Department of Science and Technology Republic of South Africa
Specification
Digital Signature Application
1. INTRODUCTION
The Department of Science and Technology (DST) has 100 employees in Pretoria and Cape Town responsible for approving documents that are legally binding.
As a government department, DST must promote transparent administration and recognise the right of access to information, excluding information that is
specifically protected by law.
The DST's internal Business Processes move between officials and units for approval, and it is therefore critical to ensure the management of paperless
workflow processes, legally binding and compliant electronic transactions that have an audit trail to follow.
2. BACKGROUND
The DST procured an electronic signature package that is used to sign documents electronically and save them in the DOC/X format. The current signature package is outdated and is not compliant with the Electronic Communication Transaction (ECT) Act.
3. PURPOSE OF THIS DOCUMENT
The purpose of this document is to outline DST Digital Signature Requirements and to acquire quotations from vendors.
4. CONFIGURATION REQUIREMENTS FOR A DIGITAL SIGNATURE APPLICATION
The DST digital signature requirements are as stipulated below:
4.1 Signing and Verifying Process
a) Must work with all standard file formats stipulated below using certificate IDs:
• Microsoft Word, Outlook & Excel
• Adobe PDF
• Open Document, ODT, & ODS (Optional)
• JPEG & TIFF (Optional)
b) Allow a user to embed a digital signature anywhere directly into the document.
c) The digital signature system must provide a method for specifying which
d) The digital signature system must provide a method for modifying the data to include in the data to be signed without violating the integrity of existing signatures.
e) The digital signature system must protect against database object spoofing.
f) Allow multiple signatures to be placed into a document.
g) If signature verification fails because data was changed, the digital signature system must be capable of identifying for the user which data element was changed.
h) The digital signature system must include a timestamp with the signed data to show when the signature was generated. This timestamp must be protected by the digital signature.
i) The digital signature system must verify that the signer’s certificate was valid at the time of signing.
j) The digital signature system must retrieve the current date and time from a central, trusted source such as the database server or a timestamp authority.
k) Upon signature verification, the digital signature system must verify that the signer’s certificate has not been modified or revoked. The certificate chain should be verified up to and including the root certificate.
l) Certify a document with a visible and hidden signature so that recipients can verify authenticity with or without seeing a visible signature on the page.
m) Automatically embed certificate data to support long-term validation.
n) Certify a document while leaving portions of it available for form filling, signatures, or comments.
o) All documents must not leave the DST repository.
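Requirements 4.1 g) to i) can be illustrated as follows; this is an added example, not part of the DST specification or of any vendor product. It signs a manifest of per-element digests together with the signing time, so that verification can name the changed element and check the signing time against a certificate validity window. HMAC with a constructed key stands in for the signer's certificate-based signature, and all function names and field values are hypothetical.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: HMAC with a constructed key stands in for the signer's
# certificate-based signature, so the example runs with the standard library.
DEMO_KEY = b"constructed-demo-key"

def digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def seal(manifest: dict, key: bytes) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()

def sign_fields(fields: dict, signed_at: datetime, key: bytes = DEMO_KEY) -> dict:
    """Sign per-element digests and the signing time together (4.1 h)."""
    manifest = {"signed_at": signed_at.isoformat(),
                "digests": {name: digest(v) for name, v in fields.items()}}
    return {"manifest": manifest, "tag": seal(manifest, key)}

def verify_fields(fields: dict, envelope: dict, not_before: datetime,
                  not_after: datetime, key: bytes = DEMO_KEY) -> dict:
    manifest = envelope["manifest"]
    # The timestamp is inside the sealed manifest, so editing it breaks the tag.
    if not hmac.compare_digest(seal(manifest, key), envelope["tag"]):
        return {"ok": False, "reason": "manifest or timestamp altered", "changed": []}
    # 4.1 i): signing time must fall inside the certificate validity window.
    signed_at = datetime.fromisoformat(manifest["signed_at"])
    if not not_before <= signed_at <= not_after:
        return {"ok": False, "reason": "certificate not valid at signing time",
                "changed": []}
    # 4.1 g): compare element by element to name what changed.
    signed = manifest["digests"]
    changed = sorted(n for n in set(signed) | set(fields)
                     if n not in fields or signed.get(n) != digest(fields[n]))
    return {"ok": not changed, "reason": "data changed" if changed else "valid",
            "changed": changed}

if __name__ == "__main__":
    # Constructed sample document elements and validity window.
    doc = {"payee": "Vendor A", "amount": "1500.00", "approver": "Official 1"}
    t = datetime(2013, 8, 20, 11, 0, tzinfo=timezone.utc)
    env = sign_fields(doc, t)
    window = (datetime(2013, 1, 1, tzinfo=timezone.utc),
              datetime(2014, 1, 1, tzinfo=timezone.utc))
    print(verify_fields(dict(doc, amount="9500.00"), env, *window))
```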
4.2 Security and Cryptography
d) The digital signature system must be able to use both software and hardware cryptographic tokens.
e) The digital signature system must be able to detect any tampering of signing keys.
f) The digital signature system must provide an interface that allows the use of third-party security products.
g) Signature certificate must have court-admissible validity data (e.g. name, IP address, etc.).
h) Validate all signatures, confirming the identity of everyone who signed the document.
i) Validate document integrity by tracking all previously signed versions of a document to verify changes made during the document’s lifecycle.
4.3 Integration
a) The digital signature system must easily integrate into the applications to enable signing and verifying automatically (applications referred to in point 4.1.a).
b) Integrate into workflows within our Content Management Systems.
c) Must work on a PC and Mac (OS Independent).
d) Must support the following browsers (Firefox, Safari, and Internet Explorer).
e) Must allow users to sign using the following mobile technology (e.g. iPad, iPhone and Galaxy).
f) Allow users to use a signature pad option.
4.4 Standards
The proposed solution must meet the requirements of the (ECT) Act and can comply with the following standards:
a) ISO-IEC 9796
b) ISO-IEC 14888
c) ISO-IEC 15945
d) ISO-IEC 9798
4.5 Training
a) The vendor must train all DST users.
b) Must offer classes for administrators.
c) Must offer classes for users.
d) Must offer training onsite.
e) Training material / manuals must be provided for participants during classes.
f) Training material must be available in electronic format.
g) Training must be customised for our implementation.
h) Must offer a train the trainer type of course as well.
5. SERVICES REQUIRED
a) To configure and install digital signature application at the DST and all branches.
b) To deploy relevant packages to all DST users where necessary.
c) To define a user requirements document at the initiation of the project in order for the project to be successful. This will also enable the project team to know exactly what is required during the delivery of the project.
d) Provide a technical specification document.
e) To ensure the interoperability of the system in a diversified software environment.
f) To provide first and second level support to DST.
g) To evaluate user acceptance and skills requirements.
6. DELIVERABLES
A comprehensive report that provides the status of the Project:
(i) Identifying challenges and best practices in respect of:
o Accessibility, performance and turnaround time
o Technology equipment and infrastructure
o Preventive maintenance plan of equipment
7. TIME FRAMES
a) Vendor must submit a project plan.
8. CONSULTANT REQUIREMENTS
8.1 The consultant must:
a) Be in a position to assume work as soon as possible.
b) Demonstrate strong organizational and project management skills.
c) Be appropriately qualified with sufficient background of the digital signature sector.
d) Have good strategy development skills.
e) Have good business analyst skills.
a) Service providers must note the criteria to be applied in deciding on the successful provider.
b) All proposals received will be evaluated by a panel on the basis of functionality (100%).
c) The 80/20 preference point system (pps) will be applicable to this bid.
With regards to functionality the following criteria and maximum value of each criterion will be applicable:
CRITERIA | WEIGHTS
Experience and implementation reference | 20
Integration as per 4.3 | 20
Interoperability, Platform independent and mobile compatibility | 20
Originality, methodology and relevance of the proposed work plan | 20
Capacity to deliver within the specified time frames and availability of existing resources | 20
TOTAL SCORE | 100
d) Service providers will require 60 points to qualify for further evaluation.
e) Service providers might be requested to do an oral presentation of their service should DST deem it necessary.
10. DETAILS OF THE PROPOSAL
a) Consultants must submit to the DST, a Project Plan inclusive of milestones and time-scales, as well as the estimated person/days for the completion of the project.
b) An analysis of costs must be given to cover the full contract amount in South African Rands (including VAT), and where possible, costs should be linked with specific tasks to be undertaken.
c) The application should also include the CVs of the consultants and/or staff who will participate in the project, demonstrating experience in the field of information gathering, information management and information analysis.
d) The name and contact details (telephone and/or mobile, fax and email) of the project leader.
e) Scope of the study.
f) An implementation plan (including timeframes with broad work breakdown structures).
g) An outline of the methodology to be applied in carrying out the project.
11. PROCEDURE
a) Regular meetings will be held with the DST throughout the duration of the project.
b) The payment plan will be negotiated and agreed to between the DST and the consultant. However, the final payment will be made after the completion of the project and acceptance of the final report by both DST and the other party.
c) The consultant will solely be responsible for all administrative issues related to the project.
d) They will also be informed that copyright rests with the department and the department will decide on the publication of the information, if necessary.
12. SERVICE LEVEL AGREEMENT
a) If necessary, short-listed applicants may be requested to make a presentation of their proposal and will be duly informed.
b) DST and the appointed consultant will enter into a service level agreement.
c) The successful service provider will be expected to conduct a briefing session with the DST and all relevant stakeholders prior to the work being conducted and the whole team of the appointed service provider will be required to attend the briefing session.
d) The consultant will be responsible for ensuring that the agreed deliverables are produced to a quality standard, on time and within the budget.
e) The consultant will work in close collaboration with the DST so as to ensure that the objectives of the department are accommodated by this project.
f) DST will evaluate the draft final report and request the consultant to effect revisions and additions, if necessary, before the final payment is made.
g) The consultant will explain and elucidate the final report at a meeting arranged by the DST.
13. PROPRIETARY RIGHTS
a) The proprietary rights with regard to copyrights, patents and any other similar rights that may result from the consultant carrying out the assignment shall belong to the DST.
b) The final product of all work done shall, on completion of the brief of the assignment, be delivered to the DST.
c) The consultant shall agree that all rights, to be acknowledged, understood and adhered to by the consultant on acceptance of the bid by the DST including, without limitation, all intellectual proprietary rights in and to any material or information including all computer programmes, e-data and documentation related to the project belong to the DST.
e) The consultant shall deliver any or all such material, data and information to the DST upon request.
14. CONCLUSION
The closing date for submission of the quotation to the DST is 23 August 2013 at 12h00; no late proposals will be considered. A briefing session will be held on Tuesday, 20 August 2013 at the DST from 11:00 – 12:00. Prospective providers are therefore advised to attend the session to clarify the department’s specifications. Proposals should be delivered to: Building 53, CSIR Campus, Meiring Naude Road Pretoria, 0001, faxed to 086 681 0013 or emailed to senzod@dst.gov.za. Queries/requests for further information may be directed to Mr S M Dlamini at Tel: 012 843 6611.
NB: Please note that the DST reserves the right not to accept the lowest quote or not to proceed with this project. All costs that the consultant may incur due to the preparation of such quotation and project plan for the DST shall be the sole responsibility of the consultant.