 

Signature of supplier/user:

 

 

Place:

Dated:

 

 

 

 

90

Annexure V

Definitions and Reference Documents

E‐Procurement:‐ Electronic procurement (e‐procurement) is use of electronic tools and systems to increase efficiency and reduce costs during each stage of the purchasing process

Amendments/Modifications to Tenders

The tender, after submitting its tender, is permitted to submit alterations/modifications to its tender so long such alterations/modifications are received duly sealed and marked like original tender, upto the date and time of receipt of tender. Any amendment/modification received after the prescribed date and time of receipt of tenders are not to be considered.

Source: Manual on Policies and Procedures for purchase of goods (Ministry of Finance)

Withdrawal, substitution and modification of Bids

STANDARD BIDDING DOCUMENT

Procurement of Goods User’s Guide‐ Asian Development Bank

26.1A Bidder may withdraw, substitute, or modify its Bid after it has been submitted by sending a written Notice, duly signed by an authorized representative, and shall include a copy of the authorization in accordance with ITB 22.2 (except that Withdrawal Notices do not require copies). The corresponding substitution or modification of the Bid must accompany the respective written Notice. All Notices must be:

a)submitted in accordance with ITB Clauses 22 and 23 (except that Withdrawal Notices do not require copies), and in addition, the respective envelopes shall be clearly marked “Withdrawal”, “Substitution”, “Modification” and

b)received by the Purchaser prior to the deadline prescribed for submission of bids, in accordance with ITB 24.

26.2Bids requested to be withdrawn in accordance with ITB 26.1 shall be returned unopened to the Bidders.

26.3No Bid shall be withdrawn, substituted, or modified in the interval between the deadline for submission of bids and the expiration of the period of bid validity specified by the Bidder on the Bid Submission Sheet or any extension thereof.

ESourcing:‐ Electronic sourcing (esourcing) is the use of internet technology to establish, manage and monitor contracts. It includes:

*eTendering

*eEvaluation

*eCollaboration, and

*eContract Management

Public Service Organization (PSO):‐ An organization which provides service (s) to public at large and/or whose activities influences influence public interest.

eg: Government ministries and departments, Regulatory bodies, Public utility service providers, etc.

91

Purchase Officer:‐ A Purchase officer is an employee within Public service organization(Govt. Department/ Public Service Undertaking) who is responsible at some level for buying or approving the acquisition of goods and services needed by the organization. A Purchase Officer may oversee the acquisition of materials, general supplies for offices and facilities or equipment. The term Purchase Officer is also known as “Procurement Manager”. They are overall responsible for building and managing their organization supply chains.

Service Provider: ‐ A service provider is an entity that provides services to other entities. In the context of this document Service Provider refers to a business that provides e‐procurement services to the Public service organization (Govt. Department/ Public Sector Undertaking).

Solution Provider:‐ A solution provider is a vendor, a service provider or a value‐ added reseller (VAR) that comprehensively handles the project needs of their client from concept to installation through support. This process normally involves studying the client's current infrastructure, evaluating the client's needs, specifying the mix of manufacturers' hardware and software required to meet project goals, installing the hardware and software at the client's site(s). In many cases, the "solution" also includes ongoing service and support from the VAR.

Senior Administrators: Employee within Public service organization charged with improving their company’s profits, responsiveness, and standing in the market. They are also termed as (Executive Director, Material Management or Chief Executive Officer) depending on the size of the organization.

Financial Advisor (CFO):‐ Employee of Public service organization focused on controlling costs and optimizing their organization resources. They are also designated as Chief financial Advisors (CFO).

Head IT:‐Employee of Public Service Organization involved in selecting and implementing e‐Governance in the P.S.O also Known as chief information officer. He is also responsible for managing consultants and system integrators (SI) tasked with identifying leading e‐Procurement solutions.

Facility Management Partner (FMP):‐ In some cases PSO’s take services of Front end FMP’s for implementation, operation, management and training of eProcurement Solution. PSO’s outsourced the operation of the e‐procurement solution through front end facility management partner

92

2.0Reference Standards and Normative documents

Application Security : OWASP‐10, 2010

Network Security as per NIST 800‐115 Technical Guide to Information Security Testing and Assessment

CWA (CEN Workshop Agreement 15994‐ e‐Tendering Process)

CWA (CEN Workshop Agreement 15666‐ Business requirements specification‐ Cross Industry e‐Tendering Process)

eProcurement Integrity Matrix from Transparency International India

ISO / IEC 27001 Information Security Management System Requirements

ISO/TS 15000 Electronic business eXtensible Markup Language (ebXML)

IT Act 2000 with amendments 2008

General Financial Rules, 2005

Relevant CVC Guidelines

93