Specifications

Template Title: 2. SYSTEM DEVELOPMENT


Item Type: Services
Item Type: Local

Columns: Item | Specifications | Measuring unit (UOM) | Quantity | Frequency / No. Unit (One Day Size, One Month Size)

2.1 Activity unit 1 1

User Requirements and Analysis
1. Tenderers need to develop the i-SPKP System online applications in no more than 24 months from the date of SST, and should suggest the application development period (months). Please submit a suggested time period, complete and in detail, in Appendix A3: Project Implementation Schedule.

2. The tenderer must complete the first phase (go live) within 12 months
from the date of SST and please state the development proposal period (months).

3. The proposed module development for phase 1 is as follows:
   1. Land Public Transport Licensing Module
   2. Administration Management Module
   3. Profile Management Module
   4. Driver Card Management Module
   5. Intermediary Business License Management Module
   6. Fees Management Module
   7. Meeting Management Module
   8. Counter Management Module
However, the proposed development of these modules for phase 1 and phase 2 will be discussed and confirmed during the user requirements session.

4. Documents submitted for the needs and analysis phase are as follows (not limited to): a) System Development Plan b) BRS Review Report c) System Requirements Specification (SRS)

5. The tenderer must include the following in the tender proposal (not limited to): 1. Activities to be carried out during the needs study (examples: interviews, workshops, meetings, questionnaires) 2. How the tenderer intends to carry out needs research activities 3. Submission of needs study 4. Involvement required from the Government 5. Dependence (Please complete Appendix A1: Proposed i-SPKP System Development)

6. Tenderers should develop, implement, maintain and integrate, and prepare implementation strategies and plans based on priorities and the project time period. The plan should show all tasks and activities, the duration of implementation, the relationship between activities, submissions and the resources responsible for each task / activity.

7. The tenderer shall prepare a System Development Plan describing the planning aspects of the system development activities to be carried out.

8. The tenderer must obtain the needs of the users as a whole for the development of the i-SPKP System.

9. The tenderer must review the Business Requirement Specification (BRS) document provided by the Government, refine the BRS and issue a comprehensive report within a period of one month from the date of SST. The report must have Government approval.

10. The tenderer must implement the analysis process for the i-SPKP System according to the Civil Sector Application System Engineering Guide (KRISA) published by the Malaysian Administrative Modernization and Management Planning Unit (MAMPU).

11. The tenderer shall ensure the production of a 'System Requirement Specification' (SRS) through a detailed study of the business needs information that has been obtained. Business needs information is available from, but not limited to, the BRS documents provided by the Government. Successful tenderers will receive a copy of the BRS document as a reference for preparing the SRS. All findings and recommendations during the analysis phase should be documented.

12. The tenderer shall develop the SRS document and obtain confirmation and approval from the Government. The tenderer shall submit the proposed SRS table of contents as well as the proposed SRS overview.

13. The tenderer shall manage all preparations, SMEs, accommodation (inside or outside Government premises), food and drink, and the implementation of needs development activities such as workshops, seminars, meetings and others until fully completed, at no additional cost to the Government.

14. The tenderer must provide the tools / software required for project management, system development and testing. All tool costs (if any) must be borne by the tenderer without any additional cost to the Government, and the tools will become Government property. Example: Microsoft Project. (Please complete Appendix A2: Proposed Hardware and Software Specifications and also provide related brochures.)

15. SRS documents shall include but are not limited to: a)
Functional Needs b) Non-Functional Needs

16. In the Function Specification, the tenderer must describe the functions available in the system (not limited to): a) The best design technique for the i-SPKP (e.g. process or data driven, etc.) b) The description of the design technique and how it is going to be implemented. c) Business rules for SPKP. d) Process diagrams. e) Other related documentation.

2.2 Activity unit 1 1

System Design
1. The tenderer must design and prepare the submission documents according to the Civil Sector Application System Engineering Guide (KRISA) published by the Malaysian Administrative Modernization and Management Planning Unit (MAMPU).

2. Tenderer MUST implement system development based on best practices, such as referring to relevant standards (e.g. IEEE Std 1012™:2016 - IEEE Standard for System, Software and Hardware Verification and Validation, Capability Maturity Model Integration (CMMI) or QMS ISO 9001) to ensure software quality can be achieved.

3. The submission documents for the design phase are as follows (not limited to): a) System Design Specifications b) Data Migration Plan c) Data Migration Specifications d) System Integration Plan e) System Integration Specifications

4. Activities under this phase are as follows (not limited to): a) Architectural Design b) Technology Determination c) Database Design d) User Interface Design e) System Transaction Design f) Data Migration Design g) Data Integration Design

5. The tenderer must submit a system design that is not limited to the following: i) has good security features including audit trail, server logs, data encryption (encryption / decryption), auto log-off, biometric device for authentication of identity cards, PKI and other security features as required; ii) has strategies that can improve performance when the number of users increases; iii) is scalable in the future; and iv) takes availability into account (Please complete Appendix A1: Proposed i-SPKP System Development)

6. The tenderer must submit the 'System Design Specification' (SDS) document, which must be reviewed and approved by the Government before system development is implemented.

7. The i-SPKP system is located in the MAMPU Public Sector Data Center (PDSA)
in a 'virtualization' environment. Tenderers should recommend
comprehensive and secure system design. (Please complete
Appendix A1: Proposed i-SPKP System Development)

8. The tenderer must properly configure the 'development', 'staging' and 'production' environments in PDSA Putrajaya and the DRC ('Disaster Recovery Center') at PDSA Bandar Enstek, to be set by the Government. The Government reserves the right to change the location of the data center and DRC before any installation is performed. Only Malaysian citizens are allowed to enter PDSA.

9. The tenderer shall carry out the design walk-through with the Government as part of the verification and approval process. Tenderers can only start system development after obtaining design approval from the Government.

10. Tenderers need to develop online applications for the i-SPKP System so that the application can support the licensing and enforcement processes determined by the Government. The proposed i-SPKP system should be able to produce analysis (reports) to support the formulation of new government policies. The proposed i-SPKP system should improve the delivery of government services through the provision of end-to-end and comprehensive online services. The application system can be accessed by the user at all times without any interruption, in accordance with the SLA in Appendix A10: Service Level Agreement. General Features of the Application - The proposed system development must be flexible, scalable and easy to maintain, so that new processes can be easily added by the Government. It is developed in two languages, namely Bahasa Melayu and English.

11. The proposed i-SPKP system should have a Paperless Environment concept that seeks to improve the operational efficiency of APAD and CVLB through the use of electronic forms (e-forms), which aims to: a) Reduce paper usage. b) Reduce counter-to-counter management. c) Implement financial rules electronically with the issuance of fast and accurate payment bills. d) Use high security technology for the issuance of licenses / permits
12. The proposed i-SPKP system should coordinate information or combine information to avoid duplication of the information contained in stand-alone forms.

13. The proposed i-SPKP system should assist APAD and LPKP to collect revenue more efficiently and in a more controlled way: a) All government revenue must be coordinated with the federal government accounting system (iGFMAS); b) The system complies with all financial regulations of the agencies and the Accountant General's Department; c) The system needs to be able to manage the financial process for 3 different agencies, namely APAD, LPKP Sabah and LPKP Sarawak

14. The proposed i-SPKP system should be able to generate and ensure accurate and uniform statistics by creating one centralized database so that statistical reports can be self-generated by the user. All records in the main database will be copied automatically by daily replication, based on the design proposed by the tenderer and the time set by the Government.

15. The system is able to integrate with other systems flexibly and is easy to improve. The implementation approach adopts technology not limited to web-based, mobile web and mobile apps. Provide an interactive site for users to submit applications, update information, check status and make online payments. The system sends notifications via email or other communication media on the status of the application or related actions.

16. Provide facilities to generate simulation, modeling, analysis, forecasting and predictive analysis according to the current needs of APAD and LPKP. Provide flexible reports according to APAD and LPKP requirements. Provide audit trail facilities for applications, including time logs, dates, IP address and User ID, for entry, amendment and deletion of critical data. The tenderer must ensure that the system developed is able to send application / transaction notifications to users on any processing or system failure.

17. The application developed must be accessible through various platforms, browsers (such as Internet Explorer, Google Chrome, Safari, Mozilla Firefox, etc.) and media (mobile and PC). The technology used in application development should enable the application to be accessed via web-based and mobile web automatically if the user is using mobile hardware. The mobile application developed can support various smartphone operating platforms (example: iOS, Android, Huawei)

18. The tenderer must ensure that the system developed can support any changes / improvements to the operating system, hardware and networks with minimal change. The tenderer must review and recommend management of data field or information additions in the relevant modules, especially the modules that have a checklist where there are always changes or additions, without involving programming. Checklist updates can be made by the users themselves who have access.

19. The tenderer must ensure that the form (e-form) is completed with
help index in the following forms (but not limited to): a) FAQ b)
Mouse over c) Tool tips

20. The proposed application can be accessed through the following channels (but not limited to): a) Agency Website b) Agency Interface c) Mobile Application d) live chat (working period)

21. Application security features

i) The system must be capable of providing a single sign-on facility based on multi-factor authentication. Authentication uses (not limited to) Active Directory (if necessary)

ii) For every complete transaction, the accepted system response time is as follows: a) = 4 seconds for simple transactions (login, landing, info display) b) = 9 seconds for medium transactions (search, form submission) c) = 15 seconds for complex transactions (monthly report generation, integration)

iii) The system must be able to serve approximately 12,000 users (internal and external) simultaneously without increasing system response time

iv) The tenderer shall ensure that the proposed system has the following security requirements (but is not limited to): a) Make sure user passwords or pass phrases are not easy to guess through 'brute force', 'dictionary' or any other attack b) Prompt the user to change the password or 'pass phrase' at a specified time c) Users are divided into specific groups, where each group will have its own access level (access control) to use the system. User group changes are easy to make, with the requirement that users have the appropriate level of access. d) Encryption of User ID and password. e) Ensure the system does not provide any backdoor access that can be exploited and that will affect the integrity and availability of data.

v) Tenderers must ensure that data security meets the following conditions (but not limited to): a) Must be able to support encryption methods for sensitive data that cannot be disseminated without going through proper channels and procedures b) This solution is needed to maintain consistency, accuracy and integrity of data at all times c) Secure Socket Layer (SSL) will be used to secure all system transactions

22. Data Entry and Verification

i) Tenderers must ensure the system developed supports document upload activities in formats (not limited to) doc, docx, pdf, excel, csv, text report

ii) Tenderer must ensure that the developed system can upload documents of 10MB maximum size per document (will be verified in URS session)

iii) The system must provide access for the system administrator to restrict access control, and to set or administer user access at various levels of user groups.

iv) Provide a mechanism to perform authentication of data entered by the user (applies to data entered manually) at the time of data entry.

23. Platform

i) Tenderer shall propose web application development for the i-SPKP system using the appropriate 'programming language'. If there are certain functional constraints on the use of the programming language, tenderers can suggest the use of other programming languages along with the main programming language. The programming language to be used must be approved by the Government first. If suggesting a programming language which involves a license, please submit the recurring price and cost required. Please state.

ii) Tenderers need to suggest development tools to be used. All development tool license costs (if any) must be borne by the tenderer at no additional cost to the Government. Development tools used will be the property of the Government. Please specify in Appendix A2: Proposed Hardware and Software Specifications

iii) Tenderers need to suggest the architectural pattern used in system development, not limited to Model-View-Controller. Please specify.

iv) Tenderers need to recommend the framework used for development of this system. Please state.

v) The development of this system should prioritize separation of code, not limited to model, view, controller, javascript and CSS

vi) Provide a workflow management system as well as management and monitoring facilities.

vii) Tenderers should suggest tools to manage the source code. The proposed software should provide 'software versioning', 'Continuous Integration / Continuous Development' (CI / CD) and other appropriate system development project management functions. Please specify in Appendix A2: Proposed Hardware and Software Specifications

24. User Friendly

i) Provide an interactive, user-friendly site by offering online applications, information updates and status checks.

ii) The system is able to notify users via email / system about application status or related actions.

iii) This system must support World Wide Web Consortium (W3C)

25. Database

i) Enterprise Relational Database Management System (RDBMS) is recommended for use with this system.

ii) Tenderers need to configure a database that can support High Availability (HA), Integration Services, Business Intelligence (BI), Reporting Services, Security and other features.

iii) The tenderer must ensure that database development for the i-SPKP system is implemented according to the MAMPU Public Sector 'Data Dictionary' (DDSA) standard. The supplier must follow the standard format for the 'table' and 'field' names that have been set by the Government.

iv) Tenderers are required to design a database (Database Architecture) for the entire system

26. Service Delivery

i) This proposed system will support high availability. The design should meet the following requirements (but not limited to): a) High availability failover b) No or minimum downtime for system maintenance

ii) Tenderer must ensure that the system has a minimum availability of 99.5%

iii) Tenderer shall ensure that the system has high reliability requirements

27. Capacity

i) The tenderer shall ensure that the solution proposed (including the hardware used) can support the current and expected load on the new system within the next five (5) years.

ii) The tenderer must ensure that the capacity of the system meets the following conditions (but is not limited to): a) This system is expected to provide an acceptable level of performance during peak load b) This system is expected to handle burst levels of activity at any duration without crashing

28. Extensibility / Flexibility The tenderer must ensure that the system
provided has the following flexibility (but not limited
to): a) The solution shall be extensible in order to address future
functionality and changes without having to be completely rewritten b) The
architecture shall be innovative and flexible enough to accommodate related
technological changes that could be leveraged in the future c) Additional
channels of information delivery should be supported in the future with no
significant changes to the architecture.

29. DATA STANDARDIZATION

i) Tenderers must use the relevant Public Sector Data Dictionary (DDSA) format

ii) The proposed solution for the developed application must use standards as follows: a. Common look and feel across all screens and modules b. Our conventions c. Abbreviation

iii) Tenderer shall review and implement data standardization on all existing system data during the data migration process so that no data overlaps and all data is at a high level of integrity.

iv) Tenderer shall review and update existing data that is affected by the data standardization process so that the data does not carry different meanings.

v) The tenderer must document all work related to data standardization, and it needs to be verified by the Government.

30. SECURITY OF INFORMATION

i) Tenderer shall ensure the ICT security characteristics of the application system to be developed, including software, hardware and information, are based on the Guidelines and circulars issued by the Government of Malaysia and still in force. Tenderers need to ensure the security of information, which among other things is to maintain confidentiality, integrity and availability.

ii) Tenderer shall ensure that information security aspects can be implemented as protective, preventive, detective and recovery measures in the effort to ensure the security of information.

iii) The tenderer must ensure all aspects of information security, which include the following: a) Application system security for all supplied modules and module interfacing with other applications (if any) b) Security of ICT infrastructure such as servers, operating systems, base systems

31. Secure Sockets Layer (SSL)
The SSL / TLS digital certificate used by the application system server must be supplied by a Certification Authority that is licensed and registered with the Malaysian Communications and Multimedia Commission (MCMC) so that the digital signature is valid under the Digital Signature Act 1997

2.4 Activity unit 1 1


Integration
1. The submission documents are as follows (not limited to): a) System Integration Test Report

2. Tenderers should review and implement integration with external systems. The tenderer must submit a System Integration Plan that has been presented to, and confirmed by, all system owners involved in the integration, to ensure integration activities get support and cooperation. Integration will involve the following agencies / third parties:
   1. Road Transport Department (JPJ);
   2. Royal Malaysian Police (PDRM);
   3. Accountant General's Department of Malaysia (AGD);
   4. National Registration Department (JPN);
   5. Financial institutions (FPX);
   6. Malaysian Government Public Key Infrastructure (MyGPKI);
   7. Malaysian Government Central Data Exchange (MyGDX), MAMPU; a) Malaysian Cooperative Commission (SKM) b) Department of Registration of Societies (ROS)
   8. Companies Commission of Malaysia (SSM);
   9. Malaysian Insolvency Department (MDI);
   10. 14 Terminal

3. However, the Government reserves the right to reduce / increase the number or change the proposed agency if a specified agency is found to be unavailable to implement the integration process. The integration requirements mentioned above are based on current studies, and the Government reserves the right to amend or add other requirements if necessary, and the tenderer must implement those requirements.

4. The integration proposal for the operator terminals is as follows (not limited to):
   1. South Integrated Terminal
   2. ITT Gombak
   3. Terminal Perlis Integrated Public Transport
   4. Shahab Perdana Terminal, Alor Setar
   5. Penang Sentral Terminal
   6. Meru Raya Terminal, Ipoh
   7. Terminal 1 Seremban
   8. Melaka Sentral Terminal
   9. Larkin Sentral Terminal
   10. Terminal Kuantan Sentral
   11. Kelantan
   12. Terengganu
   13. Genting Awana Terminal
   14. Klia / Klia2 Terminal
However, the Government reserves the right to reduce the number or change the proposed terminal if a specified terminal is found to be unavailable to implement the integration process. The integration requirements mentioned above are based on current studies, and the Government reserves the right to amend or add other requirements if necessary, and the tenderer must implement those requirements.

5. The Tenderer shall submit a System Integration Specification that has been presented to, and confirmed by, the system owner, to ensure that the specifications generated are valid and meet the data integration requirements.

6. The tenderer must translate or realize the System Integration Plan and System Integration Specifications into program code in the programming language that has been selected, install it and subsequently execute testing for the system, according to the activities stated in the Civil Sector Application System Engineering Guide (KRISA) issued by the Malaysian Administrative Modernization and Management Planning Unit (MAMPU), according to the Implementation Schedule.

7. Tenderers need to suggest Integration tools to be used. All Integration tools license costs (if any) must be borne by the tenderer at no additional cost to the Government. Integration tools that are used will be the property of the Government.

8. Tenderers should provide interface / integration with various agencies and systems used, including data exchange

9. Tenderers need to ensure that the i-SPKP system is capable of translating trade messages from various integrated systems and supports various protocols / trade message formats (not limited to) such as: b) XML d) HTTPs e) JSON f) Secure FTP g) Secure SMTP h) Ms Excel i) Text Files j) CSV

10. The tenderer must configure the integration server provided by the Government as a platform for integration between Service Providers' systems and the i-SPKP System

11. The tenderer must implement a secure integration process for data transfer and exchange of information between agencies and systems.

12. The tenderer shall work with the Agency and the company representing the agency, and implement integration on both sides (end to end) until successful, and provide a comprehensive solution for a successful System Integration Plan.

13. Tenderers need to ensure a data integration strategy (not limited to): a) Develop a data integration action framework and integration plan b) Provide the data that needs to be integrated c) Develop an integration program d) Integration Testing e) Implement data integration in a production environment using the programs that will be developed

14. Tenderers need to ensure that the integration between i-SPKP and agencies /
the system is not interrupted in the event of a disruption to an integration
with the agency / system involved.

15. Tenderers are required to provide integration monitoring facilities. Tenderers need to ensure that integration between all existing systems is interoperable. The tenderer must ensure that the integration architecture is capable of supporting future system integration requirements. For the purpose of access control over the application system to be developed, security control (authorization key) needs to be applied to the APIs and applications that will be developed. The tenderer must ensure that all data obtained from the implementation of this integration can be displayed in the i-SPKP system or a related application system. If there is any problem with integration, relevant Government employees will receive notifications by email to enable the Government to take appropriate action.

16. Tenderer must provide i-SPKP integration with a payment gateway for online payment purposes using direct debit through the Financial Process Exchange (FPX) and by credit card.

17. Tenderers should develop a dashboard for monitoring integration status between related systems. The dashboard should display graphics, statistics, reports and others according to Government needs. Among the data needed for Government monitoring are the following: i. Number of successful data transactions received and sent ii. Number of unsuccessful data transactions and sent iii. Status of the integration gateway on the relevant hosts. iv. Related information / data from all integrated systems.

18. The tenderer must use the tools suggested by the tenderer for the purpose of implementing integration in this project. If a tool is inappropriate and does not meet the integration requirements for this project, the Government reserves the right to suggest that the tenderer use other, more suitable tools.

19. All implementation of this system integration is the responsibility of the tenderer, without incurring any cost to the Government, at any stage of needs analysis, design, development, implementation, testing and maintenance, if there are any changes within the contract and warranty period.

20. All implementation of system integration must be documented and validated by the Government to avoid any problems in the future.

21. Tenderers need to bear the cost of integration with a third party (if any) until the expiration of the i-SPKP system warranty

22. The Government will help to get approval from agencies / third parties, and any DATA costs incurred will be borne by the Government, while the cost of integration has to be borne by the tenderer

23. Road Transport Department (JPJ)

23.1 General Requirements

23.1.1 The Tenderer needs to provide mySIKAP JPJ System improvement services to meet the needs of the i-SPKP System in a period agreed by JPJ, including a 2-month warranty period. Service cost calculation is based on mandays.

23.1.2 The Tenderer needs to provide and implement services in the Digital Technology Division JPJ, Cyberjaya. Any implementation requirements in other locations need written permission from the Government.

23.1.3 The Tenderer shall work with existing JPJ contractors to ensure that there is no interference with the mySIKAP JPJ System.

23.1.4 The Tenderer is responsible for any damage / bugs that occur due to the improvements that have been made

23.1.5 The Tenderer must submit all resources and source code developed by the Tenderer or jointly with Government staff, in accordance with the existing system development environment and procedures (development, testing and production environment), and all resources and source code are the property of the Government.

23.1.6 The Tenderer shall conduct tests on each application unit to prove that the application works and maintains the designated performance. Next, a thorough test of the system should be carried out to prove that the application system has been synchronized and corrected well to produce the performance guaranteed in this tender specification.

23.1.7 The Tenderer is required to conduct the initial test (System Integration Test Provisional Acceptance Test) which involves the Government before asking the Government to witness the final accreditation (User / Final Acc

23.1.8 The Tenderer is required to provide guarantee services for a period of two (2) months for this improvement after the transfer process to Production.

23.1.9 Submission only starts from the expiration date of the guarantee, and the Certificate of Final Acceptance can be issued.

23.2 Technical Requirements And Scope Of Work

23.2.1 The Tenderer needs to provide mySIKAP JPJ System improvement services to meet the requirements of the i-SPKP System, which are NOT LIMITED to the following: i) Development of new integration points in mySIKAP System; ii) Amendment of existing integration points in mySIKAP System; iii) Development of new screens in mySIKAP System; iv) Amendment of existing screens in mySIKAP System; and v) Development / amendment at all JPJ delivery channels involved;

23.2.2 The Tenderer must provide JPS mySIKAP system improvement services for the Vehicle Licensing Module as follows: i) Sending information from the i-SPKP System for: a) Offer Letter Approval (STK); b) Letter of Approval (SK); c) APAD / LPKP Permit; d) E-Hailing vehicle Permit; ii) Review of information from JPS mySIKAP System for: a) Bus Vehicles; b) Taxi Vehicles; c) e-Hailing Vehicles; and d) Goods Vehicles;

23.2.3 The Tenderer must provide JPS mySIKAP system improvement services for the Automotive Engineering Module as follows: i) Review of Approval Offer Letter (STK) information from the i-SPKP System for: a) Application for Technical Approval of Public Service Vehicles; b) Technical Vehicle Technical Approval Application;

23.2.4 The Tenderer must provide JPS mySIKAP system improvement services for the Driving Licensing Module as follows: i) Review of information from JPS mySIKAP System for: PSV License Information (e-Hailing taxi); a) Name b) Date of license issued c) Type of License d) Start Date e) Expiry Date f) License class g) Code of Use

23.2.5 The Tenderer must provide JPS mySIKAP system improvement services for the Enforcement Module as follows: i) Review of information from the i-SPKP System for: a) Vehicles; b) Company; c) Permit; d) Terminal; and e) Driver Card. ii) Review of information from the mySIKAP JPJ System for: a) Mistakes; b) Blacklist action; and c) Case result. iii) Sending information to the i-SPKP System for: a) Recommendations for suspension / revocation of vehicle service license as well as termination of suspension / revocation. b) Blacklisting of vehicle service license as well as termination of blacklisting.

23.2.6 The Tenderer shall implement the system development / amendment
jointly with the JPJ contractors / employees involved.

23.2.7 The Tenderer must perform the services and provide the deliverables
involved according to the system development phase as follows:
a) Verification of Consumer Needs: Consumer Needs Specification
b) Design: System Design Specifications
c) Development of Unit Testing System: Unit Test Report
d) System Integration Test (SIT): Test script, test scenario
e) User Acceptance Testing (UAT): Test scenario, test script
f) Deployment: Deployment form

23.2.8 The Tenderer shall conduct briefings, consulting services, handover
and handholding for the JPJ application team for the services involved within
this scope at no additional cost (within the warranty period). This includes
the need to provide related materials and documentation.

23.2.9 The Tenderer must provide a system development team (developers) with
experience and expertise covering, but not limited to, the following
technology categories: i) Front End: Java, JSP, JavaScript, ZK Framework;
ii) Back End: COBOL, DB2, CICS, PHP; iii) Mobile Application: Ionic;
iv) Integration: SOAP XML, DataPower

23.2.10 The Tenderer must implement system development services according to
the Best Practices methodology, namely the following development phases:
i) Requirement Studies, which should be carried out through detailed
discussions with users; ii) System and Database Design; iii) Application
development or amendment; iv) Detailed testing, namely Unit Testing, System
Integration Testing and User Acceptance Testing, which should be done after the
development or amendment work is completed; v) Performance Test and
Application Security Test, if required; and vi) Deployment to the Development
Environment and the Testing Environment, as well as to the Training
Environment and Production Environment after being certified by the
Government.

23.2.11 The Tenderer must submit the Project Implementation Planning Schedule
before the project is implemented.

24. Accountant General's Department of Malaysia (AGD): Tenderers must provide
integration with the iGFMAS system as follows (not limited to): a) Batch
integration (SFTP); b) Encryption and decryption method; c) File naming
convention as stipulated; d) Email notification

2.5 Acceptance Testing (UAT & PAT)
Activity unit 1 1

1. The tenderer shall perform system testing as per the activities specified
in the Public Sector Application System Engineering Guide (KRISA) published by
the Malaysian Administrative Modernization and Management Planning Unit
(MAMPU), according to the Implementation Schedule.

2. Tenderer MUST implement at least the following tests:
1. Unit / component testing
2. Integration Testing (SIT) (if applicable)
3. Migration Testing (if applicable)
4. System Testing
5. Acceptance Testing: i) User Acceptance Test (UAT); ii) Provisional
Acceptance Test (PAT), which includes non-functional tests such as Performance
Test, Load Test, Stress Test and Security Test; iii) Final Acceptance Test (FAT)

3. The tenderer MUST prepare and submit the following documents to the
Government: a) Master Test Plan; b) Test script; c) Requirement Traceability
Matrix; d) Integration Test Report (SIT); e) Migration Test Report; f) System
Test Report; g) Acceptance Test Report: i) User Acceptance Test (UAT) Report;
ii) PAT Report; iii) FAT Report

4. Tenderer MUST cooperate (for example by providing the information,
documents and reports required) with all parties involved with system
development, including the IV&V service providers.

5. Tenderer MUST ensure the system can accommodate [specify number] concurrent
users during peak hours. The system developed should be able to meet the
response time for each transaction category as follows:
i. Simple transactions such as login, display - 2 to 4 seconds
ii. Medium transactions such as search, form submission - 5 to 9 seconds
iii. Complex transactions such as report generation, integration with external
systems - 10 to 15 seconds

6. The tenderer shall conduct a Provisional Acceptance Test (PAT) that includes
functional and non-functional testing of the SPKP application system. This test
must be done before the i-SPKP application system is launched (go live).
Tenderers need to assess the system's capabilities in a real environment.
Functional tests can be performed selectively, while non-functional tests
should include performance tests, load tests, stress tests and security tests.

7. The tenderer must ensure that the system that has been developed meets
user-defined functional and non-functional requirements.

8. The tenderer shall suggest an isolated test environment (separate
environment).

9. The tenderer is responsible for providing an environment for UAT and PAT
testing. This includes the application software, hardware and test data
required by the Government to conduct the tests.

10. The tenderer must ensure that the test environment is a controlled
environment.

11. The tenderer must ensure the system is free from critical errors (quality
severity bugs) which can affect system operation before handing over the
system to the Government. The tests that need to be performed are as follows
(not limited to): a) Installation testing; b) Unit testing; c) Function
testing; d) System testing; e) System Integration testing; f) Exception
testing; g) Business scenario testing; h) Usability testing; i) Connectivity
testing; j) Backup and restore testing; k) Disaster Recovery testing; l) High
Availability Failover testing; m) Clustering / Load Balancing / Failover
testing; n) Others (if any)

12. The tenderer must explain the objectives of the tests that need to be
implemented as listed above and the approach used to perform the tests.

13. The tenderer should explain the test methodology and approach that will be
used to test the i-SPKP system. (Please complete Appendix A1: Proposed i-SPKP
System Development)

14. Tenderers should use a detailed and comprehensive testing methodology to
ensure the quality of the system submitted to the Government.

15. The tenderer shall suggest the tools to be used for system testing.
(Please complete Appendix A2: Proposed Hardware and Software Specifications
and also provide related brochures)

16. The tenderer must provide all the requirements, utilities and testing tools
required by the Government for the purpose of UAT and PAT testing.

2.6 Final Acceptance Test (FAT) & Warranty
Activity unit 1 1

1. The documents to be submitted for the FAT & warranty phase are as follows
(not limited to): a) Data Migration Report; b) Test Termination Report;
c) System User Manual; d) System Submission Report

2. The tenderer shall propose a FAT period. The FAT period is at least 4
months.

3. The warranty period for the i-SPKP System that has been developed is at
least twelve (12) months after FAT. Please state the proposed warranty period.

4. Tenderers are required to provide support and maintenance services within
the warranty period of the developed system after the Final Acceptance
Certificate (FAC) is signed. During this warranty period, all repair and
maintenance services should be provided free of charge.

5. Tenderers must provide transition management services to the Government to
ensure that the transition to the new system runs smoothly and that the new
organizational systems, processes and models are successfully adopted.

6. The tenderer should explain the management approach, activities, scope of
services, roles and responsibilities of all parties involved with transition
management.

7. Tenderers are required to provide technical support services for the i-SPKP
system, including 'onsite services', throughout the warranty period as
specified in Appendix A10 - Service Level Agreement. The tenderer needs to
complete the contact information for technical support in Appendix A1:
Proposed Development of the i-SPKP System.

8. The tenderer must submit the Corrective Maintenance (CM) report to the MOT
to review all CM work and SLA compliance as stated in Appendix A10 - Service
Level Agreement.

9. Tenderers are required to ensure service of the best quality, efficient and
fast.

10. The tenderer must have a hotline (Single Point of Contact) and helpdesk
that can be contacted 24/7 by the Government for project-related matters and
support throughout the warranty and maintenance period.

11. Tenderers are required to provide Helpdesk services for internal and
external users for any technical and usage issues with the i-SPKP system. The
tenderer must prepare a Helpdesk performance monitoring report covering the
following (not limited to): a) Calls / logs per week, month or other period;
b) Chart / number of calls / logs; c) Total calls / logs by type;

12. The tenderer must provide support in the form of telephone support,
on-call support and on-site support within the warranty period.

13. The tenderer shall provide officers for support services who will be
placed in the APAD office during the FAT and warranty period. The officers
should have been involved with system development.

14. Tenderers must provide 24x7 support services to the Government during the
implementation and warranty period.

15. Tenderers are required to provide support services for all system
components, and these will be handled on-site.

16. Tenderers shall provide support services during system implementation and
the warranty period as follows (not limited to): a) System failure;
b) Corrective maintenance; c) Preventive maintenance; d) Emergency
maintenance; e) Software maintenance

17. Tenderers must provide an automated application for preventive maintenance
tasks such as regular housekeeping, transaction log cleanup and database tuning
within the warranty period.

MAINTENANCE 18. The tenderer shall perform preventive and repair maintenance
throughout the warranty period. The tenderer shall state the maintenance of the
system / application / software to be provided. System / application
maintenance should be carried out at least 2 times a year, including software
upgrades and major patches within the warranty period. The tenderer has to bear
all the costs involved for this maintenance. Tenderers must carry out
preventive maintenance activities outside of office hours to ensure that the
smooth running of the Government system is not disturbed, except at other times
agreed by both parties. Upon completion of preventive maintenance activities,
the Tenderer shall test the entire system to ensure the system is fully
functional, able to operate well and stable. The tenderer must perform
performance tuning within the warranty period (during the warranty support
period).

19. Tenderer shall perform repair maintenance when a complaint is made. Repair
maintenance services should be obtained from the original manufacturer of the
software. All such costs are the responsibility of the Tenderer. The tenderer
shall resolve any problems according to the agreed SLA, starting from the time
the complaint was made. The tenderer must make a backup of all files and data
as well as carry out installation and reconfiguration if the hardware used
needs to be repaired. The tenderer shall obtain confirmation from an authorized
officer (stamp and signature) after the maintenance work is completed to
confirm that the restoration work has been done properly. The tenderer shall
submit one (1) copy of the maintenance confirmation form to the Government for
the purpose of updating records.

20. Tenderer must state the cost of a Change Request for 1 man-day. Please
state.

Post Implementation Review (PIR) 21. Tenderers shall implement a Post
Implementation Review (PIR) between 3 to 6 months after the Go Live phase to
ensure the effectiveness of project implementation and to identify the
improvements needed for the project.

22. Disaster Recovery Center (DRC)
i) The tenderer shall install, configure, test and maintain all applications
involved with DR at the Public Sector Data Center (PDSA).
ii) The tenderer shall ensure that operating systems, applications, data and
software are synchronized between the Data Center and DR.
iii) The tenderer shall perform Preventive Maintenance (PM) and Corrective
Maintenance (CM) on applications in DR, scheduled at least 2 times a year and
whenever application or software changes occur.
iv) The tenderer shall conduct simulations and a DR Test at least once a year.
v) Tenderers must include DR activities in the Project Implementation Plan.
vi) Tenderers should be directly involved, together with the DR team of the
Government, MAMPU and the parties appointed by the Government, in the event of
a disaster (before, during and after) and perform recovery on identified
critical applications.

Template Title: 2.3 MODULE DEVELOPMENT


Item Type: Services
Item Type: Local

Columns: Item; Frequency / UOM; No. Unit Size (A day); No. Unit Size (A month); Quantity

Specifications

2.3.1 General Requirements and Administrative Management
Activity unit 1 1

The submission documents for the development phase are as follows (not limited
to): a) Database Documentation; b) Source Code Documentation

The tenderer must translate or realize the 'System Requirement Specification'
(SRS) and 'System Design Specification' (SDS) into program code in the
programming language that has been selected, install it and subsequently
perform system testing as per the activities outlined in the Public Sector
Application System Engineering Guide (KRISA) published by the Malaysian
Administrative Modernization and Management Planning Unit (MAMPU), according to
the agreed Implementation Schedule.

The tenderer shall ensure that the development of the system uses Secured
Software Development Life Cycle (SSDLC) best practices with reference to The
Open Web Application Security Project (OWASP) Top 10 Application Security
Risks - 2017.

The tenderer must provide a number of programmers that is adequate, skilled
and in accordance with the project implementation schedule.

OWNERSHIP AND INTELLECTUAL PROPERTY RIGHT (IPR)
(a) Source Code: All source code that has been developed, the documentation
and the operating manual provided are the property of the Government. They must
be supplied in hard copy and soft copy and certified by the Government.
(b) Intellectual Property Right (IPR): The IPR for the system application
developed will be the property of the Government entirely.
(c) Copyright: Copyright for the system application developed will be the sole
property of the Government.

The tenderer MUST propose an Administrative Management function that includes
(not limited to) the following: a) User Group Management; b) Divisional
Administrator Management; c) User Management; d) Password Management;
e) System Code Configuration Management; f) Client Charter / Act Management;
g) Portal Management; h) User KPI Management; i) Audit Trail Management;
j) User Control Management; k) Licensing Policy Management.

The tenderer MUST ensure that this Administrative Management Function is
essentially a shared functionality for all three implementing agencies (APAD,
LPKP Sabah and LPKP Sarawak), but its supervision is separate at the level of
each implementing agency. For example, the shared modules are as follows:
a) User Group Management; b) Division Administrator; c) User; d) Password;
e) User KPI; f) Audit Trail; g) User Control. Meanwhile, the remaining modules
have features specific to the needs and operational requirements of each
implementing agency, based on existing Acts and regulations. This module is
for internal use by APAD, Sabah CVLB and Sarawak CVLB officers only.

The tenderer MUST suggest a system that takes into account (not limited to)
the following features: a) New registration / add; b) Update; c) Deactivate
(delete); d) Save; e) Does not allow multiple applications as long as the
original application has not been completed

Tenderer MUST recommend a system capable of implementing the following (not
limited to): a) Integration with identified stakeholders; b) Storing data
(historical data) as well as auto archiving / data archiving function; c) Fully
online transactions; d) Data check / cross reference against the application
criteria that have been set; e) Print (for specific data); f) Management of
uploaded documents; g) Management of delivery / distribution of information,
where the applicant can ask questions interactively and responses are also
provided interactively to help with online applications.

System Demonstration
i) Only tenderers that have passed the technical assessment and been
shortlisted will be called for presentation and system demonstration. The
tenderer must present the proposed solution and a demonstration of the system
as determined by the Government.
ii) The purpose of this system demonstration is to provide a clearer
explanation to the Government. Tenderers may not use this opportunity as a
space to gather information (unsolicited information) or as an opportunity to
complete the tender proposal with more and better information.
iii) Any expenses for the preparation and purpose of the demonstration,
including developing the product demonstration, shall be fully borne by the
tenderer. The Government will not bear any costs involved in the
implementation of the system demonstration.
iv) The tenderer will be removed if it fails to perform a system demonstration
or fails to comply with any of the terms and conditions set.
v) The system demonstration session will be held in the Klang Valley.
vi) The description of the demo is as in Appendix A11 - Demonstration.
vii) Tenderer MUST ensure the system developed for the purpose of this
demonstration is able to perform the processes for New applications on an
'end-to-end' basis.

2.3.2 Profile Management
Activity unit 1 1

The tenderer MUST propose a Profile Management function that includes (not
limited to) the following: a) Profile registration; b) Updating information

Tenderer MUST ensure this Profile Management Function is essentially a shared
functionality for all three implementing agencies (APAD, LPKP Sabah and LPKP
Sarawak), but its supervision is separate at the level of each implementing
agency.

Tenderers MUST take note that each user who will use this system needs to be
registered and have their own password. Users will consist of (not limited to)
the following: a) APAD, Sabah CVLB and Sarawak CVLB Officers; b) Operator /
Public Transport Service License; c) Government agencies; d) Agents /
individuals appointed by the operator / licensee to deal with APAD / CVLB on
licensing issues; e) Other third parties appointed / wishing to deal with
APAD / LPKP

The tenderer MUST suggest a system that takes into account (not limited to)
the following features: a) New Registration; b) Update; c) Deactivate (delete);
d) Save; e) Reject; f) Confirmation between users (between agents and
Operators) - cross reference / acknowledgment; g) Does not allow multiple
applications as long as the original application has not been completed

The tenderer MUST suggest a system capable of implementing the following (not
limited to): a) Integration with identified stakeholders; b) Upload of
documents by the operator; c) Storing data (historical data) as well as auto
archiving / data archiving function; d) Fully online transactions; e) Data
review / cross reference against predetermined application criteria; f) Print
(for specific data); g) Management of uploaded documents; h) Management of
delivery / distribution of information, where applicants can ask questions
interactively and responses are also provided interactively to help with
online applications.

2.3.3 Land Public Transport Licensing Management
Activity unit 1 1

The tenderer MUST propose a Licensing Management function that includes (not
limited to) the following: a) New Application / Addition of License / Vehicle
permit; b) Renewal Application; c) Application for Change of Conditions;
d) License Revocation Application; e) Duplicate Application; f) License
Withdrawal

The tenderer MUST ensure that the Licensing Management Function is essentially
a shared functionality for all three implementing agencies (APAD, LPKP Sabah
and LPKP Sarawak), but its supervision is separate at the level of each
implementing agency.

The tenderer MUST suggest a system that takes into account (not limited to)
the following features: a) New / added; b) Update; c) Deactivate (delete);
d) Save; e) Does not allow multiple applications as long as the original
application has not been completed

The tenderer MUST suggest a system that takes into account the approval method,
with (not limited to) the following features: a) Use of GPKI Affordable
tokens; b) Use of PKI (for digital signature purposes); c) Approval implemented
according to the level of approval authority

Tenderer MUST ensure that the Licensing Management function for new
applications / addition of vehicle license / permit includes (not limited to)
the following: a) Issuance of Approval Offer Letters; b) Addition of vehicle
license / permit; c) Upload of documents by operator; d) Print; e) Integration
with identified stakeholders; f) Storing data (historical data) as well as auto
archiving / data archiving function; g) Fully online transactions (including
payment); h) Data check / cross reference against the application criteria that
have been set; i) Issuance of digital license and digital security features;
j) Management of uploaded documents; k) Management of delivery / distribution
of information, where applicants can ask questions interactively and responses
are also provided interactively to help with online applications.

Tenderer MUST ensure that the Licensing Management function for license
renewal applications includes (not limited to) the following: a) Application
to renew the operator's license; b) Application to renew vehicle license /
vehicle permit; c) Further age limit application; d) Upload of documents by
operator; e) Print; f) Integration with identified stakeholders; g) Storing
data (historical data) as well as auto archiving / data archiving function;
h) Fully online transactions (including payment); i) Data check / cross
reference against predetermined application criteria (including operator
performance reporting review); j) Issuance of digital license and digital
security features; k) Management of uploaded documents; l) Management of
delivery / distribution of information, where the applicant can ask questions
interactively and responses are also provided interactively to help with
online applications.

Tenderer MUST ensure that the Licensing Management function for applications
to Change the Terms includes (not limited to) the following: a) Application to
change the conditions of the operator's license; b) Application to change the
conditions of the vehicle license / vehicle permit; c) Application to change
the corporate color condition of the vehicle; d) Production of the letter of
approval for an application to change conditions; e) Upload of documents by
the operator; f) Print; g) Integration with identified stakeholders;
h) Storing data (historical data) as well as auto archiving / data archiving
function; i) Fully online transactions (including payment); j) Data check /
cross reference against the application criteria that have been set (including
operator performance reporting review); k) Issuance of digital license and
digital security features; l) Management of uploaded documents; m) Management
of information delivery / distribution, where applicants can ask questions and
responses interactively

Tenderer MUST ensure that the Licensing Management function for duplicate
applications includes (not limited to) the following: a) Duplicate application
for operator license; b) Duplicate application for vehicle license / vehicle
permit; c) Upload of documents by operator; d) Print; e) Integration with
identified stakeholders; f) Storing data (historical data) as well as auto
archiving / data archiving function; g) Fully online transactions (including
payment); h) Data check / cross reference against predetermined application
criteria (including operator performance reporting review); i) Issuance of
digital license and digital security features; j) Management of uploaded
documents; k) Management of delivery / distribution of information, where the
applicant can ask questions interactively and responses are also provided
interactively to help with online applications.

Tenderer MUST ensure that the Licensing Management function for Issuance of
License includes (not limited to) the following: a) Application to license a
vehicle over the age limit; b) Upload of documents by operator; c) Print;
d) Integration with identified stakeholders; e) Storing data (historical data)
as well as auto archiving / data archiving function; f) Fully online
transactions (including payment); g) Data check / cross reference against the
application criteria that have been set; h) Issuance of digital license and
digital security features; i) Management of uploaded documents; j) Management
of delivery / distribution of information, where applicants can ask questions
interactively and responses are also provided interactively to help with
online applications.

2.3.4 Driver Card Management
Activity unit 1 1

The tenderer MUST recommend a Driver Card Management function that includes
(not limited to) the following: a) New Application; b) Renewal Application;
c) Cancellation Application

The tenderer MUST ensure that the Licensing Management Function is essentially
a shared functionality for all three implementing agencies (APAD, LPKP Sabah
and LPKP Sarawak), but its supervision is separate at the level of each
implementing agency.

The tenderer MUST suggest a system that takes into account (not limited to)
the following features: a) New / added; b) Update; c) Deactivate (delete);
d) Save; e) Does not allow multiple applications as long as the original
application has not been completed

The tenderer MUST suggest a system that takes into account the approval method,
with (not limited to) the following features: a) Use of GPKI Affordable
tokens; b) Use of PKI (for digital signature purposes); c) Approval implemented
according to the level of approval authority

Tenderer MUST ensure that the Driver Card Management function for new
applications includes (not limited to) the following: a) New driver card
application; b) Upload of documents by operator; c) Print; d) Integration with
identified stakeholders; e) Storing data (historical data) as well as auto
archiving / data archiving function; f) Fully online transactions (including
payment); g) Data check / cross reference against the application criteria that
have been set; h) Issuance of digital license and digital security features;
i) Management of uploaded documents; j) Management of delivery / distribution
of information, where applicants can ask questions interactively and responses
are also provided interactively to help with online applications.

Tenderer MUST ensure that the Driver Card Management function for renewal
applications includes (not limited to) the following: a) Driver card renewal
application; b) Upload of documents by the operator; c) Print; d) Integration
with identified stakeholders; e) Storing data (historical data) as well as auto
archiving / data archiving function; f) Fully online transactions (including
payment); g) Data check / cross reference against the application criteria that
have been set (including driver performance reporting review); h) Issuance of
digital license and digital security features; i) Management of uploaded
documents; j) Management of delivery / distribution of information, where
applicants can ask questions interactively and responses are also provided
interactively to help with online applications.

Tenderer MUST ensure that the Driver Card Management function for cancellation
applications includes (not limited to) the following: a) Driver card
cancellation application; b) Upload of documents by the operator; c) Print;
d) Integration with identified stakeholders; e) Storing data (historical data)
as well as auto archiving / data archiving function; f) Fully online
transactions (including payment); g) Data check / cross reference against the
application criteria that have been set; h) Management of uploaded documents;
i) Management of delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided interactively to
help with online applications.

2.3.5 Intermediary Business License Management
Activity unit 1 1

The tenderer MUST recommend an Intermediary Business License Management
function that includes (not limited to) the following: a) E-Hailing Operator
Management (EHO); b) Vehicle Permit Management (EVP)

The tenderer MUST ensure that the Licensing Management Function is essentially
a shared functionality for all three implementing agencies (APAD, LPKP Sabah
and LPKP Sarawak), but its supervision is separate at the level of each
implementing agency.

The tenderer MUST suggest a system that takes into account (not limited to)
the following features: a) New / added; b) Update; c) Deactivate (delete);
d) Save; e) Does not allow multiple applications as long as the original
application has not been completed

The tenderer MUST suggest a system that takes into account the approval method,
with (not limited to) the following features: a) Use of GPKI Affordable
tokens; b) Use of PKI (for digital signature purposes); c) Approval implemented
according to the level of approval authority

The tenderer MUST ensure that the Intermediary Business License Management
function for Management of EHO Operators includes (not limited to) the
following: a) New Application / Vehicle Quota Increase; b) Renewal
Application; c) Conditional Change Application; d) EHO License Submission
Application; e) Print; f) Integration with identified stakeholders; g) Storing
data (historical data) as well as auto archiving / data archiving function;
h) Fully online transactions (including payment); i) Data check / cross
reference against the application criteria that have been set (including
operator performance reporting review); j) Issuance of digital licenses and
digital security features; k) Management of uploaded documents; l) Management
of delivery / distribution of information, where applicants can ask questions
interactively and responses are also given interactively to help with online
applications.

The tenderer MUST ensure that the Intermediary Business License Management
function for Vehicle Permit Management (EVP) includes (not limited to) the
following: a) EVP Registration; b) EVP Conversion Application; c) EVP
Cancellation Application; d) EVP Submission Application; e) Print;
f) Integration with identified stakeholders; g) Storing data (historical data)
as well as auto archiving / data archiving function; h) Fully online
transactions (including payment); i) Data check / cross reference against the
application criteria that have been set; j) Management of uploaded documents;
k) Management of delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided interactively to
help with online applications.

2.3.6 Compliance Management
Activity unit 1 1

Tenderer MUST recommend a Compliance Management function that includes (not
limited to) the following: a) Compliance Action Management; b) Management of
Withdrawal / Termination of Suspension / Cancellation; c) Training Preparation
Management

The tenderer MUST ensure that this Compliance Management Function is
essentially a shared functionality for all three implementing agencies
(APAD, LPKP Sabah, LPKP Sarawak), but its supervision is separate at the
level of each implementing agency.

The tenderer MUST suggest a system that takes into account (not
limited to) the following features: a) New b) Update c) Save d)
Does not allow multiple applications as long as the original
application has not been completed or completed

The tenderer MUST suggest a system that takes into account the method
of approval, with (not limited to) the following features: a)
Use of GPKI Affordable tokens b) Use of PKI (for the purpose of
digital signature) c) Approval implemented according to the level of
approval authority

The tenderer MUST ensure the Compliance Management - Compliance Action
function, which includes (not limited to) the following: a)
Upload documents by operator / third party b) Print c) Integration
with identified stakeholders d) Storing data
(historical data) as well as auto archiving / data archiving function e) Transactions
completely online f) Review data / cross reference (Cross
Reference) with predetermined application criteria (incl
operator performance reporting review) g) Production of digital documents
(suspension / cancellation notice) and digital security features h)
Management of uploaded documents i) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

The tenderer MUST ensure the Compliance Management - Withdrawal /
Termination of Suspension function, which includes (not limited to)
the following: a) Upload documents by operator / third party b)
Print c) Integration with existing stakeholders
identified d) Storing data (historical data) as well as auto function
archiving / data archiving e) Completely online transaction
(issuance of suspension / cancellation notification) f) Check
data / cross reference (Cross Reference) with the application criteria
has been set (including operator performance reporting review) g)
Issuance of digital documents (suspension / cancellation notice) and
digital security features h) Management of uploaded documents i)
Management of delivery / distribution of information, where the applicant
can ask questions interactively and responses are also provided
interactively to help with online application.

The tenderer MUST ensure the Training Management function - New
Application, which includes (not limited to) the following: a)
Print b) Integration with existing stakeholders
identified c) Storing data (historical data) as well as auto function
archiving / data archiving d) Completely online transaction
(payment application) e) Check data / cross reference (Cross
Reference) with the application criteria that have been set f)
Digital document production and digital security features
g) Management of uploaded documents h) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

The tenderer MUST ensure the Training Management function - Renewal
Application, which includes (not limited to) the following: a)
Upload documents by applicant b) Print c) Integration with parties
identified interests d) Storing data (historical
data) as well as auto archiving / data archiving function e) Transaction
fully online (issuance of suspension / cancellation notification) f)
Check data / cross reference (Cross Reference) with criteria
predefined applications (including reporting reviews
applicant performance) g) Issuance of digital documents (notice
suspension / cancellation) and digital security features

The tenderer MUST ensure the Training Management function - Cancellation
Application, which includes (not limited to) the following: a)
Upload documents by applicant b) Print c) Integration with parties
identified interests d) Storing data (historical
data) as well as auto archiving / data archiving function e) Transaction
fully online (issuance of suspension / cancellation notification) f)
Check data / cross reference (Cross Reference) with criteria
predefined application g) Issuance of digital documents (notice
suspension / cancellation) and digital security features h)
Management of uploaded documents i) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

The tenderer MUST ensure the Training Management function - Report
Preparation Application, which includes (not limited to) the
following: a) Upload the document by the applicant b) Print c) Integration
with identified stakeholders d) Storing data
(historical data) as well as auto archiving / data archiving function e) Transactions
completely online (notification of
suspension / cancellation) f) Data review / cross reference (Cross
Reference) with predetermined application criteria (incl
operator performance reporting review) g) Production of digital documents
(suspension / cancellation notice) and digital security features h)
Management of uploaded documents i) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

2.3.7 Railway Licensing and Enforcement Management
Activity unit 1 1

The tenderer MUST recommend the Railway Licensing and Enforcement
Management function, which includes (not limited to)
the following: a) New Railway License Application b)
Train License Renewal Application c) Registration of Notice of
Train Accidents / Service Interruptions d) Application for Activities
in the Railway Protection Zone e) Quality Assurance Management

The tenderer MUST ensure that this Railway Licensing and Enforcement
Management Function is essentially a shared functionality for the three
implementing agencies (APAD, LPKP Sabah, LPKP Sarawak), but its
supervision is separate at the level of each implementing agency.
- Currently, this function will apply to APAD only.
- Tenderers NEED to make sure this function can be used by Sabah CVLB /
Sarawak CVLB if needed in the future.

The tenderer MUST suggest a system that takes into account (not
limited to) the following features: a) New Registration b) Update c)
Deactivate (delete) d) Save e) Do not allow
multiple applications as long as the original application has not been completed
or completed

The tenderer MUST suggest a system that takes into account the method
of approval, with (not limited to) the following features: a)
Use of GPKI Affordable tokens b) Use of PKI (for the purpose of
digital signature) c) Approval implemented according to the level of
approval authority

The tenderer MUST ensure the Railway Licensing Management function -
New Train License Application, which includes (not limited
to) the following: a) Registration of new applications b)
Upload documents by operator c) Print d) Integration with parties
identified interests e) Storing data (historical
data) as well as auto archiving / data archiving function f) Transactions
fully online (including payment) g) Check data / cross
reference (Cross Reference) with the application criteria that have been
set h) Digital and characteristic document production
digital security i) Management of uploaded documents j)
Management of delivery / distribution of information, where the applicant
can ask questions interactively and responses are also provided
interactively to help with online application.

The tenderer MUST ensure the Railway Licensing Management function -
Railway License Renewal Application, which includes (not
limited to) the following: a) Renewal application registration
b) Upload documents by operator c) Print d) Integration with
identified stakeholders e) Storing data
(historical data) as well as auto archiving / data archiving function f) Transactions
fully online (including payment) g) Check
data / cross reference (Cross Reference) with the application criteria
has been set h) Digital and characteristic document production
digital security i) Management of uploaded documents j)
Management of delivery / distribution of information, where the applicant
can ask questions interactively and responses are also provided
interactively to help with online application.

The tenderer MUST ensure the Railway Licensing Management function -
Annual Fee Payment (involves new application module
renew), which includes (not limited to) the following: a)
Issuance of payment reminder notification b) Upload documents
by the operator c) Print d) Integration with stakeholders
which has been identified e) Storing data (historical data) as well as functions
auto archiving / data archiving f) Online transactions
fully (including payment) g) Review data / cross reference
(Cross Reference) with the application criteria that have been set
(including operator performance reporting review) h) Production
digital documents and digital security features i) Management
documents uploaded j) Management of delivery / distribution
information, where applicants can ask questions interactively
and responses are also given interactively to help matters
online application.

The tenderer MUST ensure the Railway Enforcement Management function -
Registration of Railway Accident / Service Interruption Notice,
which includes (not limited to) the following:
a) Registration of Railway Accident / Service Interruption Notice
b) Upload documents by operator c) Print d) Integration with
identified stakeholders e) Storing data
(historical data) as well as auto archiving / data archiving function f) Check
data / cross reference (Cross Reference) with the application criteria
has been set (including operator performance reporting review) g)
Digital document production and digital security features h)
Management of uploaded documents i) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

The tenderer MUST ensure the Railway Enforcement Management function -
Application for Activities in the Railway Protection Zone, which
includes (not limited to) the following: a) Registration
Application for Activities in the Railway Protection Zone b) Upload
documents by the operator c) Print d) Integration with the parties
identified interests e) Online transactions
in full (including payment) f) Storing data (historical data)
as well as auto archiving / data archiving function g) Check data / refer
cross (Cross Reference) with the application criteria that have been
set h) Digital and characteristic document production
digital security i) Management of uploaded documents j)
Management of delivery / distribution of information, where the applicant
can ask questions interactively and responses are also provided
interactively to help with online application.


The tenderer MUST ensure the Railway Enforcement Management function -
Quality Assurance Management, which includes (not limited
to) the following: a) Registration of the Inspection Notification
to be implemented on the operator b) Upload the document by
operators c) Use of mobile applications by enforcement officers
to upload the results of the inspection carried out d) Print e)
Integration with identified stakeholders f)
Storing data (historical data) as well as auto archiving / data function
archiving g) Check data / cross reference with
predetermined application criteria h) Issuance of reporting
on the results of the inspection i) Management of uploaded documents j)
Management of delivery / distribution of information, where the applicant
can ask questions interactively and responses are also provided
interactively to help with online application.

2.3.8 Payment Management
Activity unit 1 1

The tenderer MUST recommend the Payment Management function, which
includes (not limited to) the following: a) Online
Payment b) Counter Payment c) Revenue Collection
Adjustment

The tenderer MUST ensure that the Profile Management Function is
essentially a shared functionality of the three implementing agencies
(APAD, LPKP Sabah, LPKP Sarawak), but the supervision is
separate at the level of the respective implementing agencies.

Tenderers MUST recommend a system that takes into account (not
limited to) the following features: a) Registration of new payments b)
Update c) Deactivate / delete d) Save e) Does not
allow multiple applications as long as the original application
has not been completed or completed

The tenderer MUST suggest a system that takes into account the method
of approval, with (not limited to) the following features: a)
Use of GPKI Affordable tokens b) Use of PKI (for the purpose of
digital signature) c) Approval implemented according to the level of
approval authority

The tenderer MUST ensure the Payment Management function -
Online Payments, which includes (not limited to)
the following: a) Receipt of payment online through
portal b) Print e) Integration with stakeholders who have
identified g) Storing data (historical data) as well as auto function
archiving / data archiving h) Check data / cross reference (Cross
Reference) with the application criteria that have been set i)
Issuance of digital receipts and digital security features j)
Management of uploaded documents k) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

The tenderer MUST ensure the Payment Management function -
Payment at the Counter, which includes (not limited to) the
following: a) Receipt of payment manually at the counter b)
Print e) Integration with existing stakeholders
identified g) Storing data (historical data) as well as auto
archiving / data archiving function h) Check data / cross reference (Cross
Reference) with the application criteria that have been set i)
Issuance of digital receipts and digital security features j)
Management of uploaded documents

The tenderer MUST ensure the Payment Management function -
Revenue Collection Adjustments, which includes (not limited to)
the following: a) Preparation of financial reporting according to procedures
government finance b) Printing e) Integration with stakeholders
which has been identified g) Storing data (historical data) as well as functions
auto archiving / data archiving h) Check data / cross reference (Cross
Reference) with the application criteria that have been set i)
Management of uploaded documents

2.3.9 Terminal / Depot / Ticket Agent Licensing Management
Activity unit 1 1

The tenderer MUST recommend the Terminal / Depot / Ticket Agent
Licensing Management function, which includes (not limited to)
the following: a) New Application for Terminal / Depot / Ticket Agent
License b) Application for Renewal of Terminal / Depot / Ticket Agent License c)
Application for Change of Terminal / Depot / Ticket Agent License Conditions d)
Audit / Rating Registration for Terminal / Depot / Ticket Agent License e)
Terminal / Depot / Ticket Agent Cancellation Application

The tenderer MUST ensure that this Terminal / Depot / Ticket Agent
Licensing Management Function is essentially a shared functionality
for all three implementing agencies (APAD, LPKP Sabah, LPKP
Sarawak), but its supervision is separate at the level of the
respective implementing agencies.
- For now, this function will be applicable in APAD only.
- Tenderers NEED to ensure this function can be used by LPKP Sabah /
LPKP Sarawak if needed in the future.

The tenderer MUST suggest a system that takes into account (not limited
to) the following features: a) New Registration b) Update c) Deactivate /
Delete d) Save e) Do not allow multiple applications
as long as the original application has not been completed or
completed

The tenderer MUST suggest a system that takes into account the method
of approval, with (not limited to) the following features: a)
Use of GPKI Affordable tokens b) Use of PKI (for the purpose of
digital signature) c) Approval implemented according to the level of
approval authority

The tenderer MUST ensure the Terminal / Depot / Ticket Agent Licensing
Management function - New Application for Terminal / Depot / Ticket
Agent, which includes (not limited to) the following: a)
New application registration b) Upload documents by operator
c) Print d) Integration with stakeholders who have
identified e) Storing data (historical data) as well as auto function
archiving / data archiving f) Completely online transaction
(including payment) g) Check data / cross reference (Cross
Reference) with the application criteria that have been set h)
Digital document production and digital security features i)
Management of uploaded documents j) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactively to help with online applications.

The tenderer MUST ensure the Terminal / Depot / Ticket Agent Licensing
Management function - Renewal Application for
Terminal / Depot / Ticket Agent, which includes (not limited to)
the following: a) Renewal application registration b) Upload
documents by the operator c) Print d) Integration with the parties
identified interests e) Storing data (historical
data) as well as auto archiving / data archiving function f) Transactions
fully online (including payment) g) Check data / cross
reference (Cross Reference) with the application criteria that have been
set (including operator performance reporting review) h)
Digital document production and digital security features i)
Management of uploaded documents j) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

The tenderer MUST ensure the Terminal / Depot / Ticket Agent Licensing
Management function - Request to Change Terms for
Terminal / Depot / Ticket Agent, which includes (not limited to)
the following: a) Registration of application for change of conditions b) Upload
documents by the operator c) Print d) Integration with the parties
identified interests e) Storing data (historical
data) as well as auto archiving / data archiving function f) Transactions
fully online (including payment) g) Check data / cross
reference (Cross Reference) with the application criteria that have been
set (including operator performance reporting review) h)
Digital document production and digital security features i)
Management of uploaded documents j) Management
delivery / distribution of information, where applicants can
ask questions interactively and responses are also provided
interactive to help with online applications.

The tenderer MUST ensure the Terminal / Depot / Ticket Agent Licensing
Management function - Audit / Rating Registration for
Terminal / Depot / Ticket Agent, which includes (not limited to)
the following: a) Audit / rating registration for Terminal / Depot / Agent
Ticket b) Registration Notification Examination audit / rating to be
implemented on Terminal / Depot / Ticket Agent b) Upload documents
by the operator c) Use of mobile applications by enforcement
officers to upload the results of the audit inspection / rating
implemented d) Print e) Integration with stakeholders who
has been identified f) Storing data (historical data) as well as auto function
archiving / data archiving g) Checking data / cross reference (Cross
Reference) with the application criteria that have been set h)
Issuance of reporting on inspection results i) Management
uploaded documents

2.3.10 Meeting Management
Activity unit 1 1

The tenderer MUST propose a Meeting Management function that
includes (not limited to) the following: a) Management of Meeting
Committee Members b) Registration of Meetings c) Update of
Meeting Information d) Review and Display of Meeting Information e)
Management of Confirmation of Meeting Results

The tenderer MUST ensure that the Meeting Management Function is
essentially a shared functionality for all three implementing agencies
(APAD, LPKP Sabah, LPKP Sarawak), but its supervision is separate at the
level of each implementing agency. This module is for internal use by
officers of APAD, Sabah CVLB and Sarawak CVLB only.

The tenderer MUST suggest a system that takes into account (not
limited to) the following features: a) New Registration / add b)
Update c) Deactivate / delete d) Save e) Does not
allow multiple applications as long as the original application
has not been completed or completed

The tenderer MUST suggest a system that takes into account the method
of approval, with (not limited to) the following features: a)
Use of GPKI Affordable tokens b) Use of PKI (for the purpose of
digital signature) c) Approval implemented according to the level of
approval authority

The tenderer MUST ensure the Meeting Management function -
Management of Meeting Committee Members, which includes (not
limited to) the following: a) Registration / addition of new members
b) Print c) Store data (historical data) and auto function
archiving / data archiving d) Checking data / cross reference (Cross
Reference) with the application criteria that have been set e)
Issue meeting notifications to members

The tenderer MUST ensure the Meeting Management function -
Meeting Registration, which includes (not limited to) the
following: a) Meeting registration b) Printing c) Storing data
(historical data) as well as auto archiving / data archiving function d) Check
data / cross reference (Cross Reference) with the application criteria
has been set e) Issue meeting notifications to members

The tenderer MUST ensure the Meeting Management function -
Update of Meeting Information, which includes (not limited
to) the following: a) Update of meeting information
(change / cancel) b) Print c) Save data (historical data)
as well as auto archiving / data archiving function d) Check data / refer
cross (Cross Reference) with the application criteria that have been
set e) Issue meeting notifications to members

The tenderer MUST ensure the Meeting Management function - Review
and Display of Meeting Information, which includes (not limited
to) the following: a) Perform information review
meeting b) Implement review of meeting information display c)
Check the application data in the system and make sure there are none
overlapping applications are presented in the meeting d) Checking
status of applications that have not been approved / were postponed in the
previous meeting e) Print f) Storing data (historical data) as well as
auto archiving / data archiving function g) Issue notifications
meeting to members

The tenderer MUST ensure the Meeting Management function -
Confirmation of Meeting Results, which includes (not limited
to) the following: a) Implement decision verification
meetings according to the approved approval level c)
Check the application data in the system and make sure there are none
duplication of applications presented in the meeting d)
Provide reporting on results from previous meetings
e) Print f) Storing data (historical data) as well as auto archiving function
/ data archiving g) Issue meeting notifications to members

2.3.11 Dashboard and Report Management
Activity unit 1 1

The tenderer MUST recommend the Dashboard and Report Management
function, which includes (not limited to) the following: a)
Dashboard Maintenance b) Dashboard Display c) Trend View
d) Report Generation e) Export Report

The tenderer MUST ensure that this Dashboard and Report Management
Function is essentially a shared function for the three implementing
agencies (APAD, LPKP Sabah, LPKP Sarawak), but its supervision is
separate at the level of each implementing agency. This module is for
internal use by officers of APAD, Sabah CVLB and Sarawak CVLB only.

The tenderer MUST ensure the Dashboard and Report Management function -
Dashboard Maintenance, which includes (not limited
to) the following: a) Perform dashboard maintenance
b) Check data / cross reference (Cross Reference) with criteria
predefined applications c) Integration of data in the system d)
Print d) Storing data (historical data) and auto archiving function /
data archiving

The tenderer MUST ensure the Dashboard and Report Management function -
Dashboard View, which includes (not limited to)
the following: a) Check data / cross reference (Cross Reference)
with predetermined application criteria c) Data integration
in the system d) Print d) Store data (historical data) and functions
auto archiving / data archiving

The tenderer MUST ensure the Dashboard and Report Management function -
Trend View, which includes (not limited to)
the following: a) Check data / cross reference (Cross Reference)
with predetermined application criteria c) Data integration
in the system d) Print d) Store data (historical data) and functions
auto archiving / data archiving

The tenderer MUST ensure the Dashboard and Report Management function -
Report Generation, which includes (not limited to)
the following: a) Check data / cross reference (Cross Reference)
with predetermined application criteria b) Generate reporting
based on any data available in the system through methods
'drop down menu' c) Ability to generate reporting in a
periodic or 'ad hoc' d) Ability to generate reporting
standard as well as dynamic c) Integration of data in the system d)
Print e) Storing data (historical data) and auto archiving function /
data archiving

The tenderer MUST ensure the Dashboard and Report Management function -
Export Reports, which includes (not limited to)
the following: a) Ability to 'export' reports in format
excel, PDF, csv b) Review data / cross reference (Cross Reference)
with predetermined application criteria c) Data integration
in the system d) Print e) Store data (historical data) as well as functions
auto archiving / data archiving f) Generate reporting regularly and
'ad-hoc'

2.3.12 Counter Management
Activity unit 1 1

The tenderer MUST propose a Counter Management function that
includes (not limited to) the following: a) Review and
Application Status Search b) Payment c) Print

The tenderer MUST ensure that this Counter Management Function is
essentially a shared functionality for all three implementing agencies
(APAD, LPKP Sabah, LPKP Sarawak), but its supervision is separate at the
level of each implementing agency. This module is for internal use by
officers of APAD, Sabah CVLB and Sarawak CVLB only.

The tenderer MUST suggest a system that takes into account (not
limited to) the following features: a) Review b) Update c) Deactivate /
Delete d) Save e) Do not allow multiple applications
as long as the original application has not been completed or
completed

The tenderer MUST suggest a system that takes into account the method
of approval, with (not limited to) the following features: a)
Use of GPKI Affordable tokens b) Use of PKI (for the purpose of
digital signature) c) Approval implemented according to the level of
approval authority

The tenderer MUST ensure the Counter Management function - Review and
Application Status Search, which includes (not limited to)
the following: a) Review and search of application / profile status
operator b) Print c) Store data (historical data) as well as functions
auto archiving / data archiving d) Online transactions
fully (including payment) e) Review data / cross reference
(Cross Reference) with the application criteria that have been set

The tenderer MUST ensure the Counter Management function - Payment,
which includes (not limited to) the following: a) Accept
all types of payment manually at the counter b) Print receipt c)
Storing data (historical data) as well as auto archiving / data function
archiving d) Check data / cross reference (Cross Reference) with
predetermined application criteria

The tenderer MUST ensure the Counter Management function - Print,
which includes (not limited to) the following: a) This print function
is specifically for Sabah CVLB and Sarawak CVLB because these agencies
will continue to practice vehicle license printing
manually using serial paper and security features b)
Storing data (historical data) as well as auto archiving / data function
archiving c) Check data / cross reference with
predetermined application criteria

2.3.13 Cross-Border Application Management
Activity unit 1 1

The tenderer MUST propose the Cross-Border Application Management
function, which includes (not limited to) the following: a)
New Application for Cross-Border

The tenderer MUST ensure that this Cross-Border Application Management
Function is essentially a shared function for the three implementing
agencies (APAD, LPKP Sabah, LPKP Sarawak), but its supervision is
separate at the level of each implementing agency.

The tenderer MUST suggest a system that takes into account (not
limited to) the following features: a) Registration of new applications b)
Update c) Deactivate / delete d) Save e) Does not
allow multiple applications as long as the original application
has not been completed or completed

The tenderer MUST suggest a system that takes into account the method
of approval, with (not limited to) the following features: a)
Use of GPKI Affordable tokens b) Use of PKI (for the purpose of
digital signature) c) Approval implemented according to the level of
approval authority

The tenderer MUST ensure the Cross-Border Application Management
function - New Application, which includes (not limited
to) the following: a) Registration of new applications b)
Upload documents by operator c) Print d) Integration with parties
identified interests e) Storing data (historical
data) as well as auto archiving / data archiving function f) Transactions
fully online (including payment) g) Check data / cross
reference (Cross Reference) with the application criteria that have been
set h) Digital and characteristic document production
digital security i) Management of uploaded documents j)
Management of delivery / distribution of information, where the applicant
can ask questions interactively and responses are also provided
interactively to help with online application.

2.3.14 Mobile Application Management
Activity unit 1 1

The tenderer MUST recommend the Mobile Application Management function, which
includes (not limited to) the following: a) Revision For
Enforcement b) Application Status Check c) Audit process
update (Railway Enforcement Terminal Licensing Management)

The tenderer MUST ensure that this Mobile Application Management Function
is essentially a shared function for all three implementing agencies
(APAD, LPKP Sabah, LPKP Sarawak), but its supervision is separate at the
level of each implementing agency.

The tenderer MUST suggest a system that takes into account (not
limited to) the following features: a) Access to the operator
profile b) Access to check status of application c) Access to
audit process update (Terminal Licensing Management
Railway Enforcement) d) Delivery of any notification
regarding the profile of the operator / application made

The tenderer MUST ensure the Mobile Application Management function -
Revision For Enforcement, which includes (not limited to)
the following: a) Check data / cross reference (Cross Reference)
with predetermined application criteria c) Data integration
in the system d) Ability to check on validity
printed document information compared to information /
digital documents e) Provide alternative review methods if at
enforcement area / time no internet access

The tenderer MUST suggest a method or technology for alternative
enforcement review in the event of an incident where
the area / time does not have access to the internet.

Template Title: 1. EQUIPMENT AND HARDWARE


Item Type: Products

Item Type: Local

UOM Price Type Quantity


Item
Specifications

1.1 Web Application Firewall unit Standard Standard 3

Year made (please specify)
Proposed brand model (please specify)
Please attach brochure

SYSTEM HARDWARE AND PERFORMANCE REQUIREMENTS

The proposed solution must provide web application protection from data
breaches and web defacement on an appliance platform and based on a hardened
operating system.

The proposed solution must support High-Availability configuration in
Active / Passive and Active / Active manner natively. The proposed solution must
have the capability to support minimum of 200Mbps web traffic throughput.

The proposed solution must support minimum of 500,000 concurrent
connections. The proposed solution must support minimum of 30,000 HTTP
transactions per second.

The proposed solution must support minimum of 12,000 HTTPS transactions
per second. The proposed solution must support minimum of 10,000 HTTP
connections per second.

The proposed solution must come with a minimum of 2 x 1GB Ethernet Copper
ports with bypass capability for data path and 1 dedicated 1GB Ethernet
Copper port for management purposes.

The proposed solution must have recognition from the body / organization as
below: 1) Latest / current ICSA Lab certification. 2) Recommendation status
from NSS Labs. 3) Leader or strong performers in FORRESTER WAF WAVE
2020 4) LEADERS or CHALLENGERS in GARTNER MAGIC QUADRANT for
WAF 2019

The proposed solution must be able to be deployed in the following deployment
type configuration: 1. Reverse Proxy Deployment a. Full Reverse Proxy
Mode / Two-Armed Reverse Proxy Mode b. One-Armed Proxy Mode The
proposed solution must be developed based on reverse proxy architecture.

COMPREHENSIVE APPLICATION SECURITY REQUIREMENTS

The proposed solution must provide complete protection against all of the
latest / current OWASP TOP 10 Vulnerabilities. The proposed solution must
provide best practice for planning and defending against attacks by
ANONYMOUS. The proposed solution must provide detailed steps in defending
against application-based DDoS attacks. The proposed solution must provide
protection against Top Web Application Threats listed by PCI COUNCIL or other
security organizations.

The proposed solution must provide input / protocol validation of: 1.
HTTP / HTTPS 0.9 / 1.0 / 1.1 and HTTP / 2.0 (HTTP version 2.0) 2. FTP / FTPS -
Control and restrict specific FTP Command(s) (i.e. MGET, GET, MPUT, PUT,
etc.) 3. XML 4. IPv4 and IPv6 5. WebSocket

The proposed solution must support Proxy Protocol support for HTTPS and
WebSocket services. The proposed solution must provide form input protection
which include the ability to validate parameter types, input sizes, input
characters and other form input values. The proposed solution must provide
server cloaking that suppresses identifiable server information in web
application responses. The proposed solution must provide data theft and data
loss protection to inspect outgoing data and to either mask sensitive
information or to block the entire response. Data theft can be configured to
protect Card information, Identity numbers or even Custom patterns. The
proposed solution must provide request forgery protection to identify and block
unsolicited requests from spoofing clients.

The proposed solution must provide session tampering protection to protect
against unauthorized alteration or to prevent third party impersonation attacks.
This has to include cookie encryption capabilities. The proposed solution must
provide session riding and clickjacking protection to prevent malicious
JavaScript form attacks. The proposed solution must provide anti-virus and
malware protection to ensure that infected files are not uploaded to the web
application. The proposed solution must provide protection against Slow Client
attacks. The proposed solution must provide protection against brute force
attacks. The proposed solution must provide protection against Denial of
Service attacks.

The proposed solution must provide comprehensive IP Reputation protection
which includes the following: 1. IP reputation blocklist database 2. Anonymous
Proxies 3. Satellite ISP Identity 4. TOR nodes 5. GEO IP awareness with
custom GEO IP entries for blacklist or whitelist 6. Public proxy 7. Known HTTP
Attack Sources 8. Known SSH Attack Sources 9. Fake crawlers

The proposed solution must be able to apply Geo IP and IP Reputation Policy
enforcement at both network layer and Layer 7. The proposed solution must
provide Finger Print Evasion where administrators can change the system
generated tokens. The proposed solution must be able to employ both negative
and positive security models. The proposed solution must provide Client
fingerprinting and CAPTCHA challenge integration to differentiate between
humans, bots and suspicious clients. The proposed solution must provide
Perfect Forward Secrecy (PFS) with ECDSA and RSA certificates and
associated ciphers to enhance SSL security. The proposed solution must
provide URL encryption to prevent the original URLs and the directory structure
from being exposed externally. The proposed solution must provide True File
type / MIME checks for file uploads to prevent a hacker from changing a file
extension. The proposed solution must provide JSON payload inspection
where the administrator can define gran

The proposed solution must provide authentication and authorization
integration that includes the following: 1. LDAP 2. Active Directory 3. RADIUS
4. Local user database 5. SAML 2.0 6. Client certificates validation using
OCSP and CRL 7. Single Sign-On 8. Azure AD 9. RSA SecurID for OTP 10.
CA SiteMinder 11. SMS Passcode 12. Kerberos v5 13. Multi-Domain support
14. Two-Factor authentication 15. OpenID

The proposed solution must provide admin account password complexity which
combines password policies like minimum strength, expiry and maximum
retries before account lockout. The proposed solution must provide Role-Based
Access Control for REST APIv3. The proposed solution must be able to do
Two-Factor Authentication for Administrator Access and Role-Based Access
Control. The proposed solution must provide load balancing feature to
distribute Layer 4 / Layer 7 traffic to multiple backend servers with integrated
application monitoring. The proposed solution must also support layer 7
persistence method. The proposed solution must support Load Balancing
across Server Name Resolution. The proposed solution must provide Layer 7
content routing capabilities that allow administrators to map URL domains to
different backend servers. The proposed solution must provide SSL offloading
capabilities, thereby freeing up the processing power of the servers and
making them more efficient.

The proposed solution must provide Instant SSL capabilities to convert HTTP
based applications to HTTPS without having to touch the application code. The
proposed solution must provide a mode where it can encrypt plaintext HTTP on
behalf of the web applications, redirecting incoming HTTP requests to the
HTTPS service and rewriting http hyperlinks in the response to https. No
changes should be required to the backend servers or application code. The
proposed solution must provide the following blocking capabilities: 1.
connection reset 2. send custom error response page 3. redirect the request or
4. block the offending client IP (s) for a time period.

The proposed solution must provide capability to selectively release Locked out
client IP address from the lockout client list. The solution must provide HTML
rewriting functionality. It should be possible to add, delete and edit request and
response headers, translate URL spaces, rewrite or redirect the URL in the
request, and rewrite the response body. Regular expression like syntax should
be available for the required text manipulations. The proposed solution must
provide the ability to define different policies for different applications and
provide canned policies for common applications like Outlook Web Access,
SharePoint and Oracle. The proposed solution management components must
include facilities to develop custom signatures that identify specific, unique
risks associated with protected applications, preferably assisted through a
regex tool.

The proposed solution must provide integrated file caching to cache selected
outgoing responses, outbound response compression and connection
pooling / TCP multiplexing capabilities that improve content delivery while
decreasing backend server load. The proposed solution must provide rate
control capabilities to control the number of application sessions being created
and / or how many times a client can access a given resource. The proposed
solution must provide virtual system capabilities where each virtual system has
its own dedicated NAT rules, ACL, VLAN, routes, and interface configuration.
This will enable multi-realm security and management as well as multi-tenancy
within the same organization. The proposed solution must support integration
with active DDoS protection that will provide comprehensive protection from all
types of DDoS attacks. The proposed solution technology must be available on
a physical appliance.

The proposed solution must provide advanced protection against web scraping
or harvesting threats. The proposed solution must provide URL profile
optimization. Many applications generate different URLs for similar content.
URL optimizers can be used to coalesce such URLs into a single profile for
easier management and better system performance. The proposed solution
must be able to integrate with suggested HSM for added security in SSL / TLS
transactions in a hardened physical device that stores all SSL / TLS certificates
in tamper-proof hardware for additional security. The proposed solution must
provide HTTP Strict Transport Security (HSTS) protection. The proposed
solution must provide Subject Alternative Name (SAN) Certificate CSR support.
The proposed solution must support granular binding of security policies,
where security Policies can now bind at a URL or domain level. This allows
having separate policies for applications that are on the same server and IP.

The proposed solution must include vulnerability remediation service that
enables automatic scanning, remediation, and maintenance of web application
policies. This will allow administrators to scan applications for vulnerabilities
on-demand or on a schedule. Detected vulnerabilities can be mitigated by
pushing configuration changes to the proposed Web Application Firewall's
security policy. This can happen either automatically based on a schedule, or
manually in a single click. Administrators can also audit each vulnerability's
history and view logs of blocked requests for each vulnerability separately.

The proposed solution must support Advance Threat Detection / Advance
Threat Protection feature to scan all files uploaded through multipart / form-data
messages with multiple malware scanners that utilize different types of
detection techniques to check for anomalies in the uploaded files, and to
provide defense against zero day attacks. The proposed solution must be able
to send blocked client IP information to a connected next generation firewall.
This allows the next generation firewall to block such clients at the perimeter
and not allow them into the network. The proposed solution must be able to
blacklist known attack source IP address / addresses.

The proposed solution must come with predefined security policy for known
applications but not limited to the below: 1. Drupal 2. Joomla 3. SharePoint
2010/2013/2016/2019 4. OWA 2007/2010/2013/2016 5. Oracle Web
Application 6. SAML

The proposed solution must support Credential Spraying Detection and
Credential Stuffing Detection. The proposed solution must support Tarpitting
where the WAF puts the client on a queue that is slowed down for a defined
period. The proposed solution must support integration with reCAPTCHAv3, in
addition to reCAPTCHAv2. The proposed solution must support Client Profiling
as well as Client Risk scoring mechanism. The proposed solution must support
Comment Spam / Referrer Spam detection by inspection of links sent in HTML
Form parameters (as POST requests) or injected in HTTP Referer headers.

COMPREHENSIVE SYSTEM MANAGEMENT

The proposed solution must come with an attack source Geo Heat map that
provides the geo location where attacks originated along with the number of
attacks detected. The proposed solution must
be able to work entirely by itself in providing full security features, full
management and full logging capabilities without the need for a separate
management device / appliance. The proposed solution must also provide full
reporting and analysis capabilities without the need for a separate
reporting / analysis device / appliance. The proposed solution must provide easy
tuning with a useful non-invasive state that allows administrators to test security
policies before actively applying them against live traffic. The proposed solution
must provide a single click fix button that shall provide an explanation of the
attack, a recommended fix to the attack and a dedicated fix according to the
recommendation given.

The proposed solution must provide exception profiling that allows
heuristics-based tuning of the existing firewall rules. The proposed solution
must provide adaptive profiling that analyzes the incoming and outgoing traffic to
build a profile of the Web application that contains all accessed URLs and
allowed form parameters. The proposed solution must provide integration
capabilities with SIEM solutions including but not limited to the following: 1.
ArcSight 2. IBM QRadar 3. RSA enVision 4. Splunk 5. Symantec SIM 6. AMQP
Formatting 7. Custom log format. To ensure compliance with General Data
Protection Regulations (GDPR), the proposed solution must be able to have
Log Encryption and Problem Report Encryption capabilities. The proposed
solution must provide customizable role-based administration access for
different management tasks such as administrator, auditor, network manager
and application / security manager.

The proposed solution must provide web application vulnerability scanner
integration with industry leading vulnerability vendors such as IBM Appscan
(7.9 / 9.0) and Cenzic Hailstorm (6.6) as well as not limited to: 1. HPE Fortify
OnDemand 2. HPE Fortify WebInspect 3. ImmuniWeb 4. Rapid7 5. Nessus 6.
Denim ThreadFix (The Denim ThreadFix tool provides the capability to
translate the reports from multiple scanners into a format that can be imported
into the proposed solution. This integration should allow the proposed solution
to integrate with over 20 different vulnerability scanners for simplified virtual
patching of vulnerabilities.)

The proposed solution must provide comprehensive logging capability that
includes the following: 1. web firewall / security violation logs 2. web
access / successful request logs 3. audit / administration logs 4. network / network
violation logs 5. system logs. The proposed solution must provide
comprehensive built-in reporting modules that consist of: 1. Security report 2.
PCI DSS report 3. Administration / Audit report 4. Config summary report 5.
Aggregated system traffic report 6. Client traffic report 7. Service traffic report
8. Server traffic report 9. custom template report

The proposed solution must provide schedule based capabilities to allow
automatic report generation and delivery to intended recipients. The proposed
solution must provide interactive, drill-down report capabilities for in-depth
report queries. The proposed solution must provide trusted host exception that
allows trusted host to bypass security policy inspection. The proposed solution
must provide a “template” based feature to create security policy and
sub-policy templates and apply them to different applications on the same or
different device. The proposed solution must have the ability to track all
security policy changes and have the ability to record both pre and post values
for each change.

The proposed solution must support REST APIv3 or a fully compliant OpenAPI
Standard. The proposed solution must support configuration JSON checkpoints
that provide administrators a human-readable configuration file. These files are
JSON formatted files which can be modified and downloaded from the
proposed solution. Furthermore, they can also be stored in a version-controlled
repository, such as Git or CVS.

The proposed solution must come with 3 years principal support (inclusive
security and firmware updates, with hardware / replacement support). Service
level agreement (SLA) for the proposed solution must tie back to the
application SLA as mentioned in Appendix A10: SLA. The tenderer shall
provide letter of authorization from the technology principal (Appendix A9:
Principal / Technology Partner Confirmation Letter)

The tenderer shall provide administration certified training for minimum of 10
pax provided by the principal

1.2 Hardware Security Module (HSM) Activity unit Standard Standard 3

Proposed brand model (please specify)
Please attach brochure

General Requirement
• Password Authentication for easy management
• Minimum 2MB Memory
• Minimum Partition: 5

Technical Specification

Supported Operating Systems • Windows, Linux, Solaris, AIX • Virtual: VMware,
Hyper-V, Xen, KVM

API Support • PKCS #11, Java (JCA / JCE), Microsoft CAPI and CNG, OpenSSL
• REST API for administration

Cryptography • Full Suite B support • Asymmetric: RSA, DSA, Diffie-Hellman,
Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named,
user-defined and Brainpool curves, KCDSA, and more • Symmetric: AES,
AES-GCM, Triple DES, DES, ARIA, SEED, RC2, RC4, RC5, CAST, and more
• Hash / Message Digest / HMAC: SHA-1, SHA-2, SHA-3, SM2, SM3, SM4 and
more • Key Derivation: SP800-108 Counter Mode • Key Wrapping: SP800-38F
• Random Number Generation: designed to comply with AIS 20/31 to DRG.4
using HW based true noise source alongside NIST 800-90A compliant
CTR-DRBG • Digital Wallet Encryption: BIP32 • 5G Cryptographic Mechanisms
for Subscriber Authentication: Milenage, Tuak, and COMP128

Security Certifications • FIPS 140-2 Level 3 - Password and Multi-Factor
(PED) • eIDAS CC EAL4+ (AVA_VAN.5 and ALC_FLR.2) against the
Protection Profile 419221-5 *

Host Interface • 2 options: 4 Gigabit ethernet ports with Port Bonding, or 2 x
10G fiber network connectivity and 2 x 1G with Port Bonding • IPv4 and IPv6

Physical Characteristics • Standard 1U 19in. rack mount appliance •
Dimensions: 19" x 21" x 1.725" (482.6mm x 533.4mm x 43.815mm) • Weight:
28lb (12.7kg) • Input Voltage: 100-240V, 50-60Hz • Power Consumption: 110W
maximum, 84W typical • Heat Dissipation: 376BTU / hr maximum, 287BTU / hr
typical • Temperature: operating 0°C - 35°C, storage -20°C - 60°C • Relative
Humidity: 5% to 95% (38°C) non-condensing

Safety Environmental Compliance • UL, CSA, CE • FCC, CE, VCCI, C-TICK,
KC Mark • RoHS2, WEEE • TAA • India BIS [IS 13252 (Part 1) / IEC 60950-1]

Reliability • Dual hot-swap power supplies • Field-serviceable components •
Mean Time Between Failure (MTBF) 171,308 hrs

Management Monitoring • HA disaster recovery • Backup and restore hardware
to hardware on-premises or in the cloud • SNMP, Syslog

Standard Performance • RSA-2048: 1,000 tps

The proposed solution must come with 3 years principal support (inclusive
onsite support, parts, labor, security update and firmware update). Service
level agreement (SLA) for the proposed solution must tie back to the
application SLA as mentioned in Appendix A10: SLA. The tenderer shall
provide letter of authorization from the technology principal. (Appendix A9:
Principal / Technology Partner Confirmation Letter)

1.3 Biometric with smart card reader unit Standard Standard 70

Proposed brand model (please specify)
Please attach brochure.

General Requirements

The proposed solution must be able to do fingerprint
scanning with operational and accurate sensor. The proposed solution must be
able to read Malaysia MyKad.

The proposed solution must be able to do match-on-card application to verify
the identity of the owner of the MyKad through thumbprint scanning. The
proposed solution must be robust and reliable for population registration or
customer acquisition. The proposed solution must be able to integrate with
i-SPKP system applications such as information registration and thumbprint
validation. The tenderer shall provide any related software / SDK required for
this solution. The proposed solution must be compatible with operating
systems including but not limited to Windows, Linux or Android platforms.

The proposed solution must be able to guide the user to ensure good finger
placement.

Security Requirements

The proposed solution must be able to
detect fake fingers including but not limited to paper, latex or transparent film.
The proposed solution must have security mode to secure communication
between device and host. The proposed solution must have image and
template encryption for confidentiality.

Warranty and Maintenance

The proposed solution must come with 3 years
hardware replacement. The tenderer shall provide letter of authorization from
the technology principal. (Appendix A9: Principal Confirmation Letter /
Technology Partner) The proposed distribution location is as per APPENDIX A12
- Proposed Biometric Card Reader Distribution Location. The Government
reserves the right to change the distribution location and it will be finalized in
the user requirement phase.

Template Title: 3. SOFTWARE

Item Type: Products

Item Type: Local

UOM Price Type Quantity


Item
Specifications

3.1 Operating System Activity unit Standard Standard 1

Linux Enterprise minimum 26 units (please specify brand). The tenderer
shall recommend the appropriate operating system quantity
according to the proposed design.

At least 3 years license's subscription (please specify)

The subscription for licenses shall include support from the principal. (Please
provide support letter from principal, Appendix A9: Letter of Confirmation
Principal / Technology Partner)

The Tenderer shall supply, install and configure proposed operating system
for the VM provided by government.

3.2 Reporting tool, data integration tool and BI tool Activity unit Standard Standard 1

Reporting tool, data integration tool and BI tool (Please specify brand / version)
(Please provide support letter from principal / technology partner, Appendix A9
: Principal / Technology Partner Confirmation Letter)

The BI tool should be an integrated platform for business analytics and data
integration. The BI tool MUST be open source based Technology. It MUST
provide subscription model of purchase at least for 3 years. All the tools
needed to comply with this compliance sheet MUST be covered by a single
subscription plan without any need to purchase add-ons.

The license shall be provided for minimum 8 core processor

The proposed solution must include license for Production, Staging and
Development.

General Requirements

Must be able to support Business Intelligence
Tools Enterprise Suite (Business Intelligence System) which include: i.
Unified and incorporated presentation layer with existing homepage (Single
sign-on); ii. Business Intelligence Platform; and iii. Database and Application
Integration with existing system. The components of Business Intelligence
tools should consist of: i. Dashboard designer ii. Reports; self service and
designer iii. Data Analysis self service iv. Data Integration; v. AI / ML integration
vi. Out of box Google Map integration

The Business Intelligence System MUST be able to be upgraded and
expanded to keep up with usage volume and integrated with other
applications and databases in future. The Business Intelligence tool MUST be
operated with unlimited user licenses as per registered users (unlimited
licenses). The Business Intelligence tools MUST support multiple browsers e.g. IE,
Firefox, Safari, Google Chrome etc. The Business Intelligence tools MUST
support common tablet interfaces namely Apple iPad (iOS) and Android Tab.

Features of Business Intelligence Tools: Data Integration

The ability to deliver
powerful extract, transform and load (ETL) or Web services (SOAP / JSON /
WSDL) capabilities using an intuitive meta driven and rich graphical design
environment. Real time streaming data support using Kafka, MQ etc. The
ability to produce transformation library. The ability to support advanced data
warehousing. The ability to access and integrate disparate data from multiple
applications and databases. The ability to scale up, cluster, optimize and cache
in order to meet large data requirements. Intuitive drag-and-drop interface to
simplify the creation of analytic data pipelines. Direct access to complete
analytics, including charts, visualizations and reporting from any step of data
integration.

Integration of advanced analytic models from R, Python, Scala and Weka that
incorporate libraries, such as scikit-learn, Spark MLlib, Tensorflow and Keras,
into the data flow. Enterprise-grade administration, scalability, load balancing,
containerization and security capabilities. Filtering and contextual analysis of
streaming data in AWS Kinesis and Kafka. The ability to trigger or alert users
based on business rules through email or any other communications.

Features of Business Intelligence Tools: Dashboard

Visual development for
dashboards designer. The dashboard SHOULD at least consist of: i. Google
Map; ii. Portal and mashup integration to seamlessly integrate business
analytics with other web applications iii. Rich visualizations with navigation,
drill-down capabilities and a library of filter controls. The ability to display
graphical view (chart type) that consists of (but not limited to): i. Bubble chart
ii. Heat map iii. Stacked bar; iv. Line, donuts, pie chart v. Histograms;

The ability to mix or combine chart types on a single chart e.g. a Bar chart
having a Line Chart superimposed on it. The ability to produce 2D and 3D
chart views. The ability to provide out of box support or integrate seamlessly
with Google Map. It MUST include a simple way to mark or update the location
of a project for users with the correct permissions. The user SHOULD be able
to do so with a combination of entering general search terms (e.g. location of
a town), longitude / latitude and using the map overlay itself (used in the
dashboard). The ability to support print function e.g. print to file or screen
capture. The ability to allow users to drill down from interactive graphical view
into underlying report and analysis. The ability to be updated automatically
and dynamically to reflect new information on chart when the data changes.

Features of Business Intelligence Tools: Reporting

The ability to allow users
to create their own ad-hoc reports based on centralized business rules,
without any technical knowledge of SQL. The ability to access and format
data from RDBMS and XML sources and produce in various formats like PDF,
HTML, MMS ACCESS, Rich Text, Plain Text etc. The ability to produce
output in popular formats (not limited to): HTML, Excel, CSV, PDF and RTF.
The ability to produce wizard-driven authoring supporting report templates,
metadata-based query creation, sorting, and filtering. The ability to provide
interactive 'drag and drop' web interface for user self-service report creation
and perform search for data inquiry. The ability to support print function.
These reports SHOULD be print-friendly, allowing users to directly print
reports with their printers. The ability to store the report template so that the
user can use it later.

Rich graphical pixel-perfect report designer for power users. The ability for the
system administrator to do housekeeping, fine tuning and performance
optimization for the report template set by the users.

Features of Business Intelligence Tools: Data Analysis

The ability to view
data 'dimensionally' e.g. view project by region, by roles, by client etc. The
ability to dynamically drill down into greater detail of records. Extreme scale of
in-memory data caching for speed-of-thought analysis on large data volumes
using a drag-and-drop paradigm. The ability to produce interactive drilling into
cross-tabulating data (Cross-tab Reports) or Pivot dimensions. It MUST
support multi-dimensional data, letting users select what dimensions and
measures to explore. The ability to optimize response times to complex
analytical queries. The ability to provide large numbers of physical and virtual
dimensions to allow for analysis by multiple attributes. The ability to support
trend analysis by (but not limited to): i. Weekly basis; ii. Monthly basis;
iii. Yearly basis. iv. Quarterly; v. Predefined period.

System Security

Users under this system would NOT have to use two
different systems to log on. There MUST be one set of security credentials.
The system and its components MUST shield themselves from malicious
internet attacks. The system MUST be able to handle and mitigate common web
application attacks, specifically SQL injection and XSS. The system MUST have
mechanisms to avoid phishing attacks.

3.3 Database software for Production system Activity unit Standard Standard 1

General Enterprise based database software for Production system (Please
specify brand / version) (Please provide support letter from principal /
technology partner, Appendix A9: Principal / Technology Partner Confirmation
Letter) At least 3 years license's subscription (please specify)

The database platform MUST be open source based Technology. The
database MUST be supported commercially with an Enterprise version. The
database MUST provide subscription model of purchase. The production
support MUST be provided on 24x7 basis, covered by the subscription. All
the tools needed to comply with this compliance sheet MUST be covered by a
single subscription plan without any need to purchase add-ons.

Core DB Functionalities

The database MUST provide ACID transaction
support. The database MUST support nested Transactions. The database
MUST provide Crash recovery. Database Technology should have a single
engine to handle all types of workload like OLTP, OLAP, Clustering etc. The
database MUST have a cost based Optimizer. The database MUST support
both consistency and scalability without compromising one for the other. The
database MUST NOT tie key RDBMS features, e.g. consistency, to the
storage engine. The database MUST support multi-versioning of records during
modification, which would help in better concurrency. The database MUST
provide a wide array of indexing support (e.g. clustered, B-tree, full text, block
range, index for multi-value column etc.). The database MUST support
Materialized views.

Database MUST support different unstructured datatypes e.g. JSON, Hstore
etc. The database MUST provide User-defined datatypes and a wide range of
datatype support. The database MUST provide Spatial / GIS support. The
database MUST be multi-terabyte database capable. The database
MUST provide a high-speed, parallel data loader. The database vendor MUST
provide tools for database server side Connection pooling. The database
MUST support Globalization. The database MUST provide Federated
databases / database links. The database MUST support Distributed
transactions. The database MUST support Data partitioning. The database
platform MUST have a table partitioning feature to split the data of one table
across multiple disks. The table partitioning MUST be easy to implement with
CREATE TABLE or ALTER TABLE statements. The database MUST provide
Wait-based performance diagnostics. The database MUST provide Online
documentation.


Security Features: The database MUST provide User login / password
authentication. The database MUST provide Group / role support. The
database MUST provide support for External authentication eg LDAP. The
database MUST provide auditing capabilities. The database MUST support
Data encryption. The database MUST provide Built-in SQL firewall. The
database MUST provide Code obfuscation for server side code eg for User
Defined Functions in Database.

High Availability and Data Protection Features: The database MUST provide
Built-in replication. The database MUST provide capability to setup
replication without a need of archiving of transaction logs. The database
MUST provide Warm Standby database. The database MUST provide Hot Standby
database. The database MUST provide Online backup. The database MUST
provide Parallel restore. The database MUST provide Point-in-time recovery.
The database MUST provide facility to take backup from the Standby
database. The database MUST provide Online operations. The subscription
MUST include tools for setting up database level redundancy and
auto-failover to standby database in case Primary / Master database fails.
The High Availability tool MUST allow the setup with 2 database nodes (or
more if needed). The HA setup (with 2 database nodes or more) should
provision facility to avoid split brain scenario.

Development Capabilities: The database platform MUST provide Stored
procedures, Functions, Triggers support The database MUST provide
Analytic SQL functions The database MUST provide Optimizer hints The
database MUST provide support for SEQUENCES The database MUST
support Rule Engine The database MUST provide Materialized Views support
The database MUST support recursive queries The database MUST provide
Wide range support for connectors (JDBC, ODBC, .NET, etc.)

Management and Tooling: The database MUST provide Enterprise Manager
Tool to monitor and manage clusters without any additional cost. It MUST be
possible to deploy the tool in customer's datacentre. The database MUST
provide GUI Client side development / administration tools The database
MUST provide Automated patch notification and management The database
MUST provide Performance monitoring The database MUST provide SQL
capture / profiling The database MUST provide Job scheduler The database
MUST provide Command line utilities The subscription MUST include a tool
for Administrators to take backup of multiple databases from single backup
server. It MUST be possible to deploy the tool in customer's data center. The
database platform MUST include features to capture performance snapshots
which can be later used for analyzing performance and bottlenecks The
vendor should provide tools to replicate and synchronize data to other
database - SQL Server

Operation Support: Monitoring system to monitor the database basic health
and slow queries. 24/7 business and operation support shall be provided. In
the event of any security vulnerability found in the 'Product', the original
software provider shall release a patch to fix the vulnerability issue within
the following period based on severity and risk factor below:
• Emergency critical - 24 hours
• High - 2 weeks
• Medium - 8 weeks
• Low - 12 weeks

3.4 Database software for Staging system
Activity unit Standard Standard 1

General Enterprise based database software for Staging / Development system
(Please specify brand / version) (Please provide support letter from principle /
technology partner, Appendix A9: Principal / Technology Partner Confirmation
Letter) At least 3 years license's subscription (please specify)


The database platform MUST be open source based Technology The
database MUST be supported Commercially with Enterprise version The
database MUST provide subscription model of purchase The production
support MUST be provided on 24x7 basis, covered by the subscription. All
the tools needed to comply with this compliance sheet MUST be covered by a
single subscription plan without any need to purchase add-ons
Core DB Functionalities The database MUST provide ACID transaction
support The database MUST support nested Transactions The database
MUST provide Crash recovery Database Technology should have single
engine to handle all type of workload like OLTP, OLAP, Clustering etc. The
database MUST have a cost based Optimizer The database MUST support
both consistency and scalability without compromising on the other one The
database MUST not tie down key RDBMS features eg consistency with
storage engine The database MUST support multi-versioning of records while
modification, which would help in better concurrency The database MUST
provide Wide array of indexing support (eg clustered, B-tree, full text, block
range, index for multi-value column etc.) The database MUST support
Materialized views Database MUST support different unstructured datatypes
eg JSON, Hstore etc

The database MUST provide User-defined datatypes and Wide range of
datatype support The database MUST provide Spatial / GIS support The
database MUST provide Multi-terabyte database capable The database
MUST provide High-speed, parallel data loader The database vendor MUST
provide tools for database server side Connection pooling The database
MUST support Globalization The database MUST provide Federated
databases / database links The database MUST support Distributed
transactions The database MUST support Data partitioning. The database
platform MUST have table partitioning feature to split the data of one table on
multiple disks. The table partitioning MUST be easy to implement with a
CREATE TABLE or ALTER TABLE statements. The database MUST provide
Wait-based performance diagnostics The database MUST provide Online
documentation

Security Features: The database MUST provide User login / password
authentication. The database MUST provide Group / role support. The
database MUST provide support for External authentication eg LDAP. The
database MUST provide auditing capabilities. The database MUST support
Data encryption. The database MUST provide Built-in SQL firewall. The
database MUST provide Code obfuscation for server side code eg for User
Defined Functions in Database.

High Availability and Data Protection Features: The database MUST provide
Built-in replication. The database MUST provide capability to setup
replication without a need of archiving of transaction logs. The database
MUST provide Warm Standby database. The database MUST provide Hot Standby
database. The database MUST provide Online backup. The database MUST
provide Parallel restore. The database MUST provide Point-in-time recovery.
The database MUST provide facility to take backup from the Standby
database. The database MUST provide Online operations. The subscription
MUST include tools for setting up database level redundancy and
auto-failover to standby database in case Primary / Master database fails.
The High Availability tool MUST allow the setup with 2 database nodes (or
more if needed). The HA setup (with 2 database nodes or more) should
provision facility to avoid split brain scenario.


Development Capabilities: The database platform MUST provide Stored
procedures, Functions, Triggers support The database MUST provide
Analytic SQL functions The database MUST provide Optimizer hints The
database MUST provide support for SEQUENCES The database MUST
support Rule Engine The database MUST provide Materialized Views support
The database MUST support recursive queries The database MUST provide
Wide range support for connectors (JDBC, ODBC, .NET, etc.)

Management and Tooling: The database MUST provide Enterprise Manager
Tool to monitor and manage clusters without any additional cost. It MUST be
possible to deploy the tool in customer's datacentre. The database MUST
provide GUI Client side development / administration tools The database
MUST provide Automated patch notification and management The database
MUST provide Performance monitoring The database MUST provide SQL
capture / profiling The database MUST provide Job scheduler The database
MUST provide Command line utilities The subscription MUST include a tool
for Administrators to take backup of multiple databases from single backup
server. It MUST be possible to deploy the tool in customer's datacenter. The
database platform MUST include features to capture performance snapshots
which can be later used for analyzing performance and bottlenecks The
vendor should provide tools to replicate and synchronize data to other
database - SQL Server

Operation Support: Monitoring system to monitor the database basic health
and slow queries. 24/7 business and operation support shall be provided. In
the event of any security vulnerability found in the 'Product', the original
software provider shall release a patch to fix the vulnerability issue within
the following period based on severity and risk factor below:
• Emergency critical - 24 hours
• High - 2 weeks
• Medium - 8 weeks
• Low - 12 weeks

3.5 Performance Monitoring Tool for Application
Activity unit Standard Standard 1

General Performance Monitoring Tool for Application (Please specify
brand / version) (Please provide support letter from principle / technology
partner, Appendix A9: Principal / Technology Partner Confirmation Letter) At
least 1 years license's subscription (please specify)

Tenderers must have experience with and be familiar with enterprise systems
and government systems. Tenderers must have their own local enterprise
architect to advise on strategic APM deployment in order to work effectively
with the banking systems, platforms and technologies. Tenderer must be able
to advise and support in DevOps implementation.

APPLICATION MONITORING: Provide a top-down approach that starts from
the end user perspective and provides end-to-end visibility across the entire
infrastructure for all application types. Single dashboard for all end user
information, for all applications, structured to represent the organization's
business services. One-click navigation from dashboards to end-user analysis
console. Notify immediately upon performance issues or application failures.
For each application, show real-time and historical performance, including a
snapshot of performance over the last 24 hours and over the last 30 days.
Present location and infrastructure performance in context of selected
application. Application, location, transactions, user's experience, and
infrastructure performance (tier based perspective) perspectives on single
screen.

Integrate monitoring from outside the data center into a single integrated
Dashboard that provides quick domain isolation whether the problem is within
or outside of the data center. Users should be able to define their own
specific reporting views and make them available to others.

DIGITAL EXPERIENCE MANAGEMENT: Able to monitor and trace each
individual transaction from user experience to their method calls and
database queries Able to measure and provide visually complete metric for
user experience monitoring Able to provide session replay to playback user
actions for incident investigation Able to monitor mobile applications and
provide crash report, app version distribution, geographic regions and user
path through app Able to simulate transactions via proactive synthetic
monitoring from a cross global network to provide 24x7 monitoring on key
business transactions

DEEP DIVE DIAGNOSTICS AND ROOT CAUSE ANALYSIS: Able to have
clear path from the code execution standpoint to the URL rendered, to the
user request and where it came from. End-to-End Monitoring from browser to
data center of all user interactions, 24x7, in production Able to pin point cause
from front end to back end tier end to end with zero configuration (agents
preconfigured with the standard classes and default performance thresholds),
auto-discovers and auto adapts Minimal Configuration that involves no code
changes Visibility beyond page views of Web 2.0 AJAX frameworks Keep
track user interactions into visits and Click-Paths Auto-detection of landing
pages and service entry points Always-on tracing, recording and monitoring
of all (not just selected) transactions Transactional, end-to-end view across
technology silos / systems / services Error rates per application and business
transaction Automatic alerting based on error rates per interval

Scheduled and pluggable synthetic end-user monitoring Monitor Node.JS and
NGINX Tracing of ALL Individual Transactions, NOT just aggregated
Transactions No Source-Code Changes Required (Java, .NET, Javascript,
Web pages) Tracing Across Web and AJAX Applications Tracing Across Java
and .NET Applications Tracing Across Web Servers (Apache, IIS, Java-based
and more) Tracing Across Multiple Tiers / Servers Tightly tie J2EE and .Net
application server monitoring to end-user experience, to database monitoring
Able to correlate each individual transaction from user experience to their
method calls and database queries 1-click to root-cause and automated
hotspot detection Inter-tier time analysis to spot network problems

Able to auto-detect mobile devices, version, vendor, browser and Bandwidth
Able to auto-detect impact of 3rd party CDN content Able to support Mobile
User Experience through the use of iPhone, Android and BlackBerry Able to
auto-detect frustrated visits, click path page actions errors and able to drill
down to server side Provide a web dashboard with an easy-to-use UI that has
more than 10 different tiles to choose from to create dashboard metrics.
Dashboard view can be shared via link, and offered drill down capability onto
the transaction details. Web Dashboard to provide out of the analytics box
use-case. Able to integrate with orchestration and test tools for better DevOps
operations

MANAGEMENT ADMINISTRATION: Install the Agent with zero prior
knowledge and associated configuration with a single script Install all Agent
components with a single installation (infrastructure, network, host,
java / .NET / others, logs, etc.) Install the Management Cluster with a single
installer and no dependencies on third party software Scale the Management
Cluster with a single script and no configuration Configure the System for
High Availability in a single step Perform a version update with a single click


ENTERPRISE UNIFIED MONITORING: Auto-discovery of all stack
components and their dependencies Full-stack visibility into every process on
the monitored host - regardless of the technology Integration of Application,
Host, CPU, Network, Disk, Virtualization, DataCenter and Cloud metrics
within a single model Cloud Infrastructure metrics seamlessly combined with
application metrics (for AWS, Azure, OpenStack, VMWare, etc) Auto-injection
into all Docker hosted applications Designed for Micro-Services Native
integration and instrumentation of PaaS environments (CloudFoundry,
OpenShift) Zero configuration Real User Monitoring (RUM) 100% individual
user visibility (every user click) 100% of all transactions - from browser to DB
Fully integrated Synthetic monitoring Fully integrated Log Monitoring API
exposed: Ability to push data in and pull data out Enterprise Scalability
(Deployments over 100,000 Hosts) Active-Active Cluster supporting multiple
management nodes

AI-POWERED ANALYTICS EMBEDDED EXPERTISE: Self-learning AI
automatically locates problem inflicting components and identifies root causes
- eliminating alert spam Full replay of problem lifecycle for post-mortem
analysis Automatic determination of business impact related to detected
problems Expert knowledge built-in to identify top findings and recommended
optimizations AI-powered VoiceOps (natural language interface) and
ChatOps Reduce need for "Eyes on Glass" manually correlating dashboards

CERTIFICATIONS: Docker Certified Solution. RedHat Certified Solution
(OpenShift, OpenStack)

3.6 Digital Signing Solution
Activity unit Standard Standard 1

General Digital Signing Solution should accommodate all environment
proposed including Production, Development, Staging and Disaster
Recovery (DRC) (Please specify brand / version) (Please provide support letter
from principle / technology partner, Appendix A9: Letter of Confirmation
Principal / Technology Partner)

The tenderers shall design, supply, deliver, implement, maintain and support
Digital Document Signing for APAD, LPKP Sabah and LPKP Sarawak and
provide warranty for the hardware if there is any. The proposed design and
deployment plan should be adapted in Production / Development / Staging and
Disaster Recovery (DRC). The design of the proposed PKI solution should
cover but not be limited to the following entities / components or similar:
a. Software License
b. Software Integration API
c. Digital Organization Certificate issued under Adobe Approved Trust List
(AATL) program for APAD, LPKP Sabah and LPKP Sarawak (should be valid for
3 years)
d. Government issued GPKI digital certificate and must support latest
version of GPKI Agent that is provided by government (MAMPU)

The tenderer MUST include certificate lifecycle for requesting and renewal of
AATL digital certificate, which shall cover but not be limited to:
a. Key Generation
b. Creating Certificate Signing Request
c. Installation of digital certificate

The tenderer MUST ensure that this process will not require the Digital
Document Signing solution to be offline for an unreasonable period.

IMPLEMENTATION OF DIGITAL DOCUMENT SIGNING SOLUTION: The
Digital Document Signing solution must comply with:
a. Digital Signature Act 1997
b. Digital Signature Regulation 1998
c. Infrastructure Services Policy Government Public Key (GPKI) through
Administrative Development Circular Public No. 3 of 2015
d. PDF Advanced Electronic Signatures (PAdES)
e. PAdES-Long Term Validation (LTV) Profile

Must use MAMPU Date / Time Stamp service if there is any, or must use a
Malaysian Recognized Date / Time Stamp Service. The digitally signed
document must appear as a valid document even if the digital certificate
expires or is revoked in the future. A digital certificate used in the
solution must be valid at the time of signing. It must be verified using a valid
CRL for MAMPU GPKI issued digital certificate and OCSP for the AATL
Organization Certificate. The solution MUST be able to integrate with the
proposed system, MAMPU GPKI and other services required to complete the
proposed system.

The proposed tender MUST support the usage of both RSA (minimum
2048-bit key) and ECC (minimum 256-bit key) types of digital certificate. The
tenderer must provide an ECC type of AATL Organization digital certificate.
The proposed tender may use hash function of SHA2 with 256-bit digest size,
however the use of 384 or 512 digest size is encouraged. SHA-3 with 224, 256,
284 or 512 is also permitted. The use of SHA-1 and SHA-2 with 224 digest
size is prohibited in any part of the solution. The tenderer must ensure that
the proposed solution shall have the ability to cover various types of digital
certificate and keypair storage such as crypto USB token or roaming. The
tenderers must be able to use digital certificates issued by MAMPU
Government PKI in their proposed Digital Document Signing solution. The
solution must be able to support TLS 1.3. The use of SSLv2, SSLv3, TLS 1.0
and TLS 1.1 is prohibited in any part of the solution.

INTEGRATION SERVICES WITH PROPOSED APPLICATION: The system
integration between the Digital Document Signing solution and the proposed
application covers i) Digital signing performed by a user holding a GPKI
digital certificate ii) Digital signing performed at the server side using the
AATL Organization certificate. Preferable integration between the proposed
solution and the proposed application is using API and / or Webservices. The
development will consist of the data exchange between PKI and the proposed
application. The tenderer needs to ensure all data transmitted is encrypted.
The tenderer needs to ensure that the digital documents or data shall never
leave or be kept outside the proposed environment. Only a message digest can
be used outside the environment for the purpose of creating a digital signature
and requesting a time token from the Timestamping server. Tenderer application
must have logging capability (audit trail).
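The digest-only rule above, shown as an added example that is not part of the tender or of any vendor's product: it builds a timestamp request that carries only the message digest, refuses the prohibited SHA-1 and SHA-224, derives an audit-trail record from the request, and creates a TLS context that rejects anything below TLS 1.2. It assumes the Timestamping server accepts RFC 3161 requests; the function names and the sample document are illustrative, and only the SHA-2 sizes named above are covered.

```python
import hashlib
import secrets
import ssl
from typing import Optional

# DER-encoded OIDs for the SHA-2 sizes the requirement allows (256, 384, 512).
# SHA-1 and SHA-224 are absent on purpose: the requirement prohibits them.
ALLOWED_HASH_OIDS = {
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
    "sha384": bytes.fromhex("0609608648016503040202"),  # 2.16.840.1.101.3.4.2.2
    "sha512": bytes.fromhex("0609608648016503040203"),  # 2.16.840.1.101.3.4.2.3
}


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _der_uint(value: int) -> bytes:
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_position) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def build_timestamp_request(document: bytes, hash_name: str = "sha256",
                            nonce: Optional[int] = None) -> bytes:
    """Build a DER TimeStampReq (RFC 3161) holding only the document digest."""
    if hash_name not in ALLOWED_HASH_OIDS:
        raise ValueError(f"hash {hash_name!r} is not permitted by the policy")
    digest = hashlib.new(hash_name, document).digest()
    # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    algorithm = _der(0x30, ALLOWED_HASH_OIDS[hash_name] + b"\x05\x00")
    # MessageImprint ::= SEQUENCE { hashAlgorithm, hashedMessage OCTET STRING }
    imprint = _der(0x30, algorithm + _der(0x04, digest))
    if nonce is None:
        nonce = secrets.randbits(64)  # binds the response to this request
    cert_req = b"\x01\x01\xff"        # certReq BOOLEAN TRUE
    return _der(0x30, _der_uint(1) + imprint + _der_uint(nonce) + cert_req)


def audit_record(request: bytes) -> dict:
    """Summarise what left the environment, suitable for an audit-trail entry."""
    _, body, _ = _read_tlv(request, 0)
    _, _version, pos = _read_tlv(body, 0)
    _, imprint, _ = _read_tlv(body, pos)
    _, algorithm, pos = _read_tlv(imprint, 0)
    _, digest, _ = _read_tlv(imprint, pos)
    _, oid_content, _ = _read_tlv(algorithm, 0)
    oid = _der(0x06, oid_content)
    name = next(k for k, v in ALLOWED_HASH_OIDS.items() if v == oid)
    return {"hash": name, "digest": digest.hex(), "request_bytes": len(request)}


def tsa_tls_context() -> ssl.SSLContext:
    """Client context for the timestamp call: certificate checks on, TLS >= 1.2.

    SSLv3, TLS 1.0 and TLS 1.1 are refused; TLS 1.3 is negotiated whenever
    both ends support it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    sample = b"constructed sample document, not real licence data"
    req = build_timestamp_request(sample)
    print(audit_record(req))
    print("document bytes present in request:", sample in req)
```

Logging the output of `audit_record` for every request gives reviewers evidence that only a digest, never the document, was sent to the timestamp service.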

Tenderer must provide complete documentation containing sufficient
information for any integration process involved.

Reporting: Tenderer shall be able to provide report / statistic on the
usage / transaction that will be determined by agencies

Software Maintenance support: a. 3 year after go-live period for any
defect, bug fix, software update / upgrade b. Assists to integrate with other
agencies application / system using existing delivered design and software

Technical advice and skill sharing: a. Shares product knowledge Expertise b.
Provide technical information and recommends best practices for managing
software, application, and database c. Delivers onsite technical activities d.
The tenderer must assist agencies personnel in trouble shooting the
problems.


3.7 Vulnerability Assessment Software
Activity unit Standard Standard 1

Vulnerability Assessment Software (Please specify brand / version) At least 3
years license's subscription (please specify)

The proposed Vulnerability Assessment solution must come with unlimited
IPs license with unlimited scanning. The proposed Vulnerability Assessment
solution must have the industry's lowest false positive rate with six-sigma
accuracy (measured at .32 defects per 1 million scans). The proposed
Vulnerability Assessment solution must be CVE compatible and provide at
least 10 years of CVE coverage. It must cover more than 55,000 CVE. Vendor
must state these numbers. The proposed Vulnerability Assessment solution must
support at least 450 compliance and configuration templates to audit
configuration compliance against CIS benchmarks and other best practices.
The solution must support a variety of scan engine platforms to include
Windows, Linux, Mac OS, as well as Virtual Appliances.

A virtual appliance must be available for scan engines and for centralized
console at no additional cost, i.e., included within the licensed bundle. Virtual
appliance must be available for HyperV and VMware platform. The proposed
Vulnerability Assessment solution must support fully automated updating of
vulnerability feeds from the vendor on a daily schedule. The proposed
Vulnerability Assessment solution must provide an offline update process to
update the vulnerability feeds in air gapped networks. The proposed
Vulnerability Assessment solution must support secure web-based
administration / console. The proposed Vulnerability Assessment solution must
support the ability to produce reports in the following report formats: PDF,
HTML, CSV and XML. The proposed Vulnerability Assessment solution must
provide the ability to automatically email reports.

Template Title: 4. SERVICES

Item Type: Services


Item Type: Local

Frequency / No. Unit No. Unit


UOM Quantity
Item Measuring unit One Day Size One Month Size

Specifications

4.1 Project Management
Months 1 24

The tenderer must work with the Government Project Team that
will be appointed by the Government to manage the implementation of the Project.

The tenderer must complete the project within 24 months; failure of
the tenderer to adhere to the project period may cause the tenderer to be
charged fines for each day late based on the following formula:
((BLR + 1%) / 365) x value scope of delayed work x no of days delayed

Tenderers need to submit a complete project implementation schedule
in the form of a Gantt chart. Please complete document A3: Project
Implementation Schedule.

The team members involved MUST be experienced, knowledgeable,
qualified and trained to implement this project. Tenderers need to
provide adequate project team members to ensure this project
runs smoothly and according to a predetermined period.

The tenderer MUST have: (i) At least two (2) personnel certified as
Certified Professional for Requirements Engineering
(CPRE); (ii) At least one (1) SME who has worked
in related domains; and (iii) At least one personnel who
has Certified Tester Foundation Level (CTFL)

The project team structure is not limited to the following: a) Certified Project
Manager b) SME for business solution needs (Business Solution) c)
SME for technical solution requirements (Technical Solution) d) Development
team e) Change management team f) Integration team g) Migration team
h) PMO team i) Quality Testing / Assurance team j) Infrastructure and
Security Team

The Project Manager must be an experienced person
(at least 5 years in ICT project management) and
have a Project Management certificate that is still in the validity period
(certified Project Management). Please attach the certificate in Appendix
A8: Project Team Biodata

Tenderers need to provide a Team Lead for each team who
has at least five (5) years of experience and
knowledge in related fields.

The proposed structure for the Development Team should have a role
but not limited to: a) Lead Business Analyst b) Business Analysts
c) Lead Solutions Architect d) Solution Designers (In the areas of Security,
Database, Network) e) Developers f) Testers g) Infrastructure Engineers
h) Integration Engineers i) Trainers (Management, Technical and End-User)
j) Technical Writers k) Others (Please specify)

The tenderer should propose an internal project management methodology in
Appendix A1 - Proposed i-SPKP System Development.

Tenderer will not change or replace any key personnel
without first obtaining written permission from the Government.
If for appropriate reasons, the tenderer needs to replace
any staff, the tenderer will provide a replacement with the person
having equivalent or higher qualifications and experience,
which is considered acceptable by the Government.

Tenderers need to submit the following information in the project proposal: a)
Project Organization Chart. Please complete Appendix A6: Project Team
Organization Chart b) List of Project Teams. Please complete Appendix A7:
List of Project Teams c) Complete CV of key members of the Project Team
as well as related certificates. Please complete Appendix A8: Project Team
Biodata d) Roles and Responsibilities of each element in the proposed
Project Organization Chart.

Tenderers must also provide consulting services from the
main and local principal (if required) for (not limited to): a)
Installation b) Configuration c) Design d) Development of software
and database. The Tenderer shall comply with the Public Sector ICT Project
Management Guidelines (PPrISA) in project management and in
producing documentation related to the Project.


Tenderers must have company experience in the field of
system development. (Please enclose the certificate and state in Appendix A5:
Tenderer Experience)

Tenderers must have experience in the implementation of Projects
involving system integration and data migration (Please submit
system / integration experience information in Appendix A5:
Tenderer Experience)

Tenderers must have experience in the supply of ICT hardware
and software. Please specify in Appendix A5: Tenderer Experience

The tenderer must provide document management facilities
(versioning) for all documents provided in this project. (Please
complete Appendix A2: Proposed Hardware and Software Specifications
and also provide related brochures)

The tenderer must comply with all rules, guidelines, circulars
and others currently in force.

Project Monitoring and Reporting i) Tenderers shall provide and
submit reports to enable the Project Technical Committee and
the Project Steering Committee to monitor the project implementation status.
Reports should be prepared and submitted throughout the project period. ii)
Tenderer shall prepare the project status reports as follows but not
limited to: a) Project Progress Status Report (Weekly) b) Project
Progress Status Report (Monthly) c) Project Status Report for
Management (Monthly) d) Any report requested when necessary. iii)
Weekly, Monthly Reports and other status reports shall
include the following but not limited to: a) Project activities (important
events of the previous week) b) Documentation of overall project progress;
c) Issues / Problems / Risks / Incidents d) Milestones e) Activities planned
for next week f) Application for change if any g) Financial
information. Reports should follow the PPRISA template

iv) Tenderers need to provide Standard Operating Procedure for
management and operation of the i-SPKP system

Risk Management i) The Tenderer shall propose a Risk Management
Plan, which will identify possible issues that may
affect the smooth implementation of the project including non-compliance
with acceptance criteria for submission or non-compliance with a deadline
set out in the contract.

ii) The Project Management Plan should take into account the following
matters but not limited to: a) Risks expected to be
faced; b) Impact of the risk; c) Method used for
addressing risks (including approaches, tools and resources that are
required); d) When and how often the risk occurs; e) Risk categories; f) Factors
contributing to risks; and g) Reporting format. iii) The Risk Management
Plan should be constantly updated throughout the project period to
ensure continuous project risk detection.

Issue Management i) The Tenderer shall propose an Issue Management Plan
which will describe the approach to the management of issues that may
arise during the implementation of the project ii) The tenderer shall highlight
all project-related issues arising throughout the implementation of the project.
All project issues should be identified, documented, managed and
well monitored by the Tenderer.

Quality Assurance i) The tenderer must propose a quality management plan
that describes the procedures, methodologies and policies the project
committee will use to ensure that the project is implemented according to
the agreed quality. ii) The tenderer must explain
how quality management plans will be implemented and communicated
to all project teams / project committees. The tenderer shall
ensure that the proposed methods and procedures are used during
project implementation. iii) Tenderer must ensure acceptance test
and commissioning is implemented effectively, so that before the system
operates, the system has been proven capable of fulfilling the required
performance, including in terms of safety and reliability.

Change Request i) Tenderer must meet
any application for amendment (within the scope of the project) by the government. ii)
The tenderer shall propose the amendment application mechanism that
will be used.

All documentation under this project must be submitted to the
government within two (2) months after the system is implemented. All
manuals / documents must be original. The number of documentation copies
required is at least three (3) hardcopy and softcopy copies
including diagrams, editable drawings. All documentation must
get confirmation from both parties, the contractor and the
Government.

All source code that has been developed, documentation and operations
manuals provided will be the property of the Government. They must be
supplied in the form of hardcopy and also soft copy.

The tenderer must conduct a questionnaire to the target user
before and after system implementation.

4.2 Data Migration
Activity unit 1 1

The tenderer must perform data migration for the systems involved
as follows (not limited to): 1. APAD ATTITUDE System 2. LPKP Sarawak
ATTITUDE System (Driver Card) 4. LPKP e-SPKP System 5. APAD
E-Hailing Licensing System 6. Sabah CVLB E-Hailing Licensing System 7.
LPKP Sarawak E-Hailing Licensing System 8. LPKP Sabah Driver Card
System 9. Cross-Border System 10. Land Public Transport Terminal
Licensing System (STEAD)

The tenderer must present and submit the Data Migration Plan
from the existing APP LPKP systems to the i-SPKP System, and
obtain the system owner's confirmation, to ensure that the data migration
strategies, methods and implementation schedule meet user needs.

The tenderer must present and submit the Data Migration Specification
for data migration from existing systems to the i-SPKP System, and
obtain the system owner's verification, to ensure that the resulting
specifications are valid and meet the requirements of data migration.

Migration plans and the work involved should include:
a. Extracting, translating and loading data (Extract, Transform, Load) from
existing systems to i-SPKP;
b. Ensuring that the process of data migration and translation is performed
without any unplanned interruption or downtime. The tenderer is fully
responsible for any loss of data during the migration process;
c. Preparing a Migration Plan and a Test Plan, and performing capability
tests on the data that has been migrated;
d. Preparing a test report containing the percentage of clean data and
invalid data.

The tenderer shall perform the data migration as approved in the Data
Migration Plan and Data Migration Specifications. The tenderer is required
to prepare a contingency plan in the event of a disruption during the
migration process. Tenderers are required to provide, and to have, the
capability (high scalability) to perform the data migration and system
migration processes. The tenderer is responsible for all actions taken
during the migration process.

Data migration strategies must take into account (not limited to):
a. Volume of data to be converted to i-SPKP.
b. Feasibility of data to be converted to SPKP.
c. Availability of data to be converted to SPKP.

The tenderer must ensure that all data involved in the data migration
process has been reviewed, tested and is usable within the SPKP system.
The tenderer must give full cooperation to any contractor who maintains
the existing systems owned by the Government. The use of any tools in
the data migration process is fully the responsibility of the Tenderer.

Tenderers need to suggest the migration tools to be used. All costs of the
migration tools licenses (if any) must be borne by the tenderer without
any additional cost to the Government. The migration tools used
will be the property of the Government. Please specify in Appendix A2:
Hardware and Software Specification Suggestions (if any).

4.3 Change Management    Activity unit 1 1

Tenderers need to propose and submit a Change Management Plan
that needs to be implemented during the implementation of i-SPKP.

Tenderers must plan Change Management activities, which are to be managed
jointly by a Change Management Team consisting of the tenderer and the
Government project team. Tenderers should recommend a change management
team for this project.

Change management plans should include programs and activities to
convey awareness to, and gain system acceptance from, the following
user groups:
a) APAD and CVLB officers and staff
b) Officers and staff of the Information Technology Unit
c) Agencies that are involved
d) Relevant External Users

Tenderers need to propose a change management plan that
includes the following:
a) Approaches and methodologies that will be used.
b) Change management plan (activities, timeline, budget, resources required)
c) Benefits of the activities carried out

The proposed change management approach must also contain the
identified change management issues, a cause and effect analysis,
and suggestions for the immediate solutions needed to
resolve those issues.

The Tenderer shall determine the Software Change Management and
version control process and needs to get approval for it from the
Government. For any changes to the application, the tenderer is required
to provide full documentation, including the proposed changes and their
impact on the system in terms of resulting functions / additional features.
The tenderer must obtain approval from the Government for
all proposed changes before implementing those changes in
the production environment. Tenderers must perform comprehensive
testing of any changes / improvements to the system
implemented during the operation and warranty period to ensure that
changes in the system meet the needs of the Government and have no
impact on other functions of the System.

Tenderers shall implement Change Management and capacity building
activities in accordance with the Change Management Plan
provided by the tenderer and approved by the Government at the
Analysis and Design stage. The Change Management Plan shall be
in line with the Transition Management Plan provided
by the tenderer and approved by the Government.

Tenderers should monitor and report user readiness to
implement the planned changes and identify the corrective actions
that need to be taken to achieve the project implementation objectives.
Tenderers must submit training and change management reports
after completing the change management session,
including user feedback and the completed user feedback forms.

Roadshow: Tenderer MUST suggest a roadshow schedule for APAD,
Sabah CVLB and Sarawak CVLB, which needs to be detailed in Appendix
A5 - Customer Consumer Training. The purpose of the roadshow session is to
provide information to operators / licensees about the
iSPKP system and the system's benefits for their licensing matters.

This scheduled roadshow session needs to be implemented in 2 phases.
Phase 1: 50% complete system development
Phase 2: 90% complete system development

The tenderer MUST provide a roadshow requirement for the number of participants
(not limited to) as follows:

APAD: Estimated 38 sessions, 1 session maximum 50 people. Session location
at least in 4 places (North (Penang), Central (Klang Valley), South (Johor
Bahru), East (Kuala Trengganu)). Target Group: Bus Operator, Truck Operator,
Taxi Operator, Train Operator, Terminal Operator.

LPKP Sabah: Estimated 15 sessions, 1 session maximum 50 people. Session
location at least in 3 branches (Kota Kinabalu, Sandakan and Tawau).
Target Group: Bus Operators, Truck Operators, Taxi Operator.

LPKP Sarawak: Estimated 15 sessions, 1 session maximum 50 people. Minimum
number of participants per session: 750 pax. Session location at least in
3 branches (Kuching, Miri and Sibu). Target Group: Bus Operator, Truck
Operator, Taxi Operator.

General: Budget 1 session, maximum 100 people. Location: Klang Valley.
Target Group: Various categories such as the Public, etc.

The tenderer must bear all the costs of implementing the roadshow
such as the provision of booths, materials, etc.

Tenderer MUST provide the information / materials to be used for
such roadshow sessions, in the form of slides, briefings or other
appropriate documents. The contents of the information / roadshow material
will be discussed during the user needs review session and MUST be approved
by the Government. The tenderer must bear all costs for
change management, (not limited to) interior design, programs,
montage / gimmicks, souvenirs, event management as well as food and drink for
the guests. Tenderers MUST take note that all
planning related to change management will be discussed together
and MUST be approved by the Government before it is finalized
or implemented.

Promotional Video / Promotional Materials: Tenderers MUST provide
promotional videos (teaser and full video) which include an introduction
to and information about the system developed. The tenderer MUST ensure
that the promotional video covers all types of licensing conducted at APAD,
LPKP Sabah and LPKP Sarawak. The tenderer MUST ensure that the promotional
video produced can be used jointly by APAD, LPKP Sabah and LPKP Sarawak.
Tenderer MUST guarantee that all sources of information provided are not
borrowed or plagiarized and do not infringe the intellectual property,
copyright, or trade secrets of another party. Tenderer is fully RESPONSIBLE
if there is any claim from any party over infringement of that copyright.
Tenderers MUST take note that all content of the
promotional videos will be discussed during the user needs review session
and the video MUST be approved by the Government.

Promotional Materials: Tenderer MUST provide promotional materials (not
limited to) as follows: a) Pamphlet / brochure b) Poster c) Bunting.
The tenderer MUST ensure that the promotional materials produced can be
used jointly by APAD, LPKP Sabah and LPKP Sarawak.

The tenderer MUST assure that all the information
used in the preparation of these promotional materials is not
borrowed or plagiarized and does not infringe the intellectual property,
copyright, or trade secrets of another party. Tenderer is fully RESPONSIBLE
if there are any claims from any party over infringement of
that copyright.

Tenderer MUST ensure the (minimum) specification of the pamphlets / brochures
is as follows:
a) Paper: Artpaper 157gm
b) Size: A4 (29.7cm x 21cm)
c) Print: 4 colors (Full color)
d) Packaging: Fold 3
The minimum amount NEEDED to be supplied is 5,000 pieces.
Acrylic Pamphlet Holder: at least 20 units.

Tenderer MUST ensure the (minimum) specification of the poster is as follows:
a) Paper: Artpaper 128gm
b) Size: A3 (29.7cm x 42cm)
c) Print: 4 colors (Full color)
The minimum amount that MUST be supplied is 200 pieces.

Tenderer MUST ensure the (minimum) Bunting and Tripod Stand specifications
are as follows:
a) Size: ± 85cm x 200 cm
b) Material: Aluminum (Stand)
c) Print Material: Synthetic Paper
d) Print: 4C + Matt
e) Print Resolution: 1200 dpi
f) Storage: Bag
The minimum amount that MUST be supplied is 20 sets.

Tenderers MUST take note that all content of the
promotional materials will be discussed during the user needs review
session and MUST be approved before printing is done.

Tenderers CAN suggest promotional materials other than
those stated above.

Online Training / Digital User Manual: Tenderer MUST provide
materials for training purposes and online reference, (not limited
to) as follows: a) Training video b) Training manual

Tenderers should provide online training materials based on the
categories of target users, not limited to: a) External users b)
Internal users c) Relevant agencies

External users are as follows (not limited to):
a) Public vehicle operators (buses, taxis, freight vehicles)
b) Vehicle licensees (sightseeing bus)
c) Intermediary business licensee
d) Terminal licensee
e) Train operator
f) Taxi Driver
g) Intermediary business Agent
Tenderer MUST provide at least 1 set of training / reference materials
for each type of operator.

Internal users are as follows (not limited to): a) Process Officer
b) Counter Officer c) Supervisor d) Approval e) Management f) Finance
Officer g) IT Officers

Users of relevant agencies are as follows (not limited to): a)
JPJ Enforcement b) PUSPAKOM

The tenderer MUST take note that the materials / documents
provided will be used as a reference by officers and
also by external users of this system. The tenderer MUST ensure that the
training / reference materials are produced specifically for the use of
each agency - APAD, LPKP Sabah and LPKP Sarawak. Any differences /
variations of the system between the three Agencies need to be detailed.

Tenderer MUST ensure that training / reference materials are produced
bilingually - in Bahasa Malaysia and English.

Tenderers MUST take note that all content of the
training and reference materials will be discussed during the user
requirements study session and MUST be approved before the material is
finalized / printed.

4.4 User and Customer Training    Activity unit 1 1

Tenderers must provide adequate and unlimited training
to the Government, Stakeholders, operating companies, taxi drivers and
users (including government agencies) of the i-SPKP system. Please complete
Appendix A4: Change Management and Training.

Tenderer must explain the following requirements (not limited to)
for training and ToT:
a) Approaches and strategies
b) Activities that will be implemented
c) Submission for training and ToT
d) Involvement that is required on the part of the Government
e) Proposed implementation schedule
f) Others
(Please complete Appendix A1: Proposed i-SPKP System Development)

The tenderer must include a detailed description of the
training materials to be used for this project:
a) Types of training and materials for training and ToT
b) Equipment and hardware for training and ToT
c) The environment required for training and ToT, such as computer
laboratories, conference rooms, etc. (if necessary)
(Please complete Appendix A1: Proposed i-SPKP System Development)

Tenderers should provide manuals and documentation for all
training and ToT. The tenderer shall ensure that all training and
ToT materials are complete and submitted to the Government
at least 2 weeks before the proposed training date. The tenderer
can only proceed with training / ToT after obtaining consent
from the Government. The tenderer is responsible for providing the
environment for training and ToT. This includes the provision of the
equipment and hardware, software and data required.

Training and ToT schedules should be implemented in stages to
ensure that the day-to-day operations of the Government are not affected.

Tenderers are responsible for training internal users when
there are major changes in the system (if necessary). Re-training
involves only such changes.

The training period (especially for Government personnel) shall be
finalized jointly by the tenderer and the Government. The training
period shall be appropriate and shall assist the Government to
use the system effectively.

If more than 30% of the participants are dissatisfied with the training,
the tenderer needs to improve the training module and carry out
re-training at no cost.

Consumer Training (External): Tenderers should develop training
modules for target users (not limited to):
a) Public vehicle operators (buses, taxis, freight vehicles)
b) Vehicle licensees (sightseeing bus)
c) Intermediary business licensee
d) Terminal licensee
e) Train operator
f) Taxi Driver
g) Intermediary business Agents

Tenderers MUST recommend training schedules for users and
customers, which need to be detailed in Appendix A5 - Consumer Training
Clients. The purpose of the training session is to provide introductory
training to operators / licensees on how to use the
iSPKP system.

Tenderer MUST provide training needs for target users
(not limited to) as follows:

APAD: Estimated 16 sessions, 1 session maximum 100 people. Session location
at least in 4 locations, namely North (Penang), Central (Klang Valley),
South (Johor Bahru), East (Kuala Trengganu).

LPKP Sabah: Estimated 4 sessions, 1 session maximum 100 people.
Session location at least 3 branches (Kota Kinabalu, Sandakan and Tawau).

LPKP Sarawak: Estimated 4 sessions, 1 session maximum 100 people.
Session locations at least 3 branches (Kuching, Miri and Sibu).

The tenderer must bear all training costs including meals and
drinks for the participants. Training locations are proposed at government premises.

Tenderers MUST note that all training modules,
including reference material, will be discussed during the user needs
study session and MUST be approved by the Government before the material
is finalized / training is implemented.

Consumer Training (Internal): Training for Officers of APAD, Sabah CVLB,
Sarawak CVLB and Related Agencies. Tenderer should develop training
modules for target users (not limited to): a) Process Officer b)
Counter Officer c) Supervisor d) Approval e) Management f) System Administrator g)
Module Administrator i) Financial Officer

Tenderer MUST recommend a training schedule for officers of APAD,
Sabah CVLB, Sarawak CVLB and other related agencies, (not
limited to) JPJ, Puspakom, SSM and others, which needs to be detailed
in Appendix A5 - Customer Consumer Training. The purpose of the training
session is to provide introductory training to licensing officers of
APAD, Sabah CVLB, Sarawak CVLB and other related agencies
on how to use the iSPKP system.

The tenderer MUST provide training requirements for the number of
participants (not limited to) as follows:

APAD: Estimated 20 sessions, 1 session at least 25 people. Training
location at least at 4 (North (Penang), Central (Klang Valley), South
(Johor Bahru), East (Kuala Trengganu)).

LPKP Sabah: Estimated 6 sessions, 1 session at least 20 people.
Training Location: Sabah.

LPKP Sarawak: Estimated 6 sessions, 1 session at least 25 people.
Training Location: Sarawak.

Other Related Agencies: Estimated 4 sessions, 1 session of at least
30 people. Training Location: Klang Valley.

Tenderer must bear all training costs, including food and drink for the
participants. Priority will be given to holding these sessions at
Government-owned premises / locations.

Tenderers MUST note that all training modules and
references will be discussed during the user needs review session and
MUST be approved before the material is finalized / training is implemented.

Train the Trainer: Tenderer MUST suggest a training schedule for the
Train-The-Trainer (TTT) program for APAD, LPKP Sabah and LPKP
Sarawak officers, which needs to be detailed in Appendix A5 - Consumer
Training Customers. The purpose of the TTT program is to train
APAD, Sabah CVLB and Sarawak CVLB officers to be skilled and credible
enough to train and mentor other officers at
their respective agencies on how to use the iSPKP system.

The tenderer MUST provide training requirements for the number of
participants (not limited to) as follows: Estimated 5 sessions, 1 session
at least 10 people, 1 session for at least 5 days

Tenderers MUST note that all training modules and
references will be discussed during the user needs review session and
MUST be approved by the Government before the material is finalized or
training is implemented.

4.5 Technical Training    Activity unit 1 1

Training and ToT for IT personnel should include (not limited to):
a) Operation, administration and maintenance of each item of hardware
and software
b) Database administration and maintenance
c) Administration and maintenance of operating systems
d) Backup and restore
e) Development tools
f) Reporting tools
g) Basic / Intermediate troubleshooting
h) Others

The tenderer should describe the training approach taken to
ensure that IT personnel (not limited to):
a) Understand the overall picture, setup and functions of the system
b) Understand the main and supporting functions of the system
c) Are able to install, operate and maintain the system
d) Are able to fine tune and configure the system
e) Understand system specifications and configuration
f) Others (Please specify)

Tenderers MUST recommend technical training schedules for officers of
APAD, Sabah CVLB and Sarawak CVLB, which need to be detailed in
Appendix A5 - Customer Consumer Training


Tenderer MUST provide comprehensive technical training for the
technology used for i-SPKP development, (not limited to) the
following: a) Framework b) Database c) BI Tools d) Mobile Application

The tenderer MUST provide training requirements for the number of
participants (not limited to) as follows: Estimated 4 sessions, 1 session
at least 5 people, 1 session at least 5 days

Tenderers MUST note that all training modules and
references will be discussed during the user needs review session and
MUST be approved by the Government before the material is finalized or
training is implemented.

Certified Technical Training (Certified Training): Tenderer MUST
recommend a Certified Technical Training schedule for
APAD, Sabah CVLB and Sarawak CVLB officers, which needs to be
detailed in Appendix A5 - Customer Consumer Training

The tenderer MUST provide a variety of technical training, (not limited
to) the following:
a) Project Management Professional (at least 5 people)
b) CompTIA Server+ (at least 2 people)
c) CompTIA Security (at least 2 people)
d) Certified Information Systems Security Professional Prep Course (CISSP)
(at least 3 people)
e) SEC542 - GWAPT Web App Penetration Testing and Ethical Hacking
(at least 1 person)

4.6. Technology Transfer    Activity unit 1 1

Tenderer MUST recommend a technology transfer /
transfer of technology (TOT) training schedule for APAD, Sabah CVLB and
Sarawak CVLB, which needs to be detailed in Appendix A5 - Training
Customer Users

The tenderer MUST provide training requirements for the number of
participants (not limited to) as follows: Estimated 6 sessions, 1 session
maximum 15 people, 1 session for at least 3 days

Tenderers MUST note that all training modules and
references will be discussed during the user needs review session and
MUST be approved by the Government before the material is finalized or
training is implemented.

4.7 Secure Posture Assessment (SPA)    Activity unit 1 1

Successful tenderers MUST appoint a third party to
conduct SPA activities, subject to the following conditions:
(a) The third party is not involved in the development and implementation
of the i-SPKP project;
(b) The third party has no relationship with the tenderer
in terms of management, finance and ownership (shares);
(c) The third party to be appointed MUST be approved by the Government;
(d) The appointed third party MUST have recognized qualifications,
i.e. hold one of the following certificates:
(i) GIAC Penetration Tester (GPEN);
(ii) GIAC Web Application Penetration Tester (GWAPT);
(iii) GIAC Exploit Researcher and Advanced Penetration Tester (GXPN);
(iv) CompTIA Security+;
(v) EC-Council Certified Ethical Hacker (CEH);
(vi) EC-Council Certified Security Analyst (ECSA); or
(vii) Offensive Security Certified Professional (OSCP).

Successful tenderers MUST meet the following conditions:
(a) Submit to the Government a copy of the certificate of the third party
implementing the SPA;
(b) The appointed third party shall have
at least seven (7) years of experience in ICT security;
(c) The third party appointed to implement the SPA will report directly
to the Government Project Manager; and
(d) The appointed third party shall carry out SPA activities during project
implementation to ensure that the configurations and systems developed
are safe to use.

The tenderer is required to perform a vulnerability assessment
as a security assessment activity on the i-SPKP applications and the
ICT infrastructure related to them before go-live. This activity
shall also cover, and not be limited to:
a) Network Penetration Testing Assessment;
b) Web Application Security Assessment:
   i. SQL Injection
   ii. Broken Authentication and Session Management
   iii. Cross-Site Scripting (XSS)
   iv. Insecure Direct Object References
   v. Security Misconfiguration
   vi. Sensitive Data Exposure
   vii. Missing Function Level Access Control
   viii. Cross-Site Request Forgery (CSRF)
   ix. Using Components with Known Vulnerabilities
   x. Unvalidated Redirects and Forwards
c) Database Security Assessment
d) Host Assessment
e) Web service (API) assessment
f) Other activities as stated in General Circular Letter No. 3 of 2009 -
Public Sector Network and ICT System Security Level Guidelines
g) SPA results report and documentation

Tenderer MUST provide a comprehensive report that
includes all findings from all assessments. The report
shall contain the following:
a. Decisions and / or findings of the assessments involved.
b. Suggestions for correcting deficiencies in security controls and
reducing or eliminating the identified weaknesses.

The report format SHOULD include the following, not limited to:
a. Executive summary
b. Objectives of assessment
c. Scope of work
d. Methodology used
e. Tools that have been used
f. Every single output of the assessment performed

The appointed third party / other company / external consultant shall
prepare one (1) detailed report on the implementation of the SPA and
one (1) executive summary report for top management.
The SPA activity report must be presented to the Government.

Tenderers are required to carry out corrective and strengthening activities
on the findings of the SPA Report at no cost to the Government.

Tenderers are required to perform a post-assessment test after the
correction and strengthening activities are implemented, until all
Medium, High and Critical risk weaknesses are rectified.
