e-Tendering. CVC, IT Act & other Security Aspects. Introduction.
e-Tendering CVC, IT Act & other Security Aspects
Introduction • Organizations or departments require certain raw materials/stationery/items for their proper functioning in day-to-day activities. For example: an organization has an accounts department, which needs a regular supply of stationery in order to keep its books up to date. • So, to procure such items or services, which any organization needs in order to function properly, they undergo a process of tendering through which they assign the work/service to an outside party for regular supply of such work/service.
Tendering / Procuring • Process of procuring for a certain time frame at pre-fixed rates on pre-defined terms & conditions is known as TENDERING/ Procurement. • Even after such a high penetration of IT in organizations, these processes are still done manually. • The processes are well defined, but manual processes have their limitations.
Difference between Procurement / Tendering • Procurement : It is the acquisition of goods and/or services at the best possible total cost of ownership, in the right quality and quantity, at the right time, in the right place and from the right source for the direct benefit or use of corporations, individuals, or even governments, generally via a contract. • Tender : is a legal way of “offering”. In simple words, it is a legal document which offers a contract. So, we tender if we need to procure something !
Limitations or Drawbacks • The traditional process is manual and hence attracts more cost & time. • Different departments employ separate tendering. De-centralized processes again add to all these. • Additional burden of paperwork. • Very lengthy process, difficult to understand and requires dedicated man-power. • Increased cases of fake tendering/bribery lead to lack of faith in process. • Transparency of process as well as of persons involved is at stake. • Small geographical reach. Local competition & local lobby flourishes. • These are only a few… We can effectively manage to process tendering/procurement processes the ‘e’ way !
What is e-Procurement ? • e-Procurement is an IT-enabled process of procurement: employing IT systems & solutions to do the process of tendering/procurement. • A web-based approach that replaces the paper-based manual process with a tech-based process, which gives additional features like time saving, cost reduction, greater transparency etc.
Why e-Procurement ? Its need… • In order to ensure economy and efficiency in procurement - Reduction in costs, better price negotiation and shorter procurement cycle. Through easy and effective reporting and analysis tools, one can improve efficiency in report maintenance, check maverick buying and create seamless data integration. Clarity of specifications and adherence to time frame are other benefits. • To promote competition among bidders • To provide equitable treatment of bidders • To promote fairness and transparency in bidding offers • Further from a Government Department’s perspective e-procurement system can be designed to factor in all Rules and Orders on the subject such as: • Rules relating to procurement in GFR 2005 • Policy preferences for PSUs/cottage and small industries • CVC Guidelines • C&AG observations • Delegation of Powers • Best international practices
Central Vigilance Commission • Formed in February 1964 on the recommendations of the Committee on Prevention of Corruption, headed by Shri K. Santhanam, to advise and guide Central Government agencies in the field of vigilance. • CVC is conceived to be the apex vigilance institution, free of control from any executive authority, monitoring all vigilance activity under the Central Government and advising various authorities in Central Government organizations in planning, executing, reviewing and reforming their vigilance work. • The CVC Bill was passed by both the houses of Parliament in 2003 and the President gave its assent on September 11, 2003. Thus the Central Vigilance Commission Act 2003 (No. 45 of 2003) came into effect from that date.
CVC Act • The CVC Bill was passed by both the houses of Parliament in 2003 and the President gave its assent on September 11, 2003. • Thus, the Central Vigilance Commission Act 2003 (No. 45 of 2003) came into effect from that date. • The Commission, while conducting the inquiry, shall have all the powers of a Civil Court with respect to certain aspects.
Jurisdiction of CVC • Members of All India Service serving in connection with the affairs of the Union and Group A officers of the Central Government • Officers of the rank of Scale V and above in the Public Sector Banks • Officers in Grade D and above in Reserve Bank of India, NABARD and SIDBI • Chief Executives and Executives on the Board and other officers of E-8 and above in Schedule ‘A’ and ‘B’ Public Sector Undertakings • Chief Executives and Executives on the Board and other officers of E-7 and above in Schedule ‘C’ and ‘D’ Public Sector Undertakings • Managers and above in General Insurance Companies • Senior Divisional Managers and above in Life Insurance Corporations • Officers drawing salary of Rs.8700/- p.m. and above on Central Government D.A. pattern, as on the date of the notification and as may be revised from time to time in Societies and other Local Authorities
CVC guidelines : e-Procurement • Various GOs/GRs regarding CVC guidelines on e-Procurement can be found on http://www.cvc.nic.in/proc_works.htm • These promote use of a web-based tendering process to ensure greater transparency, high efficiency, effective cost cutting through reduction of time delays etc., defining the powers of people involved with respect to various rules/practices followed and the security aspects that need to be followed.
Electronic Actions have a legal binding • We must adhere to all the legal bindings in all our actions. • Documentation plays a vital role in all manual processes across organizations. • Similarly, there was a need to legalize the transactions made in electronic mode. • The IT Act was implemented to give authentication to documents and signatures in e-mode.
IT Act of India • The Act simultaneously amended the following Acts- • The Indian Penal Code Act, 1860; The Indian Evidence Act, 1872; The Reserve Bank of India Act, 1934; The Banker’s Book Evidence Act, 1891. • Gave legal recognition to electronic records (Section 4 of the Act) • Gave legal recognition to digital signatures (Section 5 of the Act) • Provided for Certifying Authorities and Subscribers in connection with digital signature (Section 17 to 42 of the Act) • Made provision for penalties for cyber offences (Section 43 to 47 of the Act) • Established Cyber Appellate Tribunal (Section 48 to 64 of the Act) • Listed cyber offences (Section 65 to 78 of the Act).
IT Act provides legal backbone to • Electronic Commerce (E-Commerce) includes not only Internet commerce but also transactions through other electronic medium. In other words it can be described as- • transaction between a company and its customers i.e. buying and selling of goods, services and information (including after-sale service and support); • exchange of structured business information between two or more companies, e.g. Electronic Data Interchange (EDI); and • internal commerce involving work flow reengineering, product and service customization, Supply Chain Management (SCM) etc; by using electronic devices. • Electronic devices/medium used for E-Commerce include – Bar Code Machines, Vending Machines, Telephone & Telegraphs, Fax, Television, Stand alone Computers, Computer Network, Internet, WWW & E-mail.
And it talks about SECURITY… • In manual process, we maintain a definite security through defined means and authenticity of our acts is reflected. • IT transactions or electronic actions also are legalized by implementing IT Act. • BUT, IT Act talks about the Secured actions and transactions and securely authenticating the documentation. It also talks about the ways in which information should be encrypted so as to maintain its authenticity.
Secured Documentation • The process of DIGITAL SIGNATURE involves converting the electronic record into a secret code first, and then translating the codes into a small number by applying a formula. Each licensed Subscriber uses a unique secret code and formula, which is known to him only. This is done through the private key. Based on private key techniques, the public key is designed. • The AUTHENTICATION of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. • ASYMMETRIC CRYPTO SYSTEM : a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature. • PRIVATE KEY : the key of a key pair used to create a digital signature • PUBLIC KEY : the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.
Contd… • CRYPTOGRAPHY : The process of coding is called encryption and the process of decoding is called decryption. Encryption and decryption are done through software. These software are called Public Key and Private Key. Private Key is kept secret and the Public Key is made public. • HASH FUNCTION means an algorithm mapping or translation of one sequence of bits into another, generally a smaller set, known as ‘hash result’ such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible – • to derive or reconstruct the original electronic record from the hash result produced by the algorithm • that two electronic records can produce the same hash result using the algorithm
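The hash-then-sign flow described on the two slides above, as an added example that is not part of the original presentation. It uses textbook RSA with a small constructed key pair purely to show the mechanics; real digital signatures use keys issued under a Digital Signature Certificate and a vetted library with a padding scheme such as RSA-PSS. The function names and the sample record are assumptions.

```python
import hashlib

# Constructed toy key pair built from two known Mersenne primes. Far too
# small and structured for real use; shown only to make the steps visible.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent (public key = N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (private key)


def hash_result(record: bytes) -> int:
    """Hash function: map the record to a fixed-size number (SHA-256)."""
    digest = hashlib.sha256(record).digest()
    return int.from_bytes(digest, "big") % N   # reduced to fit the toy modulus


def sign(record: bytes) -> int:
    """Subscriber: transform the hash result with the private key."""
    return pow(hash_result(record), D, N)


def verify(record: bytes, signature: int) -> bool:
    """Verifier: reverse the transform with the public key and compare it
    with a hash computed independently from the record as received."""
    return pow(signature, E, N) == hash_result(record)


# Constructed sample record, not a real bid.
bid = b"Tender T-001 | Supplier A | price bid: 1,25,000 INR"
sig = sign(bid)
tampered = bid.replace(b"1,25,000", b"1,05,000")

if __name__ == "__main__":
    print("original verifies:", verify(bid, sig))
    print("tampered verifies:", verify(tampered, sig))
```

Changing a single figure in the record changes its hash result, so the signature made over the original no longer verifies.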
https:// Secured Sites • TLS / SSL (Secure Sockets Layer is now Transport Layer Security) : are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end. • These help in secured data flow/transactions on a site. They also allow checking for hacking or unauthorized intrusion inside the web network. • The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths. • In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client knows the server's identity), but not vice versa (the client remains unauthenticated or anonymous). • TLS also supports the more secure bilateral connection mode (typically used in enterprise applications), in which both ends of the "conversation" can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party's certificate). This is known as mutual authentication. Mutual authentication requires that the TLS client-side also hold a certificate (which is not usually the case in the end-user/browser scenario). Unless, that is, TLS-PSK, the Secure Remote Password (SRP) protocol, or some other protocol is used that can provide strong mutual authentication in the absence of certificates.
It also includes any new attempt to make security of IT services stronger and foolproof. Authenticating various actions taken on-line in a secured manner is the key to it.
Ensuring Security • Security The security features incorporated in the application would ensure that all activities are logged, no unauthorized person has access to data, all sensitive data is encrypted and the system can be restored in the minimum possible time in case of a disaster or system crash. • Audit Trail The Solution has to be so designed that all the activities, transactions and changes in configuration are logged and a log report is made available to the concerned people. Further, a log is also made available of activities at the database level thereby ensuring that a robust audit trail is always available of all the activities either at the application level or the database level. • Data Encryption The solution supports encryption and all the price bids received against a tender are encrypted at the database level. Further, the login passwords of all the users and the suppliers are also encrypted at the database level. • Secure Administrator Access To prevent an administrator from misusing his access privileges, the TMS requires two level password verification before allowing an administrator access to the admin module. The first password is provided by the administrator himself and the second password is provided by some designated senior person within the buying organization. The administrator will be authenticated on advanced technologies using biometrics. • Process Validation The Solution has to be so architected that a user cannot view the commercial bid of a supplier till the technical evaluation of the tender is complete and the date & time specified for the opening of the commercial bid is due. • Secured Socket Layer (SSL) Certificate The solution would use SSL Certificate for communication between the browser and the web server. This ensures that all the data is encrypted and cannot be hacked/misused by anyone. • Unauthorized Access - The entire solution is to be placed behind a firewall and intrusion detection system that protects it against unauthorized access and hackers.
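One way to make the Audit Trail requirement above tamper-evident, shown as an added example that is not part of the original presentation or of any specific tendering product: each log entry stores the hash of the entry before it, so an edited or deleted entry breaks the chain. The event fields, user names and function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    """Hash covers the entry's content and the hash of the entry before it."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(log: list, event: dict) -> None:
    """Add an event, linking it to the current last entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})


def first_bad_entry(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None


def build_sample_log() -> list:
    # Constructed events for illustration only.
    log = []
    append(log, {"ts": "2024-01-10T10:00:00Z", "user": "supplier_a",
                 "action": "BID_SUBMITTED", "tender": "T-001"})
    append(log, {"ts": "2024-01-12T09:30:00Z", "user": "admin1",
                 "action": "CONFIG_CHANGED", "tender": "T-001"})
    append(log, {"ts": "2024-01-15T11:00:00Z", "user": "evaluator1",
                 "action": "COMMERCIAL_BID_OPENED", "tender": "T-001"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log, first bad entry:", first_bad_entry(log))
    log[1]["event"]["user"] = "someone_else"   # simulate an after-the-fact edit
    print("edited log, first bad entry:", first_bad_entry(log))
```

The chain only detects edits if the latest hash is also kept somewhere the log's administrator cannot rewrite, for instance digitally signed or copied to a separate system.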
Benefits of e-Procurement • It is a web based process to manage purchases online, across the entire requisition to payment cycle. • A comprehensive e-procurement system typically includes three components: information & registration, e-purchasing and e-tendering. • It creates specialized networks of suppliers on the internet where one can place request for proposals (RFP)/ post tender documents, exchange specifications and receive bids and approve quotations. • It enables organizations to automate their purchasing process and reduce processing costs. • Organizations can now have access to new strategic partners, uncover new suppliers and streamline purchasing processes while simultaneously lowering the cost. • Savings on money, time and labour that are normally wasted on sieving through reams of paper. • Adopting best practices which are common all across stepping ahead to make a globally accepted standard and setting procurement rules as per government rules and latest orders on the subject. • It also captures data that is vital for creating more effective strategic supplier management; it also produces reports on product use and supplier performance. Thus the organization is rendered more efficient and more productive. • Centralizing the process for several departments, which used to waste the same time and money on procuring similar/same items. It empowers us with the opportunity to simplify & streamline this process and thus harness the power of the web to ensure savings for organisations.