Trustworthy Information Systems Handbook: Appendix F, Section 3
Web-Enabled Electronic Bidding System: Test Phase (Minnesota Department of Transportation)
Minnesota Department of Transportation (Mn/DOT)
TIS Evaluation Meeting Date:
22 July 1999
State Archives Staff:
Mary Klauda, Shawn Rounds
Sue Dwight, Gary Ericksen, Bill Gordon, Mike Martilla, Nancy Sannes, Gus Wagner, Joel Williams, Lynn Klessig (Office of the Attorney General, attorney for Mn/DOT legal issues), Charles Engelke (Info Tech, vendor)
The Transportation Department is charged with providing a balanced transportation system for the state that includes aeronautics, highways, motor carriers, ports, public transit, railroads, and pipelines. The department is the principal agency for developing, implementing, administering, consolidating, and coordinating state transportation policies, plans, and programs.
Electronic Bidding System (EBS)—Expedite, Bid Express
The Electronic Bidding System (Expedite) will allow Mn/DOT to distribute contract bid items to contractors who can then prepare and submit bids electronically (via Bid Express and the Internet) to Mn/DOT. A vendor, InfoTech, controls Expedite and Bid Express. Files transferred to Mn/DOT are brought into TRNS-PORT, an electronic system already in place in the department. If successful, the system will eliminate the need to retain a paper-based system of contract bids. During the pilot project, the department will continue to accept paper bids.
System Development Phase:
Test Phase: marketing and implementation of pilot project.
Mn/DOT chose to evaluate its Electronic Bidding System (EBS) for trustworthiness as the first part of a risk assessment of the system during its pilot phase. The process of distributing and submitting contract information and bids is not new to the department. However, the addition of an electronic bidding component to the existing system brings up more and new considerations on how system information is administered.
Several state and federal laws are, or will be, in place that pertain to EBS data. Of particular concern are laws governing circumstances for the use of digital signatures, since EBS will rely on digital signatures for authentication of bidders. There are no industry standards that exist for system data and data security. System security standards are being addressed agency-wide by Mn/DOT's Information Resource Management (IRM) units. The department has records retention schedules in place for agency data, but they are based on a paper system.
There are several legal issues involved with system data, particularly concerning proofs of proper execution of a bid, valid signatures and bid bonds, correct completion of bids, and proper authority for bid signatures. Existing system data is audited every two years, per statute. Auditors routinely look at procedures for accepting bids and verification of proper insurance. Some of the contract bid data is classified under the state's data practices act. None of the data contain personal information.
System documentation is complex because responsibilities extend to Mn/DOT's various IRM units, to the business units involved with deploying the system, and to the vendor, InfoTech. Documentation also applies to three systems, both internal and out-sourced: Expedite, Bid Express, and TRNS-PORT. System documentation is covered by department records retention schedules. Currently, system data resides on a mainframe, and access is strictly controlled in that environment. However, a variety of access issues need to be addressed as system data is moved from the mainframe to a client-server environment. The department's central IRM unit maintains documentation on system hardware. InfoTech heavily documents its software and maintains a revision history.
System Documentation—Policy and Procedures:
Some system documentation is covered by agency-wide IRM policies and procedures. TRNS-PORT programming conventions and procedures follow the guidelines and standards of the American Association of State Highway and Transportation Officials (AASHTO). Staff felt that sufficient documentation exists on development and testing procedures, applications, quality assurance and control checks, and data migration for EBS and TRNS-PORT. Documentation by Mn/DOT and InfoTech specifies standard training and terms-of-use agreements for all system users and personnel, including contractors.
System Security—User Authorization:
InfoTech and Mn/DOT both are responsible for EBS system security, but at different times, depending on the time of public bid openings. InfoTech handles documentation and implementation of security measures and access permissions from the time a contractor files a bid until the time of its public opening. After the public opening, responsibilities are passed on to Mn/DOT. User authorization is important to the system's success, and it is strictly controlled and monitored. Agency-wide user authorization policies also apply to EBS.
Since InfoTech is not a Minnesota company, bonding companies serve as the authenticating parties, enabling contractors to submit bids electronically. This issue is significant and may necessitate Mn/DOT's examining the level of trustworthiness for this system as well. The Secretary of State currently recommends that identities for digital signatures be established by a person's physical appearance. It was recommended that Mn/DOT obtain an Attorney General's opinion about changing any of these established procedures and requirements.
System Security—Internal and External:
Agency-wide IRM policy controls and monitors most aspects of internal system security. Adequate controls are in place, however, certain procedures, such as software and hardware sanitization and disposal, need further review. The department follows AASHTO's fixed schedule for reviewing security procedures and rules. Moving data from Expedite to TRNS-PORT will require additional security. There are procedures in place to control and monitor external system security.
Audit trails are maintained and users online actions are monitored adequately by InfoTech while bids are open. Mn/DOT tracks any addenda to bids after the public bid opening. Authorized users can access audit data, but cannot alter, add, or delete audit data. Access to audit trail software is controlled, protected, and monitored. Audit trails are backed-up every business day.
InfoTech relies on backup storage in the event of a disaster or system failure and has a mechanism in place to ensure the non-stop functioning of Expedite. Mn/DOT has a disaster plan in place that is reviewed periodically. Mn/DOT staff felt that additional back-up procedures need to be established for the client-server configuration and that there needs to be better off-site storage for backups.
Bid files are the primary records created by EBS. The bulk of the bid files require a seven-year retention period after bid letting is complete. Portions of the successful bid files have a twenty-year retention period. The system will retain, for each record, the original content, and format, context, and structure, along with a comprehensive set of metadata. For encrypted bid files, decryption keys must be retained as well since there needs to be a way to access the files. The department is developing a migration plan for the system's permanent/historical records.
next › ›: Appendix F, Section 4
TIS Handbook last updated July 2002, Version 4.