E-Governance
STQC Role & Responsibilities
Standardisation
Testing
Quality
Certification
Standardization Testing & Quality Certification Directorate
Department of Information Technology
Govt. of India
STQC Services for IT Sector
• Standards formulation
• Software Quality evaluation
• ITeS Quality
• Information Security
• Quality Management in IT Industry
• IT Service Management
STQC IT Network
Centres: Bangalore, Mohali, Solan, Delhi, Agartala, Guwahati, Pune, Goa, Thiruvananthapuram, Mumbai, Kolkata, Hyderabad, Chennai, Jaipur
Certification Requirement - When
• Policy makers/administrators want to know whether the objectives have been fulfilled
• The solution provider wants to demonstrate completion of a milestone
• Users expect the system to deliver as promised
• Funding agencies want to know whether the output and outcome have been achieved
• Procurement bodies want to compare "what was asked" against "what is supplied" before releasing payment
• System architects want to enforce implementation of standards
Challenges – How to Address
A framework is required to ensure that:
• end-to-end systems and their components conform to the requirements of the RFP/contract
• solutions comply with legal and regulatory requirements
• users are satisfied with the services
The body that assesses conformance should be an independent third party, competent in its operation.
Conformity Assessment – Risk-based extent
When applied correctly, conformity assessment can:
• Provide purchasers with confidence in the suppliers, products or services they purchase
• Help businesses be competitive
• Facilitate trust in procurement and supply
• Create market advantage
• Provide a visible link between standards and the market
However, if applied incorrectly, conformity assessment can also:
• Be a burden on business by adding the cost of demonstrating compliance
• Create barriers to procurement and supply
• Inhibit innovation
• Confuse the market
Conformity Assessment and Certification
Essential requirements of Conformity Assessment
and Certification in eGovernance
Quality Process in Government Organisation
Software Application Quality
Information Security Management System
IT Service Management
Quality Process in Government Organisation
Indian standard on Quality Management System – requirements for service quality by Public Service Organisation (IS:15700)
It is a generic standard that enables an organisation to establish systems to provide quality services consistently, effectively and efficiently.
It also provides for systems to ensure continual improvement in services and processes.
Key elements are:
◦ Citizen's Charter
◦ Service delivery process
◦ Complaints handling
Software Application Quality
Distribution of Quality Characteristics – An Illustration
(Bar chart, scale 0–100, over the characteristics: Functionality, Reliability, Usability, Efficiency, Maintainability, Portability, Security, Documentation)
Information Security
Information Security Management System
Management Control
• Risk Assessment & Treatment
• Security Policy
• Organization of Information Security
• Asset Management
• Information System Acquisition
• Compliance
Operational Control
• Human Resource
• Physical & Environmental
• Communication & Operations Management
• Incident Management
• Business Continuity Planning
Technical Control
• Identification & Authentication
• Cryptographic Control
• Access Control
• Audit & Accountability
• Acquisition, Development & Maintenance
IT Service Management
(Process map; the diagram's labels follow)
Service Delivery (Tactical Management): Service Level Management (SLM), Finance, IT Service Continuity Management (IT SCM), Availability and Capacity Management, Security
Service Support (Operational Management): Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, Release Management
Stakeholders: Govt. employees as IT users; Government administrators and policy makers
Interfaces shown: RFC, Incident, Problem, SLA, Contract
Systematic, independent and documented
process for obtaining audit evidence and
evaluating it objectively to determine the
extent to which audit criteria are fulfilled
Management System Audit (Basic Principles)
A systematic examination of the management system:
• Existence (Intent): Does the system meet the requirements of the relevant standard (e.g. ISO 20000)?
• Implementation: Does the organisation do what the ITSMS requires?
• Effectiveness: Is the ITSMS effective for the organisation's business?
The auditor collects information and evidence during the audit.
Audit Phases
Phases: Plan, Conduct, Report, Follow up
Activities shown: initiating the audit, audit planning, document review (Stage 1 audit), checklist preparation, opening meeting, audit conduct, findings & conclusions, closing meeting, report preparation, approval & distribution, audit follow-up, surveillance
Stages of Audit
Stage 1:
• Documentation review
• Determine preparedness for Stage 2 – location & site
• Review status & understanding
• Review scope and legal requirements
• Identify the resources needed for the Stage 2 audit
• Provide a focus for the Stage 2 audit plan
• Readiness for Stage 2 audit – implementation of the management system
Stage 2:
• Conformance to audit criteria
• Performance against key objectives
• Legal compliance
• Operational control of processes
• Internal audit & management review
Testing & Audit of e-Governance Solutions
STQC Experience
e-Governance Projects handled by STQC
• MCA 21, Ministry of Corporate Affairs
• National Service Delivery Gateway (NSDG)
• India Portal
• Passport Seva, Ministry of External Affairs
• Income Tax
• Rashtriya Swasthya Bima Yojana (RSBY)
• Municipality Applications
  o NDMC, CMC Ltd.
  o MCC, NIC Pune
  o KUIDFC, CDAC Bangalore
  o SUVIDHA, Nagarjuna Infotech, Hyderabad & Danlaw Technology India Ltd.
  o MaiNet, ABM Knowledgeware Mumbai
  o Nagrik, Oswal Data Systems, Indore
  o Municipality Software Solutions – MoUD (10 States)
• Other Applications
  o Land Record Information System, NIC (16 States)
  o Urban Registration Information System, NIC (2 States)
  o Treasuries, MP & UP States
  o AIEEE, UPTU, Haryana Counselling, NIC
  o eNRICH-DRDA & eNRICH-CIC (North East) Web Portal, NIC
  o Corporation Financials, e-Governments Foundation, Bangalore
  o Human Resource Municipal Corporation, NIC Pune
Common Problems Observed in Projects
• User requirements (RFP/contract) – missing/inadequately defined
• Key requirements (RFP/contract) – not implemented/partially implemented, deviations in requirements and requirements deferred
• Architectural deviations – interoperability, security & performance related problems
• Frequent failures/system crashes – fatal errors, data loss & data corruption
• Serious problems & functional gaps – no proper fixing, temporary workarounds
• Performance & scalability – slow response & over-utilisation of computing resources
• Robustness, stability & availability – frequent failures & crashes, abnormally long downtime & slow recovery
• Integration & interoperability – incomplete workflows, no data exchange among components & systems
• Security of software & data – wrongly configured systems, inadequate authentication, access control and audit logs
• Usability – cumbersome & lengthy navigation, poor messaging
• Change control – informal/unauthorised modifications carried out directly on the production system
• Digitisation & data migration errors – wrong/unreliable data in the system
• Code & data synchronisation between DC & DR – DC/DR switchover failure
Testing & Audit – Key Observations
Documentation Issues:
o Missing/incomplete/incorrect documentation
o Inconsistency among documents, and between the documentation and the application
o Unclear/ambiguous documentation
o Ineffective document control (change & version control)
Functionality Issues:
o Run-time fatal errors, data loss/corruption
o Wrong/incomplete workflows
o Business logic & data validation errors
o Transactions not traceable/work items missing, transactions wrongly rejected
o Wrong calculations & incorrect rules
o Interface problems (payment gateway, bank interface, etc.)
o Integration of the various modules/functions of the software not done
o Interoperability problems among software modules
Web Site/Portal Issues:
o Inconsistent home/web pages
o Missing/broken links – site links not working
o Accessibility requirements as per W3C hardly met
o Incorrect/obsolete content
o Important buttons/keys disabled
o Site map not available
o Search function not available/not working
Testing & Audit – Key Observations (continued)
Performance Issues:
o Extremely slow home/web page loading, document downloading & uploading
o Inability of the system to sustain an increase in transactions/data volume
o System crash at a much lower user load than the specified requirement
o Over-utilisation of system resources such as CPU, memory, bandwidth, etc.
Security Issues:
o Weak application security (SQL injection, privilege escalation, data loss, access control, error handling/information leakage, session management, denial of service, audit logs, etc.)
o Missing/ineffective security policy (e.g. password policy)
o Mis-configured/vulnerable systems such as servers, firewalls, etc.
o Improper authentication & access control (access rights & authorisations)
o Inadequate confidentiality/integrity (credentials transmitted in clear text)
o Risk assessment & BCP not done/not tested
o Inappropriate data backup & archival for disaster recovery
o Inadequate physical security
o Invalid digital signatures still accepted/CRL not updated
Usability Issues:
o Cumbersome/lengthy navigation
o Poor/missing user instructions/help functions
o Improper/misleading messages for users
o Accessibility requirements not addressed properly
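The first item under Security Issues, SQL injection, is the finding most directly visible in application code. What follows is an added illustration written for this page, not code from the STQC deck or from any of the projects it lists: a login lookup written the way such findings typically arise, beside the parameterised version an audit would expect, run against a constructed in-memory SQLite table with two made-up accounts. It also shows why hashing stored passwords does not by itself close the finding: the injected UNION lets the attacker supply the very salt and hash the lookup then compares against. The table name, the accounts, the attacker payload and the PBKDF2 iteration count are all assumptions made for the demo.

```python
"""Added example for the "Security Issues" list above: the SQL-injection
finding shown as a vulnerable login lookup beside its parameterised fix.
Illustrative code written for this page; not STQC's or any project's code.
The user table, the two accounts and the attacker payload are constructed."""
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is an assumed value for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in (("clerk", "Summer2011"), ("admin", "S3cret!pass")):
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt))
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The finding: the username is pasted into the SQL text, so a quote in it
    changes the query. Hashing the stored password does not help, because the
    attacker can make the query return a salt/hash pair of their own choosing."""
    sql = "SELECT salt, pw_hash FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row is not None and hmac.compare_digest(row[1], hash_password(password, row[0]))


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a bound parameter is always data, never SQL. The comparison is
    constant-time and the failure path gives the caller no extra detail."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_password(password, row[0]))


def injection_payload(password: str) -> str:
    """Constructed attacker input: closes the quote, UNIONs in a row whose salt
    and hash the attacker computed for a password they know, and comments out
    the remainder of the query (SQLite treats '--' as a line comment)."""
    salt = b"\x00" * 16
    digest = hash_password(password, salt).hex()
    return "nobody' UNION SELECT X'%s', X'%s' --" % (salt.hex(), digest)


def demo() -> dict:
    """Runs both lookups with a legitimate login and with the injected username."""
    conn = build_db()
    payload = injection_payload("attacker-chosen")
    return {
        "legit_vulnerable": login_vulnerable(conn, "clerk", "Summer2011"),
        "legit_hardened": login_hardened(conn, "clerk", "Summer2011"),
        "wrong_pw_hardened": login_hardened(conn, "clerk", "guess"),
        "injected_vulnerable": login_vulnerable(conn, payload, "attacker-chosen"),
        "injected_hardened": login_hardened(conn, payload, "attacker-chosen"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable function accepts the injected username with a password that exists nowhere in the table, because the UNION row it compares against was written by the attacker; the parameterised function treats the whole payload as a literal username, finds no row and fails closed. An auditor checking the "audit logs" item in the same list would additionally expect both outcomes to be recorded with the raw submitted username, which is what makes such payloads visible after the fact.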
Certification Schemes for eGovernance
Quality Assurance Framework and Conformity Assessment requirements have been published.
The overall framework covers 5 certification schemes:
o Smart Card Certification (along with NIC)
o Biometric Device Certification (along with UIDAI)
o Website Certification
o Information Security Management Systems Certification
o IT Service Management Certification
Software Testing and Quality Evaluation Framework developed
Thanks