Information System (e-Government) Implementation · Operation Guideline, by NIA/MoSPA Korea


Post on 15-Dec-2015


Table of Contents

1. A brief Overview

2. Structure of the guideline

3. The Body
- Chapter 2 Development of Project Plan
- Chapter 3 Procurement of ICT Project
- Chapter 4 Selection of Provider and Contract
- Chapter 5 Project Implementation
- Chapter 6 Software Secure Coding
- Chapter 7 Audit and Operation


Overview

History

Establishment ('11.9.5)
- Improvement of the procurement and contract system
- Reflection of changes in other related laws and orders
- Changes to about 30 kinds of contents applicable to all stages of an ICT project (plan, procurement, contract, implementation, etc.)

1st Revision ('12.3.6)
- To decrease the side effect of preventing big business from participating in IT projects
- To create an environment friendly to good small and medium businesses

2nd Revision ('12.6.27)
- To enhance SW secure coding


Legal structure

[Diagram labels: Parliament, President Decree, Minister order, Manual; Law, Order, Manual; Training]

Contents of the Guideline

Section 1: General
1. Purpose
2. Definition of terms
3. Scope to apply the guideline
4. Basic principle
5. Relation to other laws and orders

Section 2: Development of Project Plan
6. Guideline to select proper H/W and S/W
7. Guideline for ensuring the use of proper technology and interoperability
8. Evaluation and management of security
9. Budget plan and cost estimation
10. Special privilege to SME
11. Separate procurement of S/W and H/W
12. Compensation for submitting a proposal
13. Audit
14. Coordination among related entities

Section 3: Procurement of ICT project
15. Clear and detailed description of service and system requirements
16. Guideline for writing RFP, items to be included in RFP
17. Deletion of sensitive information in RFP
18. Specification of proposal evaluation process, development of standard score sheet
19. How to use sub-contract
20. Presentation of the proposal
21. Use of standard technology (S/W) evaluation
22. Sealing of the estimated price
23. Proposed price should be estimated by related government procurement regulation
24. Guideline for pre-release of RFP
25. Collection of opinion on the pre-released RFP
26. Process to access the RFP
27. Time span for procurement
28. Public explanation of RFP
29. Process to submit proposal


Section 4: Selection of provider and contract
30. Composition of evaluation committee
31. Process of the pre-release of a proposal to evaluation committee
32. Process of the evaluation of proposal
33. Sufficient time allowance for evaluation and correction of extraordinary evaluation score
34. Condition and process of public release of evaluation result
35. Release of estimated price and evaluation of the proposed price
36. Process of technology and price negotiation

Section 5: Project implementation
37. Process of request of sub-contract
38. Approval of sub-contract
39. Management of initiation and process report
40. Management of sub-contract
41. Regulation of work place
42. Regulation of workers
43. Monitoring of compliance with the technology use plan
44. Management of standard outcome report
45. Alteration of work scope
46. Process of the alteration of work scope
47. Payment for the alteration of work scope
48. Use of integrated information resource management (EA)
49. Implementation of audit


Section 6: S/W Secure coding
50. Principle of S/W secure coding
51. Activity for ensuring S/W secure coding
52. Checklist to evaluate S/W weakness
53. Process to analyze S/W weakness
54. Certificate and training of S/W secure coding analyst

Section 7: Audit and operation
55. Fine for delaying the completion of project
56. Process of audit
57. Process of hand over
58. Encouraging the private sector to use the public information resource
59. Process for operation and maintenance
60. Regulation on IP arising in implementing the project

Special section
61. Specific manual will be released by NIA

Appendix
1. Table of special advantage score for the co-participation of SME
2. Number of evaluation committee members by the size of project
3. Checklist for ensuring S/W security
4. Quality requirement for S/W secure coding analyst

Template
1. Technology Use Plan, Technology use result
2. Technology evaluation for interoperability, sharing of information resource, efficiency of the system, information accessibility, appropriateness of technology etc.
3. Document to use sub-contract
4. Evaluation committee report sheet
5. Document to start the project
6. Template of system development plan, pledge for ensuring security and abiding by law and regulation while doing project


Chap. 2. Development of Project Plan

Standard of HW and SW Acquisition (Sec.6)
- Refer to “Guide for HW Capacity Estimation” for HW acquisition
- Check the availability of existing commercial SW products before SW development
- Obligation to use existing commercial SW products
  Exception) extraordinarily high expenses, difficulty in fulfilling the required functions and maintenance, etc.
- Modify the technology evaluation plan to reflect this requirement
- Priority to products developed by small & medium businesses


Ref) Technology Application plan/result and Technology evaluation

[Diagram. Procedure: Business Plan (Sec.7), RFP (Sec.16), Proposal, Implementation (Sec.43), Auditing (Sec.50), Operation (Sec.52). Documents: Technology Evaluation, Technology Application Plan, Technology Application Result. Person in charge: Owner, Operator, Auditor, Owner.]


Exam.) Technology application plan/result (attached form)

Columns: item; plan/result (Application, partially Application, no-application, NA); comments; Detailed Technology

Item: data expression
o Static expression : HTML 4.01
o Dynamic expression
- JSP 2.1
- ASP
- PHP


Exam.) Technology evaluation (attached form)

Columns: Detailed evaluation item; check; comments

- Do you describe the background and the goal of the business?
- Do you describe the problem and the improvement of informatization?
- ……

Technology Application Planning and Technology Evaluation of Interoperability (Sec.7)

- Perform the Technology Evaluation prior to the final Business Plan
- Big projects and national-security-related projects need a special evaluation of technology application in the planning stage
- Reflect the result of the evaluation in the Business Plan and RFP
- Make the Technology Application Plan when owners make the Business Plan and RFP
- Bidding participants must submit a Technology Application Plan when submitting a Proposal, and it should be re-submitted when implementing the Project

Security Review and Management (Sec.8)
- When creating or modifying an information system, request a security review by the NIS (National Intelligence Service) according to the “Guide to National Information Security”
- Develop security countermeasures applicable in the process of procurement, management, and operation of ICT projects, etc.
- Develop countermeasures for protecting personal information
- Devise SW vulnerability countermeasures and have the business operator comply with them

Budget and Estimation (Sec.9)
- Refer to “Guide to Estimation of SW business expense”
- Acquisition expense of HW and commercial SW
  1. the price which is registered at the public procurement service
  2. the newest purchase price
  3. the lowest price among 3 estimates


Lower limit of business expenses for projects in which big SW businesses can participate (Sec.10)
- State clearly in the RFP
  ※ sales of big business more than 800 billion : 8 billion
  ※ sales of big business less than 800 billion : 4 billion

Separate Order of SW (Sec.11)
- Refer to “the objects of Separate Order of SW”
  ※ more than 1 billion of business expense & more than 50 million of SW price

Compensation of Proposal (Sec.12)
- Refer to “Operation regulation for compensation of SW proposal”
  ※ compensate for the good proposal with money


Audit (Sec.13)
- Refer to “IT Audit Standard”
  ※ audit scope, procedure and obligation, registration of audit firm, qualification and education of IT auditor etc.

→ Sec.50. auditing

Advance Consultation (Sec.14)
- Refer to “regulation to Advance consultation for e-government business”
  ※ Main purpose is to filter the duplication among systems

Chap. 3. Order

Requirement Disambiguation of RFP (Sec.15)
- State the requirements of the RFP clearly through the function list, requirement specification, etc.
- At the time of ISP, draw up the RFP requirements through the ISP business operator and apply them to the RFP
- Refer to “The guide to make requirements of RFP”

→ Sec.16. Making RFP
→ Sec.45. Changing Tasks
→ Sec.46. Procedure of Changing Tasks
→ Sec.47. Payment of Changing Tasks


Making RFP (Sec.16)

Include the contents below in the RFP

1. Tasks and requirements
2. Contract condition
3. Evaluation items and method
4. Size of proposal sheet, submission method, bidding type
5. Compensation of Proposal
6. Items with which business operators must comply
   a. State the price for a subcontract clearly in the RFP
   b. Propriety of subcontract
   c. Technology Application Plan
   d. SW secure coding compliance
   e. Obligation of proposal presentation by PM
   f. Making and submission of standard documents


RFP Security (Sec.17)

Take care not to include security-sensitive information in the RFP

1. IP addresses of information systems
2. system diagrams and current condition of systems, such as vendors, versions etc.
3. configuration information of systems
4. access authority, such as user id, password etc.
5. analysis reports of system vulnerability
6. current status of information protection products like Firewall, IPS etc. and NW devices like router, switch etc.
7. closed objects according to the “Public information act”
8. personal information
9. confidential items etc.


Evaluation Scale (Sec.18)
- In the case of a negotiated contract, technology : price = 90:10
- Exception) technology : price = 80:20
  1. HW ratio is more than 50%
  2. business expense is less than 0.1 billion etc.


Ref) subcontracting management

[Diagram. Stage: Order, Selection and Contract, Execution. Person in charge: Owner, Operator, Owner. Check list: request of price for a subcontract (Sec.19), Review of price for a subcontract (Sec.36), Approval Application (Sec.37), Approval (Sec.38), Management (Sec.40).]

Price for a subcontract (Sec.19)
- State direct labor cost, overhead expense, and engineering fee clearly in the RFP
  1. direct labor cost : 100% of unit wages
  2. overhead expense + engineering : more than 20% of direct labor cost
- The Owner pays for a subcontract directly, or the business operator pays for a subcontract within 15 days

※ example

Item | Calculation basis | Price | The lowest price for a subcontract
Unit wages | unit wages of SW | 100 | 100
Overhead | Unit wages of SW X 1.1 | 110 | 20
Engineering fee | (Unit wages of SW + overhead) X 0.2 | 42 |
Sum | | 252 | 120

→ Sec.36. Technique and Price Negotiation
→ Sec.37. Approval Application of subcontracting
→ Sec.38. Subcontracting Approval
→ Sec.40. Subcontracting Management

Proposal Presentation (Sec.21)
- The PM must make the presentation himself

Technical Evaluation Standard (Sec.21)
- Refer to “SW Technology evaluation standard”
- Designate at least 6 relative evaluation items for discrimination of technology
- Enlarge the evaluation ratio for small & medium business consortiums

Furnishing of Predetermined Price (Sec.22)
- Determine the predetermined price before proposal submission
- Seal it and keep it secret

Predetermined Price Determination Standard (Sec.23)
- Refer to the “National Contract Act” for the determination standard, procedure etc.

Advance Publication of RFP (Sec.24)

Make public on the National procurement service “www.g2b.go.kr” and the homepage of each organization for 5 days (3 days in urgent cases)

1. business name
2. organization name
3. budget
4. expiration date of comment
5. contact number and name
6. delivery deadline
7. RFP etc.

Exception of advance publication
1. in case of no time for competition and special appointment contract
2. in case of security products
3. product whose estimated price is less than 0.1 billion
4. in case of second time of publication of RFP

→ Sec.25. Review on comment of Advance Publication


Review on comment of Advance Publication (Sec.25)
- Review the comment and inform the offerer of the result
- Reflect accepted comments in the RFP
- Compose a committee for fair review

RFP issue and Reading (Sec.26)
- Refer to “standard for negotiated contract”

Bid Announcement Period (Sec.27)

Period: Business type
- urgent, 10 days:
  - the urgent system development like law revision, disaster etc.
  - less than 3 months of project period
  - audit project
  - re-bid project
- 20 days: Less than 1 billion of estimated price
- 25 days: More than 1 billion of estimated price ~ Less than 4 billion of estimated price
- 30 days: More than 4 billion of estimated price
- normal: 40 days


Presentation Meeting about RFP (Sec.28)
- Host a presentation meeting for bidders (option)
- State date & time, place etc. in the RFP

Proposal Submission (Sec.29)
- Bidders submit RFP and a price bid separately
- Seal the price bid and keep it secret until the unsealing of the bidding price and evaluation

→ Sec.35 (unsealing a bidding price and Evaluation)

Chap. 4. Selection and Contract

Composition of Evaluation Committee (Sec.30)
- Compose the evaluation committee with experts from public officials, professors, researchers, industrial experts
- Appoint public officials as committee members within 50%

Advance Distribution of Proposal (Sec.31)
- In case of detailed review, distribute proposals to evaluation committee members in advance
- Make a security policy to prevent leakage of proposals


Proposal Evaluation (Sec.32)
- Evaluate with proposals
- Check the identity of the presenter
  ※ if the presenter is not the PM, he can’t make a presentation

Review Time of Proposal and Adjustment of Evaluation Score (Sec.33)
- Allow review time for proposals
  1. Less than 1 billion business : 90 Min.
  2. Less than 2 billion business : 120 Min.
  3. Less than 4 billion business : 150 Min.
  4. more than 1 billion business : 180 Min.
- Adjust the evaluation score in case of a suspicious situation


Publication of Technology Evaluation Result (Sec.34)
- In case of more than 2 billion business, make public the evaluation result

Unsealing a bidding price and Evaluation (Sec.35)
- After the technology evaluation, unseal the bidding price and evaluate it without delay

Technology and Price Negotiation (Sec.36)
- Refer to “National Contract Act”
- In case of changing the task, consider the price for a subcontract also.

Chap. 5. Execution

Approval Application of subcontracting (Sec.37)
- The business operator submits an application to get approval for subcontracting
- Include the approval application of subcontracting, detailed calculation report, business fulfillment plan of subcontracting (including detailed schedule) etc.

Subcontracting Approval (Sec.38)
- Check the price for a subcontract
- If it is less than the standard price for a subcontract, refuse it
- Give clear notice within 14 days; otherwise it is regarded as approved


Launching and Report (Sec.39)
- The business operator submits a business launching report within 10 days after the contract
- If supplementation is required, supplement it within 7 days
- Request a launching meeting, if needed

Subcontracting Management (Sec.40)
- The subcontractor submits a compliance report of subcontracting
- In case of non-fulfillment, report it to the Fair Trade Commission


Workplace (Sec.41)
- Decide the workplace with the business operator
- Prepare a workplace, if the budget doesn’t include the expense for a workplace
- Consider remote-place development, if it is possible

Human Resource Management (Sec.42)
- In case of FP, don’t use head-counting management

Compliance of Technology Application Planning (Sec.43)
- The business operator complies with the Technology Application Plan and submits the result


Standard Documents (Sec.44)
- Receive the standard documents and keep them consistent for use during operation and maintenance

Changing Tasks (Sec.45)
- Change the task, if it is necessary

Procedure of Changing Tasks (Sec.46)
- Follow the procedure according to the “industrial development act” and “general condition of service contract”

Payment of Changing Tasks (Sec.47)
- Adjust the business expense according to the “Enforcement decree of national contract act”


Integration Management of Information Resource (Sec.48)
- Register information resources on the “National EA portal (www.geap.go.kr)”
- Use the system to manage the status and statistics of information resources

Auditing (Sec.49)
- Follow up the action plan for audit according to the audit report
- Auditors write up the compliance result between the Technology application plan and the result

Chap. 6. Software Secure Coding

Principle of SW Secure Coding (Sec.50)
- Comply with SW secure coding
  - In case of new development : all SW code
  - In case of maintenance : modified SW code

Activity of SW Secure Coding (Sec.51)
- At the time of proposal evaluation, evaluate the reasonableness of the tools, procedures, methods etc.
- Refer to “SW secure coding guide”
- Developers/programmers are trained in secure coding


Diagnosis standard of Security Weakness (Sec.52)
- Refer to the mandatory diagnosis items

Diagnosis Procedure of Security Weakness (Sec.53)
- Diagnose in order to remove security weaknesses
- Include the diagnosis in the audit checklist
- Use tools to remove security weaknesses
- Business operators verify the removal of security weaknesses

Diagnostician (Sec.54)
- Qualified experts
- Registered in the Ministry of Security and Public Administration
- Management of diagnosticians


Chap.7. Examination and Operation

Compensation of Deferment (Sec.55)
- Calculate it according to “general condition of service contract”

Examination (Sec.56)
- Examine it according to “general condition of service contract”
- Check the compliance between the Technology application plan and the result
- Check the non-conformity of the Audit report to be corrected

Private Application of Information Resource (Sec.58)
- Share information resources with the private sector through the “public data portal (www.data.go.kr)” or your own information system


Operation and Maintenance (Sec.59)
- In case of modification of systems, keep systems and documents consistent
- Have the business operator make the manual of operation and maintenance

Attribution of Intellectual Property and Deposit of Technical Data (Sec.60)
- Refer to “general condition of service contract”

Ref1) Structure of User Requirement

NO Requirement type code

1 System overview and Function list BR

2 Function requirement FR

3 Performance requirement PR

4 Quality requirement QR

4.1 reliability QRR

4.2 Availability QUR

4.3 Maintenance QMR

4.4 Portability QPR

4.5 Security QSR

5 Interface requirement IR

6 Data requirement DR

7 Operation requirement OR

8 constraints CO

Ref2) Flow of CBD documents

[Diagram. Phases: Analysis, Design, Implementation, Test. Documents shown: RFP, Proposal, Business Fulfillment plan, Meeting result; Definition and analysis of requirement, Requirement Definition, Use case Specification; Architecture design, Class design, Component design, User interface (screen) design, Interface design; Entity relationship description, Database design, Database table, Data conversion and initial data design; Test plan, Unit test case, Integration Test scenario, System test scenario, Acceptance Test Scenario; Source code, Unit test result, Integration Test result, System test result, Acceptance Test result; User manual, Operator manual, Training, System Installation result; Requirement trace.]


Q & A