IT SECURITY AUDIT OF E-TAX - February 2, 2007

The e-Gov Project invites all auditing companies registered in Macedonia or the USA that perform IT security audits to submit their proposals for an IT security audit of the e-Tax system. The system is administered by the Public Revenue Office of the Republic of Macedonia and is part of the services provided by the Office for Large Tax Payers.

All interested parties can download the tender documents by directly clicking on this link.

The deadline for submitting bids is Friday, March 9, 2007 at 15:00 hours local time.

Companies submitting tender documentation, in alphabetical order:

1. KPMG
2. Net Bit
3. PWC

After reviewing and evaluating all 3 bids, e-Gov Project decided to sign the contract with PriceWaterhouseCoopers - PWC.

QUESTIONS & ANSWERS

1. Our firm is a globally integrated network of firms. When we apply for a tender in a specific country, our usual strategy is to use our local branch as the legal bidder and to bring in credentials and experience from our worldwide network. Can you please confirm that this "network approach" is acceptable in the frame of this project (i.e. if we bid with our local entity, credentials from other offices will be admissible), or whether additional documentation is requested (support letters from the other countries...)?

As long as the contractor proposed by the bidder is registered either in the USA or in Macedonia, that company may use partners from other countries, except of course from countries that any USAID project is prohibited from working with. It must be clear from the submitted information that no partner comes from any of those countries. The requested registration information should focus on the partner that is to be the contractor. Any relevant reference from previously conducted work or international competence that will positively affect the completion of the task here may be used.

2. The offer and the audit report shall both be written in English. Please explain what you mean by "audit report". Shall an example of the audit report be submitted as part of the offer? The final audit report will be prepared after the whole audit is finished.

The Contractor will be requested to document its findings from the audit in a written report. The information in the Invitation to Bid states that this document shall be written in English. The Invitation to Bid does not include any request for an example audit report to be submitted together with the bid.

3. Our company is a local provider of IT services and consulting for IT systems, and part of this is the IT Security Check. Please explain what you mean by "auditing companies".

Only companies duly registered as having auditing as their main activity are invited to submit bids. "Auditing" in this context is not restricted to IT security auditing, but the Invitation to Bid requests the bidder to document its experience of such auditing.

4. Do you limit the penetration testing to the infrastructure layer, so that application-level security tests are not included?

The penetration test should be performed at both the infrastructure and the application level.

5. In your document it states that the auditors should master the Macedonian language in written form. Is the application written using the Macedonian language?

Yes.

6. How large is the External Network Range?

There are 8 external IP addresses.

7. Approximately how many hosts are expected to be found?

Two hosts.

8. Do you wish to have Client-Side attacks performed?

Not at this stage.

9. What language is the application written in?

The e-Tax services application is developed in Java and runs on the WebSphere application server.

10. What type of profile are you looking to have the auditor use during the assessment? Anonymous or Authenticated?

Both.

11. For the anonymous profile: how many input pages will the examiner have access to before being prompted to log in?

Only one page.

12. For the authenticated profile: how many different user profiles are there?

In the e-Tax services application there are two different profiles: system administrators and taxpayers. Within each profile, users with different privileges are assigned.

13. How many different user profiles do you want tested?

Both: system administrators and taxpayers.

14. Will the auditor be expected to examine the application design and support documentation, or the source code?

The auditor should examine the functionality of the software application, not the source code.

15. Please clarify what you mean by "historical data", including the period for which historical data is available.

This means analysis of data stored on the server since the official launch of the system in July 2006 (excluding data submitted by the taxpayers) that can be related to security issues.

16. Will the auditor be expected to include wireless networking or remote access servers, if such exist, in the scope of the penetration testing?

Wireless networks or remote access servers should not be included in the penetration test.

17. Do system administrators and taxpayers use separate clients for login and working with the system?

The e-Tax application is a web-based application, and the only client for all users is a web browser.

e-Gov Project is implemented by Internews Network
Dane Krapcev 18 | 1000 Skopje | Macedonia | Ph. +389 (02) 3231 104 | Fax +389 (02) 3220 636