Ill-conceived technical task  leads to other troubles. The contractor at the stage of project implementation may encounter difficulties that were not previously known. This may interfere with the execution of the contract.

How to prepare the terms of reference for the information security tender

In preparing the statement of work for the tender, it is advisable to be guided by the requirements of the standard GOST 34.602-89 “Information technology. Set of standards for automated systems. Terms of reference for the creation automated system". The document will help build a clear structure of the terms of reference, identify sections that will be filled with the necessary requirements.

Consider what you need to pay attention to when filling out a document.

Terms of reference for the tender, sample (approximate structure)

General information

From this section, the technical assignment traditionally begins. In it, the customer indicates the name of the system. Provides information about yourself - full and abbreviated names, location address. If the legal and actual addresses differ, both should be indicated to avoid misinterpretation by the contractor.

The basis of the work. System goals

In this section, you need to specify the basis for the work, the provision of services and the purpose of creating the system.

Often the basis for the creation of the system are the requirements of the law. In this case, it is necessary to list the regulatory documents in accordance with which the system should be created. For example, the requirements of 152-ФЗ “On personal data”.

In the subsection “Objectives of creating a system”, the customer gives the characteristics and indicators that must be achieved as a result of the creation of the system. For example, "Protection of personal data transmitted over open communication channels."

The customer should carefully consider filling out this section, since it is he who will enable the contractor to understand what the customer's expectations are from the system being created and in accordance with what documents the system is being created.

General characteristics of information systems

This section describes the existing customer infrastructure. It is better to fill out this section as detailed as possible.

Information on the existing objects of informatization is indicated here: the exact number of workstations, servers, addresses and their locations, the operating systems used, the availability of connections to the information and telecommunication networks of international exchange, the available means of information protection, information on the operating conditions of information systems and other information, which should be considered when preparing a technical solution.

Detailed and high-quality filling of this section will allow the contractor to form the optimal technical solution.

Information Security System Requirements

This section indicates the requirements for the security system to which it must comply. The section can be conditionally divided into two subsections - general requirements for the system and requirements for the functions performed by the system.

General system requirements

In the subsection "General system requirements" indicate:

• Requirements for the structure and composition of subsystems. For example, “Identification and Authentication Subsystem”, “Access Control Subsystem”, etc.
• Requirements for the reliability of the created system. For example, “The protection system should be able to restore and perform its functions after the failure (failure) of software and hardware.”
• Safety requirements, i.e. safety requirements for the installation, operation, maintenance and repair of technical means of the protection system. For example, “The hardware components of a security system must have protective earth, grounding. "
• Operating requirements maintenance. For example, "The protection system must operate around the clock, in continuous mode."

System Functionality Requirements

For each of the subsystems described earlier, a list of functions, tasks that must be implemented by the information protection system is established. For example, for the access control subsystem, a requirement is established to limit unsuccessful attempts to enter the information system.

When filling out this section, you can focus on the requirements of the guidelines in the field of information security. The current regulatory framework, for example, in terms of personal data protection, allows you to correctly formulate requirements for information protection subsystems.

In separate subsections in the “Requirements for the functions performed by the system” we recommend highlighting “Requirements for software” and “Requirements for hardware”.

Software requirements

In this subsection, the security system software should indicate:

• requirements for compatibility with operating platforms and hardware that are used by the customer;
• requirements for the functionality of the described software;
• requirements for protective mechanisms that the program should implement;
• certification requirements if a certified solution is required in accordance with regulatory documents.

Hardware Requirements

The subsection shall indicate:

• requirements for the hardware platform in which the technical tool should be performed;
• operating system requirement;
• requirements for the functional characteristics of the technical means;
• requirements for physical characteristics (size, case);
• requirements for operating conditions ( working temperature, humidity, etc.);
• certification requirements.

Composition and content of work

This section should contain a list of stages and stages of work to create a system. Be sure to indicate the timing of their implementation for effective control of work. The customer can formulate a requirement for the list of documents presented at the end of the relevant stages and stages of work.

System control and acceptance procedure

In this section, the customer describes the general requirements for acceptance of work. It is possible to envisage the procedure for coordination and approval of reporting documentation for each stage and stage of work, or for the whole complex of works.

For example, an act on the performance of work on each of the stages, signed by the responsible persons of the customer, is required. Upon completion of work and signing of the act of work performed, individual acts for each of the stages will be taken into account.

Performer Requirements

One of the final sections is “Performer Requirements”.

This section indicates what licenses the performer should have. The requirements for the number and qualifications of the contractor’s specialists to perform work are indicated. It is important to understand that the requirements for the contractor must be justified and reasoned, otherwise a complaint may be filed against the requirements of the customer.

Warranty Support Requirements

At this stage, customer warranty requirements are indicated. In the requirements for warranty support, you can specify the type of support required - by phone, mail, online consultant on the website of the contractor. You can specify the requirements for processing complaints about incidents - hours of incident processing, customer service level, response time to the appeal, etc.

Documentation Requirements

The customer indicates the requirements for the list of sets and types of documents to be developed by the contractor, requirements for the provision of documents.

For example, documents must be provided in hard copy on paper and in electronic form, recorded on CD-Rom, DVD-Rom.

What mistakes are most often encountered in the preparation of TK

The customer does not know on the basis of which document to prepare the terms of reference.

As a basis, you can take GOST 34.602-89 “Information technology. Set of standards for automated systems. The terms of reference for the creation of an automated system ”and fill out the document with the necessary material.

In different places of the same technical specifications there are contradictions.

Before publishing the technical specifications, it should be carefully checked. The customer should understand that if the terms of reference are not well developed, he risks getting poor-quality service, work, goods.

Short deadlines for the implementation of technical specifications.

Often there are terms of reference that spell out very tight deadlines. The customer is guided by his own motives, however, he risks getting poor-quality services, work, goods.

When preparing TK, we recommend that customers pay more attention to the section “Composition and content of work”. In this paragraph, you can detail the work and break them into separate stages, analyze the timing of each of the stages. This will provide a more objective picture of the timing of the entire ToR.

The terms of reference spell out requirements for non-existent products.

There are technical tasks in which the customer carefully analyzed the existing products on the market, selected the characteristics of each of the products that seemed attractive to him, and brought the requirements into one technical task. It may turn out that there is no product that meets all the requirements on the market.

In order to avoid this situation, we recommend that when drawing up TK, highlight the most significant characteristics that a number of products have. After preparing the terms of reference, the declared requirements for technical specifications  for compliance with real goods in the market.

When preparing TK for work / services, there are often options when a clear list of works / services is not fixed, the results of work are not defined / services.

In such cases, conflicts between the customer and the contractor are likely, since the services or work provided by the contractor will not meet the customer's expectations. To avoid this, the customer, when preparing the ToR, needs to pay more attention to the sections “Grounds for the work. The goals of creating the system ”and“ Composition and content of work ”. Practice shows that it is better to break the work into separate stages. Describe the requirements for each of the stages, fix the deadlines and results of work for each of the stages. These actions will improve control over the execution of work or the provision of services.

Conclusion

Properly drafted terms of reference will be useful both to the contractor and the customer. It will allow the contractor to adequately assess the scope of work without additional requests and clarifications, as well as offer the most suitable technical solution to the customer. To the customer - he will be able to get high-quality work to create a protection system that meets his expectations as much as possible.

Stanislav Shilyaev, Project Manager for Information Security at SKB Kontur

General provisions of the technical specifications

If you have a technically complex project (or a very specific one), then it must be in general terms that glossary of terms and definitions . Perhaps the glossary should explain some of your turns. To prevent confusion, immediately put everything in its place.

Project objectives

Be sure to specify in the technical task what goals your project has, why it is being created, how it will work, what should be the end result. Even if the contractor is working on a small part of the project, he must fully understand its structure, tasks, goals, technical solutions.

Functional requirements

All customer requirements can be divided into two types: functional and special.

Functional requirement  - These are the performance options that you want to see at home.

Special requirement  - these are the requirements by which the tasks set must be fulfilled. If there are no such requirements, then let the contractor decide for himself what and how he will use it when fulfilling your technical task.

The timing

The terms of reference must be specified in the terms of reference. Not in any case there should be a clear deadline, and penalties for disrupting the specified deadlines are described. The contractor must understand that this is not just a point of the technical task, but a real installation, if not completed, he risks incurring financial or other sanctions.

Reporting

If the project is large, and it takes several months to implement it, then break the work into stages, and set a clear time frame for each. After completing one or another stage, require reporting on the work performed. There should also be a report on the fact of the work performed.

Responsibility

If you are making a contract, the clause regarding liability will be in it. If you are only limited by the terms of reference, then it is worth describing there that for failure to meet deadlines, for not submitting the project, for disclosing the nuances of work to third parties, the contractor is responsible  in accordance with the law, but also you can set some of your fines and penalties.

Sore about the template of technical specifications for tenders

In my activity, I often come across a request to send a template of technical specifications for the creation / implementation / acquisition of software in order to include it in the tender documentation. Each time I ask myself what should include such a template, should it be one or several, and is such a template needed?

For myself, I found the answers, but other opinions have a place to be. Therefore, I will give my logic of reasoning and with great pleasure I will listen to read the reasoning of colleagues.

Technical task (TK) is the main part of the tender documentation, the purpose of which is to help the procurement initiator (buyer) make an unambiguous choice of a product / service / work with ensuring the best conditions for the execution of the contract. Providing the template for TK, the supplier expects that his TK will satisfy the buyer and will be taken as a basis. And, of course, the product of the supplier is fully consistent with such a specification, which is a plus.

It must be understood that during the evaluation of tender applications, the procurement initiator does not have the opportunity to verify the accuracy of all the data and understand how much his requirements are closed by the proposal of the next participant. And after signing the contract, the client is not profitable, and sometimes difficult from the point of view of justification, to terminate it.

Now consider the actions of the procurement participant (supplier). If I, as a performer, are interested in obtaining a contract with a client, then I will prepare a detailed explanatory note - an application for participation in the tender, I will study and comment on all points of the terms of reference. Even if my product “doesn’t know how to do something” today, I will have time to “teach it”, or after signing the contract there will be time to understand the client’s needs and offer an alternative. Of course, everything is within the law.

On the other hand, no matter how wonderful the technical specifications for the suppliers have done, and no matter what the detailed specifications have been created by the buyer, this will not have the expected effect for the supplier: the procurement initiator will be forced to conclude a contract with someone who will offer the best conditions for fulfilling the contract. The terms of reference do not allow guaranteed elimination of “disagreeable” participants, which is stipulated by law (the procurement procedure is aimed at the possibility of choosing and determining the winner).

The supplier’s classic question: “What to do? Fold your arms and hope for fortune? ” Of course not. The terms of reference should be prepared, but not according to the template, but for each tender. And for this I propose to pay attention to the moments described below, depending on the method of purchase.

Request for quotes and auction  - these are the methods of procurement at the lowest cost. Therefore, the terms of reference should be capacious:

● include a detailed description of what will be delivered, configured, installed or modified;

● fix a clear procedure for work / services, so that any potential bidder sees the volume and complexity and is afraid to accept responsibility by submitting an application for participation in the tender.

The terms of reference should include a description of the result, which is exactly what will allow the initiator to control the receipt of the expected at the stage of execution of the contract and, if necessary, reasonably terminate the contract.

Competition  - This is a procurement method for determining the supplier with the best conditions for the execution of the contract. Everything that is written above is applicable here, but at the same time there is an additional “lever”, which suppliers often forget about. It is about the criteria for evaluating applications.

The methodology for evaluating applications is described in detail in Decree of the Government of the Russian Federation dated November 28, 2013 No. 1085 “On approval of the Rules for evaluating applications, ..”. Highlight the performer’s strengths that are important to the client in the criteria for determining the winner.