Information System (e-Government) Implementation · Operation Guideline
By NIA/MoSPA Korea
Table of Contents
1. A brief Overview
2. Structure of the guideline
3. The Body
- Chapter 2 Development of Project Plan
- Chapter 3 Procurement of ICT Project
- Chapter 4 Selection of Provider and Contract
- Chapter 5 Project Implementation
- Chapter 6 Software Secure coding
- Chapter 7 Audit and Operation
Overview
History
Establishment ('11.9.5)
- Improvement of procurement and contract system
- Reflection of the change of other related laws and orders
- Change about 30 kinds of contents applicable to all stages of ICT project (plan, procurement, contract, implementation etc.)
1st Revision ('12.3.6)
- To decrease the side effect of preventing big business from participating in IT projects
- To make an environment friendly to good small and medium businesses
2nd Revision ('12.6.27)
- To enhance SW secure coding
Legal structure
[Diagram labels: Parliament, President Decree, Minister order, Manual; Law, Order, Manual, Training]
Contents of the Guideline
Section 1: General
1. Purpose
2. Definition of terms
3. Scope to apply the guideline
4. Basic principle
5. Relation to other laws and orders
Section 2: Development of Project Plan
6. Guideline to select proper H/W and S/W
7. Guideline for ensuring the use of proper technology and interoperability
8. Evaluation and management of security
9. Budget plan and cost estimation
10. Special privilege to SME
11. Separate procurement of S/W and H/W
12. Compensation for submitting a proposal
13. Audit
14. Coordination among related entities
Section 3: Procurement of ICT project
15. Clear and detailed description of service and system requirements
16. Guideline for writing RFP, items to be included in RFP
17. Deletion of sensitive information in RFP
18. Specification of proposal evaluation process, development of standard score sheet
19. How to use sub-contract
20. Presentation of the proposal
21. Use of standard technology (S/W) evaluation
22. Sealing of the estimated price
23. Proposed price should be estimated by related government procurement regulation
24. Guideline for pre-release of RFP
25. Collection of opinion on the pre-released RFP
26. Process to access the RFP
27. Time span for procurement
28. Public explanation of RFP
29. Process to submit proposal
Section 4: Selection of provider and contract
30. Composition of evaluation committee
31. Process of the pre-release of a proposal to evaluation committee
32. Process of the evaluation of proposal
33. Sufficient time allowance for evaluation and correction of extraordinary evaluation score
34. Condition and process of public release of evaluation result
35. Release of estimated price and evaluation of the proposed price
36. Process of technology and price negotiation
Section 5: Project implementation
37. Process of request of sub-contract
38. Approval of sub-contract
39. Management of initiation and process report
40. Management of sub-contract
41. Regulation of work place
42. Regulation of workers
43. Monitoring of compliance with the technology use plan
44. Management of standard outcome report
45. Alteration of work scope
46. Process of the alteration of work scope
47. Payment for the alteration of work scope
48. Use of integrated information resource management (EA)
49. Implementation of audit
Section 6: S/W Secure coding
50. Principle of S/W secure coding
51. Activity for ensuring S/W secure coding
52. Checklist to evaluate S/W weakness
53. Process to analyze S/W weakness
54. Certificate and training of S/W secure coding analyst
Section 7: Audit and operation
55. Fine for delaying the completion of project
56. Process of audit
57. Process of hand over
58. Encouraging the private sector to use the public information resource
59. Process for operation and maintenance
60. Regulation on IP arising in implementing the project
Special section
61. Specific manual will be released by NIA
Appendix
1. Table of special advantage score for the co-participation of SME
2. Number of evaluation committee members by the size of project
3. Checklist for ensuring S/W security
4. Quality requirement for S/W secure coding analyst
Template
1. Technology Use Plan, Technology use result
2. Technology evaluation for interoperability, sharing of information resource, efficiency of the system, information accessibility, appropriateness of technology etc.
3. Document to use sub-contract
4. Evaluation committee report sheet
5. Document to start the project
6. Template of system development plan, pledge for ensuring security and abiding by law and regulation while doing project
Chap. 2. Development of Project Plan
Standard of HW and SW Acquisition (Sec.6)
- Refer to “Guide for HW Capacity Estimation” for HW acquisition
- Check the availability of existing commercial SW products before SW development
- Obligation of the use of existing commercial SW products
  Exception) extraordinarily high expenses, difficulty in fulfilling the required functions and maintenance etc.
- Modify technology evaluation plan to reflect this requirement
- Priority to the products developed by small & medium business
Ref) Technology Application plan/result and Technology evaluation
[Diagram. Procedure: Business Plan (Sec.7), RFP (Sec.16), Proposal, Implementation (Sec.43), Auditing (Sec.50), Operation (Sec.52). Documents: Technology Application Plan, Technology Application Result, Technology Evaluation. Person in charge: Owner, Operator, Auditor, Owner.]
Exam.) Technology application plan/result (attached form)
Columns: item | plan/result (Application / partial Application / no-application / NA) | comments
Detailed Technology: data expression
o Static expression : HTML 4.01
o Dynamic expression
- JSP 2.1
- ASP
- PHP
Exam.) Technology evaluation (attached form)
Columns: Detailed evaluation item | check | comments
- Do you describe the background and the goal of the business?
- Do you describe the problem and the improvement of informatization?
- …
Technology Application Planning and Technology Evaluation of Interoperability (Sec.7)
- Perform Technology Evaluation prior to the final Business Plan
- Big projects and national security related projects need a special evaluation of technology application in the planning stage
- Reflect the result of evaluation in the Business Plan and RFP
- Make the Technology Application Plan when owners make the Business Plan and RFP
- Bidding participants must submit a Technology Application Plan when submitting a Proposal, and it should be re-submitted when implementing the Project
Security Review and Management (Sec.8)
- When building or modifying an information system, request a security review by NIS (National Intelligence Service) according to “Guide to National Information Security”
- Develop security countermeasures applicable in the process of procurement, management, and operation of ICT projects etc.
- Develop countermeasures for protecting personal information
- Devise SW vulnerability countermeasures and have the business operator comply with them
Budget and Estimation (Sec.9)
- Refer to “Guide to Estimation of SW business expense”
- Acquisition expense of HW and commercial SW
  1. the price which is registered at the public procurement service
  2. the newest purchase price
  3. the lowest price among 3 estimates
The lowest limit of business expenses in which big SW businesses can participate (Sec.10)
- State clearly in RFP
※ sales of big business more than 800 billion : 8 billion
※ sales of big business less than 800 billion : 4 billion
Separate Order of SW (Sec.11)
- Refer to “the objects of Separate Order of SW”
※ more than 1 billion of business expense & more than 50 million of SW price
Compensation of Proposal (Sec.12)
- Refer to “Operation regulation for compensation of SW proposal”
※ compensate for the good proposal with money
Audit (Sec.13)
- Refer to “IT Audit Standard”
※ audit scope, procedure and obligation, registration of audit firm, qualification and education of IT auditor etc.
→ Sec.50. auditing
Advance Consultation (Sec.14)
- Refer to “regulation to Advance consultation for e-government business”
※ Main purpose is to filter the duplication among systems
Chap. 3. Order
Requirement Disambiguation of RFP (Sec.15)
- State the requirements of the RFP clearly through the function list, requirement specification etc.
- At the time of ISP, prepare the RFP requirements through the ISP business operator and apply them to the RFP
- Refer to “The guide to make requirements of RFP”
→ Sec.16. Making RFP
→ Sec.45. Changing Tasks
→ Sec.46. Procedure of Changing Tasks
→ Sec.47. Payment of Changing Tasks
Making RFP (Sec.16)
Include the contents below in the RFP
1. Tasks and requirements
2. Contract condition
3. Evaluation item and method
4. Size of proposal sheet · submission method · bidding type
5. Compensation of Proposal
6. Items which business operators must comply with
   a. State the price for a subcontract clearly in the RFP
   b. Propriety of subcontract
   c. Technology Application Plan
   d. SW secure coding compliance
   e. Obligation of proposal presentation by PM
   f. Preparation and submission of standard documents
RFP Security (Sec.17)
Take care not to include security-sensitive items in the RFP
1. IP addresses of information systems
2. system diagrams and current condition of systems, like vendors, versions etc.
3. configuration information of systems
4. access authority like user id, password etc.
5. analysis reports of system vulnerability
6. current status of information protection products like Firewall · IPS etc. and NW devices like router · switch etc.
7. closed objects according to “Public information act”
8. personal information
9. confidential items etc.
Evaluation Scale (Sec.18)
- In the case of a negotiated contract, technology : price = 90:10
- Exception) technology : price = 80:20
  1. HW ratio is more than 50%
  2. business expense is less than 0.1 billion etc.
Ref) subcontracting management
[Diagram. Stage: Order; Selection and Contract; Execution. Check list: request of price for a subcontract (Sec.19); Review of price for a subcontract (Sec.36); Approval Application (Sec.37); Approval (Sec.38); Management (Sec.40). Person in charge: Owner, Operator, Owner.]
Price for a subcontract (Sec.19)
- State direct labor cost, overhead expense, and engineering fee clearly in RFP
  1. direct labor cost : 100% of unit wages
  2. overhead expense + engineering : more than 20% of direct labor cost
- The Owner pays for a subcontract directly or Business operator pays for a subcontract within 15 days
※ example
Item | Calculation basis | Price | The lowest price for a subcontract
Unit wages | unit wages of SW | 100 | 100
Overhead | Unit wages of SW X 1.1 | 110 | 20 (overhead and engineering fee combined)
Engineering fee | (Unit wages of SW + overhead) X 0.2 | 42 |
Sum | | 252 | 120
→ Sec.36. Technique and Price Negotiation
→ Sec.37. Approval Application of subcontracting
→ Sec.38. Subcontracting Approval
→ Sec.40. Subcontracting Management
Proposal Presentation (Sec.21)
- PM must make the presentation himself
Technical Evaluation Standard (Sec.21)
- Refer to “SW Technology evaluation standard”
- Designate at least 6 relative evaluation items for discrimination of technology
- Enlarge evaluation ratio for small & medium business consortium
Furnishing of Predetermined Price (Sec.22)
- Determine the predetermined price before proposal submission
- Seal it and keep it secret
Predetermined Price Determination Standard (Sec.23)
- Refer to “National Contract Act” for determination standard and procedure etc.
Advance Publication of RFP (Sec.24)
- Make public on National procurement service “ww.g2b.go.kr” and the homepage of each organization for 5 days (3 days in urgent case)
  1. business name
  2. organization name
  3. budget
  4. expiration date of comment
  5. contact number and name
  6. delivery deadline
  7. RFP etc.
- Exception of advance publication
  1. in case of no time for competition and special appointment contract
  2. in case of security products
  3. product whose estimated price is less than 0.1 billion
  4. in case of second time of publication of RFP
→ Sec.25. Review on comment of Advance Publication
Review on comment of Advance Publication (Sec.25)
- Review the comment and inform the offerer of the result
- Reflect accepted comments in the RFP
- Compose a committee for the fair review
RFP issue and Reading (Sec.26)
- Refer to “standard for negotiated contract”
Bid Announcement Period (Sec.27)
 | Period | Business type
urgent | 10 days | the urgent system development like law revision, disaster etc.; less than 3 months of project period; audit project; re-bid project
 | 20 days | Less than 1 billion of estimated price
 | 25 days | More than 1 billion of estimated price ~ Less than 4 billion of estimated price
 | 30 days | More than 4 billion of estimated price
normal | 40 days |
Presentation Meeting about RFP (Sec.28)
- Host a presentation meeting for bidders (option)
- State date & time, place etc. in RFP
Proposal Submission (Sec.29)
- Bidders submit RFP and a price bid separately
- Seal the price bid and keep it secret until unsealing a bidding price and Evaluation
→ Sec.35 (unsealing a bidding price and Evaluation)
Chap. 4. Selection and Contract
Composition of Evaluation Committee (Sec.30)
- Compose the evaluation committee with experts from public officials, professors, researchers, industrial experts
- Appoint public officials as committee members within 50%
Advance Distribution of Proposal (Sec.31)
- In case of detailed review, distribute proposals to evaluation committee members in advance
- Make a security policy to prevent leakage of proposals
Proposal Evaluation (Sec.32)
- Evaluate with proposals
- Check the identity of presenter
※ if the presenter is not PM, he can’t make a presentation
Review Time of Proposal and Adjustment of Evaluation Score (Sec.33)
- Make Review time of Proposal
  1. Less than 1 billion business : 90 Min.
  2. Less than 2 billion business : 120 Min.
  3. Less than 4 billion business : 150 Min.
  4. more than 1 billion business : 180 Min.
- Adjust Evaluation Score in case of suspicious situation
Publication of Technology Evaluation Result (Sec.34)
- In case of more than 2 billion business, make public the evaluation result
Unsealing a bidding price and Evaluation (Sec.35)
- After the technology evaluation, unseal a bidding price and evaluate it without delay
Technology and Price Negotiation (Sec.36)
- Refer to “National Contract Act”
- In case of changing the task, consider price for a subcontract also.
Chap. 5. Execution
Approval Application of subcontracting (Sec.37)
- The business operator submits an application to get approval for subcontracting
- Include approval application of subcontracting, detailed calculation report, business fulfillment plan of subcontracting (include detailed schedule) etc.
Subcontracting Approval (Sec.38)
- Check price for a subcontract
- In case of less than the standard of price for a subcontract, refuse it
- Give clear notice within 14 days; otherwise it is regarded as approved
Launching and Report (Sec.39)
- The business operator submits a business launching report within 10 days after contract
- If supplementation is needed, supplement it within 7 days
- Request a launching meeting, if needed
Subcontracting Management (Sec.40)
- The subcontractor submits a compliance report of subcontracting
- In case of non-fulfillment, report it to the Fair Trade Commission
Workplace (Sec.41)
- Decide workplace with the business operator
- Prepare workplace, if the budget doesn’t include the expense for workplace
- Consider remote place development, if it is possible
Human Resource Management (Sec.42)
- In case of FP, don’t use head-counting management
Compliance of Technology Application Planning (Sec.43)
- The business operator complies with the Technology Application Plan and submits the result
Standard Documents (Sec.44)
- Receive standard documents and keep them consistent to use in the time of operation and maintenance
Changing Tasks (Sec.45)
- Change task, if it is necessary
Procedure of Changing Tasks (Sec.46)
- Comply with the procedure according to “industrial development act” and “general condition of service contract”
Payment of Changing Tasks (Sec.47)
- Adjust the business expense according to “Enforcement decree of national contract act”
Integration Management of Information Resource (Sec.48)
- Register information resource to “National EA portal (www.geap.go.kr)”
- Use the system to manage the status and statistics of information resource
Auditing (Sec.49)
- Follow up the action plan for audit according to audit report
- Auditors write the compliance result between Technology application plan and the result
Chap. 6. Software Secure Coding
Principle of SW Secure Coding (Sec.50)
- Comply with SW secure coding
  In case of new development : all SW codes
  In case of maintenance : modified SW codes
Activity of SW Secure Coding (Sec.51)
- At the time of proposal evaluation, evaluate reasonability of the tools, procedures, method etc.
- Refer to “SW secure coding guide”
- Developers/programmers are trained in secure coding
Diagnosis standard of Security Weakness (Sec.52)
- Refer to mandatory diagnosis item
Diagnosis Procedure of Security Weakness (Sec.53)
- Diagnose and remove security weaknesses
- Include the diagnosis in the audit checklist
- Use tools to remove security weaknesses
- Business operators verify that security weaknesses have been removed
Diagnostician (Sec.54)
- Qualified experts
- Registered in Ministry of Security and Public Administration
- Management of Diagnostician
Chap.7. Examination and Operation
Compensation of Deferment (Sec.55)
- Calculate it according to “general condition of service contract”
Examination (Sec.56)
- Examine it according to “general condition of service contract”
- Check the compliance between Technology application plan and the result
- Check the non-conformity of Audit report to be corrected
Private Application of Information Resource (Sec.58)
- Share information resource with the private sector through “public data portal (www.data.go.kr)” or your own information system
Operation and Maintenance (Sec.59)
- In case of modification of systems, keep systems and documents consistent
- Make a manual of operation and maintenance through the business operator
Attribution of Intellectual Property and Deposit of Technical Data (Sec.60)
- Refer to “general condition of service contract”
Ref1) Structure of User Requirement
NO Requirement type code
1 System overview and Function list BR
2 Function requirement FR
3 Performance requirement PR
4 Quality requirement QR
4.1 reliability QRR
4.2 Availability QUR
4.3 Maintenance QMR
4.4 Portability QPR
4.5 Security QSR
5 Interface requirement IR
6 Data requirement DR
7 Operation requirement OR
8 constraints CO
Ref2) Flow of CBD documents
[Diagram: flow of CBD documents across the Analysis, Design, Implementation and Test stages. Documents shown include: RFP, Proposal, Business fulfillment plan, Meeting result, Requirement definition, Use case specification, Class design, Component design, User interface design, Entity relationship description, Database design, Data conversion and initial data design, Architecture design, Interface design, Test plan, Unit test case, Integration test scenario, System test scenario, Acceptance test scenario, Source code, Database table, Unit test result, Integration test result, System test result, Acceptance test result, User manual, Operator manual, System installation result, Requirement trace.]
Q & A