S 2.81 Preselection of a suitable standard software product

Initiation responsibility: Procurer

Implementation responsibility: Procurer, Head of IT Section, Specialist Department

The preselection of a standard software product is based on the Requirements Catalogue drawn up by the Specialist Department and the IT Area. First, the body responsible for preselection should conduct a market analysis and draw up a tabular market overview based on the Requirements Catalogue. This table should comment on the products in question with regard to the points stipulated in the Requirements Catalogue.

The market overview should be drawn up by the IT Area. It can be compiled using product descriptions, declarations by the manufacturer, journals or information from retailers. Alternatively, an invitation to tender is possible and occasionally required. The Requirements Catalogue should be the basis of such an invitation to tender so that a market overview can be drawn up using the offers received.

Finally, the products contained in the market overview must be compared with the points contained in the Requirements Catalogue. To do this, the assessment scale in S 2.80 Drawing up a Requirements Catalogue for Standard Software can be used. On the basis of this information, it is determined which of the required product features are in place. In the event that certain required features are missing, the product is rejected. A total can be determined using the assessment of the importance of the various features of the products. A list of the most favourable products can then be drawn up based on these totals.

Example:

The features for a compression program as stated in the Requirements Catalogue are weighted as follows:

As a result, Product 3 is excluded as a necessary feature is not available. The most favourable product is thus Product 2, followed by Product 1 and 4.

This list and the market overview should then be submitted to the procurer so that he can check how far the products comply with internal and legal regulations. The procurer must also ensure that the other bodies whose stipulations must be adhered to, such as the Data Privacy Officer, the IT Security Officer or the Staff / Works Council, are involved in good time.

It must be decided how many and which candidates on the list should be tested. For obvious reasons the first two or three product leaders should be selected and tested as to whether they actually fulfil the most important criteria of the Requirements Catalogue. This is particularly important with regard to the necessary requirements. Test licences should be obtained and tests carried out as described in S 2.82 Developing a test plan for Standard Software and S 2.83 Testing Standard Software.

Besides to the criteria of the Requirements Catalogue, the decision can be based on the following points:

• References

If the manufacturer or distributor can provide reference installations for his product, the experience of this user can be included in the assessment of the product.

In the event that external test results or quality assurances are available for the software product (e.g. test results in journals, conformity tests according to accepted standards, tests and certificates according to relevant standards and norms, such as ISO 12119), these results should be taken into consideration during the preselection process.

• Product popularity

In the event that the product is widely spread, the individual user has little or no influence on the product manufacturer as far as troubleshooting or the implementation of certain functions is concerned. He can assume, however, that the product is further developed. There are often external tests carried out by journals or commissioned by the manufacturer. With popular products, weaknesses are generally more widely known which means that the user can assume that most weaknesses are already known and that the knowledge concerning weaknesses and remedies is distributed quickly, i.e. he can obtain help.

In case of a low degree of popularity, a user can have more influence on the manufacturer. External tests are generally not available as these are too expensive and time-consuming for products from small manufacturers. Products with a low degree of popularity do not usually contain more errors than those which are widely spread. The disadvantage is that these errors are often not detected as quickly, thus allowing swift elimination. If security breaches are involved, however, these are probably not known to potential attackers or they are not worthwhile targets.

• Cost-effectiveness / costs for purchase, operation, maintenance and training

Before the decision to purchase a certain product is taken, the following question should always be asked: Is the cost of the product proportionate to the benefits of the product? In addition to the initial purchase costs, the costs for operation, maintenance and training should be considered. It should be clarified, for example, whether the existing hardware platform has to be updated or whether training is needed for installation and operation.

When the decision has been taken to purchase a product, it should obviously be purchased from the least expensive supplier. This may have become clear from the market research.

Additional controls:

• Which provisions are in force?

• Does the selected software offer all functions stated in the Requirements Catalogue?

• Is the product compatible with the current IT infrastructure?

• Which additional costs are to be expected for training and maintenance, for example?

• Can installation and operation be carried out by existing staff, is additional staff necessary or does external advice have to be obtained?