Awarded to THOUGHT QUARTER LTD

Start date: Monday 11 April 2022
Value: £75,000
Company size: SME
University of Chester

Full Bespoke Applications Review with Remediation

5 Incomplete applications

5 SME, 0 large

11 Completed applications

11 SME, 0 large

Important dates

Published
Monday 14 February 2022
Deadline for asking questions
Monday 21 February 2022 at 11:59pm GMT
Closing date for applications
Monday 28 February 2022 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
We require a team to analyse and document the integrations and processes for several bespoke applications. These are built using PHP (also Laravel). We require these documented from an integration, process and security perspective and appropriate coding standards and fixes applied, once agreed, to any security concerns identified.
Latest start date
Monday 14 March 2022
Expected contract length
Location
No specific location, for example they can work remotely
Organisation the work is for
University of Chester
Budget range

About the work

Why the work is being done
This exercise is to enable us to give assurance to senior management that our bespoke applications estate is documented, fit for purpose, aligns with standard coding practice, has been subject to rigorous testing and is secure. The work needs to be completed as soon as practicable.
Problem to be solved
The identification, analysis and documentation of the processes of each bespoke application, in order to be able to audit the applications and to improve coding standards and security where appropriate.
Who the users are and what they need to do
Various users of multiple bespoke applications across the institution. As recently appointed Head of Applications I need to be able to assure my senior management that the bespoke estate is secure, documented, fit for purpose, aligns with standard coding practice and has been subject to rigorous testing.
Early market engagement
Any work that’s already been done
Existing team
We currently have a technical team with responsibility for the organisation’s business systems (including these bespoke applications). The team have the capability to understand PHP and SQL. However, due to a number of vacancies within the team, we are looking to plug this resource gap.
Current phase
Discovery

Work setup

Address where the work will take place
Remotely via VPN and RDP
Working arrangements
The individual/team will work remotely over VPN and RDP to connect to our systems. Access will be given to the front-end system to review and test the processes, and to the back-office systems (code and DBs).
Access will initially be limited due to security and opened on a request-by-request basis. We will have members of the Team available to talk through permissions and processes as and when needed.
Security clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate previous experience in analysing existing bespoke PHP/Laravel applications
  • Demonstrate previous experience in documenting existing bespoke PHP/Laravel applications
  • Demonstrate previous experience in remediating risks identified in existing bespoke PHP/Laravel applications
  • Demonstrate previous experience in process analysis of existing bespoke PHP/Laravel applications
Nice-to-have skills and experience

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
10
Proposal criteria
  • How they identified risks and dependencies and offered approaches to manage them
  • Approach and methodology
  • Technical solution
  • Value for money
Cultural fit criteria
  • work as a team with our organisation
  • take responsibility for their work
  • share knowledge and experience with our team members
  • have a no-blame culture and encourage people to learn from their mistakes
Payment approach
Time and materials
Additional assessment methods
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence

75%

Cultural fit

5%

Price

20%

Questions asked by suppliers

1. Do you have an anticipated budget for this?
The initial budget is between £50,000 and £75,000. However, we appreciate that there may be potential issues yet to be discovered, so the full scope of the project is unknown. There is contingency for such a situation.
2. Expected length of the contract?
Again, the full scope of the project is unknown but we anticipate a maximum of three months.
3. Are these applications in version control (e.g. GitHub, Bitbucket, GitLab)? And is it possible for us to gain access to this as part of this project?
None of these applications are currently under version control.
4. Have you undertaken security penetration tests on any of these applications in the past?
Not to the best of our knowledge.
5. Do you have an agreed coding standard used for PHP applications or do you need us to recommend one (e.g. PSR-2)?
Unfortunately no coding standard currently exists, so any recommendations would be helpful.
6. Do you have an established security policy or guidelines for digital services?
With regards to the bespoke applications there are no current security policy or guidelines for digital services. Any assistance in this area would be helpful.
7. Do you also require your hosting platform to be audited and reviewed as part of this project?
Yes, that would definitely be helpful.
8. How many bespoke applications are expected to be in scope?
We have identified circa 20 priority applications; there are approximately a further 20 which will require investigation.
9. Can you confirm what these bespoke applications are being used for?
They are being used for a myriad of services supporting the running of the University.
10. What version(s) of Laravel and PHP are the applications running?
Across the applications we are running various versions:
Laravel - versions 5 to 9
PHP - versions 5 to 8
11. To ensure we fully understand your needs could we ask for an extension of 1-2 days on the questions deadline please?
We are available and responding within appropriate timescales to any questions; for this reason we are unable to extend the Q&A period.
12. Does ‘a process perspective’ refer to: a) the input/output & transformations that the applications apply to data, b) the business processes that the applications support or c) the administrative processes underlying the support & operation of the applications?
Dependent upon the application in question it could be all three but in most cases a) and c).
13. An objective of assuring rigorous testing is mentioned, but this is not included in the work summary. Is testing required? If so, what is its scope, eg functional, performance, security?
The scope will be concentrated mainly on security in order to give assurance to senior management that our systems are secure.
14. Please could you share the planned timescales for the proposal submission for suppliers successfully shortlisted?
• Applications are open until 28 February
• All questions will be answered by 25 February
• Shortlisting will take place 01 to 03 March
• Evaluation will take place between 07 to 18 March
15. Please could you share the planned timescales for the proposal submission for suppliers successfully shortlisted?
• Applications are open until 28 February
• All questions will be answered by 25 February
• Shortlisting will take place 01 to 03 March
• Evaluation will take place between 07 to 18 March
16. What are the job roles of the evaluation panel please?
• Head of Applications & Projects
• Head of Strategy & Architecture
• Information Systems Manager
• Senior Web Developer
17. Please expand on your procurement process, what will the shortlisted firms need to do in the next phase e.g. evaluation will take place between 07 to 18 March. – What will this evaluation entail exactly?
Buyers will be interviewed via MS Teams (45 mins max) and questioned with regard to their submission:
1. A short presentation (10 to 15 mins, PowerPoint (to be shared post presentation)) showing their background, previous experiences, approach and methodology. For example,
a. What challenges you faced and the way you addressed them?
b. How you defined and measured success?

2. Q&A regarding the presentation
3. General Q&A session
18. When do you expect this work to be completed?
We are currently working on the assumption that it should take no more than 3 months.
19. Please expand on your procurement process, what will the shortlisted firms need to do in the next phase e.g. evaluation will take place between 07 to 18 March. – What will this evaluation entail exactly?
Please note that during the evaluation a reference site's contact details will be requested and this will be followed up after the meeting.