Annex 13 - Award criteria questionnaire

Each table in this annex has three columns: Criterion | Compliance (please answer yes/no) | Comments, references to the section of the offer.

Under section 2.4.1 Overall methodology and management (max. 60 points)

Criterion a) Overall organisation and infrastructure (20 points – minimum threshold 12 points)

1. The organisational structure that the tenderer intends to put in place to implement the required services (see section "Error! Reference source not found. Error! Reference source not found." of these tender specifications), supported by a single structure chart (i.e. in case of a group of tenderers, one single chart for the consortium as a whole) including the description of functions, roles, responsibilities and lines of reporting, the location of each service, as well as the management of accidental or long-term absences of any member of the team.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

2. A description of the relationships between the various functional departments of the tenderer; or, in the case of a consortium, a description of the governance of the consortium, including the allocation of roles between consortium members and the escalation model should a problem arise.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

3. A description of the interaction model with the Commission and with the other contractor of the Commission providing service desk services as the 2nd level support.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

4. A description of the human resources management at project level, and in particular the integration of any new staff members into the project team.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

5. A description of the mechanism to ensure that the project team follows a continuous training path to acquire knowledge of the latest security threats and vulnerabilities linked with software development.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

6. A description of the contractor's internal knowledge management system enabling staff working under this contract to properly distribute the acquired know-how and ensure a continuous improvement process.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

7. A description of the infrastructure and tools, deployed/hosted/managed at the tenderer's premises, that the tenderer proposes to use.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

Criterion b) Organisational and technical security measures to be put in place (10 points – minimum threshold 6 points)

1. Physical security - all controls defined in chapter 11 Physical security of ISO 27002:2013.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

2. Logical document security (esp. of the development environment and handling of sensitive information) - all controls defined in chapter 8 Asset Management of ISO 27002:2013.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

Criterion c) Security measures during the development phase (20 points – minimum threshold 12 points)

1. To ensure the independence of the entity that will be in charge of the verification of the Union Registry web application in accordance with the OWASP Application Security Verification Standard – version 3.0 dated October 2015, considering that:
   • a level 3 verification is requested;
   • verification cannot be performed by the same persons that take part in the development of the application to be verified.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

2. To ensure the remediation of the security issues in accordance with the remediation flaws document provided in annex (see Annex 12), as an adaptation of the ALC_FLR component as standardised in the ISO 15408 Common Criteria v3.2 standard.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

Criterion d) Quality assurance and control measures (10 points – minimum threshold 6 points)

This criterion will assess the quality assurance and quality control system applied to the management of the framework contract, the implementation of the tasks under section 3.4, the quality assurance of the final deliverables as described under section 3.5, as well as the language quality check. The criterion will also assess the proposed methodology to improve the quality assurance and quality control system on the basis of lessons learned within the implementation of the tasks of this Framework contract.

Furthermore, under this criterion the contractor must describe the mechanisms it will implement to ensure proper risk management, in particular covering the risk of unavailability of staff assigned to tasks under this contract (both temporary as well as permanent unavailability).

A low score will be attributed to those tenders that propose only a generic quality control system. This criterion will be assessed based on the description of the quality assurance and control measures.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

Under section 2.4.2 Illustrative Assignment (max. 20 points)

Criterion e) Illustrative assignment – quality and completeness (20 points, minimum 12 points)

1. This criterion will assess the degree to which the tender meets the requirements under section "Error! Reference source not found.". The tenderer's answers will be evaluated for quality (both technical as well as non-technical, e.g. structure, clarity, English) and for completeness with respect to the requirements set out under section "Error! Reference source not found.".
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

Criterion f) Illustrative assignment - proposed security methodology and organisation of work (15 points, minimum 9 points)

1. This criterion will assess the suitability and strength of the proposed methodology for implementing the tasks under the illustrative assignment in terms of reaching state-of-the-art security (software security as well as process security) that could be independently verified based on industry standards. In describing the methodology the tenderer shall make a clear reference to the roles and responsibilities of the proposed experts' profiles as well as to the communication within the tenderer's team and with the Commission. Furthermore, this criterion will also assess the proposed project plan, including a schedule per deliverable.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.

Criterion g) Illustrative assignment - quality control measures (5 points, minimum 3 points)

1. This criterion will assess the quality control and quality assurance measures applied to the tasks foreseen in the illustrative assignment concerning the quality of the deliverables, the documentation and language quality check, and continuity of the service in case of absence of a member of the team. The quality control system should be detailed in the tender and specific to the tasks at hand; a generic quality system will result in a low score.
   Compliance: Yes/no | Comments: Provide here the reference(s) to the relevant section in the offer.