USAID Government Accountability Initiative (GAI)REQUEST FOR PROPOSALS (RFP)

Title Electronic Register of Corruption Cases

RFP Number GAI-RFP-014Contracting Authority

Checchi and Company Consulting, Inc. -

The USAID Government Accountability Initiative, implemented by Checchi and Company Consulting, Inc., is requesting proposals from qualified offerors for development and implementation of an Electronic Register of Corruption Cases (ERCC).

Date Published July 3, 2020Submission Deadline

August 3, 2020

Point of Contact Name: Uroš ČuljkovićEmail: uculjkovic@checchiconsulting.comTel: 381 11 4145 880

BackgroundThe USAID Government Accountability Initiative (GAI) is a four-year, US Agency for International Development-funded project awarded in February 2018 to implementing partner Checchi and Company Consulting, Inc. GAI works with key Serbian stakeholders at the national and local levels to increase government accountability at the national and local levels. Under GAI’s third component - Adjudication of Corruption Cases - GAI works with specialized anti-corruption court units and public prosecutors’ offices (PPOs) to support the adjudication of corruption cases and to establish an Electronic Register of Corruption Cases (ERCC). The establishment of these specialized anti-corruption units (in Higher Courts and Higher Public Prosecutor Offices in Belgrade, Novi Sad, Niš, and Kraljevo) is based on the adoption of the new Law on Organization and Jurisdiction of Government Authorities in the Suppression of Organized Crime,

1

Terrorism and Corruption1, which entered into force on March 1, 2018.Under Component 3 Adjudication of Corruption Cases, GAI will:

1. Support anti-corruption specialized court units in implementing the new Law on the Organization and Jurisdiction of State Organs in Fight against Organized Crime, Corruption and Terrorism Financing.

2. Develop procedures and methodology for data collection, record keeping and statistical reporting on corruption cases.

3. Establish an electronic register of corruption cases (ERCC) to support information sharing between different institutions working on the investigation and prosecution of corruption cases.

The ERCC is a reporting tool that will provide regular and ad hoc reports with timely information on the status of corruption cases, detect bottlenecks in the prosecution and adjudication of these cases and enable the identification of strategies to increase the efficiency of these court and public prosecutor’s offices units. The register will communicate with the existing Case Management Systems within the judiciary sector and will base its reports on the data stored in their databases.

Purpose and objectiveAs a pre-accession candidate, the Republic of Serbia (RS) is carrying out judicial reforms according to the European Union`s (EU) accession requirements. The accession negotiations for Chapter 23 ('the Judiciary and Fundamental Rights') of the Acquis were formally opened in July 2016. As part of the negotiation process, the Republic of Serbia needs to meet a number of interim benchmarks. Successful implementation of these benchmarks will result in a more efficient, effective, accountable, professional, and independent justice sector in the country.The need for reliable, unified judicial statistics at the national level has been identified for a long time as an important priority in several EU Annual Country Progress Reports as well as in several judiciary analytical reports developed by other international institutions (World Bank, USAID etc.). The existence of unified judicial statistics at the national level is available to all interested parties in the justice and public sectors and can contribute to better policy decisions, cost savings, and increased effectiveness of justice sector agencies.The EU Progress Report in 2014 states that “the current system of collecting court statistics is not efficient and does not allow making a meaningful analysis of the performances of the Serbian judicial system.”2 The 2014 World Bank, in 1 Official Gazette of Republic of Serbia no. 94/162 Annex to COM(2014)700 final of 8.10.2014, p. 42

2

its “Serbia Judicial Functional Review” document3 emphasizes that in order to be effective “Courts, PPOs and the Councils need meaningful, accurate, and timely statistics”. Further, it concludes that “There is no overall software ‘umbrella’ that provides sector-wide statistical information, which impairs evidence-based decision-making.”More recently, one of the recommendations from the screening report in the area of the fight against corruption noted in the Action Plan for Chapter 23, section 2.3.44 is the necessity to “Improve the collection of unified statistics on corruption, with a clear distinction between the various criminal acts with a possibility for a detailed assessment of the length of the cases, outcomes etc.”. As a result of the implementation of the activities related to this recommendation, “a system for collection of unified statistics on corruption will be established, that enables monitoring different types of criminal offences, length of the cases, outcome of the proceedings, etc.”The establishment of such a system will have impact on the following matters:

– Positive opinion of the European Commission (EC) stated in the Annual Progress Report on Serbia;

– Data on criminal cases with elements of corruption can be effectively collected and disclosed at any time;

– Improved statistical analysis of data on the activities within the criminal offenses with elements of corruption and use of the results obtained for criminal policy planning.

EligibilityOfferors must have:

1. Economic and financial capacity

The average annual turnover of the tenderer of the last three (3) closed financial years must be at least 750.000 EUR;

2. Professional capacity

At least 8 experts in the fields related to this tender (development, installation/maintenance, customization) out of which at least 1 is business analyst and 4 are software experts. Experience in the justice

3 “World Bank Group. 2014. Serbia Judicial Functional Review. Washington, DC. © World Bank. https://openknowledge.worldbank.org/handle/10986/21531 License: CC BY 3.0 IGO.”4 Revised Action Plan for Chapter 23 – Fight Against Corruption, page 76.https://www.mpravde.gov.rs/tekst/22159/prvi-nacrt-revidiranog-akcionog-plana-za-poglavlje-23.php

3

sector will be considered an asset. Offerors must submit a signed Statement of Commitment by each expert

indicating that the expert agrees to work on this project for that offeror. In case the expert is prevented to work on the project during the implementation, the offeror must provide expert with similar or better experience. Any change within the proposed team of experts after award of the subcontract needs to be approved by GAI;

The tenderer must have ISO 27001 certification, and the tenderer or the Manufacturer (if the tenderer is not the Manufacturer) must have ISO 9001 certification. The tenderer must provide written evidence of both certifications.

3. Previous relevant experience

The tenderer has successfully completed at least one (1) individual contract of at least 200.000 EUR in the field of software development within the five (5) year period prior to the closing date of submission of the tenders;

The Tenderer has successfully completed at least one (1) individual contract of at least 150.000 EUR in the field of Reporting Management System IT solution, including software architecture design, customization, development, and project management;

Submission of ProposalsProposals should be submitted electronically to GAI Project Office in Belgrade, Serbia, to the email address: GAI-Belgrade@checchiconsulting.com, no later than August 3, 5 p.m. (CET). Bidders should provide reference to the RFP number (in the subject line of the email). Any proposals that arrive after this time, will be considered at Checchi’s discretion.

Questions and ClarificationsAll questions and requests for clarification regarding this RFP should be submitted electronically to GAI-Belgrade@checchiconsulting.com, no later than July 20. GAI will publish answers to questions and requests for clarifications that may be of interest to all potential bidders/interested parties on the website www.odgovornavlast.rs.

All correspondence must provide reference to the RFP number (in the subject).

4

Content of the ProposalsProposal must include:1. Technical Proposal Form: proposed technical approach, relevant previous

experience of the organization in the field and professional/organizational capacities (including the key project team members and relevant experts that will directly work on design, development, or content creation (Annex II)). The offeror must describe how it will address requirements listed in this RFP and provide a detailed description of the activities, reporting, and quality assurance mechanisms that will be put in place, while demonstrating that the proposed methodology will be appropriate to the local conditions and context of the work.

2. Financial Proposal Form: costs presented in Excel, developed by offeror (Annex III). When calculating its financial offer, the offeror should include all anticipated costs for the assignment such as labor, travel, accommodation, and Defense Base Act insurance. Please be advised, DBA insurance is mandatory for all subcontractors, at their expense. DBA insurance is 2% of labor costs. DBA insurance cannot be added to the cost afterwards or be reimbursed.Any airfares should be for the lowest cost economy class and Fly America

compliant.3. Proposal Submission Form (Annex IV).

Selection Criteria for AwardProposals will be ranked based on the criteria given in the Evaluation table below:

Table 1 - Evaluation tableNo. Evaluated Area of Proposal Maximum

Points1 Technical proposal Total 50

1.1 Quality of Methodology 251.2 Professional capacity 151.3 Previous relevant experience 10

2 Cost Total 50

Total Points 100

5

6

ANNEX IScope of Work

Electronic Register of Corruption Cases1. Purpose and Objectives

The Electronic Register of Corruption Cases, as a reporting tool, will provide regular and ad hoc reports with timely information on the status of corruption cases, detect bottlenecks in the prosecution and adjudication of these cases, and enable the identification of strategies to increase the efficiency of these court and public prosecutor’s offices units.The register will communicate with the existing Case Management Systems within the judiciary sector and will base its reports on the data stored in their databases.2. Current State of Affairs

The justice sector in the Republic of Serbia at this moment “relies on a variety of unlinked ICT systems for case processing, case management, and document management”2. These ICT systems use different data models that prevent streamlined linkage between data that is a basic prerequisite for creation of reliable reports. For this reason, information exchange is mainly performed manually, which is one reason for significant delays in case processing and for significant data duplication.The following IT systems are used in the justice sector: • AVP – Case Management System used in Basic, Higher, Commercial

Courts and Commercial Appellate Court; • SAPS – Case Management System used in the Supreme Court of

Cassation, Appellate Courts, High Court in Sremska Mitrovica and Administrative Court;

• SIPRES – Case Management System used in Misdemeanor Appellate Court and all Misdemeanor Courts;

• SIPRIS – Case Management System used in the Commercial Courts;• SAPO – Case Management System used in Public Prosecutors Offices;• SAPA – Software application within the Administration for Enforcement of

Penal Sanctions;• Central statistics – business intelligence tool for statistics and reporting;• ESB – Enterprise Service Bus, a platform for data exchange between

different software applications within the Ministry of Justice and other Governmental Institutions;

• JIS – Judicial Information System, tool that uses the ESB to access different registers within the judiciary sector (courts, public prosecutor offices, civil

7

enforcement offices, public notaries) as well as registers managed by other institutions in the country with which the Ministry of Justice exchanges data on a regular basis;

• E-Court – a modern technical solution for efficient communication between the courts and its parties

8

Figure 1. IT systems used in the judiciary sector in Republic of Serbia

9

Figure 1 shows a graphical representation of the existing IT systems used in the judiciary sector in Republic of Serbia.Taking into consideration that the established specialized anti-corruption units are based in the Higher Courts and the Higher Public Prosecutor Offices in Belgrade, Novi Sad, Niš, and Kraljevo, AVP and SAPO case management systems are of interest when establishing the Electronic Register of Corruption Cases.

2.1AVP (Automatizovano Vodjenje Predmeta)

General Information AVP is a Case Management System used in 66 Basic Courts, 24 Higher Courts, 16 Commercial Courts and the Commercial Appellate Court in Republic of Serbia. It was initially implemented in 2008 in the Commercial Courts and in the Commercial Appellate Court under the project Commercial Court Administration Strengthening Activity (CCASA) financed by USAID with a goal to streamline courts business processes and reduce manual record keeping. In 2010 it was further expanded and implemented in the Basic and Higher Courts using financial resources from the Serbian budget and the Multi Donor Trust Fund in cooperation with the World Bank. For the purposes of the recently established specialized anti-corruption units in the Higher Courts in Belgrade, Novi Sad, Niš, and Kraljevo, a slightly modified version of AVP was installed and has been used since mid-November 2018. Another important institution that works with anti-corruption cases is the Special Department for Organized Crime in the High Court in Belgrade. This department uses an older version of AVP that works only inside their department and is neither connected to, nor communicates with any other system outside that department.Functional Overview

The AVP Case Management System consists of several modules: - Record Management Office Module – records and searches cases,

monitors and manages the flow of the case, receives written documents, records actions in proceeding, records security measures, records custody decisions, distributes decisions and punishments, records decisions on regular and extraordinary legal remedies, records the validity of the decision, manages fees, makes case re-assignment, etc.;

- Judges’ Module – provides statistical reports about judges according to pre-selected reporting criteria, manages the calendar of hearings;

- Judicial Assistants’ Module – provides statistical reports for all judicial assistants using different reporting criteria, manages the schedule of hearings, contacts and forms;

- Recording Clerks’ Module – allows registration and distribution of hearings, registration of the actions in the proceedings, registration of the received

10

written documents, dispatching of the written documents, printing of envelopes used in expedition of mail, correction of various entered data, reporting according to given criteria, registration of fees and other actions in the proceedings;

- Administrative Workplace Module – allows scanning and electronically adding written documents;

- Court Administration Module – allows filing Court Administration (SU) cases, searching cases, acting upon a specific case, distribution of SU cases, expedition and receipt of written documents, correction of various data (judges, participants, SU base cases, proceedings within a case, link with a case, decision in the case, flow of the case etc.), prints the list of documents and envelopes, verifies documents intended for use abroad, and others;

- Mediation Module – allows registration, search and correction within cases in which mediation takes place (peaceful resolution of disputes);

- Monetary Book Module - contains exchange rate list, calculator, options for registering fees and password changes;

- Archive Module – allows archiving of one or group of cases, cases with expired shelf life, printing archived cases, searching archived cases, and more;

- Reception Office Module – contains all software options that covers the work processes of the Courts Reception Office related to registration and distribution of cases, their search, recording of written documents and their dispatching as well as other actions in the proceedings prescribed in the Court Rules of Procedures;

- Court Practice Module – contains options for registering cases in court practice, their search and their flow;

- Execution of Criminal Sanctions Module – contains registration of a new case and search of existing cases, recording flow of the case and actions performed within the case, registration of requests, fees recording, the use of forms, correction of data entered and reporting;

- Central Issuance of Criminal Certificates Module – contains options for searching citizens by first name, last name, parent’s name, date of birth, and unique registration number of citizens from all registers in which criminal and investigative procedure is conducted, and then generating the appropriate certificate using data already stored in databases within the Basic and Higher Courts as well as Public Prosecutor Offices that use SAPO application in their work;

- Central Criminal Record of Legal Entities Module – contains search options for all legal entities with final judgment of conviction and generating

11

appropriate certificates whether a legal entity has been convicted / not convicted;

- Central Criminal Record of Natural Persons Module – contains all natural persons with final judgment of conviction, options for search, and information on the conviction used by the judges in criminal cases;

- Register of Natural Persons Module – contains data on all natural persons participating in the proceedings in a specific court, and functionality for updating their data;

- Register of Legal Entities Module – contains data on all legal entities participating in the proceedings in a specific court and functionality for updating their data;

- Deleting Cases Module – contains option to delete a case, to renumber the case, to change the initial judge;

- System Administration Module – module where various software options can be set for proper functioning of the system, management of catalogues (criminal acts, safety measures, the basis of the dispute, records of acting judges, the number of working days for a specific month in a year, register of third parties (lawyer, enforcement agent...)); also adjusts the envelopes to be printed, keeps register of participants in the proceedings, provides functionality for review of log files, etc.

Technical Overview

AVP is a distributed Case Management System, with local installations of the software application and the database within each court. Local IT administrators are responsible for the everyday operations and maintenance of the system. The software application is developed using Macromedia ColdFusion MX8, MS SQL Server 2005 is used as a database server in the Basic and Higher Courts, and MS SQL Server 2000 as a database server in the Commercial Courts.Client computers need to have MS Windows XP/2000, MS Office, Acrobat Reader 7.0 or newer, and MS Internet Explorer 6.0/7.0 or newer. It is important to emphasize that AVP uses ActiveX components on the client side that makes it functional only on specific versions of Internet Explorer (IE) browser. MOJ is the owner of the source code, but since it does not have the technical capacity and resources to make in – house changes on the software, it publishes a tender for preventive and adaptive maintenance of AVP on a yearly basis. The purpose of the preventive maintenance is to get technical support for uninterrupted operation of all AVP installations. All changes and upgrades of the software fall under the framework of adaptive maintenance.

Interoperability

Except several isolated cases where AVP data is replicated on other servers, AVP does not directly communicate, nor exchange data, with any other IT

12

system in the judiciary sector in real time. The main reason for this lies in its distributed architecture as well as in the technologies for its implementation. With this architecture and these technologies, the only way to integrate AVP with other systems is by using web services.

Reporting

AVP provides local reports using data that is available in each court. It has implemented “more than 200 specific reports”5 most of which are in accordance with the Court Rules of Procedure (for example: T1 report prescribed in the Court Rules of Procedure). AVP at this moment doesn’t have the possibility to generate reports on criteria of importance for ERCC (for example: Report on court operations in corruption cases and criminal offences prescribed by article 194. of CC and 344.-a of CC, which content is created by Supreme Court of Cassation)7.

2.2SAPO (Software Application for the Prosecution Offices)General Information

SAPO is a Case Management System used in 23 Public Prosecutor Offices in the Republic of Serbia. It was financed with a grant by the European Union as part of the IPA 2008 Programme, through the project “Improvement of Transparency and Efficiency in Public Prosecution and Penal System of the Republic of Serbia” – EuropeAid/129341/C/SER/RS, implemented during the period 2010 – 2013. The main objectives of its implementation were to improve the efficiency and transparency of the processes in the Prosecutor Offices (PO) through their automation, establishment of a centralized electronic archive of cases and documents, and implementation of a consolidated and unified reporting engine.SAPO is used in three out of four recently established specialized anti – corruption units in the Higher PPOs (Belgrade, Novi Sad, and Niš). Because of a lack of technical capacities for the implementation of the SAPO software, the Higher PPO in Kraljevo, as well as the established specialized anti-corruption unit in that PPO, use only hardcopy registers to store and submit information about their cases. The Prosecutor’s Office for Organized Crime that works on anti-corruption cases is also using a “closed” version of SAPO that does not communicate with other systems outside that office. At the moment, under the project “Supply of IT equipment and software for improvement of case management systems for the Prosecutors' Offices and the administration for the enforcement of criminal sanctions” – EuropeAid/139372/DH/SUP/RS financed by the European Union, SAPO is being implemented in all remaining Public Prosecutors Offices, with a goal to create unified centralized Case Management System for all Public Prosecutors Offices in Republic of Serbia.Functional Overview

13

The SAPO Case Management System is currently automating all business processes within a number of Public Prosecutor Offices in Serbia at all levels: basic, higher, appellate and republic, covering all stages within a case lifecycle – from the moment the case is generated till the moment the case is archived, enforcing legal requirements as prescribed in the Rulebook on Administration in Public Prosecutors Offices5. SAPO has a centralized repository of all cases and documents of all prosecutor’s offices where it is implemented, and a digitalized case archive with all external and internal documents and acts that provides more efficient reporting and improved transparency (specific data about the cases is published on the Public Prosecutor Office web site). SAPO Case Management System consist of several modules:

- Module for Scanning – module that transforms all documents that arrive at the prosecutor’s office into electronic format. Multifunctional network devices are used for document scanning.;

- Electronic Registry Module – the central module of the system. According to the Rulebook on Administration in Public Prosecutor's Office, an authorized employee of the registry records every official act within the case in the registry office. The scanned documents are delivered in the registry office after signing. When a new case is created, all necessary case data are entered through this module, including persons in the case and related offences. When there is a certain record that relates to an existing case, this module provides necessary functionalities to register and connect these records with the appropriate case.; The Electronic Registry Module enables the necessary search functionality so that the clerks in the registry office can see the current status and location of the case at any time;

- Case Management Module – module designed for deputy prosecutors who are working with the case, deputy prosecutors who sign input documents, as well as for clerks within registry offices. Cases processors and clerks are engaged in the process of generating acts that the processor brings, and their placement in the case;

- Reporting Module – efficient reporting is one of the main goals of the introduction of SAPO. Using this module, all annual reports for any given period can be easily obtained. The module can also generate periodical reports in addition to the standard set of annual reports. Both annual and the periodic reports are regularly changed to correspond to changes in the Law on Criminal Procedure;

- System Administration Module – a module that is used for administration of the system components and system catalogues. The following

5 Rulebook on Administration in Public Prosecutor's Offices, “Official gazette of Republic of Serbia", no. 116/08 and 104/09;

14

catalogues are managed using this module: list of prosecutors, assigned users in the appropriate prosecutor's offices and definition of their roles in the prosecutor's offices, list of registers in the prosecutor's offices, list of natural persons, case statuses and persons, list of public institutions, list of institutions for KEO (deferred criminal prosecution / odlaganje krivičnog gonjenja).

Technical Overview

SAPO is a centralized Case Management System that is installed at the prosecutors’ office data center in Belgrade. All prosecutors’ offices where it is implemented are accessing the system via HTTP protocol using an Internet connection. Because of its centralized architecture, the main prerequisite for its proper operation is stable internal networks within the prosecutors’ offices and stable Internet connection between the prosecutors’ offices and the hosting location. SAPO is realized as a web application based on EMC Documentum xCP2 platform, Captiva platform for digitization and processing of images, and MS SQL Server 2008 R2 as a database for keeping meta(data). All documents are kept on a storage system within a secured zone at the hosting location. EMC Documentum Content Server is used for authentication. Each office has one multifunctional network device for scanning the entire incoming documentation. Scanned documents are automatically sent to a special SAPO module that converts them to text format, making them searchable for the end users. SAPO works well on all modern browsers and the end users does not need to install any add-ons on their computers for proper use of the system. Since EMC Documentum is a proprietary product, MOJ does not own the source code. This makes the licensing for SAPO an issue for its maintenance and its further expansion to other public prosecutor’s offices in the Republic of Serbia. For this reason, under the new EU project it has been decided to redesign SAPO in order to make it not depend on EMC Documentum. Open source tools will be used and the system will have the same and improved functionalities.

Interoperability

SAPO software architecture and technology provide the necessary tools and interfaces for seamless connection and data exchange with any other external system. This is due to the implementation of the Service Oriented Architecture for data exchange and supports the use of web services for communication with other external systems using well-defined interfaces and standard set of data exchange protocols.

Reporting

Using its reporting module, SAPO is able to generate all regular reports as prescribed in the Rulebook on Administration in Public Prosecutor's Offices. It is

15

also able to generate reports according to different search criteria.

2.3Enterprise Service Bus (ESB)General Information

An Enterprise Service Bus (ESB) is an integrated software platform known as middleware that provides interaction and communication services for complex software applications, aiding application-to-application communication. The main goal for implementation of an ESB is to achieve interoperability and seamless data exchange between different software applications, no matter their different software architectures or technological platforms. The main goal for implementation of the ESB in the Ministry of Justice was to enable data exchange between different IT systems in the judiciary, as well as with other institutions outside of the judiciary sector.Using this ESB, the Ministry of Justice exchanges data with the following institutions: Ministry of Public Administration and Local Self-Government, Serbian Business Registers Agency, Ministry of Interior and State Statistical Office. Connection with various registers in the Tax Administration, the Post of Serbia, and the Public Prosecutor’s Office is under development.

Figure 2. Enterprise Service Bus at the Ministry of Justice

Functional Overview

The ESB represents a central place for data exchange (both internal and external data exchange). It also enables simple implementation of business processes and rules. The ESB provides communication between different software solutions with the following modules:

- Implementation and use of SOA architecture – with the implementation of SOA architecture the applications are hidden from other applications, but their services are published on the service bus. Even if the applications are not designed using SOA architecture, no matter what platform is used

16

for their development (.NET, ColdFusion, Documentum etc.), this functionality enables the inclusion of these applications and the use of their data in business processes through simple creation of adapters on the service bus that allow access to their data. With this, “older” software applications can also be integrated on the ESB;

- Access to the system using web services – web services represents a single access point for all applications that would like to communicate with the ESB. Each web service in the system has a consistent interface for accessing the system. These interfaces do not depend on any change in the internal system architecture. All other activities, for example the direction of messages, the change of communication protocols, the delivery and reception of messages, are done by the ESB;

- Increased level of security and reliable and safe messaging – the ESB security settings enable support for PKI (Public Key Infrastructure), access to the infrastructure and software components, support for document encryption and decryption, support for multimodal system authentication, support for user authorization for individual services/actions, and support for definition of roles in the system/platform. In order to ensure the safety of incoming and outgoing messages, the ESB implements Message Security mechanisms and integrated security (Enterprise Single Sign-On).

- Simple management of business processes and rules – these functionalities define the rules, conditions, and channels of communications. It allows central control of the access rules to individual data. Rules that can be defined include the automatic reaction of the platform to specific business events;

- Orchestration of business processes – these functionalities connect the messages and web services from different software applications into one unified business process. All transformations and actions over the messages and the services (including the order of messages and service calls) can be configured using the user interface;

- Advanced reporting system and specific reports for monitoring the performances of the system – the functionalities in this module are: monitoring of business functionalities of the system, review of the current operating status of the system, possibility to define different business KPIs for easier monitoring of the system, preview of the existing business KPIs, business analytics, drill-down functionality for data review and application system monitoring.

Technical Overview

The ESB that is implemented in the Ministry of Justice is based on a commercial off-the-shelf product developed by Microsoft – Microsoft BizTalk Server 2013R2. SQL Server 2014 as a database server and a Microsoft operating system are also needed for proper operation of the ESB. The solution is compatible with

17

Simple Object Access Protocol (SOAP) and Web Service (WS) standards and has an internal workflow mechanism that can use SOAP services. The database allows querying with high availability as well as stable operation with mission-critical operations and supports integration with cloud systems. Since Microsoft BizTalk is a proprietary product, the Ministry of Justice does not own the source code. Because MoJ does not have the technical capacity and resources to administer or manage the platform, it publishes a tender for preventive and adaptive maintenance on a yearly basis. The purpose of the preventive maintenance is to get technical support to provide uninterrupted operation of the application. All changes and upgrades of the software fall under the framework of adaptive maintenance.

2.4Judicial Information System (PIS)General Information

The Judicial Information System is a responsive web-based application that uses ESB to access different registers within the judiciary sector (courts, public prosecutor offices, civil enforcement officers, public notaries) as well as registers managed by other institutions in the country with which the Ministry of Justice exchanges data on a regular basis. Judicial Information System was implemented in October 2017 and links registers within Ministry of Interior, Ministry of State Administration and Local Self-Government, Central Register of Obligatory Social Insurance, Business Registers Agency, Republic Geodetic Authority, etc.The main goal of PIS is to speed up the communication between the Ministry of Justice and other institutions within and outside judiciary sector in order to speed up work processes and average time for case processing, at the same time cutting the costs for postal services by enabling access to data from electronic registers that was before collected on paper. During the first year of its implementation, PIS processed over 360,000 electronic inquiries.Functional Overview

The Judicial Information System consists of a user interface, a database for keeping data about user activities and queries made, and links (clients) for queries to different web services. The system consists of several modules:

- Module for User Administration – module with functionalities for management of users and its properties on PIS;

- Module for User Registration – functionality (wizard) for the approved users where they can enter their data and obtain username and password for accessing the system;

- Module for Authentication – module for verifying user credentials and their comparison with the appropriate Active Directory;

18

- Module for User Profile – module with functionalities where each user on PIS can manage data related to their profile;

- Module for User Access Rights – module where the administrator is able to assign the user the appropriate user roles. Using this module, the administrator can set access to specific links (clients) for queries to different web services;

- Module for Active Directory Authentication – PIS users have to be active users in one of the two existing Active Directories. This module verifies that the authenticated user exists in one of this Directories;

- Module for Roles – module for definition of roles inside PIS. The administrator is able to give access rights to specific links (clients) for queries to different web services to specific defined roles;

- Module links (clients) to web services – Module for management of the links to different web services with which PIS communicates and performs queries;

- Module for presentation of the received data – module where received results from the queries sent to the different web services are presented on user friendly interface.

- Module for Printing – module where the user can get the received results in a format appropriate for printing.

Technical Overview

The Judicial Information System is a centralized system with responsive user interface. It is closed within the judiciary network, and only those users that are appointed by the court presidents can have access to it. The application was created using the Bootstrap 4 front-end framework in compliance with the guidelines of Google Material Design. The application uses SQL Server 2017 SP1 DBMS. The logic of the application is mostly realized in store procedures.The server side is implemented in ASP.NET Core 2.1. Part of the application was developed using MVC and part was developed with REST Api and client data processing.JQuery, Mustache, vue.js libraries were used for the client side. The client retrieves static HTML templates from the server and all other communication with the server is via JSON.

2.5Data Models and Data DictionariesThe Electronic Register of Corruption Cases will base its reports on the data stored in AVP and SAPO. In order to select the appropriate set of data that will be sent to the ERCC database, AVP and SAPO Database Models and Data Dictionaries are of particular interest.

19

Under USAID’s Government Accountability Initiative (GAI) project, AVP and SAPO Database Models and Data Dictionaries were created and will be available to the subcontractor. The AVP and SAPO Database Models and Data Dictionaries document identify database tables, and describe their purpose and the meaning and the context of each column in these database tables. In addition, the models and dictionaries identify the catalogues (šifarnici) in both case management systems in terms of their number, structure, and content.

20

Figure 3. ERCC Software Architecture

21

3. Proposed Conceptual Architecture of the Electronic Register of Corruption Cases (ERCC)

The software architecture of the ERCC is shown on Figure 3. Following the principles and the strategic guidelines set in the IT Development Guidelines in the Justice Sector document6, and taking into consideration that the existing case management systems use different technologies, platforms, data formats, and exchange mechanisms, ERCC should be directly connected to and communicates with the existing case management systems through the Judiciary Enterprise Service Bus (ESB), implementing the concepts of Service-Oriented Architecture (SOA). With this approach, the existing systems can still be used, developed, and improved independently and at the same time interoperability of data and technological platforms is achieved both at local level as well as in communication with external information systems.With the implementation of this architecture, each individual system is directly connected to the ESB. It communicates and exchanges data only with the ESB and the ESB is then capable to translate an individual connection interface (communication mechanisms and data formats) into another connection interface, allowing cutting the costs of integration, and extreme flexibility.This architectural approach also follows the strategic principle of sharing the data (set in the IT Development Guidelines in the Justice Sector document) between different systems. This principle promotes the use of data from the existing systems (those who “own” the data) and avoid data re-entry in other systems, preventing data duplication. As a first step towards the implementation of this ERCC software architecture, the existing case management systems of interest (AVP and SAPO in this case) need to be connected to and communicate through the existing ESB in the Ministry of Justice, realizing the SOA concept of one connection (interface) per system. The interface will define the method of exchange and the set of data that will be exchanged between each system and the connecting ESB. Data exchange between systems will be provided through the ESB.The connection between the existing systems and the ESB should be done using web services. These web services need to provide the necessary data from each installation of AVP and from SAPO to the ESB so that it is included in the ERCC database for further analysis and reporting.Due to the data confidentiality in the Special Department for Organized Crime in the High Court in Belgrade and the Prosecutor’s Office for Organized Crime, web services that will connect these institutions with the ESB will not be able to communicate directly with the local AVP and SAPO installations. A “proxy” solution needs to be developed that will receive data (manually or automatically) from the existing installations of AVP and SAPO and then serve that data to the web services that will transfer them through ESB to the ERCC

6 IT Development Guidelines in Justice Sector, Ministry of Justice, Belgrade, 2016;

22

database (For example: an Excel file with a predefined format containing non-confidential data extracted from the existing AVP and SAPO installations, or any type of local database that will serve the same purpose).

4. Requirements for the Electronic Register of Corruption Cases (ERCC)

The requirements of the Electronic Register of Corruption Cases (ERCC) are drafted to the level of granularity and details expected to be adequate so that the Bidder can prepare its proposal. For that purpose, the requirements are divided into the following groups:

General Requirements Functional Requirements Non-Functional Requirements Implementation Service Requirements Hardware Requirements

As appropriate, the structured and numbered requirements are accompanied by narrative lead-in paragraphs or explanatory comments.

4.1General RequirementsGEN-1. ERCC has to be designed as a multi-tier web application. Presentation

layers and business rules have to be clearly separated;GEN-2. All additional licenses of specific software (OS, COTS, DBMS, other

software) necessary for ERCC to operate on the hardware infrastructure described in 4.5 for unlimited number of end users and unlimited time should be included in the offer;

GEN-3. The subcontractor needs to assure that the system can operate in compliance with the Serbian legal framework and implemented regulations;

GEN-4. The system has to be harmonized with relevant technical standards related to quality, interoperability, performances, or other system properties, including but not limited to: - The system should support the most common Internet browsers,

primarily their new versions: Google Chrome, Safari, Firefox, Edge, etc;

- The system should be able to export data in various formats such as MS Office documents, pdf, XML, etc.

GEN-5. With the UAT (User Acceptance Test) acceptance, the MoJ becomes the owner of the source code for all software modules generated in the process of system development. If the subcontractor uses products

23

from other producers for some of the component of the system (e.g. RDBMS etc.) the MoJ will not demand the delivery of the source code for such products. After the UAT acceptance, the following must be delivered to the MoJ: - Source code of the system with comments;- Technical documentation of the system;- User documentation of the system;- Documentation required for database administration;

Database scheme with detailed description of tables, fields, procedures, triggers, queries. Additionally, SQL query generating the pre-defined database;

Procedure and documentation related to back up; Procedure and documentation related to the process of

restoring and recovery of data base; Procedure and documentation related to replication of data

base to safe location (Disaster location); Procedure and documentation related to the transfer of the

system to backup location and vice versa (failover and failback).

GEN-6. During the period of the development of the system, business procedures and processes will be in the ownership of the MoJ, i.e. they will be the intellectual property of the MoJ. After the development period expires, and after the takeover test (UAT) is successfully done, the source code remains in the ownership of the MoJ. In that case, the MoJ has all the rights to use and modify the source code and executive code. This right is in existence for an unlimited period of time, and there is no obligation to pay any fee.

4.2Functional RequirementsThe Functional Requirements of ERCC are divided into several modules:

- Module for User Management;- Module for User Group Management;- Module for Management of Permissions;- Module for Management of Catalogues;- Module for Reporting;- Module for Data Exchange;- Module for System Logs.

24

Module for User Management

The User Management module should allow management of all users and their authentication features within the ERCC. It shall provide the system administrators within MoJ with ability to identify and control the status of the users that will have the rights to log into the ERCC and use it.This module shall provide at least the following functionalities:FUN-1. The system shall display a list of all registered users in a table with at

least the following columns: Username, First Name and Last Name, E-mail Address, User Role(s), and Institution;

FUN-2. The system shall provide functionality for adding new users. The system shall request at least the following information about the user: First Name, Last Name, E-mail address, Institution (dropdown), Position within the Institution, User Role (dropdown);

FUN-3. The system shall provide functionalities for importing user accounts into ERCC using well formatted Excel or CSV file;

FUN-4. The system shall provide functionality for adding/removing users from User Group(s). The User Groups are defined in the Module for User Group Management;

FUN-5. The system shall provide functionalities for viewing user’s information;FUN-6. The system shall provide functionalities for deactivating/activating

user’s ERCC account;FUN-7. The system shall provide functionalities for editing user’s information;FUN-8. The system shall provide functionalities for querying, filtering and

sorting of the registered users;FUN-9. The system shall provide functionalities for viewing information about

the user activity in ERCC (including but not limited to user login counts and login times).

Module for User Group Management

Users in ERCC shall be grouped into User Groups. The permission to access specific functionality of the system shall be based on belonging to one or more User Groups. There shall be two pre-defined User Groups in the system (System Administrators and Users). Each active user can belong to one or more User Group and each User Group shall give access to specific set of functionalities based on defined permissions for that user group (as defined in the Module for Management of Privileges).This module shall provide at least the following functionalities:FUN-10.The system shall display a list of all existing user groups in ERCC in a

table with at least the following columns: User Group Name;

25

FUN-11.The system shall provide functionality for adding new user group. The system shall request at least the following information about the user group: User Group Name, and users that will belong to the new user group;

FUN-12.The system shall provide functionality for adding/removing user from User Group(s);

FUN-13.The system shall provide functionalities for viewing user group’s information including information about the users that are belonging to that user group;

FUN-14.The system shall provide functionality for managing permissions for a User Group. The Permissions are defined in the Module for Management of Permissions;

FUN-15.The system shall provide functionalities for deactivating/activating user group;

FUN-16.The system shall provide functionalities for editing user group’s information;

FUN-17.The system shall provide functionalities for querying, filtering and sorting of the existing user groups;

Module for Management of Permissions

This module manages permissions for access to specific functionalities of the ERCC. The system shall keep a list of all of its functionalities (listed in this section) grouped by modules and using this module the system administrator shall be able to dynamically manage the permissions of a specific user group to a specific functionality.This module shall provide at least the following functionalities:FUN-18.The system shall display a list of all ERCC functionalities in a table,

grouped by modules, with at least the following columns: Functionality Name;

FUN-19.The system shall display a list of all permissions to ERCC functionalities for a specific user group in a table, grouped by modules, with at least the following columns: Functionality Name. In order to display this list, the system administrator shall select an existing user group from a dropdown menu. Selected checkbox in front of the name of the ERCC functionalities may mean that the selected user group has privileges to that functionality;

FUN-20.The system shall provide functionality for adding permission to a user group. During this process, the system administrator shall select an existing user group from a dropdown menu and then using the checkboxes that shall exist in front of each ERCC functionality add

26

permission to a specific functionality by selecting the corresponding checkbox. If the system administrator wants to add permission to all functionalities within a specific module to a specific user group then he/she shall select the checkbox in front of the module name. As a result, the system shall automatically select all checkboxes in front of the names of the functionalities within that module;

FUN-21.The system shall provide functionality for removing permission to a user group. During this process, the system administrator shall select an existing user group from a dropdown menu and then using the checkboxes that shall exist in front of each ERCC functionality remove permission to a specific functionality by deselecting the corresponding checkbox. If the system administrator wants to remove permission from all functionalities within a specific module to a specific user group then he/she shall deselect the checkbox in front of the module name. As a result, the system shall automatically deselect all checkboxes in front of the names of the functionalities within that module.

Module for Management of Catalogues

This module should allow management of standardized catalogues that are needed for the purposes of creating statistical reports in the area of corruption. These catalogues shall be managed centrally and in an ideal situation shall be the same as the corresponding catalogues within the existing Case Management Systems. Because the performed analysis of the existing IT systems in the judiciary identified discrepancies between the catalogues in the existing Case Management Systems and issues with the quality of their data, this module shall provide functionalities for mapping the defined records in the ERCC catalogues with the records from the catalogues in the existing Case Management Systems. This module shall provide at least the following functionalities:FUN-22.The system shall display a list of all ERCC standardized catalogues in a

table with at least the following columns: Catalogue Name;FUN-23.The system shall provide functionality for adding a new standardized

catalogue. The system shall request at least the following information about the catalog: Catalogue Name, names of catalogue columns;

FUN-24.The system shall provide functionality for editing standardized catalogue. This functionality shall allow changes to the Catalogue Name and the names of the catalogue columns;

FUN-25.The system shall provide functionality for adding/removing column into a standardized catalogue. When adding new column within existing standardized catalogue, for all existing records this column shall have null value. When removing existing a column within an existing standardized catalogue, all data within that column will be lost. The

27

user should be appropriately informed about the consequences;FUN-26.The system shall provide functionality for adding a record inside an

existing ERCC standardized catalogue. During this functionality the user shall be able to enter data into all columns that are defined for the selected catalogue;

FUN-27.The system shall provide functionality for removing a record from an existing ERCC standardized catalogue. When removing a record from an existing ERCC standardized catalogue, the existing connection (mapping) with the records from the catalogues in the existing Case Management Systems will be lost. The user should be appropriately informed about the consequences;

FUN-28.The system shall provide functionality for connecting (mapping) a record inside an existing ERCC standardized catalogue with a record(s) from the catalogues in the existing Case Management Systems (AVP and SAPO in the initial phase). During this functionality the user shall be able to select which record(s) from the catalogues in the existing Case Management Systems shall be mapped to the selected record from the ERCC standardized catalogue. These connections (mappings) will be further used for the creation of the statistical reports;

FUN-29.The system shall provide functionality for removing existing connection (mapping) between record(s) inside an existing ERCC standardized catalogue and record(s) from the catalogues in the existing Case Management Systems (AVP and SAPO in the initial phase). During this functionality the user shall be able to remove previously created connection (mapping) between record(s) from the catalogues in the existing Case Management Systems and the selected record from the ERCC standardized catalogue;

FUN-30.The system shall provide functionality for viewing information about the existing standardized catalog. This functionality shall display the Catalog Name, Catalog Columns, records that are entered within that catalogue and their connections (mappings) with the records from the catalogues in the existing Case Management Systems;

FUN-31.The system shall provide functionality for deactivating/activating ERCC standardized catalogues;

FUN-32.The system shall provide functionality for querying, filtering and sorting of the standardized catalogues;

FUN-33.The system shall provide functionality for querying, filtering and sorting of the records within the ERCC standardized catalogues;

FUN-34.The system shall provide functionality, where possible, for automated synchronization of the records within the ERCC standardized catalogues with the external basic registers in cases when these catalogues are

28

legal responsibility of other institutions in the country (catalogues which are considered as basic registers in the country).

Module for Reporting

This is a module that shall generate all regular and ad-hoc statistical reports related to corruption in the judiciary sector. The module must be able to implement operations as data load, transfer and extract from the implemented underlying data base model. It has to provide tools for querying the collected data in ERCC database and creating, storing and reusing predefined and ad hoc reports. The module has to provide visualization tools and a dashboard for tracking and reduction of the decision making process and time for setting, monitoring and visualizing progress and deadlines of the cases, KPIs (key performance indicators), as well as possibility to drill into the collected data in specified directions. The module has to provide exporting functionalities in the most frequently used formats.Taking into consideration the reporting needs of the specialized anti-corruption units within Higher Courts and Higher Public Prosecutor’s Offices and the existing legal practice, this module shall be able to create at least the following regular and ad-hoc reports:Reports of the Higher Public Prosecutor’s Offices

– Regular Quarterly/Six-months/Annual Reports o Report on criminal offences with corruption element - KST-3

(tabulation) per persons;o Report on criminal offences with corruptive element - KST-3

(tabulation) per acts (offences);o Report on seized material gained OIKKo - (tabulation);o Report on plea bargaining agreements regarding criminal offences

with corruption element -SKKO (tabulation);o Report on plea bargaining agreements regarding number of criminal

offences – SKKO (tabulation);o Report on criminal offences in general crime KSTKo-2 (tabulation);o Report on PPOs work in the proceedings upon legal remedies - КSTKo-10 (tabulation);

o Report on PPOs work upon unknown offenders - KSTKo -8 (tabulation);

o Report on PPOs work upon lex specialis prescribing crimes KSTKo-7 (tabulation);

o Report on PPOs work in the proceedings upon the procedure of differing criminal prosecution KEOKo;

29

o Annual textual report on PPO work with the presented statistics per set pattern;

– Ad-hoc Reportso Report on crime rate per certain corruption criminal offences, for

instance “money laundering”;o Report on amount of works in PPO (tabulation);

o Report on crime rate per certain persons and categories (for instance, certain occupations, types of legal entities, and other.);

o Extraordinary reports/tables KSTKKo-3 per persons/acts;o Monthly reports on number of newly-registered cases/persons;o Report (comparison of KTKo and SKKo report)o Report for Statistical office o Report on requalification of a crimeo Report on trial durationo Reports on proactive investigations.

Reports of Higher Courts – Regular annual/six months reports

o Annual report on court operations;o Reports on backlog cases against reports on backlog cases

according to the initial enactment;o Reports on backlog cases;o Reports on disposed and unresolved cases;

– AD-hoc reportso Reports on certain criminal offence with corruption element;o Reports on cases related to the data on prevention of money

lauding;o Reports on protection measures imposed to the accused to attend

hearings;o Reports on measures to set bail;o Report on trial duriationo Report on requalification

This module shall provide at least the following functionalities:FUN-35.System shall be able to produce the above-mentioned regular and ad-

30

hoc reports using the data within the system and according the needs of the judicial institutions through a user-friendly graphical interface without the need for coding or scripting;

FUN-36.System shall provide functionality for definition and monitoring of custom KPIs (key performance indicators) using data stored in the ERCC database. The KPIs that the system should provide will be defined during the analysis phase of the project. Their initial number will not be larger than 8 (eight);

FUN-37.System shall provide functionality for saving and reusing the defined KPIs and reports;

FUN-38.System shall provide functionality for tracking and monitoring KPIs movement over periods of time;

FUN-39.The system shall provide visualization tools and interactive dashboard for each user. Users should be able to configure the set of KPIs (from the available ones) that will be part of their dashboard;

FUN-40.On the dashboard they should be able to see: the list of all translation orders for that specific translation agency, the list of contracts, the list of invoices, information about the available resources (remaining value, remaining number of pages for translation etc.) according to the active contracts, list of registered translators, list of registered users for proofreading;

FUN-41.System shall provide drill-down analysis tool both for the indicators and the reports.

FUN-42.On each report the system shall display the date and time of the last synchronization of data between ERCC and the Case Management Systems (AVP and SAPO).

Module for Data Exchange

This is a module that collects the necessary data from the existing Case Management Systems so that ERCC reporting module is able to generate the needed regular and ad-hoc reports. During the initial implementation of ERCC, this module shall collect data from all installations of AVP (four specialized anti-corruption units and the Special Department for Organized Crime in the High Court in Belgrade) and from SAPO (four specialized anti-corruption units and Prosecutor’s Office for Organized Crime). The module communicates with the existing Case Management Systems through the Judiciary ESB as described in section 3 of this document. Due to the large amount of data that is stored in the databases of the existing CMSs, this module should automatically query these databases once a day during the late-night hours. However, for the purposes of more accurate reporting, the module shall have functionality for manual activation of the

31

querying by the system administrator. The module shall extract all necessary data from the databases of the existing CMSs that is needed for generation of the required regular and ad-hoc reports listed in the description of the Module for Reporting, and store that data in the ERCC database in a well designed structure. This module shall provide at least the following functionalities:FUN-43.The system shall be able to display a list of all registered Content

Management Systems from which it collects the necessary data in a table with at least the following columns: Name of the CMS and information about the date, time and status of the last synchronization;

FUN-44.The system shall provide functionality for registration of a new Content Management Systems from which it will collect data. The system shall request at least the following information the new CMS: Name of the CMS, stored procedure (or other job) that is executed within the database for extracting the necessary data from that CMS (dropdown) through the ESB;

FUN-45.The system shall provide functionality for automatic synchronization with the registered Content Management systems from which it collects data. The system shall provide functionality for setting up the time for this automatic synchronization;

FUN-46.The system shall provide functionality for manual synchronization with one or all registered Content Management systems from which it collects data. A user with the appropriate privileges can activate this manual synchronization;

FUN-47.The system shall be able to display a report about the successful/unsuccessful synchronizations with the registered Content Management systems from which it collects data;

FUN-48.The system shall provide functionality for activation/deactivation of a registered Content Management Systems from which it collects data.

Module for System Logs

This module provides information about the specific actions that happened into the ERCC that may be of future interest for observation and analysis. Examples of such actions can be: system errors, specific users actions, changes of important information etc.This module shall provide at least the following functionalities:FUN-49.The system shall be able to display a list of all information about the

specific actions that were performed in ERCC that may be of future interest for observation and analysis;

FUN-50.The system shall provide only view permissions to the information

32

about the System Logs. For the purposes of consistency, non-repudiation and security, no action shall be allowed on this data.

4.3Non-functional requirements specificationThe Electronic Register of Corruption Cases (ERCC) should be:

- implemented in accordance with the suggested concept;- Installed on the hardware described in 4.5 and deployed on the MoJ

technical infrastructure;- developed in accordance with technical standards and legal regulations;- interoperable with other systems and open for connecting etc.

Requirements or quality attributes during the system development

The following has to be ensured during the ERCC development: - Testability of the system is a property that ensures testing of every

functional and non-functional requirement in system’s operation. In that sense, it is necessary to provide test/development environment (applications, databases etc.);

- Extensibility of the system is a possibility of implementing new properties into the system in an economically acceptable manner and with no adverse effects on existing functionalities;

- Flexibility of the system or its modifiability is the ability of the system to adjust to changes, e.g. regulations or business processes in an economically acceptable way;

- Reusability is a property that ensures that some of the modules can be reused. This primarily refers to software modules.

ERCC development needs to be secured by change management methodology that includes:

- Keeping records on all change management requests;- Delivering requests for changes in an official form to official addresses of

the parties;- Change management requests containing all data necessary for decision –

making;- Decision – making related to acceptance of the requests at a proper

project management level; - Notification of all interested parties about the implemented change;- Change implementation follow-up.

Requirements or quality attributes during the operation of the system

Usability

33

Usability is the property of the system that enables primary target groups of users to use the system in a user – friendly manner. The usability of ERCC shall comprise the following attributes:

- simple learning curve to work with the software; - efficiency and speed for trained users to achieve their goals using the

software;- forestalling all potential errors, a user may make using the software, and

the ability of the system to recover efficiently in case of errors; - User-friendly work with the software.

The usability of the system shall be implemented through: - Harmonization with business processes; - Intuitive user interface design;

Harmonization with business processes is the key factor for usability, since it enables the user to integrate with the system in a manner that is natural for the work he/she performs. The system follows the steps within a business process in a natural way, and follows the users in their regular flow of activities. Screen forms must be designed in line with the rules and best practice for the simplicity of web applications usage. This refers to presence, appearance and behavior of standard elements, consistency, graphic design, error – processing, user help functions, etc. The requirements related to usability are:

- Most common transactions have to be designed in such a way that they can be performed with the least number of interactions (mouse or keyboard clicks);

- Rules and behavior of user interface have to be consistent through the entire system, including windows, menus, and commands;

- All system modules should have an intuitive user interface and consistent object concept (fields, drop – down lists, choice of options) so that users may use different pages/system screens in a simplified manner (e.g. display of available data, data-entry validity, error notifications);

- The system has to offer default values in all the fields for data entry, where reasonable. Default values may be fixed in advance, defined by the user or determined based on the context;

- Validation: the use of valid data in the system should provide for the rapid entry of data, less sensitive to errors. The users should be given the option of selecting appropriate elements from the list (the list shows appropriate code and description) or to insert the code directly. Once selected, an appropriate code and description is always visible to all data entries and query screens;

- Double – check principle should be ensured for all the changes of reference data within a module for reference data management.

34

Confirmation should be requested from the other (different) user. The module for managing reference data and all its clients use the original version of the record, until its modifications get verified, i.e. the modifications are pending until confirmed;

- The system has to prevent data redundancy, i.e. it should ensure that all the data entered are unique.

SupportabilitySupportability comprises different elements of support and maintenance to be provided during the software implementation and software exploitation in the warranty period, these being:

- Elements of the operational supporto Installation, configuration and supervision of the software;o User training, separate for users in charge of the administration of

the software, and for users in charge of the exploitation of the software. In that sense, database shall be implemented for the needs of user training;

o Support to the users who operate in the system. - help-desk services

o by phone, e-mail, web pages, etc. - elements of proactive maintenance and logging of the operational events

of the software: o identification and providing information on emergency events in the

operations of the software;o System maintenance, data base maintenance, application

maintenance; o request for proactive replacement of hardware and system

software.- elements of corrective maintenance

o error correction and repairs. - elements of technological maintenance

o migration and updating of the software to new versions of system software, base server and application server.

- documentation o technical and user documentation (updated in line with the latest

changes) .Reliability ERCC has to be reliable in order to perform its functions without interruptions

35

during a specific time period within set conditions. Availability of the system on an annual level must not be lower than 99%. Performance Performance of the system is its property to perform its functions fast enough to be acceptable for the users. Performance may be measured by response time (in a normal and peak system load, with anticipated network resources) and the time required for a service to be performed. Response time of the system must not be longer than 5 seconds in case of import and export of data. Controllability Controllability is the property of the system related to its administration. Requirements related to controllability are the following:

- The system should ensure that the administrator could follow information on intensity of usage, number of customers, usage of the resources, incidents etc.;

- The system should regularly (daily, weekly, monthly) and automatically create a report on the operations in past;

- The system should automatically create a report on extraordinary events; - The system should support the possibility to reconfigure hardware and

software (detailed specification) without downtime. SecuritySecurity is the property of the system to prevent access, viewing and change of data or applications by unauthorized persons. In technical terms, it is ensured by implementing a proper user’s authentication and authorization system, defining rights and roles within a system, data encryption, implementation of security elements into the application, monitoring and recording all activities on the system itself, log management on data changes, etc. However, implementation of technical security measures is not sufficient. A comprehensive IT security system should be developed, comprising all the aspects of the system, including processes, people, and technology. Data contained in the system have to be protected in line with current legislation, particularly with Law on Personal Data Protection. ERCC has to contain a special module for global configuration of the ERCC security core, which shall be available exclusively to specific groups of users (Administrators). The system has to support the usage of encrypted communication for exchange of data between clients and the central server. The system has to support electronic identification of the user, whose level of security depends on the level of access to the system. Electronic identification protocols have to be designed in a flexible manner, so that they can support

36

different methods of checking user’s authenticity, such as: - User password, for the low-level security access, - Qualified electronic certificates, for the high-level security access.

The system has to ensure settings for strong password policy and expiry of password. System parameter has to enable the System Administrator to configure the expiry of password policy. The system has to ensure memorizing the old password, in order to prevent the user from using the same password multiple times. The system has to ensure the settings of session’s expiry, and in case of user’s inactivity for a certain time period, automatic sign out is activated. The system has to ensure that certain users may only perform permitted operations and have the insight into certain cases and documents, in line with the roles assigned by the System Administrator. The system has to meet the requirements for maintaining auditor’s records on all data changes based on user’s requests. In that sense, the implementation of history tables has been described within the logical architecture. Proper records shall be kept in a safe manner, for the purpose of auditing recorded transactions, change of data and queries submitted by end-users with time stamps, in order to enable future review of log records. BackupThe system has to create security back-ups on a daily, weekly, and monthly level, outside the system’s working hours, in a way that will not impact regular operation of the system. Two main goals to be achieved through backup procedures are:

- The system has to enable recovery of database through stored security back-ups and the possibility of recovery of loss data;

- Minimizing the time needed for data restore, i.e. minimizing the downtime.

Scalability Scalability is the property of the system to serve the sudden increase in the number of users or to perform the increased number of transactions. The scalability of the system and its stable operation should be ensured. Scalability should provide for the possibility of: - Performing an increased number of operations, providing greater number

of services or the increase in the number of users. The initial estimated number of users of the ERCC is 500;

- Administrative or organizational extension – the possibility of providing services to additional organizational units or organizations;

37

- Functional extension – possibility of providing additional services; - Technological extension – possibility of extension to other devices or

platforms (e.g. by providing service on wearable devices). Interoperability Interoperability refers to the property of the system to implement transactions with other systems. The system should be interoperable with other existing systems in the public administration. Interoperability involves process interoperability, semantic interoperability and technical interoperability. Openness of the system ensures that other systems can connect with ERCC and modify the data or use its services. Interoperability and openness of the system should be implemented through the ESB.

4.4Implementation Service RequirementsThe Implementation Service Requirements section covers the following topics:

- General implementation requirements- Business Analysis and Software Development requirements- Installation, Testing, and Acceptance Test Planning requirements- Training requirements- Maintenance and Support Requirements

General Implementation Requirements

IMP-1. The subcontractor shall develop a Project Plan that will ensure comprehensive knowledge transfer through the inclusion of MoJ personnel in relevant activities of systems design, development and testing. In this context the subcontractor shall apply all necessary measures for comprehensive familiarization of the said staff with methodologies, tools and techniques used for providing and maintaining the system design, program code, technical documentation, user manuals, test material and training material.

IMP-2. The Project Plan shall clearly define the software development methodology, the tools and the techniques that will be used for design and development of the software;

IMP-3. The Project Plan shall comprise provisions for delivery of training materials and training of all persons nominated by the MoJ.

IMP-4. In order to ensure sustainability and appropriate maintenance of the system, the subcontractor must deliver full system documentation. The following supporting documents are required:- Project documents – providing detailed information about project

38

goals, specification of user requirements and implementation plan;- User documentation – describing in details the how to use the

software from the perspective of the user;- Technical documentation – providing detailed information related to

upgrading and maintaining the system;- Commercial documentation - all commercial software packages that

will be eventually used, have to come with the documentation for installation, administration, management and other reference documents.

IMP-5. The subcontractor has to submit the following Project documentation for the system: - Project Plan;- Software Development Plan (SDP);- Software Design Document (SDD); and - Software Requirements Specification (SRS) document.

IMP-6. The subcontractor has to submit the following User documentation for the system: - User manual for the system (for all types of users), both inside the

system and in printable format;User documentation shall not only explain how the software should be used, but also has to explain the rationale: for example, it is not sufficient only to say that a field is mandatory, it has to be explained why it is mandatory, and what is the meaning of certain attribute etc.

IMP-7. The subcontractor shall develop Technical documentation in parallel with the system development. Technical documentation is intended for future maintenance and upgrading of the system. The following technical documentation for the software has to be submitted: - Documentation that describes specification of the system (system

description, conceptual design of the system, description of system architecture etc.);

- Database schemes (with comments provided);- User interface;- Report design;- Documented system logic for all system components;- Documented backup procedures.The technical documentation has to be detailed and prepared in such a

39

way that upgrade is feasible without participation of analysts, designers and programmers that developed the system.

IMP-8. All commercial software packages that are eventually used for development of the software have to come with documentation for all their components which has to include the following: - Instructions for system installation;- Instructions for administration and management;- Other reference documents.

IMP-9. All documents shall be submitted in English and Serbian language. Business Analysis and Software Development Requirements

IMP-10. The subcontractor shall provide detailed Software Development Plan (SDP). This plan needs to provide details about the methods that will be used and the approach that will be followed for each activity and resource during the development of the software. It should reference specific standards, methods, tools, actions, reuse strategy, and responsibility associated with the development and qualification of all requirements, including safety and security;

IMP-11. The subcontractor shall provide Software Design Document (SDD). This document needs to provide information about the architecture of the software outlining all its parts and how they will work;

IMP-12. As a result of the performed Business Analysis, the subcontractor shall provide Software Requirements Specification (SRS) document. This document describes what the system is supposed to do, and how the system will perform each function. It explains the features of the system, the interfaces of the system, the constraints under which it must operate and how the system will react to external stimuli. This document needs to be approved by the Client before the start of the development process.

Installation, Testing, and Acceptance Test Planning requirements

IMP-13. The Project Plan produced by the subcontractor shall describe the proposed approach to development, installation, and testing that will verifiably ensure the completeness and quality of the system deliverables, and will provide the Client with regular opportunities to review and confirm acceptance of system and project components;

IMP-14. The subcontractor shall create three different working environments: - Development environment – environment where the modules of the

software and their functionalities are developed by the Contractor’s staff;

- Testing environment - environment where the developed modules

40

are deployed for user testing;- Production environment – environment where the software modules

that passed the user testing are deployed. This is the real working environment of the software;

The Contractors should ensure that the testing environment and the production environment are the same;

IMP-15. Design of tests cases: - The subcontractor shall design test cases (with the assistance of the

Client) that cover all scenarios possible in using the system in real life;

- Test cases shall be made on the basis of functional, non-functional, technical, performance and security specifications of the system;

IMP-16. Testing Team shall be composed of future system users. The working group for monitoring, preparation, development and testing of the ERCC will participate in the selection of the members of the team for testing. Since some the members of the WG are also future system users of the platform, they can also participate in the User Acceptance Test;

IMP-17. After completion of each development cycle agreed with the Client, the subcontractor should install a version of the software on the testing environment;

IMP-18. Testing team will execute the prepared test cases upon installation on each version of the software on the testing environment to prove that it operates according to specification. All mistakes, inconsistencies and flaws have to be recorded in the minutes from testing with all relevant comments;

IMP-19. Correcting mistakes or anomalies in the system: - On the basis of the minutes from testing, the subcontractor is

obliged to correct the identified mistakes/anomalies within two weeks;

- An updated version of the source code has to be is compiled/processed when the mistakes and anomalies are corrected and a new version of the software installed on the testing environment;

- The testing team should repeat the testing process.When the above steps are done successfully and all test cases are executed without mistakes or anomalies the testing process is considered completed.

IMP-20. After the completion of the development process for the whole system, and verification of the functionalities of the system on the testing

41

environment, the subcontractor (with the assistance of the Client) will perform User Acceptance Test (UAT) on the system following its installation and configuration on production environment. User Acceptance Test (UAT) is the last stage in software testing. During UAT users will test the software to make sure that the system and its subsystems meet all functional and non-functional requirements mandated for Operational Acceptance, meaning that the system is ready to be used in real life. During the User Acceptance Test the following actions will be implemented:- Unit Testing- System Integration Testing- User Acceptance Testing, including:

Performance testing Stress testing Functionality testing Security testing Parallel testing Upgrade Testing

IMP-21. If the above steps are completed successfully, UAT will be signed. Signature of UAT will mean that the system is officially ready for the production and use in real life;

Training Requirements

IMP-22. The subcontractor should organize at least 8 training sessions in 4 different cities (Belgrade, Novi Sad, Niš, and Kraljevo). In each session 20 persons should be trained 160 people total.

IMP-23. The subcontractor shall provide a description of their approach to delivering training. The subcontractor shall provide a preliminary Training Plan with detailed description of training to be carried out;

IMP-24. The subcontractor shall provide training services in all aspects of the system to enable Clients’ staff to use, maintain, and develop the system;

IMP-25. The subcontractor shall train all persons nominated by the MoJ, to enable them to test, administer, operate, and use the system effectively;

IMP-26. Technical training required to administer the system must be provided. Technical training will include courses for ERCC configuration and monitoring, database administration and server administration;

42

IMP-27. The users should not have access to the production version of the system until they complete the appropriate training;

IMP-28. All training materials must be packaged for electronically delivery and accessible for on-demand requests.

Maintenance and Support Requirements

IMP-29. The subcontractor shall include a detailed Warranty, Maintenance and Support plan in its bid, including.- On-going support for all software components of the solution,

including: Bug fixes; Help Desk to log all fault; Distribution, documentation, and installation of patches and

upgrades; Resolve all faults per the service level; Resolve equipment faults and provide advice on configuration

changes and performance enhancements.- On-site one (1) year warranty;- On-line support that includes:

Technical advice and assistance; Knowledge-base, information sharing; Service Level Reporting; Software configuration guides; Fault status tracking.

IMP-30. The subcontractor shall include off-site technical support and maintenance period for software of one (1) year. The subcontractor shall describe their internal fault reporting, fault escalation and feature request processes. This description should include but not limited to.- Fault resolution;- Fault escalation;- Feature requests;- Feature development.

IMP-31. During the Warranty and Maintenance Period, subcontractor shall describe the proposed staffing plan, location and operational process of its support centers to meet the following minimum service level requirements.

43

- Make qualified personnel available to the Client by telephone, via a domestic or toll-free line staffed during business hours, for the reporting of Non-Conformities or other problems with the system;

- During the Warranty Period, such telephone service to the Client shall be unlimited.

4.5Hardware RequirementsFor implementation of the Electronic Register of Corruption Cases (ERCC) the following equipment needs to be delivered, installed, and configured on MoJ infrastructure. The web application and the database should be installed on different virtual machines. The subcontractor should also provide license for the Operating System (OS) and license for the Database that will be used for implementation of ERCC.

1 Server – Quantity 11.1 Minimum 2 processor system

1.2

Installed 2 processors each with: Minimum 8 physical cores; Minimum 3.0 GHz basic frequency; Minimum 24MB L3 Cache; Minimum DDR4 2666; Minimum PassMark Score 24 000;

1.3 Minimum 256 GB installed memory DDR4 2666

1.4

Internal disk adapter (HBA - Host Bus Adapter) must have at least 2GB Battery Backed Write Cache (or equivalent technology) and must support RAID 1, 5, 6 protection levelMinimum 3x 200 GB SSD/Flash disks, organized in RAID 1, with minimum 1 stand-by hot-spare diskMinimum 5x 900 GB SSD /Flash disks, organized in RAID 5, with minimum 1 stand-by hot-spare disk

1.5 Ethernet: minimum 4 x 1Gbps RJ-451.6 Redundant hot-plug power supply

Redundant hot-plug fans1.7 Rack rails with cable management arm1.8 Embedded full server management including virtual KVM console, LDAP

integration, Virtual media1.9 Included software for central management of all servers1.10 TPM 2.01.11 Ability to lock down configuration and firmware, protecting the server from

inadvertent or malicious changes1.12 UEFI secure boot with custom certificates

1.13Included installation in existing 19” rack;Included installation, configuration and integration with the IT Infrastructure;Included all needed power and network cables.

1.14 Operating System must be provided for all CPUs/Cores1.15 Warranty: 1 year

44

DeliverablesThe following are the main expected deliverables. The offerors may suggest additional or interim deliverables based on the proposed methodology.

Phase Deliverable Duration PaymentAnalysis & Design Software Requirements Specification (SRS) 8 weeks 10%

Development Web Services for communication between existing CMSs (AVP and SAPO) and ERCC 4 weeks 20%

Development Electronic Register for Corruption Cases (ERCC) 13 weeks 60%

Training and Implementation

Training, Source code and Documentation 5 weeks10%

TOTAL 30 weeks

Expected durationEstimated start date: September 1, 2020.Estimated end date March 31, 2021.

45

ANNEX IITechnical Proposal Form

1. MethodologyDescription of the proposed methodology

2. Economic and financial capacity Please provide copies of Financial statements of the company for the past 3 (three) years

3. Professional capacity and proposed Core TeamPlease provide information on the positions and experience of primary personnel responsible for implementation. For the listed personnel, please provide CVs. The combined qualifications of personnel listed should indicate ability to meet all requirements and expectations outlined in this SOW. Please add additional tables if needed.

Position 1Name and

surname, proposed position

Professional background (occupation, degree of

education)

Number of years of professional experience

Position 2Name and

surname, proposed position

Professional background (occupation, degree of

education)

Number of years of professional experience

Position 3Name and

surname, proposed position

Professional background (occupation, degree of

education)

Number of years of professional experience

Position 4Name and

surname, proposed position

Professional background (occupation, degree of

education)

Number of years of professional experience

• Please provide copies of ISO 9001 and ISO 27001 certificates

4. Previous relevant experiencePrevious experiences in software development with similar requirements as outlined in Annex 1 - Scope of Work

Please provide information on work completed in previous 5 years in the field of software development. Add rows as necessary.

Please provide information on work completed in previous 5 years in the field of Reporting Management System IT solution, including software architecture design, customization, development, and project management. Add rows as necessary

ANNEX IIIFinancial Proposal Form

For Financial Submission Form (budget proposal) please use separate excel form. Please, break down budget for all estimated types of costs in USD.

Financial Proposal Form: costs presented in Excel, developed by offeror: (Annex III). When calculating your financial offer, the offeror should include all anticipated costs for the assignment such as labor, travel, accommodation, and Defense Base Act insurance. Please be advised, DBA insurance is mandatory for all subcontractors at their expense. DBA insurance is 2% of labor costs. DBA insurance cannot be added to the cost afterwards or be reimbursed.Any airfares should be for the lowest cost economy class and Fly America

compliant.

Dear Sir/Madam,

ANNEX IVProposal Submission

Form[Please insert logo of your

organization/company]

We, the undersigned, hereby offer to provide professional services for GAI with the aim to ______________________, in accordance with your Request for Proposal. We are hereby submitting our Proposal, which includes the Technical Submission Form and Financial Submission Form.We hereby declare that:a) All the information and statements made in this Proposal are true and we accept that any misrepresentation contained in it may lead to our disqualification;b) We have no outstanding bankruptcy or pending litigation or any legal action that could impair our operation as a going concern; andc) We confirm that we have read, understood and hereby accept the Terms of Reference describing the duties and responsibilities required of us in this RFP.We fully understand and recognize that GAI is not bound to accept this proposal, that we shall bear all costs associated with its preparation and submission, and that GAI will in no case be responsible or liable for those costs, regardless of the conduct or outcome of the evaluation.

Sincerely,

Authorized Signature:Name and Title of Signatory: Name of Firm:Contact Details: