E-Governance STQC Role & Responsibilities


Standardisation, Testing, Quality, Certification

Standardization Testing & Quality Certification Directorate
Department of Information Technology
Govt. of India

STQC Services for IT Sector

STQC IT Services:

• Standards formulation
• Software Quality evaluation
• ITeS Quality
• Information Security
• Quality Management in IT Industry
• IT Service Management

STQC IT Network

Bangalore, Mohali, Solan, Delhi, Agartala, Guwahati, Pune, Goa, Thiru’Puram, Mumbai, Kolkata, Hyderabad, Chennai, Jaipur

Delhi, Kolkata, Bangalore, Hyderabad, Chennai, Guwahati, Pune, Jaipur

Certification Requirement - When

• Policy makers/administrators want to know whether objectives have been fulfilled
• The solution provider wants to demonstrate completion of milestones
• Users expect that the system will deliver as promised
• Funding agencies want to know whether outputs and outcomes have been achieved
• Procurement bodies want to know “what was asked” versus “what is supplied” for the release of payment
• System architects want to enforce implementation of standards

Challenges – How to Address

A framework is required to ensure that:

• End-to-end systems and their components conform to the requirements of the RFP/contract
• Solutions comply with legal and regulatory requirements
• Users are satisfied with the services

The body which assesses conformance should be an independent third party and competent in its operation.

Conformity Assessment – Risk based extent

When applied correctly, conformity assessment can:

• Provide purchasers with confidence in the suppliers, products or services they purchase
• Help businesses be competitive
• Facilitate trust in procurement and supply
• Create market advantage
• Provide a visible link between standards and the market

However, if applied incorrectly, conformity assessment can also:

• Be a burden on business by adding the cost of demonstrating compliance
• Create barriers to procurement and supply
• Inhibit innovation
• Confuse the market

Conformity Assessment and Certification

Essential requirements of Conformity Assessment and Certification in eGovernance:

• Quality Process in Government Organisation
• Software Application Quality
• Information Security Management System
• IT Service Management

Quality Process in Government Organisation

Indian standard on Quality Management System - requirements for service quality by Public Service Organization (IS:15700).

It is a generic standard that enables an organization to establish systems to provide quality services consistently, effectively and efficiently.

It also provides for systems to ensure continual improvement in services and processes.

Key elements are:

◦ Citizen’s Charter
◦ Service delivery process
◦ Complaints handling

Software Application Quality

Distribution of Quality Characteristics – An Illustration

[Chart, scale 0 to 100, with axes: Functionality, Reliability, Usability, Efficiency, Maintainability, Portability, Security, Documentation]

Information Security

Information Security Management System

Management Control

• Risk Assessment & Treatment
• Security Policy
• Organization of Information Security
• Asset Management
• Information System Acquisition
• Compliance

Operational Control

• Human Resource
• Physical & Environmental
• Communication & Operations Management
• Incident Management
• Business Continuity Planning

Technical Control

• Identification & Authentication
• Cryptographic Control
• Access Control
• Audit & Accountability
• Acquisition, Development & Maintenance

IT Service Management

[Diagram: IT service management processes]

Service Delivery (Tactical Management): SLM, Finance, IT SCM, Availability, Capacity Management, Security

Service Support (Operational Management): Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, Release Management

Parties shown: Govt. Employees as IT Users; Government Administrators and Policy Maker

Other diagram labels: RFC, Problem, Incident, SLA, Contract

Audit

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

Management System Audit (Basic Principles)

A systematic examination of the management system:

• Existence (Intent): Does the system meet the requirements of the relevant standard (e.g. ISO 20000)?
• Implementation: Does the organization do what the ITSMS requires?
• Effectiveness: Is the ITSMS effective for the organization’s business?

The auditor collects information and evidence during the audit.

Audit Phases

• Initiate: Initiating Audit, Document Review, Stage I Audit
• Plan: Audit Planning, Checklist Preparation
• Conduct: Opening Meeting, Audit Conduct, Findings & Conclusions, Closing Meeting
• Report: Preparation, Approval & Distribution
• Follow up: Audit Follow Up, Surveillance

Stages of Audit

Stage 1

• Documentation Review
• Determine preparedness for Stage 2 – location & site
• Review status & understanding
• Review scope and legal requirements
• Identifying the resources needed for stage 2 audit
• Provide a focus for stage 2 audit plan
• Readiness for Stage 2 audit – implementation of Mgt. System

Stage 2

• Conformance to audit criteria
• Performance against key objectives
• Legal Compliance
• Operational control of processes
• Internal audit & Management Review

Testing & Audit of e-Governance Solutions

STQC Experience

e-Governance Projects handled by STQC

MCA 21, Ministry of Corporate Affairs

National Service Delivery Gateway (NSDG)

India Portal

Passport Seva, Ministry of External Affairs

Income Tax

Rashtriya Swasthya Bima Yojana (RSBY)

Municipality Applications

o NDMC, CMC Ltd.

o MCC, NIC Pune

o KUIDFC, CDAC Bangalore

o SUVIDHA, Nagarjuna Infotech, Hyderabad & Danlaw Technology India Ltd.

o MaiNet, ABM Knowledgeware Mumbai

o Nagrik, Oswal Data Systems, Indore

o Municipality Software Solutions - MoUD (10-States)

Other Applications

o Land Record Information System, NIC (16-States)

o Urban Registration Information System, NIC (2-States)

o Treasuries, MP & UP States

o AIEEE, UPTU, Haryana Counseling, NIC

o eNRICH-DRDA & eNRICH-CIC (North East) Web Portal, NIC

o Corporation Financials, e-Governments Foundation, Bangalore

o Human Resource Municipal Corporation, NIC Pune

Common Problems Observed in Projects

• User requirements (RFP/ Contract) – Missing/ Inadequately defined
• Key Requirements (RFP/ Contract) – Not implemented/ Partially implemented, deviations in requirements and requirements deferred
• Architectural Deviations – Interoperability, Security & Performance related problems
• Frequent failures/ system crash – Fatal errors, data loss & data corruption
• Serious problems & functional gaps – No proper fixing, temporary workaround
• Performance & Scalability – Slow response & over utilization of computing resources
• Robustness, Stability & Availability – Frequent failures & crashes, abnormally long down time & slow recovery
• Integration & Interoperability – Incomplete workflow, No data exchange among components & systems
• Security of Software & Data – Wrongly configured systems, Inadequate authentication, access control and audit logs
• Usability – Cumbersome & lengthy navigations, poor messaging
• Change Control – Informal/ unauthorized modifications carried out directly on production system
• Digitization & Data Migration Errors – Wrong/ unreliable data in the system
• Code & Data Synchronization between DC & DR – DC/ DR switchover failure

Testing & Audit – Key Observations

Documentation Issues:

o Missing/ Incomplete/ Incorrect documentation;

o Inconsistency among documentation/ with application;

o Unclear/ ambiguous documentation;

o Ineffective document control (change & version control)

Functionality Issues:

o Run time fatal error, Data loss/ corruption;

o Wrong/ incomplete workflows;

o Business logic & Data validation errors;

o Transactions not traceable/ work items missing, Transactions wrongly rejected;

o Wrong calculations & incorrect rules;

o Interface problems (payment gateway, bank interface, etc.);

o Integration of various modules/ functions of the software not done;

o Interoperability problems among software modules

Web Site/Portal Issues:

o Inconsistent Home/ Web pages;

o Missing/ Broken links - Site links not working;

o Accessibility requirements as per W3C hardly met;

o Incorrect/ Obsolete contents;

o Important buttons/ keys disabled;

o Site map not available;

o Search function not available/ not working

Testing & Audit – Key Observations

Performance Issues:

o Extremely slow Home/ Web page loading, document downloading & uploading;

o Inability of system to sustain increase in transactions/ data volume;

o System crash at a much lower user load than the specified requirements;

o Over utilization of system resources such as CPU, Memory, BW, etc.

Security Issues:

o Weak Application Security (SQL Injection, Privilege escalation, Data loss, Access Control, Error handling/ Information leakage, Session Management, Denial of Services, Audit logs, etc.);

o Missing/ ineffective security policy (E.g., Password policy);

o Mis-configured/ vulnerable systems such as servers, firewalls, etc;

o Improper authentication & access control (access rights & authorizations);

o Inadequate confidentiality/ integrity (credentials transmitted in clear text) ;

o Risk assessment & BCP not done/ not tested;

o Inappropriate data backup & archival for disaster recovery;

o Inadequate physical security;

o Invalid digital signature working/ CRL not updated

Usability Issues:

o Cumbersome/ lengthy navigation;

o Poor/ missing user instructions/ Help functions;

o Improper/ misleading messages for users;

o Accessibility requirements not addressed properly

Certification Schemes for eGovernance

Quality Assurance Framework and Conformity Assessment requirements have been published.

The overall framework covers 5 certification schemes:

o Smart Card Certification (along with NIC)

o Biometric Device Certification (along with UIDAI)

o Website Certification

o Information Security Management Systems Certification

o IT Service Management Certification

Software Testing and Quality Evaluation Framework developed.


Thanks