DEPARTMENT OF FOREIGN AFFAIRS
REQUEST FOR TENDER (422/7108) OPEN PROCEDURE
THE PROVISION OF A CONSULAR CASE MANAGEMENT AND
CRISIS RESPONSE MANAGEMENT SYSTEM
Tender Response Deadline: [07 March 2008]
Table of Contents
1 Introduction ............................................................................................................. 5
1.1 Overview .................................................................................................................. 5
2 General Statement of Requirements ....................................................................... 7
2.1 Consular Case Management System........................................................................ 7
2.1.1 Prisoner Case Requirements................................................................................ 7
2.2 Crisis Management System...................................................................................... 7
2.2.1 Integration with Citizen’s Registration facility..................................................... 8
2.3 Data Protection ........................................................................................................ 8
3 Detailed Specification of Functional Requirements................................................. 9
3.1 Consular Case Management System........................................................................ 9
3.1.1 Prisoner Case Requirements.............................................................................. 10
3.2 Crisis Management System.................................................................................... 11
3.3 Reporting requirements of Case Management and Crisis Management Solution 13
3.4 Application Administration .................................................................................... 14
4 Integration with existing ICT Infrastructure........................................................... 16
4.1 Storage Solutions .................................................................................................. 18
4.2 System Hardware Environments............................................................................ 18
4.3 Definition of Policies and Procedures .................................................................... 18
4.4 OWASP ‐ Secure Software Development............................................................... 18
4.5 Security Requirements........................................................................................... 19
5 Specification of Solution Delivery, Implementation, Training and Support Requirements..................................................................................................................... 21
5.1 Analysis and Design................................................................................................ 21
5.2 System Development ............................................................................................. 22
5.3 Provision of System, Integration, Stress, Performance and User Acceptance Test Environment........................................................................................................................ 22
5.4 System Test Planning/Execution............................................................................ 22
5.5 Integration/Stress and Performance Test Planning/Execution ............................. 23
5.6 User Acceptance Test Planning/Execution ............................................................ 23
5.7 Release Management ............................................................................................ 24
5.8 Implementation Planning/Implementation........................................................... 24
5.9 Integration of Solution with current Department Infrastructure. ......................... 24
5.10 User/System Documentation................................................................................. 24
5.11 Training Preparation/Delivery................................................................................ 25
5.12 Post Implementation Support................................................................................ 26
6 Qualification Requirement..................................................................................... 28
6.1 Completed Article 45 Declaration.......................................................................... 28
6.2 Completed Declaration of Bona Fides ................................................................... 28
6.3 Satisfactory evidence of the Professional and Technical Capacity needed to undertake the Project. ........................................................................................................ 28
7 Contract Award Criteria ......................................................................................... 30
8 Instructions to Respondents on Format, Content and Submission of Responses. 31
8.1 Format and Content of Responses......................................................................... 31
8.2 Submission of Responses ....................................................................................... 32
8.3 Query Handling ...................................................................................................... 33
8.4 Further Information ............................................................................................... 33
9 General Conditions of the Tender.......................................................................... 35
9.1 Treatment of Tenders ............................................................................................ 35
9.2 Evaluation of Tenders ............................................................................................ 35
9.3 No Contract ............................................................................................................ 35
9.4 Tax Clearance Certificate ....................................................................................... 35
9.5 Costs....................................................................................................................... 36
9.6 Confidentiality........................................................................................................ 36
9.7 Tender Validity Period............................................................................................ 37
9.8 Acceptance of Tender ............................................................................................ 37
9.9 Insurance Requirement.......................................................................................... 37
9.10 Governing Law and Jurisdiction ............................................................................. 37
9.11 Conflicts of Interest................................................................................................ 37
9.12 Financial Arrangements ......................................................................................... 38
APPENDIX I ......................................................................................................................... 39
DECLARATION ..................................................................................................................... 39
APPENDIX II ........................................................................................................................ 41
ICT Infrastructure ................................................................................................................ 41
APPENDIX III ....................................................................................................................... 42
Current Crisis Management Solution.................................................................................. 42
APPENDIX IV....................................................................................................................... 44
OWASP ‐ SECURE SOFTWARE DEVELOPMENT CONTRACT ................................................. 44
APPENDIX V........................................................................................................................ 50
Declaration of Bona Fides ................................................................................................... 50
APPENDIX VI....................................................................................................................... 51
Schedule of Costs ................................................................................................................ 51
1 Introduction
1.1 Overview
The Department of Foreign Affairs, through its network of consular offices overseas, provides consular assistance to Irish citizens who experience difficulties abroad, either as a result of individual circumstances or in cases of general emergency or natural disaster. These services are delivered on a 365 day a year, 24 hour a day worldwide basis under the overall management and direction of Consular Division at HQ in Dublin.
In consultation with Irish Embassies and Consulates abroad and, sometimes, those of our EU partners, the Consular Division of the Department of Foreign Affairs provides a range of services relating to the Consular protection of Irish citizens visiting or resident in other countries. Consular Assistance can take many forms, such as communicating with the local health or judicial authorities on behalf of an Irish citizen, arranging for the repatriation of human remains, liaising with family members, friends and social services in Ireland, and direct practical intervention by the nearest Irish Mission. While consular cases are many and varied, they can generally be broken down into four categories: welfare/illness, death, imprisonment and crisis response.
Annually the Department deals with several thousand requests for consular assistance from individual Irish citizens who encounter difficulties overseas. In the event of a major international incident which has the potential to impact the safety of Irish citizens abroad, the Department’s Consular Division in Dublin is required to lead Ireland’s response, in liaison with the Department’s consular offices in the affected areas. For example, during the Tsunami disaster in Asia in 2004, the Department dealt with over 3,000 calls at its Crisis Centre concerning over 1,200 people who were believed to be in or near the affected areas.
The demand for consular services continues to grow in line with the increasing numbers of Irish people travelling abroad. The provision of consular protection and assistance to Irish citizens abroad is a key priority for the Department. It is essential to the effective delivery of such services that the Department maintain a vigilant and accessible Consular Service which is capable of responding quickly and flexibly to individual or collective emergency situations wherever they may arise.
In addition, the Department is introducing a Citizen’s Registration facility on its website, www.dfa.ie. Data which is collected via this facility must be integrated into the Crisis Response solution.
To assist the Department and its consular missions in the effective delivery of consular services and crisis management response it has been decided to invite tenders from suitably qualified application developers/suppliers of Management Information Systems for the provision of the new system.
The requirements for general consular case management and crisis response management are specified separately purely for ease of reference. This does not imply two separate solutions and it is a key requirement that both elements must be interlinked so as to ensure close cohesion and to enable the crossover of these services.
The Department is prepared to consider proposals where the contractor:
(a) is the licensor of existing software and has the professional capability, resources, experience and personnel to enable adaptation (as required) of the software to provide an efficient and effective solution to meet the Department’s requirements; or
(b) has the professional capability, resources, experience and personnel to design, develop and implement a bespoke solution that meets the Department’s requirements.
2 General Statement of Requirements
The Department of Foreign Affairs has a requirement for a system with the following subcomponents:
‐ Consular Case Management System
  ‐ Prisoner Case Requirements
‐ Crisis Management System
  ‐ Integration with Citizen’s Registration facility
2.1 Consular Case Management System
An integrated set of management information tools is required to assist the Department’s staff who are involved in the delivery of consular services to Irish citizens, both at HQ and through its network of consular offices overseas.
The system must include a comprehensive, flexible reporting module enabling users of the system to view reports on a variety of areas with ease.
2.1.1 Prisoner Case Requirements
Consular Division has a particular requirement for a system to support the management of cases of Irish citizens imprisoned abroad. There will be specific data capture and workflow associated with such cases e.g. prison case details must include details of arrest, trial and parole dates, reason for imprisonment, visit dates, lawyer and prison addresses, history of assignments to prisons, details of any advance of funds, etc. In addition, while Consular currently manages prisoner and all other consular cases within the one unit, it is expected that a separate unit to manage prisoner cases may be set up in the future. Access to particular case streams should be restricted to only appropriate authorised staff. The Department asks Respondents to set out how these requirements will be met. There may be a requirement for other such categories in future.
2.2 Crisis Management System
The Department has a Crisis Response Plan which it will initiate should an international event have the potential to threaten the safety and welfare of Irish citizens abroad. The Department requires a crisis management solution to support the Department’s staff, at HQ and abroad, in responding effectively to calls for assistance from Irish citizens caught up in an emergency/disaster abroad and following the activation of the Department’s Crisis Response Plan. There is currently an interim solution in place to support Consular in the event the crisis response is initiated. Details of the type of data captured and reports generated are set out in APPENDIX III.
2.2.1 Integration with Citizen’s Registration facility
The Department will shortly launch a Citizen’s Registration facility on its website, www.dfa.ie. It is intended that the internal element of this facility will be managed within the framework of the solution implemented on foot of this RFT. Data from the website will be forwarded for storage on a database within the overall Consular solution. Responses should include details of a mechanism by which data collected via this facility can be integrated into the Crisis Response solution; the Department’s preference is that this process is fully automated. Data to be captured under the Citizen Registration system is broadly similar to the data captured for the Crisis Response system. The Citizen’s Registration facility, like all other elements of the proposed solution, must fully adhere to Data Protection requirements, in particular around access to and storage of data as well as the automated deletion of data in the appropriate timeframe. The data collected for this purpose must only be used for the purpose indicated. Responses should set out any requirements from data structure and technology infrastructure perspectives.
2.3 Data Protection
Given the nature of the data being held in any element of the Consular Management system, any solution proposed must ensure compliance with the Data Protection Acts 1988 and 2003. Responses should clearly set out how the obligations on the Department under the Data Protection Acts will be met.
Details of the Data Protection Acts 1988 and 2003 can be found here:
http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html
http://www.irishstatutebook.ie/2003/en/act/pub/0006/index.html
3 Detailed Specification of Functional Requirements
3.1 Consular Case Management System
An integrated set of management information tools is required to assist the Department’s staff who are involved in the delivery of consular services to Irish citizens, both at HQ and through its network of consular offices overseas.
Workflow elements will be required to support the provision of services and management of cases by staff at multiple locations – the extent of the workflow will vary depending on case types.
The system must:
allow authorised staff at multiple locations in the Department to collaborate, through the solution provided, in the provision of consular services;
support the recording of all requests for consular assistance and, depending on the type of assistance required, incorporate the appropriate workflow process(es) to be followed to ensure quality delivery of service;
support a range of different case categories, e.g. advance of funds, lost passport, arrest, deportation, repatriation, illness, death. The system must support sub‐categories, e.g. drowning or motor accident might be subcategories under death of an Irish citizen abroad. It must be possible for these additional categories to be input by Department staff. Note: this list is not exhaustive and the system should be flexible enough to extend to further categories over the lifetime of the solution;
capture a core set of details for all case types, e.g. name, date and place of birth, travel documentation, contact details for family in Ireland, officers involved in the provision of the services, etc;
capture all detailed information relevant to each case type/category, e.g. details of any advance of funds, reason for advance, etc;
associate particular workflows to particular case types. Workflow is seen as critical in ensuring consistent delivery of service from any location;
allow staff at any office of the Department to create a new case at any time;
be capable of allowing multiple staff at multiple locations to record any interactions and information relevant to any case;
support the recording of all interactions associated with any case/incident;
be capable of assigning case handlers;
be capable of monitoring the progress of individual cases;
enable staff in Consular to identify if particular individuals have a history of requiring assistance;
have a system audit trail which should record by whom case notes, actions, etc, on a case are entered;
have a case notes function which must support the detailing of all action taken in a case by staff at the local Mission or at Consular Division HQ. The notes function will be key to supporting the development of the history of a case and, when relevant, providing background on previous cases involving the same person/parties;
allow for relevant documents to be attached to a particular case, e.g. files, emails, scanned documents, photographs, etc;
have a communications function to enable staff involved with a case to be alerted to any updates on the case or to an action they may be required to undertake. It should be possible to differentiate between communications for information purposes and those on foot of which an action may be required. This communications function should be supported by the workflow management elements that might be appropriate to particular case types/categories, e.g. the person responsible for the management of a long term prisoner case should be alerted when the next visit is due;
have a workflow process to support the closure of a case. This should include recording final observations, the printing of the case details and all associated notes and documents and the archiving of the file;
include a flexible and intelligent search facility, e.g. partial keywords, near match, sound‐alike, etc. The search facility should search live and archived cases and return details of both in the results displayed;
be sufficiently flexible to allow new categories/case types to be added; such new categories may or may not have a requirement for workflow support; this must be an administrative role carried out by Department staff;
include a mechanism which supports Consular Division in having visibility of all newly opened cases, regardless of location, e.g. a bulletin board which shows all newly opened cases & other information of particular relevance to Consular Division. Staff in Consular Division must be able to “subscribe” to any case to monitor updates/additions/changes in status, bearing in mind the Data Protection Acts.
3.1.1 Prisoner Case Requirements
The Department requires a system to capture all detailed information relevant to each Prisoner case. This can be integrated into the overall case management solution provided that it is possible to easily identify and report on individual or all prisoner cases. In addition, as set out earlier, the Department may set up a new unit whose sole purpose will be the management of prisoner cases. Any solution proposed must allow only the appropriately authorised staff access to these cases and case details.
In addition to the requirements set out in section 3.1, the prisoner case management system must:
capture all detailed information relevant to the prisoner case type/category, including details of arrest, trial and parole dates, reason for imprisonment, visit dates, lawyer and prison addresses, history of assignments to prisons, details of any advance of funds, etc.;
associate particular workflows with the management of prisoner case types; this is essential, e.g. regular visits are required, details of which should be recorded, and the system should prompt case handlers when the next visit is due to be scheduled.
3.2 Crisis Management System
The Department has a requirement for a system to support the implementation of its Crisis Response Plan which will be activated in response to an international incident which may impact on the safety of Irish citizens abroad. Accordingly, the Department requires a crisis management solution to support the Department’s staff, at HQ and abroad, in responding effectively to calls for assistance from Irish citizens caught up in an emergency/disaster abroad, their friends/family and following the activation of the Department’s Crisis Response Plan. Details of the Department’s existing system are set out in APPENDIX III.
While not an absolute requirement, the Department has a preference that the user interface of the crisis and consular case management applications be similar to minimise training and for ease of use.
The solution must:
allow appropriately authorised staff to have access to this service;
support the recording of all enquiries and the management of any cases involving Irish citizens following the activation of the Department’s incident response;
capture a core set of details for all enquiries, e.g. enquirer’s name, contact details, relationship to the affected person, affected person’s name, gender, date and place of birth, passport details, etc;
enable linkages to be set up between multiple affected persons, tour groups, etc;
have an associated “level of concern” for each case which can be updated as the case progresses. Details of these levels will be decided by Consular Division; the system should be sufficiently flexible to allow changes to these levels following the outcome of a review of the effectiveness of the response to a particular international incident. Any such changes should be within the capacity of the Department to implement and not require any external assistance;
have the capability to log all interactions on a case, be they from concerned relatives or the individuals affected, and record any actions taken;
be capable of allowing multiple staff at multiple locations to record any interactions and information relevant to any case;
have a case notes function which must support the detailing of all action taken in a case by staff at the local Mission or at Consular Division HQ;
allow for relevant documents to be attached to a particular case, e.g. files, emails, scanned documents, photographs, etc;
have a communications function to enable staff involved with a case to be alerted to any updates on the case or to an action they may be required to undertake. It should be possible to differentiate between communications for information purposes and those on foot of which an action may be required. This communications function should be supported by the workflow management elements;
include a flexible and intelligent search facility, e.g. partial words, near match, sound‐alike, etc.
The system audit trail should show by whom case notes and actions on a case are entered and should track changes in the level of concern assigned to each case, etc. The solution must also be capable of supporting multiple “live” incidents to cater for the possibility of Irish citizens being caught up in a number of independent crises.
The solution should have a mechanism to check for possible duplicate cases and provide a workflow mechanism to ensure such cases can be associated, i.e. to cater for the possibility that multiple people will enquire about the same person and also where the operators may not all use the same spelling when recording names. Ideally the system should include an alerting mechanism highlighting possible duplicates.
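As an added illustration of the duplicate-check requirement above (example code written for this page; it is not part of the RFT or of any Department system), the following combines a Soundex phonetic key, which catches sound-alike spellings, with a normalised Levenshtein edit distance, which catches near matches. A conflicting date of birth rules a pair out, and matches are only flagged for an authorised operator to associate, never merged automatically. The record field names and the sample records are constructed.

```python
"""Possible-duplicate detection for crisis enquiry records (added example).

Field names ('case_id', 'affected_name', 'dob') and SAMPLE_RECORDS are
constructed for illustration; they are not taken from any real system.
"""
import unicodedata


def normalise(name: str) -> str:
    """Fold accents, case and punctuation so 'Ó Murchú' and 'O Murchu' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    letters = "".join(c for c in stripped.lower() if c.isalpha() or c.isspace())
    return " ".join(letters.split())


_SOUNDEX_CODES = {
    letter: digit
    for digit, group in (("1", "bfpv"), ("2", "cgjkqsxz"), ("3", "dt"),
                         ("4", "l"), ("5", "mn"), ("6", "r"))
    for letter in group
}


def soundex(word: str) -> str:
    """Classic four-character Soundex code; vowels reset the run, h and w do not."""
    word = normalise(word).replace(" ", "")
    if not word:
        return ""
    code = word[0].upper()
    previous = _SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        digit = _SOUNDEX_CODES.get(ch, "")
        if digit and digit != previous:
            code += digit
        if ch not in "hw":
            previous = digit
    return (code + "000")[:4]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row of the DP table."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,          # deletion
                               current[j - 1] + 1,       # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical normalised names, falling towards 0.0 as edits accumulate."""
    a, b = normalise(a), normalise(b)
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def phonetic_key(full_name: str) -> tuple:
    """Soundex of each name token, so 'Mary Murphy' and 'Marie Murfy' share a key."""
    return tuple(soundex(token) for token in normalise(full_name).split())


def possible_duplicate(rec_a: dict, rec_b: dict, threshold: float = 0.8) -> bool:
    # Two different recorded dates of birth rule the pair out; a missing one does not.
    dob_a, dob_b = rec_a.get("dob"), rec_b.get("dob")
    if dob_a and dob_b and dob_a != dob_b:
        return False
    name_a, name_b = rec_a["affected_name"], rec_b["affected_name"]
    return (phonetic_key(name_a) == phonetic_key(name_b)
            or similarity(name_a, name_b) >= threshold)


def find_possible_duplicates(records: list, threshold: float = 0.8) -> list:
    """Return (case_id, case_id) pairs that an operator should review for association."""
    alerts = []
    for i, rec_a in enumerate(records):
        for rec_b in records[i + 1:]:
            if possible_duplicate(rec_a, rec_b, threshold):
                alerts.append((rec_a["case_id"], rec_b["case_id"]))
    return alerts


SAMPLE_RECORDS = [  # constructed data, not real cases
    {"case_id": "C001", "affected_name": "Seán Ó Murchú", "dob": "1975-04-12"},
    {"case_id": "C002", "affected_name": "Sean O Murchu", "dob": "1975-04-12"},
    {"case_id": "C003", "affected_name": "Mary Murphy", "dob": None},
    {"case_id": "C004", "affected_name": "Marie Murfy", "dob": "1982-09-30"},
    {"case_id": "C005", "affected_name": "Mary Murphy", "dob": "1990-01-01"},
    {"case_id": "C006", "affected_name": "John Byrne", "dob": "1966-02-02"},
]

if __name__ == "__main__":
    for pair in find_possible_duplicates(SAMPLE_RECORDS):
        print("possible duplicate:", pair)
```

The alert list is the output a workflow step would present to the operator; whether two enquiries are in fact about the same person remains a human decision, which is why the check deliberately tolerates a missing date of birth but never overrides a conflicting one.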
From time to time there may be a need for crossover functionality with the Consular Case Management System where longer term cases are no longer handled in crisis response mode. The system should allow for the “transfer” of a case to the general case management solution while retaining the history of the case within the Crisis Response solution for reporting purposes.
3.2.1 Integration with Citizen’s Registration facility
In early 2008 the Department intends to introduce a Citizen’s Registration facility on its website, www.dfa.ie. Responses should include details of a mechanism by which data collected via this facility can be integrated into the Crisis Response solution. This process must be fully automated. Data to be captured under the Citizen Registration system is similar to the data captured in the Crisis Response solution. There must be automated management of the data once it is on the system and it must comply with the Data Protection Acts, 1988 and 2003, e.g. once the information has expired it must be deleted; this must be an automated task. Responses should set out any requirements from data structure and technology infrastructure perspectives.
3.3 Reporting requirements of Case Management and Crisis Management Solution
The system must include:
a comprehensive, flexible reporting module enabling users of the system to view reports on a variety of areas with ease. The types of reports required will vary from a more management focus by the Consular Division HQ, to those with a more operational focus by individuals locally delivering services. The reporting tool provided must be sufficiently flexible to cater for both requirements.
a standard set of reports which must be available making it possible to generate up‐to‐the minute reports on any and all case categories and subcategories, e.g. number of open advance of funds cases, number of open prisoner cases, list of prisoner cases where scheduled visits are due, number of deaths caused by drowning, etc, amount of monies advanced/repaid in a period, etc. These reports will be identified as part of the functional specifications development phase. See APPENDIX III for details of reports on the existing Crisis Response database. The new system must include such reports at a minimum;
the provision for reports with a statistical focus indicating trends, e.g. increased demand for a particular service in a particular country/region.
The system should:
provide a set of regularly used reports, e.g. end of month reports on cases/incidents by location/globally etc.
have the capability for users to easily generate ad hoc reports as required. Training for Consular Division in the use of this tool is a requirement and should be included as part of the Training proposals. It should be possible to export reports from the system into a variety of formats for circulation, e.g. PDF, Microsoft Excel, etc.
Some reports will be required long term. Therefore there will be a need to hold some data so that it can be used for long term reporting and still comply with the Data Protection Acts.
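One way to reconcile long-term reporting with the automated deletion required in 3.2.1, shown here as an added example (written for this page; not part of the RFT or of any Department system): personal data carries a retention date and is purged by a scheduled job, while an anonymised count per country and month is recorded at registration time and survives the purge, so trend reports need no personal data. Every purge is written to an audit trail. Table names, columns, the 30-day retention period and the sample registrations are all constructed.

```python
"""Automated retention enforcement for Citizen's Registration data (added example).

Schema, RETENTION_DAYS and the sample registrations are constructed for
illustration; the real retention period is a Department policy decision.
"""
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 30  # constructed value

SCHEMA = """
CREATE TABLE registration (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    passport_no TEXT NOT NULL,
    country TEXT NOT NULL,
    travel_end TEXT NOT NULL,    -- ISO date
    retain_until TEXT NOT NULL   -- ISO date; ISO strings compare correctly as text
);
CREATE TABLE registration_stats (
    country TEXT NOT NULL,
    month TEXT NOT NULL,         -- YYYY-MM
    registrations INTEGER NOT NULL,
    PRIMARY KEY (country, month)
);
CREATE TABLE audit_trail (
    at TEXT NOT NULL, actor TEXT NOT NULL, action TEXT NOT NULL, detail TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register(conn, name: str, passport_no: str, country: str, travel_end: date) -> None:
    """Store a registration and update the anonymised aggregate in the same step."""
    retain_until = travel_end + timedelta(days=RETENTION_DAYS)
    conn.execute(
        "INSERT INTO registration (name, passport_no, country, travel_end, retain_until) "
        "VALUES (?, ?, ?, ?, ?)",
        (name, passport_no, country, travel_end.isoformat(), retain_until.isoformat()),
    )
    month = travel_end.strftime("%Y-%m")
    updated = conn.execute(
        "UPDATE registration_stats SET registrations = registrations + 1 "
        "WHERE country = ? AND month = ?", (country, month)).rowcount
    if updated == 0:
        conn.execute("INSERT INTO registration_stats VALUES (?, ?, 1)", (country, month))
    conn.commit()


def purge_expired(conn, today: date, actor: str = "retention-job") -> int:
    """Delete every registration whose retention date has passed; return the count."""
    expired = [row[0] for row in conn.execute(
        "SELECT id FROM registration WHERE retain_until < ?", (today.isoformat(),))]
    if expired:
        conn.executemany("DELETE FROM registration WHERE id = ?", [(i,) for i in expired])
        # The audit entry records the event without re-storing the deleted personal data.
        conn.execute("INSERT INTO audit_trail VALUES (?, ?, ?, ?)",
                     (today.isoformat(), actor, "PURGE_EXPIRED",
                      f"deleted registration ids {expired}"))
    conn.commit()
    return len(expired)


def registrations_by_country_month(conn) -> dict:
    """Aggregate available for trend reporting regardless of what has been purged."""
    return {(c, m): n for c, m, n in conn.execute(
        "SELECT country, month, registrations FROM registration_stats "
        "ORDER BY country, month")}


def demo() -> dict:
    """Three constructed registrations; the retention job runs on 2008-03-01."""
    conn = open_db()
    register(conn, "Constructed Traveller A", "PX0000001", "TH", date(2008, 1, 10))
    register(conn, "Constructed Traveller B", "PX0000002", "TH", date(2008, 1, 20))
    register(conn, "Constructed Traveller C", "PX0000003", "AU", date(2008, 3, 1))
    deleted = purge_expired(conn, date(2008, 3, 1))
    remaining = conn.execute("SELECT COUNT(*) FROM registration").fetchone()[0]
    audit_rows = conn.execute("SELECT COUNT(*) FROM audit_trail").fetchone()[0]
    return {"deleted": deleted, "remaining": remaining, "audit_rows": audit_rows,
            "stats": registrations_by_country_month(conn)}


if __name__ == "__main__":
    print(demo())
```

Recording the aggregate at write time, rather than computing it at purge time, means the reporting figures cannot drift if a purge run fails half-way, and the statistics table never contains anything that identifies a person.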
Reporting capabilities should be available to Consular Division HQ and to Missions.
3.4 Application Administration
Responses must include full details of the application administration functions that will be associated with the proposed solution. Consular Division HQ will be responsible for any application administration functions, e.g. generating a new template for every crisis response incident.
Consular Division HQ will have a central role in the administration of the solution in order to ensure delivery of services to the required standards.
Consular Division will be responsible for defining the various roles that should exist within the system. Roles will determine to what areas of the system/functions users have access. There is a requirement to allow for differing levels of access to elements of an individual case, e.g. only the Mission involved and the Consular Divisions HQ staff might be approved for access to documents attached to an individual case. Consular Division will also be responsible for role management and assigning users and roles.
Role based access to the solution is seen as key to ensuring only authorised users have access to only those areas of the solution appropriate to their specific area.
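An added example of the role model described above (written for this page; not part of the RFT or of any Department system): directory group memberships are mapped to application roles, each role is allowed a set of case streams with deny as the default, attachments are further restricted to the handling Mission and HQ, and every decision is appended to an audit trail. Group names, role names, mission codes and case fields are constructed; in a real deployment the groups would come from the user's Active Directory token.

```python
"""Role-based access decisions driven by directory group membership (added example).

GROUP_ROLES, ROLE_STREAMS, the mission codes and the case fields are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed mapping from directory security groups to application roles.
GROUP_ROLES: Dict[str, str] = {
    "DFA-Consular-HQ": "hq_officer",
    "DFA-Consular-Prisoner-Unit": "prisoner_officer",
    "DFA-Mission-Staff": "mission_officer",
    "DFA-Consular-Admin": "app_admin",
}

# Case streams each role may see; anything not listed is denied.
ROLE_STREAMS: Dict[str, Set[str]] = {
    "hq_officer": {"general", "crisis"},
    "prisoner_officer": {"prisoner"},
    "mission_officer": {"general", "crisis", "prisoner"},
    "app_admin": set(),  # administers roles and users, reads no case data
}


@dataclass
class User:
    name: str
    ad_groups: Set[str]
    mission: str  # "HQ" or a constructed post code such as "BKK"


@dataclass
class Case:
    case_id: str
    stream: str
    mission: str  # Mission handling the case
    documents: List[str] = field(default_factory=list)


AUDIT: List[dict] = []


def roles_for(user: User) -> Set[str]:
    """Unknown groups confer nothing, so a user outside the mapping has no access."""
    return {GROUP_ROLES[g] for g in user.ad_groups if g in GROUP_ROLES}


def _stream_visible(user: User, case: Case) -> bool:
    return any(case.stream in ROLE_STREAMS.get(role, set()) for role in roles_for(user))


def _audit(user: User, action: str, case_id: str, allowed: bool) -> None:
    AUDIT.append({"actor": user.name, "action": action, "case_id": case_id,
                  "outcome": "ALLOW" if allowed else "DENY"})


def can_view_case(user: User, case: Case) -> bool:
    allowed = _stream_visible(user, case)
    _audit(user, "VIEW_CASE", case.case_id, allowed)
    return allowed


def can_view_documents(user: User, case: Case) -> bool:
    """Attachments: stream access is necessary but only HQ and the handling Mission qualify."""
    allowed = _stream_visible(user, case) and user.mission in ("HQ", case.mission)
    _audit(user, "VIEW_DOCUMENTS", case.case_id, allowed)
    return allowed


def denied_events() -> List[dict]:
    """Denied attempts are what a reviewer of the audit trail looks at first."""
    return [event for event in AUDIT if event["outcome"] == "DENY"]


def demo() -> List[dict]:
    hq = User("hq.officer", {"DFA-Consular-HQ"}, "HQ")
    bkk = User("bkk.officer", {"DFA-Mission-Staff"}, "BKK")
    general = Case("G-0001", "general", "BKK", ["note.pdf"])
    prisoner = Case("P-0001", "prisoner", "CBR")
    can_view_case(hq, general)        # ALLOW
    can_view_case(hq, prisoner)       # DENY: prisoner stream is a separate role
    can_view_documents(bkk, prisoner)  # DENY: case handled by another Mission
    return denied_events()


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Keeping the stream check and the Mission check in one place, with the audit write beside them, is what makes the requirement verifiable: the audit trail records every denial as well as every grant, and a new case stream cannot become visible to a role until someone adds it to the mapping.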
In the Crisis Response solution it must be possible for users assigned the appropriate role to “create” an instance of the solution in response to a particular crisis situation and have it immediately available for use.
Assuming that, over its lifetime, the solution will be used to support the response to multiple crises, the requirement is that each instance will be identifiable, including any records associated with that instance. Responses must detail how this scenario will be supported. It is a requirement to keep each instance for historical and reporting purposes.
The process to create an instance should include assigning a name, description etc, as defined by Consular Division, and recording relevant associated details as appropriate to that instance. Exact details of requirements will be established during the development of the functional requirements phase.
Consular Division HQ is responsible for both the initiation of the Crisis Response and the stand‐down of that response. Responses must include details of the “close‐out” procedure that will be required at the end of an incident.
It is a requirement that any cases, which are on‐going after a crisis response has formally been stood down, should be migrated/transferred to the general consular case management application.
Responses should include details of how Consular Division can leverage the application to disseminate policy and procedure manuals on how services are to be delivered.
4 Integration with existing ICT Infrastructure
Any solution proposed must be consistent with the Department’s ICT infrastructure as set out in Appendix II.
The solution must leverage the Microsoft Active Directory Service for user authentication and, where possible, assigning access to the various elements and roles within the solution.
A key element of the Department’s ICT Strategy is the centralisation of services. Accordingly the Department expects any solution will be installed at HQ but available to all offices of the Department connected via the Department’s communications infrastructure. Some of this infrastructure is satellite based and solutions should cater for any potential issues associated with high latency satellite communications (600 ms avg.).
The Department expects any solution will be web‐based, browser independent, accessible via a link on the Intranet and not require any local client installation.
The Department has an existing Microsoft SQL cluster in place and will expect any solution proposing MS SQL to have its database(s) hosted on the SAN and cluster.
All applications and application servers must conform to the Department’s security requirements, including hardening of server operating system and application software.
The successful Respondent will be expected to workshop with the ICT Unit through design and implementation phases. Formal signoff by the ICT Unit is a requirement for both the design and implementation.
The successful Respondent will be expected to work with the ICT Unit around the specification and installation of any hardware and software required for the solution. The successful provider will be expected to work with the ICT Unit’s Security Team to ensure the application and any associated servers and services are appropriately secured.
The successful Respondent will be expected to work with the ICT Unit to ensure the appropriate backup and recovery policy is implemented for the solution. Responses should set out the high level design for back up and recovery of the solution.
In accordance with the Data Protection Acts, 1998 and 2003, there must be a facility for controls so that only appropriately authorised people can access the data. All rights must be managed through Active Directory.
The contractor may be required to provide additional unforeseen items of software, hardware or services in order to ensure satisfactory delivery and implementation of the project. Costings for such additional items will be agreed in advance between the Department and the contractor in accordance with the change order procedures set out in the contract. All changes, however small, must go through a formal change control process in the Department. Requests must be submitted in a pre‐determined format to the Department’s ICT Change Control Committee, who will review and must approve every change. The Department reserves the right to procure additional items of hardware or software separately. In the event that the cost of any additional items or service exceeds €250,000 or 25% of the contract award price, whichever is lower, a separate tender process shall be conducted.
Responses must include a list of all necessary software for the Consular Case Management and Crisis Management components in this procurement in the production environment, including operating system, database applications and supporting software modules. The Department reserves the right to provide the necessary operating system, database applications and supporting software modules, which would be at least to the minimum specification that the Respondent proposes.
All Pre‐Existing Intellectual Property Rights (IPR) shall remain the sole property of the Party who owned, acquired or developed such IPR.
The Minister or the Minister’s nominee shall own all Newly Created Copyright in any materials developed pursuant to this Project, including reports, databases and other materials. The successful Respondent will be required, in the Contract, to assign all intellectual property rights created as a result of the project to the Minister or the Minister’s nominee. The Minister will remain the sole owner of all data and end‐products e.g. instrumentation, reports, studies and any other related items or documents, irrespective of whether or not the project terminated prior to its completion. However, the Minister will consider and not unreasonably withhold consent to any applications for royalty free, non‐transferable, non‐exclusive licences to utilise the intellectual property rights subject to the necessary protections, which may arise under Data Protection legislation.
4.1 Storage Solutions
It is expected that any solution will be implemented on the Department’s existing Storage Area Network and as such the solution will significantly impact existing facilities for data storage. Respondents must specify anticipated data storage requirements and liaise with the Department in relation to storing data on the Department’s SAN.
The Respondent must specify and cost all necessary hardware required to support the data storage requirements of the Consular Case Management and Crisis Management solution.
4.2 System Hardware Environments
The Respondent should advise how best to facilitate a development, production, training and User Acceptance Testing environment. It is not acceptable to conduct any development, training or patch updates on the production environment.
4.3 Definition of Policies and Procedures
The successful Respondent will be required to play a key role in the definition of policies and procedures to support the operation of the solution. Under the guidance of the Department, these will include, but may not necessarily be limited to:
Security policies & procedures;
Data & Storage Management procedures;
Performance Monitoring and Tuning procedures;
Content Administration procedures;
Detailed operations manuals, including a description of all required operating and administrative procedures; and
Disaster Recovery and failover procedures.
4.4 OWASP ‐ Secure Software Development
Compliance with the OWASP (Open Web Application Security Project) Guide ‐ http://www.owasp.org/index.php/Category:OWASP_Guide_Project is essential. See APPENDIX IV. OWASP is an open‐source project that provides a very comprehensive model for the development of secure web based applications. It has been widely adopted throughout the world as a model of Best Practice and has also been endorsed and recommended by several well known organisations.
4.5 Security Requirements
The following points must be taken into consideration:
In the event that the application is not bespoke developed for the Department, it is essential that the application should be consistent with the principles of the OWASP when a security audit is performed.
A security audit (penetration test) will be performed as part of the testing phase by a third party selected by the Department.
It is desirable that all data pertaining to Citizens that is stored in the database or file storage system of the proposed solution is encrypted to an internationally recognised standard using an accredited algorithm. Detailed encryption key management routines and procedures must be provided.
All authentication data must be encrypted in transit across the Department's network.
Authentication must be integrated with the Department's existing authentication system, Microsoft Active Directory. Authorisation of authenticated users to access information within the system must be based on the Active Directory user or group membership.
All access to the system and queries/updates to the system and the data must be audited and these audit trails or logs must be preserved in a sound and secure manner and tools made available to review them. Exceptions to normal/authorised usage patterns must be alerted to management.
Where SSL is not used for a complete session other than authentication, the supplier must demonstrate that no details will be left behind in browser caches or other file locations on the hard disk of the machine from which the application is being accessed.
A facility to implement controls pertaining to the Department's obligations under the Data Protection Acts, i.e. expiry and deletion of data as appropriate based on time etc. must be provided.
When designing the application, the successful provider will be required to map out administrative functionality and ensure that appropriate access controls and auditing are in place. The necessary audit and traceability of administrative functionality must be provided.
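The audit‐trail requirement above (logs preserved in a sound and secure manner, tools made available to review them, and exceptions to normal usage alerted to management) could be met along these lines. This is an added example and not part of the RFT or any bidder's solution; its record layout, Active Directory group names, business hours and thresholds are assumptions.

```python
"""Audit-trail review for the case management system (added example).

Constructed audit records are chained with SHA-256 so that an edited or
removed record is detectable, then scanned for exceptions to normal usage
that should be alerted to management. Field layout, AD group names,
business hours and thresholds are assumptions for illustration only.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): when, user, AD group, action,
# case id, outcome. The last user performs a burst of 30 reads in 30 minutes.
SAMPLE = [
    ("2008-03-10T09:05:00", "jbloggs", "Consular-Caseworkers", "READ",   "CASE-1001", "OK"),
    ("2008-03-10T09:07:00", "jbloggs", "Consular-Caseworkers", "UPDATE", "CASE-1001", "OK"),
    ("2008-03-10T09:20:00", "mmurphy", "ICT-Admins",           "READ",   "CASE-1002", "DENIED"),
    ("2008-03-10T23:40:00", "akelly",  "Consular-Caseworkers", "READ",   "CASE-1003", "OK"),
] + [
    (f"2008-03-10T14:{m:02d}:00", "pwalsh", "Consular-Caseworkers", "READ",
     f"CASE-{2000 + m}", "OK")
    for m in range(30)
]

CHAIN_SEED = "consular-audit-v1"   # assumed fixed seed for the first record
BUSINESS_HOURS = range(8, 19)      # assumed 08:00-18:59 local time
BULK_LIMIT = 20                    # assumed: 20 successful reads within WINDOW
WINDOW = timedelta(minutes=30)


def chain_hash(prev: str, fields) -> str:
    """Hash of the previous chain value and this record's fields."""
    return hashlib.sha256("|".join((prev, *fields)).encode()).hexdigest()


def build_log(rows):
    """Turn raw rows into records, each carrying a chain value."""
    log, prev = [], CHAIN_SEED
    for when, user, group, action, case, outcome in rows:
        prev = chain_hash(prev, (when, user, group, action, case, outcome))
        log.append({"when": datetime.fromisoformat(when), "user": user,
                    "group": group, "action": action, "case": case,
                    "outcome": outcome, "chain": prev})
    return log


def verify_chain(log) -> bool:
    """True only if every record still matches the chain it was written with."""
    prev = CHAIN_SEED
    for e in log:
        fields = (e["when"].isoformat(), e["user"], e["group"],
                  e["action"], e["case"], e["outcome"])
        if chain_hash(prev, fields) != e["chain"]:
            return False
        prev = e["chain"]
    return True


def find_exceptions(log):
    """Return (kind, user, detail) tuples for usage outside normal patterns."""
    alerts, reads = [], defaultdict(list)
    for e in log:
        if e["outcome"] == "DENIED":               # authorisation refused
            alerts.append(("denied-access", e["user"], e["case"]))
        if e["when"].hour not in BUSINESS_HOURS:   # out-of-hours access
            alerts.append(("out-of-hours", e["user"], e["case"]))
        if e["action"] == "READ" and e["outcome"] == "OK":
            reads[e["user"]].append(e["when"])
    for user, times in reads.items():              # bulk reads in a window
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= BULK_LIMIT:
                alerts.append(("bulk-read", user,
                               f"{end - start + 1} reads within {WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    log = build_log(SAMPLE)
    print("chain intact:", verify_chain(log))
    for alert in find_exceptions(log):
        print(*alert)
```

In a deployed system the chain value of the latest record would be held outside the database (for example with the ICT Unit's Security Team) so that a tampered log cannot simply be re‐chained.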
5 Specification of Solution Delivery, Implementation, Training and Support Requirements
Responses must include how the Respondent plans to ensure the completion of this project within the time and budget specified in their proposal. A communications strategy is seen as a key element to ensure requirements are fully captured and that the project proceeds at the appropriate pace. Equally key are the resources assigned to the project and their capabilities to interact successfully with the user community involved, the ICT Unit, the Project Management Team and Project Board. The following requirements must be addressed, point by point, both in the Financial Proposal and the Project Implementation Plan. The steps below are required regardless of whether this is an off‐the‐shelf or bespoke application.
5.1 Analysis and Design
The successful Respondent will be required to undertake detailed functional requirements analysis at the project outset to fully understand the business process requirements that the system will need to support. This will involve a number of workshops in Dublin with personnel in Consular Division as well as the Department’s ICT Unit. There may also be a requirement for up to two workshops with Missions abroad which have particularly high consular workloads.
A key deliverable from this phase will be a comprehensive functional specification and set of business process requirements documents. These will be subject to formal approval and sign off by the Department before proceeding to the next stage of the project. The functional requirements documents are critical to the success of the application. These must be comprehensive and include not only those areas discussed at workshops but elements such as application administration, etc. Respondents must set out in their proposals how their approach will ensure that the process to develop the functional requirements will bring innovation to the solution and ensure the documentation produced will encompass the entirety of the solution.
The successful Respondent will be required to develop and present a full system solution design, which must be agreed with the Department. The Department requires that the formulation of the solution architecture includes several workshops with the Department’s ICT Unit. Key areas for consideration will be implementation into the existing infrastructure, performance at missions and security. The solution design will require formal sign off by the ICT Unit.
Detailed system documentation is a requirement. The successful Respondent must use the Department’s Design and Configuration documents and templates (which will be provided to the successful Respondent) to the level of detail specified by the Department. These documents and templates will be provided to the successful bidder and should be updated and maintained as architecture updates occur at any stage during the lifetime of the Consular Case Management solution and Crisis Management solution development process up to and including implementation.
Respondents must outline the supporting processes that they will use to ensure that the development of functional specifications and solution design will be comprehensive, e.g. project management, risk management, communications management, milestone achievement etc.
5.2 System Development
If required, the successful Respondent will be expected to build a development environment for the new solution, with the assistance of the ICT Unit where appropriate. The Respondent must state the recommended specification of all hardware and software required and cost of same. The Department reserves the right to provide the necessary hardware, which would be at least to the minimum specification that the Respondent proposes. The Respondent must be responsible for the installation of all necessary hardware and software and the development/configuration and testing of the solution platform components to be provided in this procurement. Any such installations must comply with the ICT Unit’s requirements for the build and securing of infrastructure.
5.3 Provision of System, Integration, Stress, Performance and User Acceptance Test Environment
Respondents must specify the necessary hardware for the test environment and procure & install all necessary software, as appropriate, for the solution components to be provided in this procurement (making best use of existing hardware and software). All hardware, software and configuration must be priced separately.
5.4 System Test Planning/Execution
There will be a project review point before approval to enter into System Test. The system as delivered for the System Test phase must fully reflect the agreed functionality in the Functional Requirements documents. A number of demonstrations of the system to the Department and a report at the end of the process will be required during the development phase with sign‐off required to proceed to System Test.
The successful Respondent will be expected to work with the ICT Unit to build the test environment to meet the Department’s ICT requirements.
The successful Respondent must:
prepare a comprehensive System Test plan, approved by the Department, for the solution components to be provided in this procurement;
execute the System Test plan and resolve any issues where the components do not function as defined in the functional specification and any technical design specification documents; and
work with the Department to determine key functions to be incorporated in the System test plan, including sign off and acceptance criteria.
5.5 Integration/Stress and Performance Test Planning/Execution
Regardless of whether the application is off‐the‐shelf or bespoke, the successful Respondent must:
work with the Department to determine the required level of stress testing, simulating actual application volumes, predicted growth volumes, effect on the Department staff workload.
prepare a comprehensive Integration/Stress and Performance Test Plan covering all elements of the solution and associated systems, including cross‐functionality between both and produce a report for the Department.
execute the Integration/Stress and Performance Test Plan and resolve any issues where the solution components in this procurement do not function as agreed in the functional specification and any technical design specification documents and assist in the resolution of issues related to other components.
5.6 User Acceptance Test Planning/Execution
Regardless of whether the application is off‐the‐shelf or bespoke, the successful Respondent must:
support User Acceptance testing of all elements of the solution and associated systems;
resolve any issues where the components in this procurement do not function as agreed in the functional specification document and assist in the resolution of issues related to other components;
work with the Department staff on back office processes to ensure that provided functionality fully meets the requirements identified as part of the functional specification; and
train the Department staff who will be involved in system testing; responses should set out the approach that will be taken.
5.7 Release Management
The successful Respondent must assist in the development of good practice release management procedures to include:
bundling software patches into documented releases/product versions;
regulating release/product version implementation; and
ensuring software releases into the development/UAT/production ICT environments are fully documented and introduced as per standard change control procedures.
5.8 Implementation Planning/Implementation
The successful Respondent will play a key role in implementation planning and potentially in the actual implementation of the solution(s). The successful Respondent will be expected to work closely with the Department in this area. The contractor will at all times be subject to the control and direction of the Department’s Project Manager.
The successful Respondent must:
assist in the preparation of a comprehensive implementation plan and implementation test plan, which must include details of processes, resources, structures, timescales, budget, and risk management;
assist the Department to execute the implementation test plan in order to ensure that the overall solution is functioning as specified in the production environment.
5.9 Integration of Solution with current Department Infrastructure.
The successful Respondent must work with the Department to ensure the integration between the Consular Case Management solution and Crisis Management solution and other Department applications e.g. the Department’s Active Directory, etc.
5.10 User/System Documentation
The successful Respondent must:
develop comprehensive user and system documentation for the Consular Case Management and Crisis Management components in this procurement; and
supply all documentation in electronic format and all documentation must provide a detailed description (both textual and diagrammatic) of all aspects of the design, implementation and deployment of the components. This will include but may not necessarily be limited to:
Overview of system and software;
Detailed users manuals, including description of all Consular Case Management and Crisis Management functions;
Brief manuals;
Detailed technical specifications of all components and details of their interoperability;
Business process descriptions;
Detailed training manuals for users, administrators, trainers and "super users"; and
Procedures for managing and updating documentation.
5.11 Training Preparation/Delivery
A comprehensive and innovative approach to training will be required from the successful respondent. Respondents should take into account that on‐site training will be available only to those staff at HQ; respondents should consider innovative approaches to providing training and training materials to staff at Missions.
Responses should recognise the dispersed nature of the Department and propose and cost a range of training solutions that will reflect the diversity of locations, time zones, etc, which apply across the Department. Responses must set out in detail how the Department’s requirements listed below will be met.
The requirement includes:
A training programme in Dublin for the staff of Consular Division (approximately 20 staff).
This should cover:
General training on the system;
Administration Support;
Train the trainer type training for a small number of these staff so they can train others;
Training in dealing with errors/unexpected responses;
Training in initial fault diagnosis (may be done on a "super user" basis); and
Training in routine maintenance and administration, where this will be the responsibility of the Department.
Provision for training in Dublin for diplomatic staff from throughout the Department, and other officers who are likely to deal regularly with consular cases when they work abroad, should also be included in this training.
Training for staff in the ICT Unit in dealing with all technical aspects of the system.
Respondents are free to propose alternative costed suggestions which will enable training and training materials to be made available in an effective manner.
Training solutions proposed should look to leverage the reach of the Department’s ICT Infrastructure and in particular the intranet as a delivery tool and consider a modular approach to training material.
Regardless of the method of delivery, training manuals must be available for the system. In terms of any training delivered on‐site, full manuals will be required for attendees of any courses. A Quick Reference Guide should also be available to cover all aspects, e.g. a one or two page guide on the Crisis Response solution for people that have done the training and received the manual but who may need a reminder if a crisis was to occur.
Responses should set out proposed syllabus and duration for Consular Division training (both end user and application administration).
5.12 Post Implementation Support
The Department has a minimum requirement for one year’s support and maintenance. It also requires Respondents to propose and cost an option for the Department to extend support and maintenance in two annual increments for up to 3 years in total. Respondents should provide clear costing proposals for the required one year minimum requirement and also for each of the two optional extra years.
Respondents may propose different management models for ongoing support and maintenance, ranging from traditional maintenance support contracts, call off arrangements, to managed service support provision and staff training. All options proposed must be fully and clearly costed in the Schedule of Costs.
Ongoing support arrangements must include details of proposed system refresh frequencies and technology upgrade paths, as well as details of costs for refresh/upgrade.
6 Qualification Requirement
Respondents must meet the following requirements before their tenders will be considered for the award of the contract.
6.1 Completed Article 45 Declaration
A formal declaration in the form prescribed at APPENDIX I (confirming that none of the circumstances set out in Article 45 of Directive 2004/18/EC apply to the Respondent) must be completed as instructed and enclosed with the Tender.
6.2 Completed Declaration of Bona Fides
The Declaration of Bona Fides in the form prescribed at APPENDIX V must be completed and returned with the tender.
6.3 Satisfactory evidence of the Professional and Technical Capacity needed to undertake the Project.
This should consist of:
details of the Respondent’s professional ability and expertise to design, implement and support ICT systems of the nature and scale of the Consular Management and Crisis Response systems specified in this RFT;
details of sales volume for similar projects undertaken in the previous three years; and
at least two testimonials from clients for whom the Respondent has developed and implemented similar projects in the previous three years. Full contact details of referees must be provided for verification purposes.
evidence of Financial Capacity – this should consist of a brief statement from the Respondent’s banker or auditors confirming that the Respondent has the financial capacity to undertake and carry out the project. The Department reserves the right to conduct appropriate credit and other checks, prior to the award of the contract, in order to verify the successful Respondent’s stated financial capacity.
Completeness of tender documentation as specified in Section X of this RFT. Only tenders submitted in English or Irish will be accepted. All costs must be quoted in Euro (€) net of VAT.
Respondents are required to provide details of and a costing for any third party licensing liability for the Department to deploy and support the proposed solution and the licensing regime applicable to those licences.
Respondents should indicate if their proposal is being submitted by a consortium or by an individual legal entity. If it is a consortium then details must be provided on the nature of the consortium, how long it has been in existence, country of origin and its track record in bidding for similar business. Country of origin refers to the country where the organisation is registered. If a consortium has been established specifically for this proposal this should be clearly stated.
If a Respondent is a consortium or a group of parties that have come together to submit a proposal, the proposal must clearly identify the party designated as lead contractor. The party designated as lead contractor, and each member of the group/consortium, must confirm in writing that they are prepared to guarantee, jointly and severally, the performance of all obligations and the delivery of all services to the Department. If a Respondent (including a group/consortium) intends to use sub‐contractors, the tender proposal must clearly set out (i) the elements of service envisaged for sub‐contracting (supported with signed letters of intent from the proposed sub‐contractors) and (ii) written confirmation that, notwithstanding the use of sub contractors, the Respondent will accept full liability to the Department for the delivery of all services under the contract, including those to be performed by sub contractors. Proposed group or sub‐contracting arrangements will at all times be subject to the Department’s approval and changes to proposed group or sub‐contracting arrangements cannot be made save with the Department’s express consent in writing.
Any proposed solution(s) must integrate and be consistent with the Department’s existing ICT infrastructure and ICT policies and in particular the Department’s ICT Security infrastructure and protocols.
The Respondent must state where appropriate how much involvement will be required from Consular Section.
7 Contract Award Criteria
Those Respondents which meet the qualification requirements set out in Section X will be evaluated in accordance with the contract award criteria set out in this Section.
The contract will be awarded to the most economically advantageous tender having regard to the following award criteria, scored from 200 marks and weighted as indicated:
CRITERIA | Mark Available
Overall Cost of Contract over the maximum term of the Contract (development time and maximum 3 year support) | 60
Functional characteristics and technical merit of proposed solution | 50
Quality of the Project Implementation Plan, proposals for delivery, implementation, training and support; approach to service quality assurance and project management mechanisms proposed | 40
Technical skills/qualifications and experience of the proposed Project Team | 30
Period for completion of project | 20
8 Instructions to Respondents on Format, Content and Submission of Responses.
8.1 Format and Content of Responses
Proposals must adhere strictly to the following format:
Executive Summary of no more than five pages, providing an overview of the key elements of the Response;
Detailed information, including references/testimonials to establish the Respondent’s technical capacity, capability and competence to design, develop, implement and support the required solutions;
Evidence of financial capacity in the form of a brief statement from the Respondent’s auditors or bankers confirming that the Respondent has the financial capacity to undertake the project;
Detailed proposal which addresses in full:
o the specified functionality requirements for the system as set out in Section 2 and 3 of this RFT. Responses must demonstrate full understanding of the scope and objectives of the project, and set out detailed proposals for providing the required functionality. Proposals may include suggestions for improvements/added value, provided these are fully costed in the Schedule of Costs;
o the specified delivery, implementation, training and support requirements for the system as specified in Section 2 and 3 of this RFT. All elements, including any options for improvements/enhancements, must be fully and definitively costed in the Schedule of Costs;
A detailed Project Implementation Plan for the delivery of the project which must clearly indicate all key deliverables and milestones for the project. The project plan should include the following elements:
o the total timeline for the project. It is envisaged the project will be completed by the end of the 3rd quarter of 2008;
o the milestone stages for the delivery of the project, having regard to all of the Department’s requirements as specified in Sections 2 and 3 of this RFT;
A detailed approach to training and post‐implementation support;
Details of similar projects completed by the Company;
The names, technical qualifications and experience of all the contractor’s staff (including the proposed project team leader) who will be engaged on the delivery of the service component and details of their particular responsibilities. Please include details of experience gained on the development of similar systems, and, in particular, previous experience of working with consular and/or crisis management services. Respondents should note that all staff engaged to work on the project must undergo security clearance procedures arranged by the Department and will be required to confirm that they will work in accordance with the provisions of the Official Secrets Act. The selected Respondent will be required to sign a confidentiality agreement in relation to work on this project;
The level of Department resources required for the timely delivery of the project and the stages and timelines when this input will be required. The Department expects the Analysis and Design stage to take no longer than 4 weeks and the project to be fully implemented by the end of the 3rd quarter of 2008;
Details of any role to be carried out by third parties/sub‐contractors;
All assumptions made by the Respondent in preparing the Project Plan;
Initial identified risks to the successful delivery of the project;
The mechanisms to be put in place to ensure that services are delivered in accordance with the Department’s requirements;
All project plans must be provided in MS Project 2003 format;
Schedule of Costs for solutions in the format specified in APPENDIX VI, to include all incidental and ancillary costs, including all training, travel, licensing, and ongoing service and maintenance costs;
Signed Declaration of Bona Fides (APPENDIX V);
Signed Article 45 Declaration (APPENDIX II);
Any other information which the Respondent considers to be relevant.
Respondents are required to acknowledge and confirm their acceptance of the terms and conditions set out in this RFT by returning a signed copy of the Declaration of Bona Fides attached at APPENDIX V with its tender response. It is envisaged that both this RFT and the successful Respondent’s response will form the central elements of the formal contract which will be prepared by the Minister for Foreign Affairs and issued to the successful Respondent for execution. Tenders which do not include a signed Declaration of Bona Fides will not be considered for the award of the contract.
Responses must adhere strictly to the format and requirements stipulated in this RFT and must be completed in the English or Irish language.
8.2 Submission of Responses
Four (4) paper copies of the Response should be sent in a sealed envelope, clearly marked “Department of Foreign Affairs, Consular Case & Crisis Response Management – Response to Request for Tender” including the name and address of the Respondent. In addition an electronic copy in native and RTF/PDF formats on CD/USB stick marked “Tender 422/7108” should be included. All should be addressed to:
Ms A Griffin
ICT Unit
Department of Foreign Affairs
76‐78 Harcourt Street
Dublin 2
and should be delivered to this address not later than 15:00 local time on 07/03/2008.
The Department has the right, at its sole discretion, to extend the Closing Date for Receipt of Responses or any other date provided in this RFT. Notice will be given by the Department of any such extension.
8.3 Query Handling
Queries and requests for clarification relating to the Request for Tenders and any of the requirements specified therein may be submitted no later than 19/02/2008. All queries must be sent through www.etenders.gov.ie. The Department’s responses to queries and requests for clarification will be circulated to all parties who have registered their interest in the tender on www.etenders.gov.ie. Responses to all queries will be sent on 25/02/2008.
8.4 Further Information
All information relating to this tender, including tender documentation, clarifications and changes, will be published on the e‐tenders website (www.etenders.gov.ie) only. Registration is free of charge and there is no charge for documents.
Should the Department require any amendments, clarifications, modifications or adjustments to be made to any of the documents forming this Request for Tenders, it will issue a notice on www.etenders.gov.ie which will be circulated to all parties who have registered their interest in the tender on that site.
The Department will not accept responsibility for information relayed (or not relayed) via third parties. If the Request for Tenders document is in any way altered, either by the Respondent or by a third party, the tender proposal may be rejected.
A summary of the matters raised and the Department’s responses will be circulated to all who have registered their interest in the tender on the Irish Government procurement website: www.etenders.gov.ie
Further information on the Department of Foreign Affairs can be found at http://www.dfa.ie. Information on obtaining a tax clearance certificate from the Irish Revenue Commissioners can be obtained from www.revenue.ie. Information on labour employment protection & working conditions may be obtained from the Department of Enterprise, Trade & Employment at www.entemp.ie.
9 General Conditions of the Tender
9.1 Treatment of Tenders
All tenders shall be registered upon receipt and be held securely until after the deadline for receipt of tenders. The opening of tenders shall be witnessed by at least two officers of the Department who shall note and register the commercial details of each tender. Any tenders received after the deadline for receipt of tenders shall not be considered and shall be returned to sender.
9.2 Evaluation of Tenders
The evaluation of the tenders received will be undertaken by an evaluation team composed of employees of the Department and may include such other persons engaged or nominated by the Department for the purposes of this tender process. The members of the evaluation team shall be required to observe strict confidentiality at all stages of the process.
Information supplied by Respondents will be treated as contractually binding. However, the Department reserves the right to request additional information and clarification from Respondents after the closing date for the purposes of assisting in the evaluation of their tender. If necessary, some Respondents may be invited to attend for interview to clarify aspects of proposals submitted. The contractor’s nominated project manager should be among those attending. Attendance at interview will be at the Respondent’s expense.
9.3 No Contract
Without prejudice, the Department of Foreign Affairs reserves the right not to proceed with the award of the Contract(s) for Consular Case Management and Crisis Response solution(s). The Department is not obliged to accept the lowest, or any tender submitted. No commitment of any kind, contractual or otherwise will exist unless and until a formal contract has been executed by or on behalf of the Minister for Foreign Affairs. The award of the tender will not give rise to any enforceable rights by the Respondent. The Minister may cancel the tender process at any time prior to a contract being entered into.
9.4 Tax Clearance Certificate
Before a contract is awarded the successful Respondent will be required to provide a current tax clearance certificate valid for contract purposes. A successful non-resident contractor or sub-contractor will be required to produce a Statement of Suitability for tax purposes from the Irish Revenue Commissioners. Details on how to obtain the necessary tax clearance documentation may be obtained from the Irish Revenue Commissioners at www.revenue.ie. All payments under the contract will be conditional on the successful Respondent being in possession of a valid certificate at all times during the period of contract. Should an existing certificate be due to expire during the course of the contract a renewed valid tax clearance certificate must be obtained to allow payments to continue under the contract. The Department reserves the right to request the contractor to furnish the appropriate form of tax clearance at any time during the course of the contract.
9.5 Costs
The Department will not be liable in respect of any costs incurred by Respondents in the preparation of tenders and any submissions and presentations involved as part of the tendering process.
9.6 Confidentiality
The Department will treat all information provided by Respondents as confidential subject to their obligations under the law, including the Freedom of Information Act, 1997. Should you consider that information supplied is commercially sensitive, you should identify the reasons for its sensitivity. You will be consulted before any decision is taken on foot of any relevant Freedom of Information request received. However, the final decision with regard to release of information under the Freedom of Information Acts rests with the Information Commissioner, and, ultimately, the Courts.
The Department requires that all information provided pursuant to this RFT will be treated in the strictest confidence by Respondents.
The selected contractor and all of its staff members, its agents or subcontractors assigned to the Consular Case/Crisis Management Project shall be subject to the terms of the Official Secrets Act, 1963; in particular Sections 4 and 5 thereof, and to the Department of the Public Service Circular 15/79 relating to Official Secrecy and Integrity as they apply to Civil Servants. The obligation to respect confidentiality and the Official Secrets Act with respect to the project shall survive following the performance or termination of the contract.
The contractor shall agree that it will execute on its own behalf, and on behalf of all employees, servants, agents and subcontractors who are assigned to provide any part of the project services, any documentation necessitated by the provisions of the Official Secrets Act, 1963 and, if required by the Minister for Foreign Affairs, will require any sub-contractors to execute any such documentation. The Minister may require the contractor to produce documentary evidence of compliance with this requirement.
9.7 Tender Validity Period
Unless previously withdrawn, unaccepted tenders shall remain valid for three (3) calendar months from the closing date for receipt of tenders. No Tender may be withdrawn after its acceptance.
9.8 Acceptance of Tender
After a period of at least 15 days has elapsed after notification of the successful Respondent, the Department will issue a formal contract setting out its terms and conditions of contract to the successful Respondent for formal execution.
9.9 Insurance Requirements
The selected Respondent will be required to take out and maintain for the benefit of the Minister at all times for the duration of the Contract(s):
(a) employer’s liability insurance, product liability insurance, public liability insurance, professional indemnity insurance in such sums as are reasonable and adequate having regard to the terms of the Contractor’s obligations under the agreed Contract with a reputable insurance Company each to be approved by the Minister or his advisors and shall note the interest of the Minister on such policy or policies of insurance as an indemnified insured; and,
(b) to produce on request to the Department copies of the summaries of such insurances providing a true and fair view of such insurances together with confirmation from the relevant insurance broker that the premiums have been paid.
9.10 Governing Law and Jurisdiction
The contract shall be governed by and construed in accordance with the laws of Ireland. The courts of Ireland shall have exclusive jurisdiction to settle any disputes which may arise out of or in connection with the contract.
9.11 Conflicts of Interest
Any conflicts of interest involving the service provider(s) must be fully disclosed to the Department, particularly where there is a conflict of interest in relation to any recommendations or proposals put forward by the service provider.
Any registerable interest involving the service provider (or contractors in the event of a consortium bid) and the Minister for Foreign Affairs, members of the Government, members of the Oireachtas or employees of the Department of Foreign Affairs or their relatives must be fully disclosed in the response to this RFT, or should be communicated to the Department of Foreign Affairs immediately upon such information becoming known to the service provider, in the event of this information only coming to their notice after the submission of a bid, and prior to the award of the Contract(s). The terms 'registerable interest' and 'relative' shall be interpreted as per Section 2 of the Ethics in Public Office Act, 1994.
9.12 Financial Arrangements
Payment for all equipment and services covered by this request for tender will be on foot of appropriate invoices. Invoicing arrangements will be agreed with the successful service provider, following the award of contract and will be subject to the provisions of the Prompt Payment of Accounts Act and Regulations.
Where in this request for tenders there is an unqualified reference to any product or service brand name, or to any technical, quality, or services standards, any such reference shall be read as being subject to the qualification “or equivalent”.
APPENDIX I
DECLARATION
Re Non‐Applicability of Article 45 (1) and (2) of Directive 2004/18/EC (as transposed into Irish law by Regulation 53 of the European Communities (Award of Public Authorities’ Contracts) 2006 (S.I. 329 of 2006)).
THIS DECLARATION MUST BE SUBMITTED BY ALL RESPONDENTS FROM IRELAND AND/OR THE UK. FOR ALL OTHER RESPONDENTS THE DECLARATION MUST BE APPROPRIATELY EVIDENCED AS PROVIDED FOR BY REGULATION 53 OF THE EUROPEAN COMMUNITIES (AWARD OF PUBLIC AUTHORITIES’ CONTRACTS) 2006. WHERE THE RESPONDENT IS A CORPORATION OR PARTNERSHIP THE DECLARATION MUST BE COMPLETED BY A DULY AUTHORISED REPRESENTATIVE.
Name of Respondent:
Address:
I, [ insert name ], solemnly declare that I have been duly authorised to make this declaration by the Respondent and I hereby certify as follows:
The Respondent has not been convicted of fraud, money laundering, corruption, or of being a member of a criminal organisation as those terms are defined in Directive 2004/18/EC.
The Respondent is not bankrupt or subject to bankruptcy or analogous proceedings, or being wound up, its affairs are not being administered by a court, it has not entered into an arrangement with its creditors, it has not suspended its business activities nor is it in any analogous situation arising from a similar procedure under national laws and regulations.
Neither the Respondent, nor any of its directors or partners, has been convicted of an offence concerning professional conduct by a judgement which has the force of res judicata or been guilty of grave professional misconduct (proven by any means which the Department of Foreign Affairs can demonstrate) in the course of its or their business.
The Respondent has fulfilled its obligations relating to the payment of taxes or social security contributions in its country of establishment or any other State in which the Respondent is located.
The Respondent has not been guilty of serious misrepresentation or omission in providing information to a public buying agency, including the Department of Foreign Affairs.
I further declare that the information provided above is accurate and complete to the best of my knowledge and belief.
I understand that the provision of inaccurate or misleading information in this declaration may lead to the Respondent being excluded from participation in this or future tenders and I make this solemn declaration conscientiously believing the same to be true and by virtue of the Statutory Declarations Act, 1938. This declaration is made for the benefit of The Minister for Foreign Affairs (the “Contracting Authority”).
Signature of Declarant: _______________________________________
Name of declarant in print or block capitals: _________________________________
Declared before me by [ ] who is personally known to me
(or who is identified to me by [ ] who is personally known to me) at
............................................................
this ................................. day of ................................................... 2007
____________________________________
Practising Solicitor/Commissioner for Oaths
APPENDIX II
ICT Infrastructure
The Department’s core ICT infrastructure is based around a Microsoft Windows domain. All user authentication uses Microsoft Active Directory. Key core components at HQ run in a clustered environment – HQ file services, MS Exchange 2003 and MS SQL 2005.
All staff have a common Intel based PC with a Windows XP SP2 desktop configuration. Software applications available include Microsoft Office 2003, Microsoft Outlook 2003, email services through Microsoft Exchange 2003 running in a SAN environment, McAfee Virus Scan Enterprise and Antispyware as standard. All PCs are directly connected via LAN or WAN to access the relevant Windows 2003 server. All user documents are stored on a central file server in either personal or shared directories and most staff print to shared network printers. Web access at the desktop is widespread using Microsoft Internet Explorer 6 as the browser.
Server side technologies include Microsoft Windows 2003 (standard and enterprise editions), Microsoft Exchange 2003, Commvault Galaxy v6.1, industry standard anti-virus, anti-spam and web usage monitoring solutions, server and PC configuration software, Microsoft Operations Manager 2005 (MOM 2005) and Microsoft Systems Management Server 2003 (SMS 2003). All Windows servers are built to a standard specification with appropriate security hardening applied. Application servers also have appropriate hardening implemented. SMS is used to manage all PCs.
The Department has an SQL Server cluster utilising Microsoft SQL 2000 and 2005. Specifications of the cluster are:
Dell PowerEdge 2950 dual quad-core servers
Windows 2003 Enterprise Edition SP1
Two-node Active/Passive Windows cluster
Dell/EMC CX500 SAN attached for storage (1.3 TB available initially)
All offices of the Department are connected. These connections utilise a variety of telecommunications technologies, including satellite and leased lines, delivered at bandwidths ranging from 512 kbps to 100 Mbps. Missions are connected at speeds ranging from 512 kbps to 2 Mbps. Latency on satellite links is high, averaging 600 ms.
All relevant technical documents, including procedures, practices and network diagrams, will be provided to the successful service provider.
The Department’s policy is to deliver ICT services in a centralised model, thereby maximising the use of the telecommunications infrastructure. Any new services must be consistent with this policy.
APPENDIX III
Current Crisis Management Solution
The current Crisis Management Solution contains the following fields, and these are the minimum required in the new solution:
(1) Caller Details – automated – username and date
(2) Current Status:
Priority – choice of High, Medium or Low
Status – choice of Missing, Confirmed Injured, Confirmed Fatality, Accounted for/Safe
Resolved – Yes or No
(3) Caller Details
First Name
Last Name
Relationship to missing person
Address
Telephone Number
One caller may be calling about a number of people, so it must be possible to reuse his/her details and log a number of different missing persons with the same caller details.
(4) Missing Person Details
Location of Crisis – can be entered once by the Administrator and then selected for each case
First Name
Last Name
Gender
Date of Birth
Place of Birth
Minor? – Yes/No
Passport Details
Home Address
Work Address
Home Phone No
Work Phone No
Mobile Phone No.
e-mail address
Travelling with group (y/n)
Number in Group
Tour Operator/Group Name
Reasons for Suspicion and Comments
Reports:
All Cases by Status
All Cases Resolved/Unresolved
All Cases by Group
Minors Reported As Missing
Missing Persons – Female Only
Missing Persons – Male Only
Statistics – numbers in each of the categories etc.
APPENDIX IV
OWASP ‐ SECURE SOFTWARE DEVELOPMENT CONTRACT
This Appendix is intended to clarify the security-related rights and obligations of all the parties to a software development relationship. This is a contract made between the Department of Foreign Affairs and the successful respondent. At the highest level, the parties must agree to maximise the security of the software system according to the terms set out below:
1. PHILOSOPHY BEHIND OWASP
(a) Security Decisions Will Be Based on Risk ‐ Decisions about security will be made jointly by both the Department of Foreign Affairs and the successful respondent based on a firm understanding of the risks involved.
(b) Security Activities Will Be Balanced ‐ Security effort will be roughly evenly distributed across the entire software development lifecycle.
(c) Security Activities Will Be Integrated ‐ All the activities and documentation discussed herein can and should be integrated into the successful respondent’s software development lifecycle and not kept separate from the rest of the project. Nothing in this Appendix implies any particular software development process.
(d) Vulnerabilities Are Expected ‐ All software has bugs, and some of those will create security issues. Both the Department of Foreign Affairs and the successful respondent will strive to identify vulnerabilities as early as possible in the lifecycle.
(e) Security Information Will Be Fully Disclosed ‐ All security‐relevant information will be shared between the Department of Foreign Affairs and the successful respondent immediately and completely.
(f) Only Useful Security Documentation Is Required ‐ Security documentation does not need to be extensive in order to clearly describe security design, risk analysis, or issues.
2. LIFECYCLE ACTIVITIES
(a) Risk Understanding ‐ The successful respondent and the Department of Foreign Affairs agree to work together to understand and document the risks facing the application. This effort should identify the key risks to the important assets and functions provided by the application. Each of the topics listed in the requirements section should be considered.
(b) Requirements ‐ Based on the risks, the successful respondent and the Department of Foreign Affairs agree to work together to create detailed security requirements as a part of the specification of the software to be developed. Each of the topics listed in the requirements section of this Appendix should be discussed and evaluated by both the successful respondent and the Department of Foreign Affairs. These requirements may be satisfied by custom software, third party software, or the platform.
(c) Design ‐ The successful respondent agrees to provide documentation that clearly explains the design for achieving each of the security requirements. In most cases, this documentation will describe security mechanisms, where the mechanisms fit into the architecture and all relevant design patterns to ensure their proper use. The design should clearly specify whether the support comes from custom software, third party software, or the platform.
(d) Implementation ‐ The successful respondent agrees to provide and follow a set of secure coding guidelines. These guidelines will indicate how code should be formatted, structured, and commented. All security-relevant code shall be thoroughly commented. Specific guidance on avoiding common security vulnerabilities shall be included. Also, all code shall be reviewed by at least one developer other than its author against the security requirements and coding guideline before it is considered ready for unit test.
(e) Security Analysis and Testing ‐ The successful respondent agrees to provide and follow a security test plan that defines an approach for testing or otherwise establishing that each of the security requirements has been met. The level of rigor of this activity should be considered and detailed in the plan. The successful respondent will execute the security test plan and provide the test results to the Department of Foreign Affairs.
(f) Secure Deployment ‐ The successful respondent agrees to provide secure configuration guidelines that fully describe all security relevant configuration options and their implications for the overall security of the software. The guideline shall include a full description of dependencies on the supporting platform, including operating system, web server, and application server, and how they should be configured for security. The default configuration of the software shall be secure.
3. SECURITY REQUIREMENT AREAS
(a) The following topic areas must be considered during the risk understanding and requirements definition activities. This effort should produce a set of specific, tailored, and testable requirements. Both the successful respondent and the Department of Foreign Affairs should be involved in this process and must agree on the final set of requirements.
(b) Validation and Encoding ‐ The requirements shall specify the rules for canonicalising, validating, and encoding each input to the application, whether from users, file systems, databases, directories, or external systems. The default rule shall be that all input is invalid unless it matches a detailed specification of what is allowed. In addition, the requirements shall specify the action to be taken when invalid input is received. Specifically, the application shall not be susceptible to injection, overflow, tampering, or other corrupt input attacks.
(c) Authentication and Session Management ‐ The requirements shall specify how authentication credentials and session identifiers will be protected throughout their lifecycle. Requirements for all related functions, including forgotten passwords, changing passwords, remembering passwords, logout, and multiple logins, shall be included.
(d) Access Control ‐ The requirements shall include a detailed description of all roles (groups, privileges, authorisations) used in the application. The requirements shall also indicate all the assets and functions provided by the application. The requirements shall fully specify the exact access rights to each asset and function for each role. An access control matrix is the suggested format for these rules.
(e) Error Handling ‐ The requirements shall detail how errors occurring during processing will be handled. Some applications should provide best effort results in the event of an error, whereas others should terminate processing immediately.
(f) Logging ‐ The requirements shall specify what events are security‐relevant and need to be logged, such as detected attacks, failed login attempts, and attempts to exceed authorisation. The requirements shall also specify what information to log with each event, including time and date, event description, application details, and other information useful in forensic efforts.
(g) Connections to External Systems ‐ The requirements shall specify how authentication and encryption will be handled for all external systems, such as databases, directories, and web services. All credentials required for communication with external systems shall be stored outside the code in a configuration file in encrypted form.
(h) Encryption ‐ The requirements shall specify what data must be encrypted, how it is to be encrypted, and how all certificates and other credentials must be handled. The application shall use a standard algorithm implemented in a widely used and tested encryption library.
(i) Availability ‐ The requirements shall specify how the application will protect against denial of service attacks. All likely attacks on the application should be considered, including authentication lockout, connection exhaustion, and other resource exhaustion attacks.
(j) Secure Configuration ‐ The requirements shall specify that the default values for all security relevant configuration options shall be secure. For audit purposes, the software should be able to produce an easily readable report showing all the security relevant configuration details.
(k) Specific Vulnerabilities ‐ The requirements shall include a set of specific vulnerabilities that shall not be found in the software. If not otherwise specified, then the software shall not include any of the flaws described in the current “OWASP Top Ten Most Critical Web Application Vulnerabilities” (http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf).
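The following is an added example, not part of the RFT or of the OWASP contract text, showing how requirement areas 3(b), 3(d) and 3(f) above fit together in a small request-handling layer: every input field is canonicalised and then checked against an allowlist rule (anything not matching a rule is invalid), every role/asset/action combination is looked up in an access control matrix (anything absent is denied), and each denial or rejection is logged with time, event description and application details. The roles, asset names, field rules and sample requests are constructed for illustration and are not taken from the Department’s systems.

```python
"""Added example (not from the RFT or the OWASP contract): input
validation, an access control matrix and security event logging for a
hypothetical case management request handler. All names are constructed."""
import re
import unicodedata
from datetime import datetime, timezone

# 3(d): access control matrix. Rows are roles, entries are (asset, action).
# Any combination absent from the matrix is denied (default deny).
ACCESS_MATRIX = {
    "consular_officer": {("case", "read"), ("case", "create"), ("case", "update")},
    "crisis_operator": {("crisis_record", "read"), ("crisis_record", "create")},
    "administrator": {("crisis_location", "create"), ("case", "read"), ("report", "run")},
    "auditor": {("case", "read"), ("report", "run"), ("audit_log", "read")},
}

# 3(b): allowlist specification for each input field. The default rule is
# that input is invalid unless it matches one of these patterns.
FIELD_RULES = {
    "case_id": re.compile(r"^[A-Z]{2}-\d{4,8}$"),
    "priority": re.compile(r"^(High|Medium|Low)$"),
    "status": re.compile(r"^(Missing|Confirmed Injured|Confirmed Fatality|Accounted for/Safe)$"),
    "last_name": re.compile(r"^[A-Za-z][A-Za-z' -]{0,59}$"),
}

# 3(f): in-memory stand-in for the security log (constructed for the example).
SECURITY_LOG = []


def log_event(event, **details):
    """Record time, event description and application details for one event."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "app": "ccm", "event": event}
    entry.update(details)
    SECURITY_LOG.append(entry)
    return entry


def canonicalise(value):
    """NFKC-normalise and trim before validation, so that look-alike encodings
    (e.g. fullwidth letters) are judged by their canonical form."""
    return unicodedata.normalize("NFKC", str(value)).strip()


def validate(fields):
    """Return (clean_fields, errors). Unknown fields and values that match no
    rule are rejected; error messages name the field but never echo the value."""
    clean, errors = {}, []
    for name, raw in fields.items():
        rule = FIELD_RULES.get(name)
        value = canonicalise(raw)
        if rule is None:
            errors.append(f"unknown field: {name}")
        elif not rule.fullmatch(value):
            errors.append(f"invalid value for field: {name}")
        else:
            clean[name] = value
    return clean, errors


def is_permitted(role, asset, action):
    """Matrix lookup; unknown roles have no permissions."""
    return (asset, action) in ACCESS_MATRIX.get(role, set())


def handle_request(user, role, asset, action, fields):
    """Authorise first, then validate. Every denial or rejection is logged."""
    if not is_permitted(role, asset, action):
        log_event("authorisation_exceeded", user=user, role=role, asset=asset, action=action)
        return {"ok": False, "reason": "forbidden"}
    clean, errors = validate(fields)
    if errors:
        log_event("invalid_input_rejected", user=user, asset=asset, action=action, errors=errors)
        return {"ok": False, "reason": "invalid input", "errors": errors}
    return {"ok": True, "data": clean}


if __name__ == "__main__":
    # Constructed sample requests: one permitted, one outside the matrix,
    # one carrying a malformed case identifier.
    print(handle_request("anne", "consular_officer", "case", "update",
                         {"case_id": "IE-000123", "priority": "High"}))
    print(handle_request("bob", "crisis_operator", "case", "update",
                         {"case_id": "IE-000123"}))
    print(handle_request("anne", "consular_officer", "case", "create",
                         {"case_id": "IE-1; DROP TABLE cases", "status": "Missing"}))
    for entry in SECURITY_LOG:
        print(entry)
```

The authorisation check runs before validation so that an unauthorised caller cannot probe the field rules, and the log entries carry the fields 3(f) asks for (time, event, application, user and the affected asset) without copying the rejected input value into the log.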
4. PERSONNEL AND ORGANISATION
(a) Security Architect ‐ The successful respondent will assign responsibility for security to a single senior technical resource, to be known as the project Security Architect. The Security Architect will certify the security of each deliverable.
(b) Security Training ‐ The successful respondent will be responsible for verifying that all members of the successful respondent team have been trained in secure programming techniques.
(c) Trustworthiness ‐ The successful respondent agrees to perform appropriate background security checks of all development team members.
5. DEVELOPMENT ENVIRONMENT
(a) Configuration Management ‐ The successful respondent shall use a source code control system that authenticates and logs the team member associated with all changes to the software baseline and all related configuration and build files.
(b) Distribution ‐ The successful respondent shall use a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the software delivered to the Department of Foreign Affairs.
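As an added illustration of the integrity verification that 5(b) asks the build process to provide (this is example code, not the successful respondent’s build process or any tool named in the RFT), the block below produces a SHA-256 manifest of a built distribution and checks a delivered copy against it, reporting files that were modified, removed or added in transit. The directory layout and file contents are constructed for the demonstration.

```python
"""Added example (not the project's own build process): build a SHA-256
manifest over a distribution directory and verify a delivered copy
against it. File names and contents below are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def manifest_to_text(manifest):
    """Serialise as 'digest  path' lines (the sha256sum layout)."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def parse_manifest(text):
    """Inverse of manifest_to_text."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def verify_distribution(root, manifest):
    """Compare a delivered tree against the manifest. Returns a dict of
    path -> 'missing' | 'modified' | 'unexpected'; empty means intact."""
    actual = build_manifest(root)
    problems = {}
    for path, expected in manifest.items():
        if path not in actual:
            problems[path] = "missing"
        elif actual[path] != expected:
            problems[path] = "modified"
    for path in actual:
        if path not in manifest:
            problems[path] = "unexpected"
    return problems


def demo():
    """Constructed end-to-end run: build, deliver an identical copy, verify,
    then tamper with the delivered copy and verify again."""
    with tempfile.TemporaryDirectory() as build, tempfile.TemporaryDirectory() as delivered:
        files = {"bin/ccm.exe": b"MZ constructed binary", "conf/app.config": b"<config/>"}
        for directory in (build, delivered):
            for rel, data in files.items():
                path = os.path.join(directory, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        # Round-trip through the text form, as a shipped manifest file would be.
        manifest = parse_manifest(manifest_to_text(build_manifest(build)))
        intact = verify_distribution(delivered, manifest)
        # Simulate changes in transit: edited config, planted file, lost binary.
        with open(os.path.join(delivered, "conf", "app.config"), "wb") as f:
            f.write(b"<config debug='true'/>")
        with open(os.path.join(delivered, "extra.dll"), "wb") as f:
            f.write(b"planted")
        os.remove(os.path.join(delivered, "bin", "ccm.exe"))
        tampered = verify_distribution(delivered, manifest)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("intact delivery:", before)
    print("tampered delivery:", after)
```

A manifest only proves integrity relative to itself: to be meaningful under 5(b) it has to reach the Department by a route the delivered files do not share, or be digitally signed by the build, so that whoever could alter the distribution could not also rewrite the manifest.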
6. LIBRARIES, FRAMEWORKS, AND PRODUCTS
(a) Disclosure ‐ The successful respondent shall disclose all third party software used in the software, including all libraries, frameworks, components, and other products, whether commercial, free, open‐source, or closed‐source.
(b) Evaluation ‐ The successful respondent shall make reasonable efforts to ensure that third party software meets all the terms of this agreement and is as secure as custom developed code developed under this agreement.
7. SECURITY REVIEWS
(a) Right to Review ‐ The Department of Foreign Affairs has the right to have the software reviewed for security flaws at their expense at any time within 60 days of delivery. The successful respondent agrees to provide reasonable support to the review team by providing source code and access to test environments.
(b) Review Coverage ‐ Security reviews shall cover all aspects of the software delivered, including custom code, components, products, and system configuration.
(c) Scope of Review ‐ At a minimum, the review shall cover all of the security requirements and should search for other common vulnerabilities. The review may include a combination of vulnerability scanning, penetration testing, static analysis of the source code, and expert code review.
(d) Issues Discovered ‐ Security issues uncovered will be reported to both the Department of Foreign Affairs and the successful respondent. All issues will be tracked and remediated as specified in the Security Issue Tracking section of this Appendix.
8. ASSURANCE
(a) Certification Package ‐ The successful respondent will provide a “certification package” consisting of the security documentation created throughout the development process. The package should establish that the security requirements, design, implementation, and test results were properly completed and all security issues were resolved appropriately.
(b) Self‐Certification ‐ The Security Architect will certify that the software meets the security requirements, all security activities have been performed, and all identified security issues have been documented and resolved. Any exceptions to the certification status shall be fully documented with the delivery.
(c) No Malicious Code ‐ The successful respondent warrants that the software shall not contain any code that does not support a software requirement and weakens the security of the application, including computer viruses, worms, time bombs, back doors, Trojan horses, Easter eggs, and all other forms of malicious code.
9. SECURITY ISSUE MANAGEMENT AND ACCEPTANCE
(a) Investigating Security Issues ‐ If security issues are discovered or reasonably suspected, the successful respondent shall assist the Department of Foreign Affairs in performing an investigation to determine the nature of the issue. The issue shall be considered “novel” if it is not covered by the security requirements and is outside the reasonable scope of security testing.
(b) Tracking ‐ The successful respondent will track all security issues uncovered during the entire lifecycle, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue will be evaluated, documented, and reported to the Department of Foreign Affairs as soon as possible after discovery.
(c) Protection ‐ The successful respondent will appropriately protect information regarding security issues and associated documentation, to help limit the likelihood that vulnerabilities in the Department of Foreign Affairs’ operational software are exposed.
(d) Novel Security Issues ‐ The successful respondent and the Department of Foreign Affairs agree to scope the effort required to resolve novel security issues, and to negotiate in good faith to achieve an agreement to perform the required work to address them.
(e) Other Security Issues ‐ The successful respondent shall use all commercially reasonable efforts consistent with sound software development practices, taking into account the severity of the risk, to resolve all security issues not considered novel as quickly as possible.
(f) Acceptance ‐ The software shall not be considered accepted until the certification package is complete and all security issues have been resolved.
APPENDIX V
Declaration of Bona Fides
We the undersigned do offer in accordance with the Request for Tenders and the requirements specified therein at Sections 2 and 3, to provide the Department of Foreign Affairs with consular case management and crisis management systems (including integration with the Department’s Citizen Registration facility) at the total fixed fee cost set out in the Schedule of Costs submitted with this tender, and subject in all respects to the terms and conditions set out in the Request for Tenders which we acknowledge shall form the basis of a formal contract to be completed between the Minister for Foreign Affairs and the successful Respondent.
We confirm that our cost proposals contain no mark‐up on any off‐the‐shelf hardware or software that we propose to provide, and that in the event of any discounts we may receive for such materials, we agree to pass the benefit of such discounts to the Department.
We confirm that all information and commitments contained in or referred to in our tender are (i) accurate and correct, and (ii) accurately reflect our actual current operational and financial capability.
We confirm that we are aware of and have taken account of our obligations under Irish employment law with regard to worker protection and working conditions and that we will comply with these obligations at all times if and when we are awarded the contract.
We confirm that our tax affairs are in order and that, if awarded the contract, we will be in a position to provide the Department promptly with a current valid Tax Clearance Certificate or Statement of Suitability from the Irish Revenue Commissioners.
We confirm that this Tender shall remain irrevocably open for acceptance by you for a period of 3 months from the closing date for receipt of tenders and it shall remain binding upon us for that period or such other period as we may agree.
We acknowledge that no legally binding agreement exists between us unless and until our offer is accepted by you and a contract has been concluded with the Minister for Foreign Affairs.
We understand that the Minister for Foreign Affairs is not bound to accept the lowest or indeed any tender it may receive and may abandon or terminate the tender process at any time.
Signature of Respondent or authorised agent: __________________________________
Printed Name: _________________________________________________________
Name of Respondent: __________________________ V.A.T. No: _________________
Postal Address: ________________________________________________________
Telephone: _________________________ Fax:______________________________
e-mail: _________________________________
APPENDIX VI
Schedule of Costs
Respondents are requested to submit a lump sum fixed fee in respect of the services specified in Sections 2 and 3 of this RFT. This fixed fee shall exclude VAT but shall include all anticipated expenses including travel and accommodation costs. Responses must set out:
The total fixed lump sum cost of the project including costs of training and ongoing support having regard to all the requirements specified in Sections 2 and 3 of this RFT.
A full itemised breakdown of the prices and/or applicable rates for each of the Department’s requirements as detailed in Sections 2 and 3 of the RFT;
Hardware, software and services must be priced separately and responses must confirm that there is no mark‐up on any off‐the‐shelf hardware or software the service provider supplies and that they will pass on to us the benefit of any discount received;
Details of all software and user licensing costs and/or any additional intellectual property royalties or similar charges must be set out in full as they will apply for the lifetime of the contract.
The services component must itemise the cost for each named contractor proposed including the relevant daily rate, the number of days required and the amount, if any, of travel expenses involved. The daily rates quoted for these services shall apply for the duration of the contract and for any extensions to the contract.
Responses which provide average or blended rates will be deemed to be non‐responsive.
The Department will expect full transparency in relation to all of the costs proposed and the Department reserves the right to seek fine detail in respect of each cost item of the overall solution;
Any cost implications resultant from the Department selecting individual components of the solution proposed to be combined with components from an alternative Respondent;
Details of special invoicing arrangements, for example, upfront costs, deposits on hardware etc.
The applicable rate of VAT in respect of each product and service being proposed; and
Details of any other costs, taxes or duties which may be incurred.