request for proposal (rfp) for selection of it security · pdf filerequest for proposal (rfp)...

Document Type: Public of 103

IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai

RFP for Selection of IT Security Systems Integrator for Security Operations Centre RFP Ref No: BCC:CISO:RFP:104/01 Date : 15 March 2012

REQUEST FOR PROPOSAL (RFP)

FOR

SELECTION OF IT SECURITY SYSTEMS INTEGRATOR

FOR

SECURITY OPERATIONS CENTRE

RFP Reference No. BCC: CISO: RFP:104/01

Date : 15 March 2012

Bank of Baroda,

Baroda Corporate Centre,

C-26, G Block, Bandra Kurla Complex

Bandra (East),

Mumbai - 400 051.




Important Dates:

Sr. No.

Particulars Dates and Timelines

1 Issuance of RFP document by the Bank

00:00 hours on 15th March 2012

2 Last date of submission of any queries and Last date for reporting any error, omissions or faults in the RFP document


3 Pre-bid Meeting date/venue 15:00 hours on 03rd April 2012. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051

4 Last Date of submission of RFP response

15:00 hours on 17th April 2012

5 Technical bid opening date / time / venue

16:00 hours 17th April 2012 Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051

All times shown above are Indian Standard Time

Important Clarifications:

Following terms are used in the document interchangeably to mean:

Bank means “Bank of Baroda (including domestic operations, overseas operations, Overseas & Indian subsidiaries & Associate Banks)”

BCC means “Baroda Corporate Centre”.

BST means “Baroda Sun Tower”.

Security Systems Integrator(SSI), Recipient, Respondent, Bidder and Vendor generally means “Respondent to the RFP document” unless context specifies otherwise.

SIEM means Security Information and Event Management

DAM means Database Activity Monitoring

VA/VM means Vulnerability Assessment/Vulnerability Management

EPS means Events per second

DC means Bank‟s Data centre at Mumbai.

DR, DRS means Bank‟s Disaster Recovery centre at Hyderabad.

RFP means this “RFP document”




TABLE OF CONTENTS

SECTION – I ........................................................................................................................................................................ 5

1.1 INTRODUCTION AND DISCLAIMER .............................................................................................................. 5

1.2 INORMATION PROVIDED ................................................................................................................................. 5

1.3 FOR RESPONDENT ONLY ................................................................................................................................. 5

1.4 CONFIDENTIALITY ............................................................................................................................................ 5

1.5 DISCLAIMER ........................................................................................................................................................ 6

1.6 ELIGIBILITY CRITERIA. ................................................................................................................................... 6

1.7 COSTS BORNE BY RESPONDENTS .................................................................................................................. 6

1.8 NO LEGAL RELATIONSHIP .............................................................................................................................. 7

1.9 RECIPENT OBLIGATION TO INFORM ITSELF ............................................................................................ 7

1.10 EVALUATION OF BIDS .................................................................................................................................. 7

1.11 ERRORS AND OMISSIONS ............................................................................................................................ 7

1.12 ACCEPTANCE OF TERMS ............................................................................................................................. 8

1.13 RFP RESPONSE TERMS ................................................................................................................................. 8

1.14 NOTIFICATIONS ............................................................................................................................................ 13

1.15 DISQUALIFICATION..................................................................................................................................... 13

1.16 ERASINGS OR ALTERATIONS ................................................................................................................... 13

1.17 RIGHT TO REJECT BIDS ............................................................................................................................. 13

1.18 PROCESS & TIMEFRAME ........................................................................................................................... 14

1.19 OTHER TERMS AND CONDITIONS ........................................................................................................... 15

SECTION – II..................................................................................................................................................................... 16

2.1 BANK OF BARODA-INTRODUCTION ........................................................................................................... 16

2.2 PROJECT OBJECTIVE ...................................................................................................................................... 16

2.3 PROJECT SCOPE ................................................................................................................................................ 17

2.4 DELIVERABLES ................................................................................................................................................. 23

2.5 SERVICE LEVEL AGREEMENT ..................................................................................................................... 24

2.6 DEPLOYMENT ARCHITECTURE ................................................................................................................... 26

2.7 PROJECT TIMELINES ...................................................................................................................................... 27

2.8 DETAILS OF INFRASTRUCTURE AT BANK’S DC/DR ............................................................................... 28

SECTION – III ................................................................................................................................................................... 29

3.1 GENERAL TERMS AND CONDITIONS .......................................................................................................... 29

SECTION – IV ................................................................................................................................................................... 39

ANNEXURE-A : ELIGIBILITY CRITERIA.................................................................................................................. 39

ANNEXURE-B : SECURITY SYSTEM INTEGRATOR’S SELECTION/ EVALUATI-ON PROCESS ................. 42

ANNEXURE-C : COMPLIANCE CERTIFICATE ........................................................................................................ 46

ANNEXURE-D : TECHNICAL BID FORMAT ............................................................................................................. 47

ANNEXURE-E : SOC SOLUTIONS’ SPECIFICATIONS ............................................................................................ 51

ANNEXURE-F : PROFILE OF ONSITE MANPOWER AT DC & DR ....................................................................... 85




ANNEXURE-G : EXPERIENCE DETAILS ................................................................................................................... 88

ANNEXURE-H : PROPOSED TEAM PROFILE .......................................................................................................... 89

ANNEXURE-I : ESTIMATED EFFORT AND ELAPLSED TIME ............................................................................. 90

ANNEXURE-J : OEM DETAILS ..................................................................................................................................... 91

ANNEXURE-K : MANUFACTURER AUTHORIZATION FORM ............................................................................. 92

ANNEXURE-L : OEM SIZING CONFIRMATION ..................................................................................................... 93

ANNEXURE-M : COMMENTS ON TERMS & CONDITIONS & SERVICES/PRE BID QUERY FORMAT....... 94

ANNEXURE-N : COMMERCIAL BID FORMAT ........................................................................................................ 95

ANNEXURE-O : BILL OF MATERIAL ....................................................................................................................... 103




SECTION – I

1.1 INTRODUCTION AND DISCLAIMER

This Request for Proposal document (“RFP”) has been prepared solely to enable Bank of Baroda (“Bank”) in the selection of Security system Integrator through tender for setting up and operations of Security Operations Centre for the Bank, including its branches, subsidiaries, overseas branches etc.

The RFP document is not a recommendation, offer or invitation to enter into a contract, agreement or other arrangement in respect of the product and services. The provision of the product and services is subject to observance of selection process and appropriate documentation being agreed between the Bank and any successful Bidder as identified after

completion of the selection process as detailed in Annexure-B on Security System Integrator‟s Selection/Evaluation Process.

1.2 INORMATION PROVIDED

The RFP document contains statements derived from information that is believed to be true and reliable at the date obtained but does not purport to provide all of the information that may be necessary or desirable to enable an intending contracting party to determine whether or not to enter into a contract or arrangement with Bank in relation to the provision of services. Neither Bank nor any of its directors, officers, employees, agents, representative, contractors, or advisers gives any representation or warranty (whether oral or written), express or implied as to the accuracy, updating or completeness of any writings, information or statement given or made in this RFP document. Neither Bank nor any of its directors, officers, employees, agents, representative, contractors, or advisers has carried out or will carry out an independent audit or verification or investigation or due diligence exercise in relation to the contents of any part of the RFP document.

1.3 FOR RESPONDENT ONLY

The RFP document is intended solely for the information of the party to whom it is issued (“the Recipient” or “the Respondent”) i.e. Government Organization/PSU/PSE/ limited Company/partnership firm or an autonomous institution approved by GOI/RBI promoted. The RFP document can be downloaded from the Bank‟s corporate website ww.bankofbaroda.com

1.4 CONFIDENTIALITY

This document is meant for the specific use by the Respondents interested to participate in the current tendering process. This document in its




entirety is subject to Copyright laws. Bank expects the Bidders or any person acting on behalf of the Bidders to strictly adhere to the instructions given in the document and maintain confidentiality of information shared with them. The Bidders will be held responsible for any misuse of the information contained in the document and liable to be prosecuted by the Bank in the event of such a circumstance is brought to the notice of the Bank. By downloading the document, the interested party is subject to confidentiality clauses. Bank may update or revise the RFP document or any part of it. The Recipient acknowledges that any such revised or amended document shall be received subject to the same confidentiality terms.

The Recipient will not disclose or discuss the contents of the RFP document with any officer, employee, consultant, director, agent, or other person associated or affiliated in any way with the Bank or any of its customers or suppliers without prior written consent of the Bank.

1.5 DISCLAIMER

Subject to any law to the contrary, and to the maximum extent permitted by law, Bank and its directors, officers, employees, contractors, representatives, agents, and advisers disclaim all liability from any loss, claim, expense (including, without limitation, any legal fees, costs, charges, demands, actions, liabilities expenses or disbursements incurred therein or incidental thereto) or damage (whether foreseeable or not) (“Losses”) suffered by any person acting on or refraining from acting because of any presumptions or information (whether oral or written and whether express or implied), including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it whether or not the Losses arises in connection with any ignorance, negligence, inattention, casualness, disregard, omission, default, lack of care, immature information, falsification or misrepresentation on the part of Bank or any of its directors, officers, employees, contractors, representatives, agents, or advisers.

1.6 ELIGIBILITY CRITERIA.

SSI who wish to bid should conform to the Eligibility Criteria as per Annexure-A : Eligibility Criteria except for clause nos 3 & 4. For meeting the eligibility criteria, 29.02.2012 would be considered as the date on which the Bidder should be eligible.

1.7 COSTS BORNE BY RESPONDENTS

All costs and expenses (whether in terms of time or money) incurred by the Recipient / Respondent in any way associated with the development, preparation and submission of responses, including but not limited to attendance at meetings, discussions, demonstrations, presentation etc. and




providing any additional information required by Bank, will be borne entirely and exclusively by the Recipient / Respondent. Stamp duty that may be incurred towards entering in to agreement with the successful Bidder for awarding the contract will be shared by the Bank and the successful Bidder in equal proportion.

1.8 NO LEGAL RELATIONSHIP

No binding legal relationship will exist between any of the Recipients / Respondents and the Bank until execution of a contractual agreement to the full satisfaction of the Bank.

1.9 RECIPENT OBLIGATION TO INFORM ITSELF

The Recipient must apply its own care and conduct its own investigation and analysis regarding any information contained in the RFP document and the meaning and impact of that information.

1.10 EVALUATION OF BIDS

The evaluation of the bids will be done as per evaluation criteria mentioned in Annexure-B “SECURITY SYSTEM INTEGRATOR‟S SELECTION/EVALUATION PROCESS” of this RFP document. The Bidders who do not qualify the eligibility criteria as stipulated under Annexure-A will not be considered for technical evaluation. A Bidder not eligible under Technical Bid will not be considered for opening of Commercial Bid.

However each Recipient acknowledges and accepts that the Bank may, in its sole and absolute discretion, apply whatever criteria it deems appropriate in the selection of organizations, not limited to those selection criteria set out in this RFP document.

The issuance of RFP document is merely an invitation to offer and must not be construed as any agreement or contract or arrangement nor would it be construed as material for any investigation or review to be carried out by a Recipient. The Recipient unconditionally acknowledges by submitting its response to this RFP document that it has not relied on any idea, information, statement, representation, or warranty given in this RFP document.

For meeting the requirements of eligibility criteria, 29.02.2012 would be considered as the date on which the Bidder should be eligible. For

Technical Evaluation criteria the date on the basis of which marks would be given would be 29.02.2012.

1.11 ERRORS AND OMISSIONS

Each Recipient should notify the Bank of any error, fault, omission, or discrepancy found in this RFP document upto 17:00 hrs IST 26th March




2012 as per the enclosed Annexure „M‟.

1.12 ACCEPTANCE OF TERMS

The Recipient will, by responding to the Bank‟s RFP document, be deemed to have accepted the terms as stated in this RFP document.

1.13 RFP RESPONSE TERMS

1.13.1 Application Money & Earnest Money

The Bidder will be required to submit Application Money of Rs.25,000/-(Rupees Twenty Five Thousand) by way of Banker‟s Cheque/Demand Draft/Pay Order favoring Bank of Baroda, Payable

in Mumbai, which is non refundable, must be submitted separately along with RFP response.

Earnest Money Deposit of Rs 10,00,000/- (Rupees Ten Lakhs only) has to be submitted by way of Demand Draft / Banker's Cheque / Pay Order drawn in favor of "Bank of Baroda” payable in Mumbai. Earnest Money Deposit will not carry any interest. The Earnest Money Deposit of unsuccessful Bidders will be refunded while intimating the rejection of the bid. The Earnest Money Deposit of the successful Bidder will be adjusted towards security deposit.

Application Money and Earnest Money Deposit should be delivered separately along with the sealed envelopes containing RFP responses and the Application Money and Earnest Money documents should not be put inside the sealed envelope containing RFP Response documents.

RFP document should be downloaded from the Tenders Section of the Bank‟s website, http://www.bankofbaroda.com.

The Earnest Money Deposit will be forfeited if:

The Bidder withdraws his tender before processing of the same.

The Bidder withdraws his tender after processing but before acceptance of “Work Order” to be issued by the Bank, in case the Bidder is selected by the Bank.

The selected Bidder withdraws his tender before furnishing Bank Guarantee/Security Deposit as required under this RFP.

The Bidder violates any of the provisions of the terms and conditions of this RFP specification.

If the selected Bidder fails to enter into the contract agreement with the Bank within 15 days of issuing the Work Order.




1.13.2 RFP Closing Date

RFP Response should be submitted to the officials indicated below not later than 15:00 hrs IST (Indian Standard Time) on 17th April 2012.

1.13.3 Format of Bids

The Bidders should use the formats prescribed by the Bank in the RFP for submitting both technical and commercial bids. Any deviation in this regard entails the Bidder for disqualification.

1.13.4 Submission of Bid

-2- Sets of Technical and -2- sets of Commercial Bids in separate sealed envelopes (Total -4- sealed envelopes – two sealed envelops for technical bid and 2 sealed envelopes for commercial bid) should be submitted. In addition Application money and Earnest Money Demand Drafts / Pay Orders which should be in a separate unsealed envelope should be submitted before the RFP closing date and time. The sealed envelopes containing technical proposal should be superscribed as “TECHNICAL PROPOSAL for Selection of Security Systems Integrator for setting up of Security Operations Centre” and the sealed envelopes containing the commercial proposal should be superscribed as “COMMERCIAL PROPOSAL for Selection of Security Systems Integrator for setting up of Security Operations Centre”. The e-mail address and phone/fax numbers of the Bidder should also be indicated on the sealed envelopes.

The soft copy of the technical proposal in MS-Word / Excel format should also be submitted in a CD along with hard copy of the technical proposal. It should be noted that in case of any discrepancy observed in information submitted by the Bidder in hard-copy and soft-copy, the hard-copy will be given precedence. However, in case of non-submission of any hard copy document, if the same is found submitted in the soft-copy and vice-versa, Bank reserves right to accept the same at its discretion.

The Bidder shall submit the proposals properly filed so that the papers are not loose. The Bidder shall submit the proposal in suitable file such that the papers do not bulge out and tear during scrutiny. All the pages of the proposal including documentary proofs

should be numbered as “Page ____ (current page) of _____ (Total pages)" and be signed by authorized signatory. The current page number should be a unique running serial number across the entire proposal.




List of Contents for Technical Bid:

The Technical Proposal should be as per the requirement of the Bank in prescribed formats as follows:

a. Index of contents submitted.

b. Compliance Certificate as per Annexure-C.

c. Technical Bid Format as per Annexure-D

d. SOC Solutions‟ Specifications Compliance as per Annexure-E

e. Profile of Onsite Manpower Compliance as per Annexure-F

f. Experience Details as per Annexure-G

g. Proposed Team Profile as per Annexure-H

h. Estimated Effort and Elapsed time as per Annexure-I

i. OEM Details as per Annexure-J

j. Manufacturer Authorization Form as per Annexure-K

k. OEM Sizing confirmation as per Annexure-L

l. Comments on Terms and Conditions & Services/ Pre Bid Query format as per Annexure-M

m. Masked Copy of Commercial Bid as per Annexure-N (i.e. a copy of the Commercial Bid without price figures)

n. Bill of Material as per Annexure-O

o. SIEM Solution detailed technical specification

p. Proposed deployment methodology and upgrade plan based on increase in EPS and storage requirements

q. Proposed SOC operations plan.

r. All the copies of certificates, documentary proofs, work orders, brochures etc should be clearly marked.

s. A CD containing soft copy of the technical proposal.

List of Contents for Commercial Bid

a. Commercial Bid as per Annexure-N.

RFP Response should be addressed to:

The Chief Information Security Officer 2nd Floor, Risk Management Department Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), Mumbai 400 051.




RFP Response/Bids in the sealed envelopes as detailed above must be hand delivered to the Bank at the following address :

P.S.Rashtrawar(CISO) or Punit Kumar (Senior Manager-IT Security), IT Security Cell, Risk Management Dept, Bank of Baroda, 2nd Floor, Baroda Corporate Centre, C-26, G Block, Bandra Kurla Complex, Mumbai-400051.

Submission of bids by any mode other than hand delivery to the officials mentioned above is not allowed and will be considered invalid.

Bids submitted not as per the process and terms specified above will be rejected.

1.13.5 Registration of RFP

Registration of RFP response will be effected by the Bank by making an entry in a separate register kept for the purpose, upon receiving the RFP response in the above manner as detailed in this RFP. The RFP response must contain all documents, information, and details required by this RFP. If the submission to this RFP does not include all the documents and information required or is incomplete or submission is through Fax mode or e-mail or any mode other than hand delivery, the RFP is liable to be summarily rejected.

All submissions, including any accompanying documents, will become the property of Bank. The Recipient shall be deemed to have licensed, and granted all rights to the Bank to reproduce the whole or any portion of their submission for the purpose of evaluation, to disclose the contents of the submission to other Recipients who have registered a submission and to disclose and/or use the contents of the submission as the basis for any resulting RFP process, notwithstanding any copyright or other intellectual property right of the Recipient in the submission or accompanying documents.

1.13.6 Late RFP Policy

RFPs lodged after the deadline for lodgment of RFPs may be registered by the Bank and may be considered and evaluated by the evaluation team at the absolute discretion of the Bank. Respondents are to provide detailed evidence to substantiate the reasons for a late RFP submission. It should be clearly noted that Bank has no obligation to accept or act on any reason for a late submitted response to RFP.

1.13.7 RFP Validity Period

RFP responses will remain valid and open for evaluation according to their terms for a period of at least six (6) months from the RFP




closing date.

1.13.8 Requests for Information

All queries relating to the RFP, technical or otherwise, must be either in writing or by email only and will be entertained by the Bank only in respect of the queries received up to 17:00 hrs IST 26th March 2012. All queries should be addressed to the nominated point of contact as mentioned below.

Chief Information Security Officer (CISO) Bank of Baroda, 2nd Floor, Baroda Corporate Centre,

C26, G Block, Bandra Kurla Complex, Mumbai, 400 051 Tel No: 022-66985230/ 66985227

E-mail ID: [email protected]

The Bank will try to reply, without any obligation in respect thereof, every reasonable query raised by the Recipients in the manner specified.

However, the Bank will not answer any communication initiated by Respondents later than the date of pre bid meeting. Bank may in its absolute discretion seek, but being under no obligation to seek, additional information or material from any Respondent after the RFP closes and all such information and material provided will be taken to form part of that Respondent‟s response.

Respondents should invariably provide details of their email address as responses to queries will only be provided to the Respondent via email.

If Bank in its sole and absolute discretion deems that the originator of the query will gain an advantage by a response to a question, then Bank reserves the right to communicate such response to all Respondents.

Bank may in its sole and absolute discretion engage in discussion or negotiation with any Respondent (or simultaneously with more than one Respondents) after the RFP closes to improve or clarify any response.

1.13.9 Charges Terms and Taxes

By submitting the bid, the Bidder will be deemed to have accepted all the terms and conditions mentioned in the RFP document and the rates quoted by the Bidder will be adequate to complete such work according to the specifications and conditions attached thereto and the Bidder has taken into account all conditions and difficulties that may be encountered during the period of assignment and to




have quoted all the commercial rates, which shall include agreed price/ contract amount royalties, transportation, delivery, installation and all other facilities and services necessary for proper completion of the assignment, all taxes inter-alia custom duty, excise duty, VAT, Service tax, octroi etc except such as may be otherwise provided in the contract document for completion of the assignment.

The TDS amount on prevailing rate and work contract tax etc. shall be deducted from selected Bidder‟s running account/final bills. Necessary certificates shall be issued to the selected Bidder by the Bank.

1.14 NOTIFICATIONS

Bank will notify the Respondents in writing as soon as practicable, about the outcome of the RFP evaluation process, including whether the Respondent‟s RFP response has been accepted or rejected. Bank is not obliged to provide any reasons for any such acceptance or rejection.

1.15 DISQUALIFICATION

Any form of canvassing/lobbying/influence/query regarding short listing, status etc will result in disqualification.

1.16 ERASINGS OR ALTERATIONS

The offers containing overwriting, erasing or alterations may not be considered. There should be no hand written material corrections or alterations in the offer. Technical details must be completely filled up. Correct technical information of the services being offered must be filled in. Filling up of the information using terms such as OK, ACCEPTED, NOTED, AS GIVEN IN BROCHURE/MANUAL or any Special Characters such as -, “, @, _,# is not acceptable. The Bank may treat offers not adhering to these guidelines as unacceptable.

1.17 RIGHT TO REJECT BIDS

Bank reserves the absolute and unconditional right to reject the response to this RFP if it is not in accordance with its requirements and no further correspondence will be entertained by the Bank in the matter. The bid is

liable to be rejected if

It is not in conformity with any of the instructions, terms and conditions mentioned in this RFP document.

It is not accompanied by the requisite Application Money and EMD.

It is not properly/duly signed.




It is received through any mode other than hand delivery to the designated officials

It is received after expiry of the due date and time.

It is incomplete including non-furnishing the required documents.

It is evasive or contains incorrect information.

There is canvassing of any kind.

It is submitted anywhere other than the place mentioned under clause 1.13.4.

1.18 PROCESS & TIMEFRAME

Selection of a successful Bidder will involve a five (5) stage approach.

The following is an indicative timeframe for the technical bids opening. Bank reserves the right to vary this timeframe at its absolute and sole discretion should the need arise. Changes to the timeframe will be relayed to the affected Respondents during the process.

Sr. No.

Particulars Dates and Timelines

1 Issuance of RFP document by the Bank


2 Last date of submission of any queries and Last date for reporting any error, omissions or faults in the RFP document


3 Pre-bid Meeting date/venue 15:00 hours on 03rd April 2012. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051

4 Last Date of submission of RFP response

15:00 hours on 17th April 2012

5 Technical bid opening date / time / venue

16:00 hours 17th April 2012 Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051

All times shown above are Indian Standard Time

Receipt of RFP Bids

Evaluation of Bids

Award of Contract

STAGE 1 STAGE 2 STAGE 3 STAGE 4 STAGE 5

Pre - bid Meeting

Issue Of RFP




The dates mentioned above are tentative dates and the Bidder acknowledges that it cannot hold the Bank responsible for breach of any of the dates.

Note: Bidders can depute their representative (only one) to attend the Technical bid opening process. No separate intimation will be given in this regard to the Bidders for deputing their representatives for technical bid opening.

1.19 OTHER TERMS AND CONDITIONS

The Bank reserves the right to:

Reject any and all responses received in response to the RFP, with or without assigning any reasons whatsoever.

Waive or change any formalities, irregularities, or inconsistencies in proposal format delivery.

To negotiate any aspect of proposal with any Bidder and negotiate with more than one Bidder at a time.

Extend the time for submission of all proposals.

Select the most responsive Bidders (in case no Bidder satisfies the eligibility criteria in totality).

Select the next most responsive Bidder if negotiations with the Bidder of choice fail to result in an agreement within a specified time frame.

Share the information/ clarifications provided in response to RFP by any Bidder, with any other Bidder(s) /others, in any form.

Cancel the RFP/Tender at any stage, without assigning any reason whatsoever.




SECTION – II

2.1 BANK OF BARODA-INTRODUCTION

Bank is one of the largest Public Sector Banks in India with over 33 million accounts and a Branch network of 3390 branches in India and 85 branches / offices in 26 countries overseas.

The aim of Bank‟s IT Strategy is to conduct a Technology Enabled Business Transformation of current business processes. Bank has selected Hewlett Packard India Sales Private Ltd. (HP) as the System Integrator for the Technology Enabled Business Transformation Project (Project Shikhar). Bank has implemented Finacle Core Banking Solution (CBS) in all the branches in India and in most of the overseas territories. Bank has its own Data Centre at Mumbai and Disaster Recovery Centre at Hyderabad.

Bank has expanded the installation of ATMs and issuance of Debit Cards

in India and overseas territories. At present Bank has installed 1800+ ATMs and issued more than 70 lac debit cards in India.

Bank has initiated process for Payment Card Industry-Data Security Standard Compliance for its Card data environment and also ISO27001 Certification for its DC & DR.

2.2 PROJECT OBJECTIVE

In view of the growing use of IT and the evolving threat environment, Bank‟s threat perception is also heightened. As a measure to further strengthen the Information Security, it has been decided to build a Security Operations Centre(SOC) equipped with set of tools such as Security Information and Event Management Tool, Database Access Monitoring tool, Vulnerability Management tool and Incident Management tool.

The Bank invites proposals from Security System Integrators/OEM‟s for design, development and implementation of an Enterprise-wide Security Operations center (SOC) to provide comprehensive information security monitoring. The Bank‟s objective for this project are as follows:

The selected Bidder will be responsible for implementing captive Security Operations Centre at its DC site in Mumbai and DR site at Hyderabad. Selected Bidder will also supply and install all the infrastructure required for operation of the SOC as per the broad objectives as outlined below.

1. Supply, install and maintain the Security Information and Event Management tool and its related hardware and software components with enterprise license. SIEM Solution offered should support sustained 10000EPS(Events per second) with 25% buffer capacity. Solution should be scalable upto 50000 EPS.

2. Supply, install and maintain the Database Activity Monitoring tool and monitor the Database activities.




3. Supply and install the Vulnerability Management tool and perform Vulnerability assessment and its management on periodic basis as per the schedule.

4. Supply and install the Incident Management tool, integrate all the tools with the Incident management tool and operate the same.

5. Ensure that all Logs are collected from all the in-scope devices.

6. Monitor the Logs, perform the correlation and forensic analysis, raise the incidents and inform the concerned department/vendors.

7. Coordinate and follow up with the concerned department and vendors for closure of the incident as per the Bank‟s procedure.

8. Ensure Archival, Purging and retention of logs for future analysis as per the Bank‟s security policies.

The selected Bidder will ensure knowledge transfer to the Bank at every stage of the project to enable the Bank to carry out the work as specified in this RFP in future after completion of this assignment.

Implementation and operation of SOC should conform to ISO27001 standards, Regulatory guidelines and Bank‟s Information Security policy.

2.3 PROJECT SCOPE

Selected Bidder should perform a detailed study of the Bank‟s IT Infrastructure and suggest a suitable solution to the Bank to build up a scalable Security Operations Centre primarily involving SIEM, DAM, Vulnerability Management and Incident management tool. Selected Bidder will be required to define baseline security level for collection of logs of various kinds of monitored devices. Following is broad scope of work :

2.3.1 Proposed methodology for SOC setup

Based on the study of the Bank‟s IT Infrastructure, vendor will suggest the detailed SOC implementation methodology acceptable to the Bank with timelines as per the RFP terms and conditions.

2.3.2 SOC Solution comprising Hardware, Software, and miscellaneous items supply

Vendor will provide end to end solution to the Bank which will include all the supplies, installation and integration of the supplied

tools with the existing infrastructure. Vendor will also perform maintenance and day to day operation of the system. Solution should be consisting of hardware, software, operating system, storage, analytical applications, tools and end to end implementation and management of SOC as per the technical and operational specifications of the Bank.




Vendor will also supply all the necessary equipments Rack, Layer 3 Switches, cables etc for integration of the components supplied for SOC.

Bank will supply only the space, power and a network point in the Server room. Bank will supply all the Desktop PCs required for SOC day to day operations. Vendor will have to suggest the Desktop PC Configuration for SOC operations centre. Following components/features are envisaged in SOC implementation.

2.3.3 SIEM solution and related components

i. Log Collection

Logs from all the in-scope devices located at the geographically dispersed location should be collected. Vendor should develop the baseline for the level of logs to be enabled from different components of IT infrastructure assets. The log baseline should be in line with global best practices. In case the systems/applications are writing logs to the local hard disks, solution should be capable to pull the logs from these devices through secure transfer. Only in case where remote log collection is not feasible, vendor should install agent on the servers and applications for collection of logs. Raw logs should be made available in case of legal requirement.

ii. Log Aggregation and Normalization

Logs collected from all the devices should be aggregated as per the user configured parameters. Logs from multiple disparate sources should be normalized in a common format for event analysis and correlation.

iii. Log Encryption, Compression and Transmission

Collected logs should be encrypted and compressed before the transmission to the remote Log Correlation Engine.

iv. Log Archival

Logs collected from all the devices should be stored in a non

tamperable format on the archival device in the compressed form. Collection of Logs and storage should comply with the Regulatory requirement and should maintain a chain of custody to provide the same in the court of law, in case the need arises. For correlation and report generation purpose, past -3- months log data should be available online. Logs prior to -3- months period should be stored on removable media.




Solution being provided should be scalable and user configurable to cater to the future requirement of the Bank.

Retrieval of archived logs should not require any proprietary tools/protocol and should be retrievable using open standards/protocols or else the retrieval tool should be provided to the Bank at no extra cost.

v. Log Correlation

Collected Logs should be correlated according to various predefined criteria for generation of alert and identification of the incident. The correlation rules should be predefined and also user configurable. Correlation rules should be customized by SSI on regular basis to reduce false positives. In any case

False negatives will not be permitted. In case of detection of any such incident, correlation rules must be customized immediately to capture such incidents.

vi. Alert Generation

Solution should be capable to generate alerts, register and send the same through message formats like SMTP, SMS Syslog, SNMP as per user configurable parameters.

vii. Event Viewer/Dashboard/Reports/Incident Management

SIEM Solution should provide web based facility to view security events and security posture of the Bank‟s Network and register incidents. Solution should have drill down capability to view deep inside the attack and analyze the attack pattern. Dash board should have filtering capability to view events based on various criteria like geographical location, Device type, attack type etc. Dashboard should have Role based as well as Discretionary access control facility to restrict access to incidents based on user security clearance level. Solution should provide various reports based on user configurable parameters and standard compliance reports like PCI-DSS, ISO27001, SOX, IT Act and regulatory reports.

Selected vendor will customize incident management/dashboard/reports for the Bank and will modify

the same as per the changing requirement of the Bank.

2.3.4 Database Activity Monitoring

Solution should provide Database activity monitoring capability for all the DBA and maintenance related access as well as transaction




related access by various applications including SQL queries. DAM tool has to be integrated with the SIEM tool, Incident Management tool.

2.3.5 Vulnerability Management Tool

The solution should be capable to monitor the infrastructure assets‟ vulnerability along with the location of such vulnerability and suggest the mitigation steps. Vulnerability scanning has to be performed on a periodic basis. VM tool has to be integrated with the SIEM solution, Incident Management and Security dashboard.

Vendor should assess the current environment against the baseline on periodic basis and ensure that Baseline is maintained on an ongoing basis.

2.3.6 Incident Management tool

Solution should be able to register any security event and generate trouble ticket. Solution should provide complete life cycle management(work flow) of trouble tickets from incident generation till closure of the incident. Solution should provide the logging facility to different levels of users to monitor and manage the incidents generated for closure of the same as per the defined workflow. Solution should be able to integrate with different tools such as SIEM tool, Database Activity Monitoring tool, Vulnerability Management tool etc. Incident management should include escalation as per the escalation matrix. Solution should be able to send the incident report in various forms like e-mail, SMS etc.

Bank has HP Open View tool. Bank may at its discretion ask Security System integrator to integrate the SIEM, DAM and VM tool with HP Open view and its components including future versions at no extra cost to the Bank.

2.3.7 SIEM Solution Hardware & software integration

Vendor will integrate all the Hardware and software components supplied under this RFP.

2.3.8 Integration with in-scope monitored devices

Configuration of the monitored devices will be out of scope of the vendor. However vendor will have to suggest the detailed commands/guidelines for integration of the in-scope devices with the SIEM, DAM and VM tools. Vendor will be required to integrate all the devices supplied as part of this RFP.




2.3.9 Development of Connectors for customized applications/

devices.

While it is expected that connectors for all the standard applications and devices will be readily available in the collector and Log management devices, connector for mostly in-house/custom built applications will need to be developed. SI team deployed for SOC operations will be expected to develop connector applications for the custom built applications specifically developed for Bank of Baroda.

2.3.10 Proof of concept testing of SIEM Solution, DAM. VM & Incident Management tools.

Bank may at its discretion ask the Bidders to demonstrate(POC) the

proposed solution to the Bank.

Bank would like the selected Bidder to perform a proof of concept testing in the Bank‟s environment with DC/DR cutover and meeting the Recovery Point(RPO) and Recovery time objective(RTO) of the proposed solution and demonstrate the SIEM solution capability for the following Use cases.

Use Cases for Internet Banking Transactions

Use Cases for ATM Transactions

Use Cases for RTGS / NEFT Transactions

Use Cases for CBS System

Use cases for Payment messaging solution

The solution shall support the various Use Cases in order to provide log collection, event correlation, Alert Generation and escalation.

Bank will have the right to reject the solution, if not satisfied with the proof of concept testing.

2.3.11 Benchmarking

Vendor will demonstrate the benchmarking tests to confirm compliance with the stated performance parameters.

2.3.12 Training to identified users.

Vendor will provide the detailed induction training and refresher training as per the official OEM curriculum by OEM to the persons nominated by the Bank. The training will be arranged by the vendor/OEM in their premises at the cost of the vendor. All expenses related to training shall be borne by the selected vendor




except lodging, boarding and travelling expenses of the Bank staff within India.

In addition to the above trainings, on site post implementation training and refresher training should be provided to the identified Bank staff.

Vendor will also be expected to conduct onsite executive level sessions advising the features of SOC and monitoring of the events through the web based Dashboard.

The trainings should include the architecture, hardware, software, integration, customization, policy installation, trouble shooting, reporting and other aspects of the system. Vendor will ensure knowledge transfer and will involve the Bank officials during implementation of the SOC components and day to day SOC

operations. Vendor shall provide comprehensive training manual, lecture notes, handouts and other training documentation during trainings. The persons in the above trainings may be different.

2.3.13 Workflow Automation.

Selected vendor will define the work flow automation so that applications are integrated and manual intervention is minimal.

2.3.14 SOC Operations.

Selected vendor will develop the work flow process for attending to the various functions at the SOC including the work flow for attending to the incidents generated. Vendor will develop documents such as user manual, systems manual for smooth functioning of SOC.

Vendor will configure the SIEM, DAM, VM and Incident Management tools implementation in consultation with the Bank to generate meaning full incidents/reports and reduce the generation of false positives and operate the SOC along with bank officials. Vendor will manage SOC operations in consultation with the Bank‟s team.

All the tools supplied as part of this RFP should be supplied with Enterprise wide License. Bank will have the right to use the tools for the functions provided by the tools in any manner and for any number of branches, offices, subsidiary units, joint ventures, irrespective of the

number of users, geographical location of the devices being monitored. Bank will also have a right to relocate any one or all the tools to different locations.




2.4 DELIVERABLES

Vendor has to manage the SOC on 24X7X365 basis and deliver the services and provide the reports to the Bank on periodic basis throughout the contract period for each of the services mentioned under project scope, in addition to providing other critical observations / methods/ improvements as deemed fit based on vendor‟s professional experience for each of the services mentioned above.

i. Supply and install all the hardware, software and peripheral components and supporting systems broadly consisting of Correlation Engine, Log Collection system, Log management and archival, Database Activity Monitoring, Vulnerability Management system and Incident management tools as per the Bank‟s existing requirement with provision for future expansion as per the requirements.

ii. Integrate all the systems supplied with the Incident Management and Dashboard viewing system.

iii. Monitor and advise security incident on 24X7X365 basis to the Bank and track the resolution of the same and close the incidents.

iv. Escalate the open incidents, as per the escalation matrix till resolution of the same.

v. Takeup the Vulnerability report and advise the mitigation steps to the concerned department.

vi. Continuously fine tune the SIEM, DAM and VM tools implementation to reduce false positives.

vii. Continuously improve the SOC operations to maximize the usage of tools.

viii. Provide secure web based incident management and dashboard facility to enable Bank to monitor the incidents status with drill down facility on various parameters.

ix. Manage archival of logs as per the Archival and retention policy of the Bank.

x. Provide comprehensive training, pre implementation as well as post implementation, to Bank‟s staff members on use of SIEM tool, DAM tool, VM tool and other components as per the official curriculum of the OEM vendors.

xi. Provide 24X7X365 comprehensive maintenance support(all parts

inclusive) at DC and DR to resolve any technical problem/issues.

xii. Vulnerability Scanning as per the defined frequency.

xiii. Remediation plan of deficiency observed in the VA has to be prepared by the onsite resource personnel.




xiv. Provide the complete set of Operation and System Manuals in -3- sets of Hardcopies as well as in Softcopies of all the systems/components provided as part of the SOC implementations.

xv. Define the SOC process manual.

xvi. Commercial tools should be provided for all the solution and freeware tools should not be provided.

2.5 SERVICE LEVEL AGREEMENT

Solution Uptime(Hardware/Software devices/components)

S.No. Service Area Service Level Penalty

1 Device(Hardware/Software)

component Failure

Problem should be resolved

within 24 hours

Nil for first failure and 10% for each repeat failures.

Problem resolved between 24 to 48 hours.

5% of monthly maintenance charges for 1st failure and 10% for each repeat failures.

Problem resolved between 48 to 72 hours.


Problem resolved between 3 days to 5 days.


Problem resolved between 5 days to 10 days.


Problem resolved beyond 10 days.

100% of monthly maintenance charges.

2 Set of Devices (Hardware/Software) component failure in HA mode leading to the complete disruption of the objective performed by the said devices

30% of monthly maintenance charges on each occasion. 100% charges if problem not resolved within 3 days.

3 Solution Uptime Uptime % calculated on

monthly basis

Penalty as XX% of all inclusive monthly charges calculated

based on SOC running expenditure.

99.5% and above NA

98% to 99.5% 5%

95% to 97.99% 8%

90% to 94.99% 15%

80% to 89.99% 30%




70% to 79.99% 50%

Less than 70% 100%

SOC Operations

S.No. Service Area Criticality Service Level

1 Monitoring & Log Analysis Services

Most Critical

24x7 event / log monitoring and correlation. Event alerts within 5 minutes of the event. Initiate response/Incident generation within 15 minutes Mitigation of security events / threats. Availability of relevant logs online for last 3 months. Real time dashboard view. Weekly report as on the specified day within 8 hours. Monthly consolidated report by 5th of every month. Quarterly Reports Standard / Exception reports.

2 Dedicated Onsite Resources as per Annexure „F‟

Critical As per roles and responsibilities mentioned under Annexure „F‟

3 Security Intelligence Services

Important Advisories within 12 hours of new global threats & vulnerabilities disclosures.

Penalty for failure to deliver as per SLA

Sr. No. Category Number of Defaults up to or Part thereof

Corresponding Penalty per instance

1 Most Critical 1 0.5%

2 Critical 2 0.2%

3 Important 3 0.1%

For repeat failure, same or higher penalty will be charged depending upon the delay in rectification of the problem.

Solution uptime is to be maintained without any consideration of devices in HA mode. If a function(like log collection, log management, log correlation) at the primary site is down, the same should be shifted to DR site within the SLA parameters.

SOC running expenditure will include all the AMC/Annual License fees, SOC manpower charges etc.

For hardware/software items whether under AMC or under warranty/free support, notional AMC/License fee shall be calculated at




8% of the asset value or their actual AMC cost after expiry of warranty period, whichever is higher, will be considered for the purpose of calculating penalty.

2.6 DEPLOYMENT ARCHITECTURE

The different components of SOC should be integrated through a Layer 3 switch in different VLANs as per the best practices. Bidder should provide the detailed architecture of the solution being offered based on the broad architecture as shown below. The architecture to be deployed has to be approved by the Bank.

In case a device goes down at DC, the function being performed by the device should be taken over by a corresponding device at DR site and vice versa.

In case the systems are not able to send the logs to the collector device, system should be able to extract the logs stored in the temporary memory of the devices at that site.

Solution should provide Recovery Point objective of 10 Minutes and Recovery Time objective of 1 Hours.




2.7 PROJECT TIMELINES

2.7.1 Delivery of all Hardware and Software Components

All the software and hardware components must be delivered within -4- to -8- weeks of issue of the confirm purchase order to the successful Bidder.

2.7.2 Induction Training

The training to the Bank official has to be provided involving similar Hardware/software components before the commencement of the project. First batch of comprehensive hands on training to the persons nominated by the Bank must be offered within –3- weeks of the issuance of the purchase order as per the OEM specified

curriculum prior to supply and installation of the software and hardware components.

2.7.3 Refresher Training

Refresher training has to be provided to the nominated persons after -3- years of commencement of the SOC operations as per the OEM specified curriculum.

The persons in the Induction training and refresher training may be different.

In addition to the above, on job training and awareness training should be provided by the selected vendor at least once in a year.

2.7.4 Implementation

All hardware and software components supplied under the scope must be implemented within -3- months of issuance of the purchase order. Training to the identified user has to be provided prior to supplying the solution to the Bank. Integration of devices for collection of logs will be done in a phased manner as per the following details:

For SIEM

Phase I : All networking and security devices like firewalls, IPSs, Routers, Switches and internet facing servers. This should be completed within -4- months of issuance of the purchase order.

Product warranty will start after successful completion of phase I.

Phase II : All standard applications and remaining devices within -6- months of issuance of the purchase order.

Phase III : All custom built applications involving development of connector application will be covered in this phase. This should be




completed within -3- months after initiation of the connector development.

For DAM

Phase I : All non critical databases should be integrated with DAM, within -4- months of issuance of the purchase order.

Phase II : All critical databases within -6- months of issuance of the purchase order.

The above timelines are tentative and may be extended at the discretion of the Bank at no extra cost to the Bank.

2.8 DETAILS OF INFRASTRUCTURE AT BANK’S DC/DR

Bank’s Data Centre

Bank has state of the art Data Centre at Mumbai with DR site at Hyderabad. DC has been established by M/s Hewlett Packard India Pvt. Ltd. Bank‟s DC is connected to all the Branches in India, overseas territories, Bank‟s subsidiaries and business partners like NFS, Visa Card, Master card, SWIFT, NSE, BSE etc. DC Operation is jointly managed by HP and the Bank‟s team. Bank has implemented various applications at DC and DR in the centralized environment. Irrespective of the present status of applications, systems, processes, interfaces, hardware, networking equipments, security devices etc implemented at DC/DR site, all future changes including new initiatives will be covered as part of the scope of work during the term of the engagement.

Network Architecture

Bank‟s has implemented its DC in Mumbai and DR site in Hyderabad with Link level and device level redundancies. Bank‟s DC and DR are connected to various branches through MPLS link, ISDN links. Bank‟s onsite ATMs are part of the branch network. Offsite ATMs and select remote branches are connected through VSATs. Bank‟s overseas branches/territories networks are managed by British Telecom and Cables and Wireless.

Details of IT Security Policy

Bank has IT Security Policy which has been reviewed by KPMG and approved by the Board of Directors. Bank also has 20 Standard and Guideline documents which is approved by the Top Management Steering committee(TMSC) on IT Security and 14 Procedure documents are in place. Bank also has Purging and

Archival policy and Business continuity plan approved by the Board of Directors.




SECTION – III

3.1GENERAL TERMS AND CONDITIONS

3.1.1 Term of Assignment

The selected Bidder under this RFP will be appointed for a period of -5- years.

3.1.2 Adherence to Terms and Conditions

The Bidders who wish to submit responses to this RFP should note that they should abide by all the terms and conditions contained in the RFP. Any clarification to pre bid response would also form part of

the RFP. If the responses contain any extraneous conditions put in by the Respondents, such responses may be disqualified and may not be considered for the selection process.

3.1.3 Execution of Agreement/NDA

The selected Bidder should execute a Service Level Agreement with the Bank which will remain valid for 64 months. The Service Level Agreement would include all the terms and conditions of the services to be extended as detailed herein and as may be prescribed or recommended by the Bank which will include a Non-disclosure Agreement clause. The selected Bidder should execute the Service Level Agreement with ND clause within -2- weeks from the date of acceptance of Work Order.

3.1.4 Issuance of purchase order

Bank will have the discretion, to procure/avail of any one or more of the product/services or part there of from the successful Bidder, any time during the tenure of the contract as per the contracted rates and terms and conditions. Bank may also defer the deployment of any product and services. Bank can at its discretion stop and restart any of the services at any time depending upon its need.

The quantity mentioned in the price Bid are only indicative. Bank also has a right to increase and decrease the quantity.

All the rates quoted by the success Bidder will remain valid during the period of the contract.




3.1.5 Annual Maintenance Contract(AMC)/Annual Recurring

License(ARL)

All the software patches, hardware and software components has to be replaced or upgraded at no extra cost to the Bank. AMC/ARL shall include supply, consultancy, manpower and updation/upgrade of all past released/future versions of the software and migration from old to new version without any extra cost to the Bank. Any failure in any part of the systems supplied has to be replaced or upgraded at no extra cost while maintaining the service levels(SLA) as mentioned in the relevant clause.

3.1.6 Problem Resolution

All the problems should be resolved within SLA time to the

satisfaction of the Bank. In case of the repeated problem, delay in resolving problem or if the vendor is not able to resolve a problem to the satisfaction of the Bank, the Bank has a right to call for the expert from the OEM vendor. Cost of such visit by OEM vendor expert will have to be borne by the vendor during the tenure of the contract.

3.1.7 Project Team Members

The key persons identified by the Security System Integrator for implementation should necessarily possess the following qualification/experience.

Should have in-depth knowledge of IT and Banking processes with a minimum of three years work experience in Information Security.

Should have knowledge of legal and Regulatory requirements towards analyzing and handling security incidents.

Should be a certified for tools to be implemented by the respective OEM vendor.

Should have experience of implementing such tools.

3.1.8 Substitution Of Project Team Members

During the assignment, the substitution of key staff identified for the

assignment will not be allowed by the Bank unless such substitution becomes unavoidable to overcome the undue delay or that such changes are critical to meet the obligation. In such circumstances, the selected Bidder, as the case may be, can do so only with the prior written concurrence of the Bank and by providing the replacement staff of the same level of qualifications and competence. If the Bank is not satisfied with the substitution, the Bank reserves




the right to terminate the contract and recover whatever payments(including past payments and payment made in advance) made by the Bank to the selected Bidder during the course of the assignment pursuant to this RFP. However, the Bank reserves the unconditional right to insist to the selected Bidder to replace any team member with another (with the qualifications and competence as required by the Bank) during the course of assignment pursuant to this RFP.

3.1.9 Professionalism

The selected Bidder should provide professional, objective and impartial advice at all times and hold the Bank‟s interest paramount and should observe the highest standard of ethics, values, code of

conduct, honesty and integrity while executing the assignment.

3.1.10 Adherence To Standards

The selected Bidder should use industry standards and best practices and also Bank‟s Information Security Policy while supplying products and services under the scope of work of this RFP document.

The selected Bidder should adhere to all the applicable laws of land and rules, regulations and guidelines prescribed by various regulatory, statutory and Government authorities.

The Bank reserves the right to conduct an audit/ongoing audit of the consulting services provided by the selected Bidder.

The Bank reserves the right to ascertain information from the other Banks and institutions to which the Bidders have rendered their services for execution of similar projects.

3.1.11 Expenses

It may be noted that Bank will not pay any amount/expenses / charges / fees / traveling expenses / boarding expenses / lodging expenses / conveyance expenses / out of pocket expenses other than the “Agreed Price”.

3.1.12 Payment Terms

Bank will release the payment within 3 to 4 weeks of receiving the undisputed invoice, after deduction of any charges such as penalties etc applicable taxes at source of the agreed price to the selected Bidder. No advance payments will be made. Further, it may be noted that the mentioned criteria is only for the purpose of effecting agreed




price payment. The selected Bidder shall cover the entire scope including deliverables mentioned in Section II.

S.NO. Description Payment Terms

1 SIEM Solution components, Implementation charges

40% against delivery, installation and basic User acceptance testing.

10% after completion of Phase I.

10% after completion of Phase II

20% after completion of Phase III

10% after completion of -1- year from the closure of phase I.

Balance 10% after completion of -2- years from the closure of phase I.

2 DAM Solution 40% against delivery, installation and basic User acceptance testing.

20% after completion of Phase I.

20% after completion of Phase II.

10% after completion of -1- year from the closure of phase I .

Balance 10% after completion of -2- years from the closure of phase I.

3 VM Solution 90% after -1- month of satisfactory working of the system and balance 10% after -12- months.

4 AMC/ARLF/Yearly subscription of updates for Security devices

Half yearly basis after expiry of the period.

5 Training 100% after completion of Phase I.

6 Custom Connector development for applications

90% after -1- month of satisfactory working of connector and balance 10% after -6- months.

7 Manpower support

On quarterly basis at the end of each quarter.




8 All other items not included above

90% after satisfactory working of the item/service for -1- month and balance after -6- months.

All payments will be made on successful completion of the job to the satisfaction of the Bank and achievement of the objective as defined in the scope of work after deducting any penalty which may be chargeable irrespective of the invoice being paid.

3.1.13 Contract Performance Guarantee

The selected Bidder has to provide an unconditional and irrevocable performance guarantee for 5% of the contract value from a Public Sector Bank (other than Bank of Baroda) towards due performance

of the contract in accordance with the specifications, terms and conditions of this RFP document, within 15 days from the date of work order. The Performance Guarantee shall be for 67 months (60 months contract period plus 4 months delivery and installation of SOC components plus -3- months additional claim period) kept valid for the entire period of assignment and to be released at the end of the period of assignment.

3.1.14 Security Deposit

The selected Bidder has to deposit with the Bank an amount equivalent to 05(Five) % of the contract value towards security deposit for the entire period of assignment, within 15 days from the date of work order. Interest on the Security Deposit will be paid as per the applicable fixed deposit rate.

3.1.15 Single Point Of Contact

The selected Bidder has to provide details of single point of contact viz. name, designation, address, e-mail address, telephone/mobile no., fax no. etc.

3.1.16 Applicable Law And Jurisdiction Of Court

The Contract with the selected Bidder shall be governed in accordance with the laws of India for the time being in force and will be subject to the exclusive jurisdiction of courts at Mumbai.

3.1.17 Liquidated Damages (LD)

The Bank will consider the inability of the SI to deliver or install the equipment within the specified time limit, as a breach of contract




and would entail the payment of Liquidation Damages on the part of the SI. The liquidation damages represent an estimate of the loss or damage that the Bank may have suffered due to delay in performance of the obligations (relating to delivery, installation, Operationalization, implementation, training, acceptance, warranty, maintenance etc. of the Security Operations Center) by the SI. Installation will be treated as incomplete in one/all of the following situations:

i. Non-delivery of any component or other services mentioned in the order

ii. Non-delivery of supporting documentation

iii. Delivery/Availability, but no installation of the components and/or software

iv. No Integration

v. System operational, but unsatisfactory to the Bank

If the SI fails to deliver any or all of the Goods or perform the Services within the time period(s) specified in the Contract, the Bank shall, without prejudice to its other remedies under the Contract, deduct from the Contract Price, as liquidated damages, a sum equivalent to 0.50% of the complete contract amount until actual delivery or performance, per week or part thereof (3 days will be treated as a week); and the maximum deduction is 10% of the contract price. Once the maximum is reached, the Bank may consider termination of the contract.

LD is not applicable for delay due to reasons attributable to the Bank and Force Majeure. However, it is the responsibility of the SSI to prove that the delay is attributed to the Bank or Force Majeure. The selected Bidder shall submit the proof authenticated by the SSI and Bank‟s official that the delay is attributed to the Bank or Force Majeure along with the bills requesting payment.

If the delay is attributable to the Bank, or Force Majeure, or any other circumstances beyond the control of the SP, then the Bank will continue with the contract without claiming any Liquidated Damage. Bank reserves the right to adjust the penalty and Liquidated Damages if any against the Security Deposit.

3.1.18 Force Majeure

Any failure or delay by selected Bidder or Bank in the performance of its obligations, to the extent due to any failure or delay caused by fire, flood, earthquake or similar elements of nature, or acts of God, war, terrorism, riots, civil disorders, rebellions or revolutions, acts of governmental authorities or other events beyond the reasonable




control of non-performing party, is not a default or a ground for termination. The affected party shall notify the other party of the occurrence of a Force Majeure Event forthwith.

3.1.19 Authorized Signatory

The selected Bidder shall indicate the authorized signatories who can discuss and correspond with the Bank, with regard to the obligations under the contract. The selected Bidder shall submit at the time of signing the contract, a certified copy of the resolution of their Board, authenticated by Company Secretary/Director, authorizing an official or officials of the company or a Power of Attorney to discuss, sign agreements/contracts with the Bank. The selected Bidder shall furnish proof of identification for above purposes as required by the Bank.

3.1.20 Indemnity

The selected Bidder shall indemnify Bank and keep the Bank indemnified for any loss or damage, cost or consequences that Bank may sustain, suffer or incur on account of violation of intellectual property rights of third party by the selected Bidder. The selected Bidder shall always remain liable to the Bank for any Losses suffered by the Bank due to any technical error or negligence or fault on the part of the selected Bidder, and the selected Bidder also shall indemnify the Bank for the same.

3.1.21 Non Payment Of agreed price

If any of the items/activities as mentioned in the price bid and as mentioned in Annexure-N are not taken up by the Bank during the course of this assignment, the Bank will not pay the contracted agreed price quoted/agreed by the selected Bidder in the price bid against such activity/item.

3.1.22 Assignment

Neither the contract nor any rights granted under the contract may be sold, leased, assigned, or otherwise transferred, in whole or in part, by the selected Bidder without advance written consent of the Bank and any such sale, lease, assignment or transfer otherwise made by the selected Bidder shall be void and of no effect.

3.1.23 Non – Solicitation

The selected Bidder, during the term of the contract and for a period of two years thereafter shall not without the express written consent




of the Bank, directly or indirectly: a) recruit, hire, appoint or engage or attempt to recruit, hire, appoint or engage or discuss employment with or otherwise utilize the services of any person who has been an employee or associate or engaged in any capacity, by the Bank in rendering services in relation to the contract; or b) induce any person who shall have been an employee or associate of the Bank at any time to terminate his/ her relationship with the Bank.

3.1.24 No Employer-Employee Relationship

The selected Bidder or any of its holding/subsidiary/joint-venture/ affiliate / group / client companies or any of their employees / officers / staff / personnel / representatives/agents shall not, under any circumstances, be deemed to have any employer-employee relationship with the Bank or any of its employees/officers/

staff/representatives/ personnel/agents.

3.1.25 Vicarious Liability

The selected Bidder shall be the principal employer of the employees, agents, contractors, subcontractors etc., engaged by the selected Bidder and shall be vicariously liable for all the acts, deeds, matters or things, of such persons whether the same is within the scope of power or outside the scope of power, vested under the contract. No right of any employment in the Bank shall accrue or arise, by virtue of engagement of employees, agents, contractors, subcontractors etc., by the selected Bidder, for any assignment under the contract. All remuneration, claims, wages dues etc., of such employees, agents, contractors, subcontractors etc., of the selected Bidder shall be paid by the selected Bidder alone and the Bank shall not have any direct or indirect liability or obligation, to pay any charges, claims or wages of any of the selected Bidder‟s employees, agents, contractors, subcontractors etc. The selected Bidder shall agree to hold the Bank, its successors, assigns and administrators fully indemnified, and harmless against loss or liability, claims, actions or proceedings, if any, whatsoever nature that may arise or caused to the Bank through the action of selected Bidder‟s employees, agents, contractors, subcontractors etc.

3.1.26 Subcontracting

The selected Bidder shall not subcontract or permit anyone other than its personnel or the OEM supplier to perform any of the work, service or other performance required of the vendor under the contract without the prior written consent of the Bank.




3.1.27 Warranty and Product Support

All the hardware, software products supplied should carry a minimum warranty of -3- year from the date of operationalization of the system to the satisfaction of the Bank(ie. completion of phase I). All the support has to be provided on site. Remote access to the systems supplied will not be permitted. Date of start of warranty/Annual Maintenance/software license support of all the items supplied will be treated as started from the completion of phase I of the project.

3.1.28 Cancellation Of Contract And Compensation

The Bank reserves the right to cancel the contract of the selected Bidder and recover expenditure incurred by the Bank in any of the following circumstances. The Bank would provide 30 days notice to rectify any breach/ unsatisfactory progress if :

the selected Bidder commits a breach of any of the terms and conditions of the bid/contract;

the selected Bidder becomes insolvent or goes into liquidation voluntarily or otherwise;

an attachment is levied or continues to be levied for a period of 7 days upon effects of the bid;

the progress regarding execution of the contract, made by the selected Bidder is found to be unsatisfactory;

if deductions on account of penalty and liquidated damages exceeds more than 10% of the total contract price;

if the selected Bidder fails to complete the due performance of the contract in accordance with the agreed terms and conditions.

After the award of the contract, if the selected Bidder does not perform satisfactorily or delays execution of the contract, the Bank reserves the right to get the balance contract executed by another party of its choice by giving one month‟s notice for the same. In this event, the selected Bidder is bound to make good the additional expenditure, which the Bank may have to incur to select and carry out the execution of the balance of the contract. This clause is also applicable, if for any reason, the contract is cancelled.

The Bank reserves the right to recover any dues payable by the selected Bidder from any amount outstanding to the credit of the

selected Bidder, including the pending bills and/or invoking Bank Guarantee/Security Deposit, if any, under this contract.




3.1.29 Dispute Resolution

If a dispute, controversy or claim arises out of or relates to the contract, or breach, termination or invalidity thereof, and if such dispute, controversy or claim cannot be settled and resolved by the Parties through discussion and negotiation, then the Parties shall refer such dispute to arbitration. Both Parties may agree upon a single arbitrator or each Party shall appoint one arbitrator and the two appointed arbitrators shall thereupon appoint a third arbitrator. The arbitration shall be conducted in English and a written order shall be prepared. The venue of the arbitration shall be Mumbai. The arbitration shall be held in accordance with the Arbitration and Conciliation Act, 1996. The decision of the arbitrator shall be final and binding upon the Parties, provided that each Party shall at all times be entitled to obtain equitable, injunctive or similar relief from any court having jurisdiction in order to protect its intellectual property and confidential information.

3.1.30 Ownership of Deliverables

All the deliverables as per scope of this RFP will become the property of Bank of Baroda.

3.1.31 Project Timelines

The selected Bidder shall furnish an implementation schedule its entire scope, discuss the same with the Bank officials and arrive finally at a mutually agreed implementation schedule within the overall ambit of Nine months time. The selected Bidder shall be bound by the Implementation schedule so agreed.




SECTION – IV

ANNEXURE-A : ELIGIBILITY CRITERIA

Consultants who wish to bid should conform to the following criteria.

S.No. Eligibility Criteria Documents required Page

Ref. no

1 Should be either a Government

Organization/PSU/PSE/ partnership firm or

a limited Company

under Indian Laws

or /and an autonomous

Institution approved by GOI/RBI promoted

Partnership firm-Certified copy of Partnership Deed.

Limited Company-Certified copy of Certificate of Incorporation and Certificate of

Commencement of Business.

Reference of Act/Notification

For other eligible entities- Applicable documents.

2 Should have been in existence in India for three years as on 29th February 2012.

Partnership firm-Certified copy of Partnership Deed.

Limited Company-Certified copy of Certificate of Incorporation and Certificate of Commencement of Business.


3 Should have a minimum average annual turnover of Rs.50.00 crores (Rupees Fifty Crores) during last three financial years viz. 2008-09, 2009-10 and 2010-11.

Copy of audited Balance Sheet and P&L statement for the financial years 2008-09, 2009-10 and 2010-11.

4 Should have made net profits for the last 3 financial years viz. 2008-09, 2009-10 and 2010-11.

Copy of audited Balance Sheet and P&L statement for the financial years 2008-09, 2009-10

and 2010-11.

5 The Bidder should be OEM( Original Equipment Manufacturer) or their authorized representative in

Certificate of Incorporation or relevant letters from the SIEM tool, DAM tool and VM tool OEM‟s authorized signatory




India.

6 The Bidder must have experience of implementing Security Operations Centre involving same SIEM tool in India in at least -2- institutions out of which at least -1- institution should be from the following industry: Banking, insurance or the Stock exchanges.

Copy of purchase order

7 The Bidder should have been managing well established own Security Operations Centre (SOC) in India for the past -3- years

and should have provided services to at least -2- clients from Banking, Insurance or Stock exchanges involving monitoring of logs using a SIEM tool for at least -1- year.

Self declaration with details of SIEM tool and client references

8 The Bidder should have provided Managed Services(Operations) for Captive SOC to at least -1- institution for -1- year, on the same SIEM tool in India in the last -5- years. Or The Bidder should have been operating own SOC with the same SIEM tool in India at least since last -1- year.

Copy of purchase order

9 The Bidder must have at least 3 employees who are OEM Certified professionals on same SIEM tool.

As per Annexure G

10 The firm should not be blacklisted / barred by Government of India.

Self Declaration

11 The Bidder or its parent company or its subsidiary should not be existing System integrator maintaining IT Infrastructure at Data Centre-Mumbai and Disaster Recovery site- Hyderabad of the Bank.

Self Declaration by Bidder

12 The Bidder has to submit




declaration from the OEM that in case the Bidder fails to provide the services or the Bidder firm ceases its Business, OEM will step in and provide the Hardware/Software maintenance services at the same terms and conditions as agreed with the selected Bidder.

13 The OEM of SIEM tool should have been in existence in India for the last -2- years as on 29/02/2012 with its own support centre.

1. Partnership firm-Certified copy of Partnership Deed.

Limited Company-Certified copy of Certificate of Incorporation and Certificate of Commencement of Business.


2. List of support offices and manpower

14 SIEM Solution offered by the Bidder should be well known reputed solution implemented worldwide and the same should have been consistently rated high in the Leaders Quadrant in the last -3- years reports on Magic Quadrant for Security Information and Event Management by Gartner.

Please submit copy of such reports.

15 SIEM tool provided by the Bidder should support agent less mechanism for collecting logs.

Provide supporting documents from OEM.

NOTE: Same SIEM tool means the SIEM tool being quoted by the Bidder.

Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above eligibility criteria along with documentary proofs as specified above.

The fulfillment of above eligibility criteria except items 3 & 4 above, would be ascertained as of 29-02-2012.

Those who fulfill all the eligibility criteria as mentioned above are only eligible to take part in this bid exercise. Proposals of those Bidders, who do not fulfill the Eligibility Criteria as stated above fully, will be rejected.

Bidder/Bidders who have been appointed by the Bank for any other project and whose contract has been terminated before completion of the project are not eligible to bid in the proposed project.




ANNEXURE-B : SECURITY SYSTEM INTEGRATOR’S SELECTION/ EVALUATI-

ON PROCESS

Evaluation of Technical Bid

First, Technical bid documents will be evaluated for fulfillment of eligibility criteria. Technical bids of only those Bidders who fulfill the eligibility criteria fully as per Annexure-A will be taken up for further evaluation/selection process rejecting the remaining bids.

The evaluation/selection process will be done with combination of, technical competence and commercial aspects as detailed here below. A maximum of 100 marks will be allocated for the technical bid. The evaluation of functional and technical capabilities of the Bidders of this RFP will be completed first as per the following guidelines. The technical proposals only will be subjected for evaluation at this stage. The Bidders

scoring less than 75 marks (cut-off score) out of 100 marks in the technical evaluation shall not be considered for further selection process. Once the evaluation of technical proposals is completed, the Bidders who score equal to, or more than the prescribed cut-off score of 75 will only be short listed.

In case of less than -2- Bidders fails to score more than cut off marks, the cut off marks criteria will be relaxed to cut off marks of 60 in such a case and the top -2- Bidders will be evaluated as per rest of the evaluation criteria.

The evaluation of technical proposals, among other things, will be based on the following:

Prior experience of the Bidder in undertaking projects of similar nature.

Professional qualifications and experience of the key staff proposed/ identified for this assignment.

Methodology/Approach proposed for accomplishing the proposed project, Proof of Concept testing/ Activities / tasks, project planning, resource planning, effort estimate etc.

Various stages of technical evaluation are presented below:

1. Eligibility evaluation as per the criteria prescribed in Annexure-A.

2. Evaluation of technical proposals of Bidders qualified in eligibility evaluation, based on response and presentation

3. Arriving at the final score on technical proposal.

Presentation-cum-Interview

The Bidders who are qualified in eligibility evaluation, have to give presentation/interactions before panel of representatives of the Bank on the methodology/ approach, time frame for various activities, strengths of the Bidders in carrying out the tasks as per the RFP. The technical competence and capability of the Bidder should be clearly reflected in




the presentation. If any short listed Bidder fails to make such presentation, he will be eliminated from the evaluation process. Bank may at its discretion ask the Bidder to conduct proof of concept testing of the solution being provided to the Bank.

At the sole discretion and determination of the Bank, the Bank may add any other relevant criteria for evaluating the proposals received in response to this RFP.

Bank may, at its sole discretion, decide to seek more information from the Respondents in order to normalize the bids. However, Respondents will be notified separately, if such normalization exercise as part of the technical evaluation is resorted to.

Technical Evaluation Criteria:

The criteria for evaluation of technical bids is as under. Credentials and

other evaluation criteria will be computed as of 29-02-2012.




Criteria Evaluation Parameters Max

Mar

ks

Documents to

be submitted

Bidder Credentials

The number of years experience of providing Managed SOC services, from their own SOC in India in last 5 years.

For each year of experience 1 Copies of Work order and client reference. Maximum marks 5

Bidder is using same SIEM tool in their SOC 3 Details of the SIEM tool in vendor’s SOC.

The number of Managed SOC services assignments carried out, from their own SOC in India.

For each services assignment 1 Copies of Work order and client reference.

Maximum marks 3

The number of SOC Implementation assignments(Captive SOC) carried out at client premises.

For each SOC Implementation 1 Copies of Work order and client reference.

Additional marks for each implementation in a Bank, Insurance, Stock Exchanges in India

1

Additional marks for same SIEM tool 1

Maximum marks 9

The number of Managed SOC services assignments carried out at Client premises (Captive SOC).

For each services assignment 1 Copies of Work order and client reference.

Additional marks for SOC services in a Bank, Insurance, Stock Exchanges in India.

1

Additional marks for same SIEM tool 1

Maximum marks 9

The number of OEM certified personnel on SIEM solution being offered by the Bidder

For 3 certified employees 1 1. Copy of relevant Certificate; 2. Proof of employment with the Bidder.

For 4-5 certified employees 2

For more than 5 certified employees 3

Sub-total (Credentials) 32

OEM Technical Support: SIEM vendor has local presence in India with support centres in Mumbai

8 Bidder to provide details of support centre including the trained manpower and infrastructure details.

SOC Solution Specifications compliance 30

Methodology, Approach and Proof of concept testing.

Demonstration of in-depth understanding of the Bank’s project requirements through the technical proposal and presentation, with detailed broken-down activities to be performed, effort estimation, manpower to be deployed and results of proof of concept testing.

30 Subjective evaluation based on technical proposal and presentation

TOTAL MARKS 100

NOTE 1: Experience of last -5- years only will be counted in the Eligibility and Technical Evaluation of the Bids.

NOTE 2: SIEM tool implemented by Bidder should include SIEM tool installation, configuration and Hardware/Software maintenance for at least -1- year period in the last -5- years. NOTE 3: For Managed SOC services at client premises, regular manpower for day to day operations of SOC has to be provided for a minimum period of -1- year at the client premises.




NOTE 4: For manpower consideration, the Employee should be on the payroll of the Bidding company. For this proof in the form of employment letter duly accepted by the employee or suitable declaration jointly signed by the Employer and Employee stating date of joining on the Bidding company‟s letterhead should be submitted.

Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above evaluation criteria along with documentary proofs as specified there against.

Commercial Bid Evaluation Criteria

It may be noted that commercial bids will be subjected to following evaluation process.

Based on the technical evaluation criteria, each Bidder will be given certain marks. Only those Bidders scoring 75% (75 marks out of 100) or above in the technical evaluation will be short-listed for commercial evaluation.

Commercial Bids of the Bidders will be discounted at 10% per annum to arrive at the Present value of the Bid. All payments mentioned in the commercial bid will be considered as payable in the beginning of the year irrespective of the payment terms.

Example of Present value calculation

1st year

2nd Year

3rd Year

4th Year

5th Year Total

Total Cost 100 25 20 40 30 215

PV of individual years payments 100 22.73 16.53 30.05 20.49 189.80

Total Present Value 189.80

Present value of the Commercial Bids of Shortlisted bidders will be evaluated and the lowest bidder will be treated as successful Bidder.

Bank reserves the right to negotiate the price with the successful Bidder before awarding the contract. It may be noted that Bank will not entertain any price negotiations with any other Bidder, till the successful Bidder declines to accept the offer.

In the case of tie between two or more Bidders a fresh commercial bid

will be called upon from these Bidders for evaluation and selection of the Security System Integrator.

Bank may at its discretion go for the reverse auction. Terms and conditions of the reverse auction will be communicated to the eligible Bidders prior to the commencement of the reverse auction exercise.




ANNEXURE-C : COMPLIANCE CERTIFICATE

(on company‟s letterhead) To, Date : The Chief Manager(CISO) Risk Management Dept. Bank of Baroda 2rd Floor, Baroda Corporate Centre C-26, G Block, Bandra Kurla Complex, Bandra (East) Mumbai 400 051 Dear Sir, Ref: - RFP for selection of Security System Integrator for Security Operations Centre. 1. Having examined the Request for Proposal (RFP) including all annexures, the

receipt of which is hereby duly acknowledged, we, the undersigned offer to provide the desired services to supply, install Security Operations Centre and provide managed security services for the Bank‟s Information System Assets in conformity with the terms and conditions of the said RFP and in accordance with our proposal and the schedule of Prices indicated in the Price Bid and made part of this bid.

2. If our Bid is accepted, we undertake to complete the project within the scheduled time lines.

3. We confirm that this offer is valid for six months from the last date for submission of RFP to the Bank.

4. This Bid, together with your written acceptance thereof and your notification of award, shall constitute a binding Contract between us.

5. We undertake that in competing for and if the award is made to us, in executing the subject Contract, we will strictly observe the laws against fraud and corruption in force in India namely “Prevention of Corruption Act 1988”.

6. We agree that the Bank is not bound to accept the lowest or any Bid that the Bank may receive.

7. We have not been barred/black-listed by Government of India / statutory authority in India and we have required approval, if any, to be appointed as a service provider.

8. We shall observe confidentiality of all the information passed on to us in course of the tendering process and shall not use the information for any other purpose than the current tender.

9. We confirm that we have obtained all necessary statutory and obligatory permission to carry out the assignment, if any.

Signed Dated Seal & Signature of the Bidder Phone No.: Fax: E-mail:




ANNEXURE-D : TECHNICAL BID FORMAT

Particulars to be provided by the Bidder in the technical proposal –

No

Particulars

Bidder to furnish details

Reference Page no

of relevant

document in RFP

response

1 Name of the Bidder

2 Date of establishment and constitution. Certified copy of “Partnership Deed” or “Certificate of Incorporation/commencement of business” should be submitted. For entities other than partnership firm and limited company, other relevant documents to be submitted.

3 Location of Registered Office /Corporate Office/ Mumbai office with addresses.

4 Mailing address of the Bidder

5 Names and designations of the persons authorized to make commitments to the Bank

6 Telephone and fax numbers of contact persons

7 E-mail addresses of contact persons

8

Details of:

Description of business and business background Service Profile & client profile

Domestic & International presence.

11 Gross annual turnover of the Bidder (not of the group)

Year 2008-09 Audited

Year 2009-10 Audited.


(Copy of audited financial statements for above years to be submitted)




No

Particulars


Reference Page no

of relevant

document in RFP

response

12

Net profit of the Bidder (not of the group)

Year 2008-09 Audited



(Copy of audited financial statements for above years to be submitted)

13

Experience of assignments executed successfully in the last -5- years as per the following details :

(For item nos. 13a to 13c, Name of the organization, time taken for execution of the assignment and documentary proofs in the form of copy of work order and Client reference are to be furnished)

As per Annexure G

13a Onsite SOC Implementation assignments.

13b Onsite SOC Operations assignments.

13c Offsite SOC operations assignments from remote SOC involving at least network and security devices log monitoring.

14 Details of the similar assignments on hand as on date (Name of the Bank, time projected for execution of the assignment and documentary proofs such as work order are to be furnished)

15 Names of the Engagement Manager, SOC operations Manager identified for SOC implementation and operations and their

professional qualifications and experience/expertise.

Details of similar assignments handled by the said Implementation manager. Documentary proofs for all the assertions are to be enclosed.

As per Annexure H




No

Particulars


Reference Page no

of relevant

document in RFP

response

16

Names of the other team members identified for this assignment and their professional qualifications and experience/expertise. (Should possess qualifications as mentioned in the RFP)

Documentary proofs for all the assertions in the form of Certificates, CVs, employment letter to be enclosed.

As per Annexure H

17

Names of the SIEM/DAM/VM Solution certified staff members.

(Copy of relevant certification)

18 Estimated work plan and time schedules for providing services for this assignment.

19 Details of the Bidder‟s proposed methodology/approach with reference to the scope of work.

20

Effort estimate and elapsed time are to be furnished.

As per Annexure-I

21

SIEM Tool & other softwares Name and their Version

22 Details of deliverables, other than the deliverables with reference to the scope of work.

The Bidder should provide detailed responses for each of the above items along with documentary proofs as prescribed there against and also as specified in Annexure-A (eligibility criteria) & Annexure B ( Bidder’s

Selection/Evaluation Process).

Declaration:

1. We confirm that we will abide by all the terms and conditions contained in the RFP.




2. We hereby unconditionally accept that Bank can at its absolute discretion apply whatever criteria it deems appropriate, not just limiting to those criteria set out in the RFP, in short listing of Bidders.

3. All the details mentioned by us are true and correct and if Bank observes any misrepresentation of facts on any matter at any stage, Bank has the absolute right to reject the proposal and disqualify us from the selection process.

4. We confirm that this response, for the purpose of short-listing, is valid for a period of six months, from the date of expiry of the last date for submission of response to RFP.

5. We confirm that we have noted the contents of the RFP and have ensured that there is no deviation in filing our response to the RFP and that the Bank will have the right to disqualify us in case of any such deviations.

Place:

Date: Seal & Signature of the Bidder




ANNEXURE-E : SOC SOLUTIONS’ SPECIFICATIONS

SIEM Specifications

S/N Evaluation Criteria

Max

Marks

* Comply

(YES/NO) or

C(Customization

Required)

Remarks

1 SIEM TOOL FEATURES AND ITS IMPLEMENTATION

300

a The solution should be scalable

to support minimum 1000 devices to upto 1500 devices with sustainable Events per Second (EPS) ranging from 10000 to 50000 with the ability to leverage the existing solution (hardware & software) with a capacity buffer of 25%. EPS specifies the ability of the solution to gather, store, monitor, correlate and report events per second.

Please provide how the solution will scale up from 10000 EPS to 50000 EPS ?

60

b The solution should be implemented on Hardened OS and database in Hardware / Appliance. The storage configuration must offer a RAID configuration to allow for protection from disk failure.

10

c The solution should have high Availability feature built in. There should be an automated switch over to secondary collector/Agent Server in case of failure on the primary collector/Agent Server. No performance degradation is permissible even in case of

10




collector/Agent Server failure. Please describe the architecture proposed to meet this requirement.

d The Solution should provide web based administration (both http and https)/ user interface (Thick Client) for device management and monitoring.

10

e The product preferably should not require (need for) separate administrators to maintain SIEM

software, hardware, OS and database.

10

f The system should leverage information about enterprise assets and known vulnerabilities while raising alerts and incidents.

30

g The system should be able to capture information about criticality ratings of assets and should leverage that information while performing correlation and raising alerts/incidents.

30

f The system should be able to integrate with popular tools like Nessus, nCircle, QualysGuard, Foundscan, ISS, Appscan , and other tools as Bank many choose to deploy/integrate in future. Please specify name of all VA tools which can be currently integrated.

20

i Support for the Integration to the Existing Firewalls, NIDS, NIPS, HIDS, Antivirus Solution), IPSec(VPN) Gateways, DHCP Server etc.

10

j Support for the Integration of Security Logs from the following devices/application systems:

50




Operating System: Windows 7, Win2K, Win2K3,Win2008, Sun Solaris, Linux,OS/2, HPUX, IBM AIX, different flavors of Unix, Novell Netware, DataBase Servers : Oracle, Sybase and SQL Servers & Foxpro DHCP Server : DHCP server supporting Devices and Operating systems.

Networking Hardware

Firewall: Cisco Pix, Cisco ASA, Checkpoint, Juniper IPS/IDS : Cisco IPS, Proventia, Checkpoint Routers : Cisco, 3 Com, Layer 2 and Layer 3 Switches ; Cisco, HP Procurve UTM Devices : Fortinet, Cyberroam Network Behavior Analysis Tools VPN Devices : Cisco, Checkpoint Virtualization : VMWare, Citrix, Microsoft Hypervisor Messaging: Microsoft Exchange Server, Lotus Notes Web Server ; IIS, Apache, Websphere Customized/Middleware Applications: Oracle Financials, BEA, Active Directory, Cisco ACS Risk Based and 2 Factor Authentication System : Arcot-ID with Webfort and Risk fort modules Identity and Access Management

System Antivirus Solutions: TrendMicro, Symantec Payment Messaging/Transaction Switching system: Base24, SWIFT, SFMS(Structured




Financial Messaging Solution), RBI-INFINET(Indian Financial Network), Cash Management Services This is an indicative list and the product should be capable of integrating the logs for other systems/OS/devices too, which may not be included in the list and may be deployed by the Bank at a later date.

(Please provide list of supported platforms/applications/tools)

k Event data must be enhanced in a manner that allows all content developed (filters, dashboard displays, reports) to be vendor agnostic (i.e.a currently deployed technology can be replaced with a similar technology without having to modify existing content on the log management of SOC solution).

10

m Please explain how the correlation rules, configuration files etc will be replicated to DR site to remain in sync with DC.

10

n Please explain how correlation of past data on tape will be performed. Whether it will affect the normal operation.

10

o Please provide Industry

recognition/ award/ certification received by the SIEM solution

30

2 SIEM TOOL LOG

MANAGEMENT

200

a At the time of storage, system should not filter any events. However, system should have the capability of filtering events during the course of correlation

10




and report generation.

b RAW logs that are received by the Collector/Agent/Logger/SIEM solution should be Authenticated (time-stamped), encrypted and compressed before being transmitted to the log management solution.

10

c The SIEM Solution Database should write logs in tamper proof manner. Once the logs are

written to the disk/database no one including SIEM or database/system administrator should be able to modify/tamper/delete the stored logs till correlation and archival of the same.

10

d There should be No parting of logs, or filtering of logs at any stages of log collection or log storage. Log collection process should satisfy the needs of Regulatory compliance, forensic evidence gathering and data retention policy.

10

e The solution should offer Single Global View of All the Data collected from in-scope devices across sites/geographies

20

f The solution should be able to collect raw logs in real-time to a Central Database from any IP Device including in house, customized and proprietary applications

20

g Solution should be capable to store logs in Raw format as per the user configurable parameters.

10




h The solution should not require agents for collection of the logs on individual devices. Secure ftp is allowed in case the device writes logs to local files and does not support log forwarding.

10

i The solution should be able to continue to collect log data during database backup, de-fragmentation and other management scenarios, without any disruption to service

10

j The collection devices support collection of logs via the following methods:

Syslog over UDP / TCP

Syslog NG

Cisco IDS via SecurePOP3 / Secure XML, SDEE

Check Point LEA

SNMP Version 2 & 3.

ODBC (to pull events from a remote database)

FTP (to pull a flat file of events from a remote device that can’t directly write to the network)

Windows Event Logging Protocol

XML

NetBIOS

Netflow

20

k Support for the systems (like Microsoft Windows Servers) log correlation without installing an agent on the local machine

10

l Connector Development tool/SDK availability for developing collection mechanism for home-grown or any other unsupported

20




/unknown applications.

m The Solution should have the capability to compress the logs by at least 70% for storage optimization. Documentary support should be provided.

20

n Data Archival solution should store information in tamper proof format and should comply with all the relevant Regulations.

10

3 SIEM TOOL LOG CORRELATION

200

a The solution should support correlation of logs from all the devices within an enterprise and all security scenarios like spoofing, authentication failures, etc. The solution must support multi-device, multi-event and multi-site correlation across the enterprise

30

b The system should support the following types of correlation: a) Rule-Based Correlation b) Vulnerability Based Correlation c) Statistical Based d) Historical Based e )Heuristic Based

20

c Solution should be able to monitor identities and activities of users across all devices.

20

d The system should display summarization of events

10

e The system should have out of the box rules for popular IDS/IPS, firewalls routers, switches, VPN devices, antivirus, operating systems, Databases and standard applications etc.

(Please attach list of supported devices/applications) and

30




specify number in the remarks column.)

f The rules should allow import/export in CSV, XML format etc.

10

g The system/solution have the ability to correlate all the fields in a log

10

h The system should allow a wizard based interface for rule creation. The rules should support logical operators for

specifying various conditions in rules.

30

i The solution should be able to detect Advanced persistent threat.

40

4 SIEM TOOL ALERTING & VIEWING REQUIREMENT

200

a Solution should allow setting up of alerts based on event types, system event, attacks, failure count, geographical location, department wise, etc.

10

b The solution should provide full forensic event playback to ensure comprehensive trend and historical analysis and reporting. This should be supported in https and thick client formats.

20

c Capability of Distributed viewing as well as single consolidated viewing and delegation of user rights across devices and access to individual components of the application.

20

d It should allow filtered view of events classified on the basis of severity/ /device/traffic-on-tcp or udp-port/location / segment to different teams, geographical

10




locations

e The system should support alert suppression for specific events like :

Number of duplicate alerts that come within specified time frame.

Suppression based on specified time frame.

Based on variables like Device IP address.

10

f The system should allow creating baselines of network activity and should provide a mechanism to raise alerts when baselines are crossed

20

g System should provide for watchlist feature to enable the user to populate the list based on various parameters like IP Address, URL etc.

10

h E-mail notifications should contain the contents of the report as an attachment capable of being saved as Excel and or PDF.

10

i The system provides configurable automated actions in response to security problem, sending E-mail Notifications, SMTP notification, SYSLOG notification, SNMP Notifications to operators.

10

j The system should have a provision of view filters when displaying the logs related to specific IP address, specific service or specific time duration or geographical location.

10

k The system should have an Event display Window for all alerts coming in real time

10




l The process should allow applying filters and sorting to query results.

10

m The solution should include the following categories of predefined graphs and queries out of the box:

m1 Firewall, including Top Firewall Interfaces, File Access through Firewall, and Login Failure Summary

10

m2 Database, such as Login Activity, Authorization Level and Authorization Level by User

10

m3 Intrusion detection, including Top Attack Signatures, Attack Type by Severity Level, and IDS /IPS Signature Summary

10

m4 Operations, such as Device Activity Analysis, Activity by Event Category, and Network over Time

10

m5 User, including Privilege Users Monitoring, Configuration Change Details and Activity by Specific Username

10

5 SIEM DASHBOARD FEATURES 150

a The dashboard should be a unified web based online portal and provide collaboration for the

following

1. SIEM events/incidents related alerts, log stoppage

alerts, monthly summary reports and analysis.

2. Threat advisory alerts relevant to assets being monitored with feeds from VA

tool.

3. Database activity alerts with feed from DAM, NBA and other

10




security tools.

4. Dashboard should be

customizable as per the individual user business need

Please provide the list of tools which can be integrated with the Dashboard

b The unified portal should allow users to view alerts raised through this portal.

10

c The unified portal should make use of qualified security event

and incident alerts raised from SIEM into useful periodic reports (weekly, monthly basis)

and analysis. These reports should be available for view or

download.

10

d The unified portal should provide summary of log

stoppage alerts and automatic suppression of alerts.

10

e The unified portal should

generate e-mail and SMS notifications for all critical/high

risk alerts triggered from SIEM log monitoring, vulnerability assessment.

10

f The unified portal should also allow users to initiate and track alert related mitigation action

items. The portal should allow reports to be generated on

pending mitigation activities based on ageing analysis.

5

g The vendor solution (portal)

should also provide 360* view of assets i.e. Asset Properties,

events & incidents, vulnerabilities and issue mitigation tracking mappable to

individual assets/users.

5




h The unified portal also should provide knowledge base and

best practices for various security vulnerabilities.

5

i Reports should be consolidated in an integrated online dashboard

5

j There should be a feature to create any kind of report from any of the available data from

the feeds like top incidents by application, by hosts, users etc.

5

k Vendor should design report format for management reporting including heat maps,

executive score cards for top management that covers

security performance of different business units, compliance, asset status

5

l Dashboard should display asset list and capture details including name, location, owner,

value, business unit, IP address, platform details

5

m Dashboard should capture the security status of assets and highlight risk level for each

asset. The asset status & risk scores should be consolidated at a higher level to report on

overall security status of bank, status of different business

units within the bank, status of key locations

5

n Dashboard should have

graphical display of asset security status based on

locations, business units. Graphical display should support different methods of

representing information including bar charts, pie charts, line charts as relevant to the

5




information that is represented. Dashboard should support drill

down graphs to click and move to the level of individual assets

o Dashboard should capture risks in each asset. Dashboard should have the provision to

click on the asset and track mitigation status corresponding to risks

5

p Dashboard should support reporting for consolidated

relevant compliance across all major standards and regulatory requirements. This includes ISO

27001, BS25999, ISO 20000, RBI regulations, IT ACT, PCI

DSS standards, SOX etc

5

q Dashboard should support different views relevant for

different stake holders including top management, operations team, Information Security

Department

5

r Dashboard should support

export of data to multiple formats including CSV, XML, Excel, PDF, word formats

5

s Dashboard should be Capable of Distributed viewing as well as single consolidated viewing and delegation of user rights across devices and access to individual components of the application.

5

t Ability to provide an intuitive user interface with features such as display correlated events, unlimited drill down to packet

level event details, simultaneous access to real-time, raw logs and historical events, customizable at-a-glance security view for administrators. The drill down should be directly from the

5




dashboard using a single mouse click.

u The dashboard should display the security status of IT infrastructure in the bank. Dashboard should have graphical display of asset status based on locations, business units etc.

5

v Dashboard should capture risks in each asset. There should be a graphical representation of risks

across business units. Dashboard should support drill down graphs to move to the level of individual assets

5

w Compliance to SLA should be captured in the dashboard

5

x The system should have a facility to view Summary of all Dashboard views for the entire enterprise.

5

y The system should permit setting up geographical maps/images on real time dashboards as a placeholder for alerts.

5

6 SIEM TOOL REPORTS 150

a List out a full list of reports offered by the solution specifying reports included for each supported device type?

10

b Please list reports for all included compliance packages including what are offered for the list below.

Indian Information Technology Act 2000 including all amendments

Sarbanes-Oxley (SOX)

50




Gramm-Leach Bliley Act (GLBA)

Basel II

Payment Card Industry (PCI)

ISO27001

Federal Information Security Management Act of 2002 (FISMA)

UK Data protection Act

(Please specify all such compliance reports and indicate the numbers against each report category.)

c The reports should be available in the following exported formats: a) PDF b) XLS c) CSV

10

d The system should have the capability to Schedule Reports and transmit the same through e-mail on periodic basis. All raw log format fields should be available for query using the solution

10

e The solution should provide a process for creating and save adhoc log queries. This process should use standard syntax such as wildcards and regular expressions.

10

f Compliance and security relevant reports should be available out of the box. The platform must be able to customize the out of the box reports as well. (please specify no of reports available in Remarks column

20

g Variety of reports with the availability of the management

20




level reporting with full capability to customize and create new reports according to business requirements.

h The system should allow email of scheduled reports to recipients with size limitations in case of email gateway limitations

10

i System should have inbuilt query analysis capability and should not require any third party or physically separate solution.

10

7 SIEM TOOL FORENSIC AND HISTORICAL DATA ANALYSIS

100

a The solution should provide flexible dashboard interface customized to individual user preferences allowing the examination of a specific event or a holistic view of the systems within the enterprise

40

b Access Rights to run tool should be defined

15

c The solution should provide quick and easy access to real-time as well as historical operational data

15

d The solution should provide full forensic event tracking to ensure comprehensive trend and historical analysis and reporting

30

8 SIEM TOOL PURGING, ARCHIVAL AND RETENTION

OF LOGS

150

a The platform should provide tiered storage strategy for the online, archival, backup and restoration of event log information. The platform should optimally manage the storage of an event from the moment it is

10




created to when it is no longer needed. All logs are managed from the time of generation to retirement of logs

b The platform should provide entire Information Life cycle management solution for log retention and purging after log retention period is over

10

c The platform should provide solutions for online and offline storage of logs which is need for

faster correlation analysis and log retention.

10

d The platform should enable offline storage of logs with automated tools for log purging and retrieval from offline storage

10

e The solution should compress the logs by at-least 70% before writing to the storage. The compression should be high to achieve substantial cost savings for the bank for the long term retention needs of the logs for regulatory compliance. Please explain the event collection and storage process from collection to storage to reporting. Also detail how the data is compressed if any during the storage process.

(Please explain the process of periodic backup of data.)

20

f Log Management Solution should have minimum usable Storage capacity of 15 TB with support for different RAID levels and should be expandable as per the Bank requirements.

10

g System should have capacity to maintain the logs for 3 months online and other logs should be

10




archived.

h System should provide for the backup facility for data, configuration and whole system on secondary storage such as LTO tapes.

10

i Solution should be capable of retrieving the archived logs for analysis, correlation and reporting purposes.

10

j System should provide support for event playback

10

k Solution should be capable to replicate logs in Synchronous as well as Asynchronous mode.

10

l Archival solution should support NFS and CIFS formats for retrieval of data.

10

m Solution should have capability to integrate with external storage (DAS, NAS, SAN and tape library) as may be required by the Bank.

20

9 SECURITY FEATURES OF THE

SIEM SOLUTION

100

a Log transmission between thick Client & Engine should support SSL ver 2.0, ver 3.0 encryption

5

b Ability to gather information on real time threats and zero day attacks issued by anti-virus or IDS vendors or audit logs and add this information as intelligence feed in to the SIEM solution via patches

10

c Details of Archival Information (Please provide details)

5

d The system should have a provision for the authorization for the different levels of users on

10




the SIEM on the basis of their roles.

e The system should maintain the audit trail for the management activities of individual users and administrators accessing and using the application

10

f The system should have the ability to create and assign role-based views

10

g The system should have a mechanism for protection of

unauthorized access on the Log Database by system administrator.

10

h Solution should be capable to track Access-list violations

10

i Solution should display the health status of the SIEM Solution.

5

j The system shall have a robust and proven database. The vendor should synchronize with OEM master database and update on periodic basis.

5

k The vendor shall commit to supporting new version release of the supported products within six months of their release.

5

l The vendor solution should provide user accounts with granular access permissions and roles to different accounts. Specify the types of permissions that can be applied and the process for applying the permissions. For authentication the system shall support LDAP including Microsoft’s Active Directory.

10




m Solution should support IPv6 in future at no extra cost to the Bank, as and when deployed by the Bank.

5

10 SOC SUPPORT AND OPERATIONS

300

a Technical Support should be available through OEM or the registered partners of OEM. Please specify proposed Technical Support framework to be provided to the Bank.

10

b Training & certification for persons nominated by the bank

10

c Vendor should monitor security events to detect attacks and raise the alerts for any suspicious events that may lead to security breach in BANK environment. Monitoring should be done on 24/7 basis with onsite personnel for Datacenter and DR. Vendor should provide the operations team as given in the specifications.

10

d Vendor should develop, update and maintain log baselines for all platforms at the Bank.

10

e Vendor should coordinate with IT operations to implement and maintain the log baselines on production systems.

10

f Vendor should detect both internal & external attacks.

10

g Vendor operations team at the Bank should send alerts with details to designated personnel (the Bank /other service providers).

10

h Vendor should provide 10




coordinated rapid response to any security incident. Vendor should contain attack & coordinate restoration of services

i Vendor should maintain a knowledge base of alerts, incidents and mitigation steps

10

j Evidence for any security incident should be made available for legal and regulatory purposes

20

k Vendor should provide multiple

reports to the Bank including daily, weekly and monthly reports. Vendor should also have the provision to provide the Bank reports, on demand on a case to case basis. Reporting requirements will be as per the baseline arrived at during the setup phase

30

l Vendor should conduct forensic analysis for security incidents

10

m Vendor should do root cause analysis for security incidents and coordinate implementation of controls to prevent reoccurrence.

10

n Vendor should bring workflow processes and work with the Bank to build in to their service desk

10

o Vendor should manage the log storage including online , offline and archival

10

p Vendor should add/delete/modify rules, reports and dashboards based on the Bank requirements

10

q Vendor should do other administrative tasks including

10




regular backup of system, restoration, installation, health check monitoring, agent installation/removal

r Vendor should manage any faults in the SIEM solution and resolve them.

10

s All deliverables including reports should undergo Quality Assurance process through a team that is dedicated for this function and is separate from the

team for security monitoring

15

t QA team should define quality metrics, measurement frequency and reporting periodicity

15

u QA team should review reports, operating procedures, administrative activities on a daily basis to identify quality issues

15

v QA team should submit daily, weekly and monthly QA reports to the Bank management

15

w Vendor team lead and SOC manager are responsible for managing the security monitoring team and ensuring satisfactory performance

10

11 DATABASE ACTIVITY

MONITORING TOOL

400

a Solution can be either software based or appliance based. In case of software based solution, please mention the hardware configuration being offered.

10

b Solution should be able to receive feeds from a mirrored port as well as from the agents installed on the database servers.

10




c For monitoring DBA activities, an agent should be deployed on database servers and there should be only one agent for monitoring DB activities including local DB local DB traffic and the network DB traffic.

10

d Agents should have only minimal overhead for the production DB servers. The CPU utilization on the DB server should not increase beyond 5% of the present utilization.

20

e Agent should support different versions Windows, Unix, Linux and their different flavors.

10

f Audit trail should be stored within the solution in encrypted flat files and it should not be stored in any database.

10

g Solution components (Agents and manager) should be managed centrally.

10

h Solution should support below DB platforms, their different flavors and versions

Oracle

MS-SQL Server

Sybase

Base24

Please provide a list of all the supported Databases and their flavors

30

i Solution detect sensitive data types, such as credit card numbers etc, in database objects.

20

j Solution should have Database vulnerability assessment tests for assessing the vulnerabilities and mis-configurations of

30




database servers, and their OS platforms. Oss and RDBMSs are tested for known exploits and mis-configurations. The product should identify missing patches.

k The product should have pre-defined reports and support custom report generation. Please provide list of reports readily available.

20

l The solution should offer virtual patching capabilities (protecting

the database from known vulnerabilities without deploying a patch or script on the system).

10

m The solution should support high availability

10

n The product should be able to be installed in sniffing(promiscuous) mode or inline mode.

20

o Solution should have built-in bypass for inline mode.

10

p The solution should not use the native database auditing functionality.

10

q Solution should be able to integrate with the SIEM solution, Dashbaord and Incident Management solution being proposed by the vendor.

30

r The data transferred between the agent and the appliance should be through an encrypted channel.

20

s The solution should capture at least the following activity by user/role

Update, insert,

delete(DML)

Schema/Object changes

80




(DDL)

Manipulation of accounts,

roles and privileges (DCL)

Backend SQL query

updates.

t Please provide Industry

recognition/ award/ certification received by the DAM tool

30

12 VULNERABILITY MANAGEMENT TOOL

300

1. Solution should at minimum

support assessments of all the platforms in the DC and DR environment of the bank. Please

provide list of supported platforms.

5

2. The application should be web based which can be installed centrally and accessed by users

across organization in different offices

5

3. The application should have comprehensive predefined security configuration

assessment checks (settings) for different supported platforms as per industry standards such as

ISO27001, PCI-DSS, OWASP etc.

10

4. The application should have all security configuration setting checks recommended by CIS for

the supported platforms.

5

5. The application should allow

organizations to create multiple assessment profiles for any supported platform.

5

6. The application should allow organizations to create different profiles as per their organization

requirements.

5


organizations to customize the

5




checks as per the organization policy and requirements.

8. The application should provide Secure Configuration Document

for all the platforms. These SCDs should have crisp step-by-step implementation (How-to

configure) steps for all checks

5

9. The application should allow organizations to create asset

details of all servers and devices with their IP, platform details,

owner, location, department and value of the asset.

2


organizations to manage asset details.

2

11. The application should allow organizations to choose an assessment profile at asset level.

2

12. The application should allow search of assets based on IP, Location, Owner and

Department.

5

13. The application should support

multiple approaches for vulnerability assessment,

a. Automated Vulnerability

Assessment (over the network)

b. Manual Vulnerability Assessment in case automated VA is not

allowed.

2

14. The application should perform the vulnerability assessment

remotely over the network without any manual

intervention.

5

15. The application should not require any of their agents to be

pre-installed in the target assets to enable automated VA.

2

16. The application should allow 2




organizations to schedule the VA of selected assets for a pre-

defined date and time.


organization to know the status of the scheduled automated VAs. In case of issues, the

application should provide appropriate information at asset level and check level.

5

18. The application should provide scripts or light-weight

executables to manually collect the security configuration data from the assets.

2

19. The application should support upload of the security

configuration data for detailed assessment and analysis.

5

20. The application should provide

option to raise exceptions for unsafe checks at asset level with appropriate reason.

5

21. The application should maintain these exceptions at asset level

till such time the exceptions are flagged off.

2

22. The application should report

the exceptions accordingly in VA Reports.

2

23. The application should generate reports and analysis

a. Summary Report of

assets scheduled for VA b. VA Report

Asset Level Report

with Analysis

Asset Level Report

with safe and unsafe values

c. Trend Reports

Vulnerability Status of

an Asset over multiple VA Cycles

10




Vulnerability

Summary over multiple VA Cycles


export of reports to different formats such as PDF, MS-

EXCEL etc.

5

25. The application should have a Dashboard which shows

important statistics including, Vulnerability Assessment status, Trend of VA outcome

over the period, Assets pending VA for longer period of time, etc.

5

26. The application should support users to be created and authenticated in the application

5

27. The application should allow the organization hierarchy to be

defined with multiple levels

2

28. The application should control the privilege to manage assets,

ability to create reports and access to reports and analysis based on privileges assigned and

based on hierarchical level of the user

5

29. The application should have strong application security controls such as,

a. Password and account policy

b. Assignment of privileges to users/roles at granular level

c. Detailed Audit trails

10

30. Application should support

broad range of systems, their different versions, flavors,

vendor products Make and models such as Operating Systems

Network and security devices

10




Standard applications such as Web servers,

Mail Server etc Please provide list of such

supported systems.

31. Please provide Industry recognition/ award/ certification

received by the VM tool

10

32. Does the proposed solution support risk-based scoring

metrics ?

5

33. Proposed solution should

perform Intelligent port scanning for service identification running on non-

standard ports and also support scanning throttling/ rate

limiting speed.

5

34. Solution should be capable of Policy Compliance, Baseline

Policy Scan

5

35. Proposed solution should have ability to control multiple

scanning instances from a centralized location/console

5

36. Scanning engines should support parallel scan windows to increase the scan speed

5

37. Proposed solution should have configurable performance

options to avoid target device/network saturation. Please provide details.

5

38. Proposed solution should have ability to search vulnerability check database by vulnerability

name, CVE, patch #/name, /advisory #, bulletin #, category

(e.g. OS, database, web, etc…)

5

39. Proposed solution should have the ability to include/exclude

specific vulnerability checks into a scanning policy

5

40. Proposed solution should have 5




granular control over what ports are included in the port scan

41. Proposed solution should provide a network topology map

to have high level overview

5

42. Proposed solution should support following discovery

options - ICMP, DNS lookup, TCP port ping, UDP port ping

5

43. Proposed solution should be

able to integrate with SIEM, Incident management and

Dashboard solutions- Please provide list of such solutions

10


support correlation of new threats / Vulnerabilities with

the existing infrastructure

5

45. Proposed solution should provide an executive dashboard

to give overall security posture of the network / systems

5


generates scanned reports in HTML, PDF, XML and CSV

formats

5

47. Proposed solution should support compliance report

generation for PCI DSS, OWASP, SoX, FISMA, Basel II, ISO

27001, SANS Top 20, COSO / COBIT

5

48. Proposed solution should have

the ability to generate custom reports

5


ability to search current and historical data By IP, Hostname,

Network or Vulnerability

5

50. Report generated by Proposed solution should display both

open and closed vulnerabilities

5

51. Proposed solution should generate reports based on

5




hosts, networks, geographies or departments / business units

52. Proposed solution should generate report to view total # of

vulnerabilities over time period including specific ones like - only high or medium or low

5

53. Proposed solution should generate following reports

54. Types and # of systems: Host

breakdown by OS (both % and #)

5

55. Can this be further broken down into workstations, servers, and network devices?

5

56. Vulnerabilities found by criticality (critical, high,

medium, low)

4

57. Top X vulnerabilities (by occurrence)

4

58. Top X critical/high vulnerabilities (by occurrence)

4

59. Average vulnerabilities per

system (workstation, server, network device); Alternatively

could be risk rating per system

4

60. Top X most vulnerable systems 4

61. Proposed solution should produce an asset-centric report,

i.e. according to how business units are organized, rather than

scan-centric or network-centric reports

5


the ability to generate custom reports.

5

13 INCIDENT MANAGEMENT

SOLUTION

300

a Solution should include Trouble Ticket workflow customized to user requirements and adhoc workflows capabilities.

25




b Solution should support role based assignment of incidents in its workflow process.

20

c Solution should be able to detect, initiate or import events from security automation tools.

(Please provide list of such supported tools)

30

d Consolidates incident data across business units and locations in an access control repository.

10

e Should provide dashboard for tracking and reporting of costs, related incidents, loss and recovery.

10

f Solution should automatically notify a person on registration of the incident.

10

g Solution should be able to register incidents manually.

10

h Solution should be integrated with Active Directory and should support Single Signon.

10

i Solution should allow automatic creation of Trouble ticket whenever any alert is generated.

10

j Incident management should allow administrators to assign incidents, write notes and provide for automatic and manual escalation of open incidents.

20

k Solution should provide for automatic and manual escalation of outstanding incidents.

20

l Solution should be able to integrate(two way integration) with 3rd party ticketing solution

20




like HP Opneview, CA Unicentre etc. (Please specify).

m Solution should be able to generate the trouble ticket in the 3rd party applications.

20

n Outstanding Trouble Ticket report generation should be available.

20

o Trouble Ticket reports should be customizable as per the user need.

20

p Action taken, incident status, lesions learned should be recorded and should be available as dashboard view and reports.

20

q Solution documents false positives.

10

r Solution should maintain incident history and audit trail with capability to aggregate incidents of similar nature and show as one incident and their closure.

15

14 PERFORMANCE & EVENT SCALABILITY

100

a Solution should be capable to scale up(by installing additional components) when the EPS or Device limits or Database limits have reached their limits. Explain how and what procedures are required to increment the support of the collection of additional events or devices once the EPS or Device limits have reached their limits SIEM, and DAM solutions.

60

b Robust & scalable architecture to handle high volumes of data(feeds) Please provide details for each of the major components being provided as part of the solution.

20




c The solution should support a distributed architecture in future should the need arise to segregate management and collection. Vendor should provide documentation related to distributed architecture support.

20

15 DATABASE MANAGEMENT SYSTEM

50

a Solutions should use Database Management System. Retrieval of

data from Database should not require any proprietary protocol/tool or else the same has to be provided by the vendor at no extra cost to the Bank.

50

* For specifications with reply of ‘Y’ and ‘C-Customization required’, it will be presumed that the price of the feature is included in the commercial quote by the Bidder including customization, if any. Bidder should additionally mention in the remarks column the details of customization in brief.




ANNEXURE-F : PROFILE OF ONSITE MANPOWER AT DC & DR

S.No

.

Job Profile Qualification and Skills Total

Manpower

Comp

lying Y/N

Rema

rks

L1 SOC

Operator

Location :

DC-

Mumbai & DR

Hyderabad

BE/B.Tech./Science Graduate

SIEM trained

1 year experience in IT/information security

Experience in 24X7 monitoring

Job Role

Incident detection

24X7 monitoring of incidents and raise alerts

Incident reporting and escalation

Report creation

Security patch advisories

System health monitoring

4 (for

DC)

1 (for

DR)

L2 SOC Analyst(Loc

ation : DC-

Mumbai

SIEM Certified/Trained

CCNA/CEH Certified

VM Tool certified/Trained( at least 1 resource)

2 years experience in IT and minimum 1 years in information security

Experience in Event Correlation and Analysis

Experience in vulnerability assessments, Penetration testing

Experience in handling events thrown by DAM tool.

Experience in patch management, configuration management

Experience in implementation and management of security gateways, VPNs

Thorough understanding of TCP/IP, networking concepts and internet protocols

Job Role

SIEM product administration

Incident Validation

Detailed analysis of attacks and Incident Response

Solution recommendation for vulnerabilities

Implementation of patches and secure configuration of servers

Manage security devices

Risk analysis for change management for security devices

Escalation point for device issue resolution

Resolve escalation

Identify missed incidents

Maintain knowledge base

VA Tool administration

2




Defining Security Baselines

Prepare VA schedule and perform VA scans against baseline securities as per the

schedule.

Analyze VA report and take steps to reduce false positives.

Submit VA Scan report to the concerned departments and suggest remediation

steps.

Follow up with concerned departments/vendor on the remediation

steps taken.

Resolve user queries

L3 SOC

Manager

Location :

DC-Mumbai

CISSP/CISA

CCNA Certified

3+ years experience in IT & minimum 2 years in information security

Certified in SIEM Tool being deployed

Should have experience of DAM tools operations

Comprehensive management experience in leading large scale security operations

Experience in roll out of SIM, vulnerability management products

Experience in setting up SOC processes

Domain experience in threats and vulnerabilities

Knowledge of system administration of Windows, Unix platforms and networking

devices like Firewalls, IPS/IDS, Switches,

Routers, VPN Gateways etc.

Thorough understanding of TCP/IP, networking concepts.

Job Role

Track Incident detection and reporting

Incident closure

Incident escalation

Identify new alert requirement

Ensure services are being provided within SLA parameters

Performing periodic DR drill.

Followup up departments for closure of various reports/incidents and escalate the

long outstanding issues.

1

The above job roles are only indicative. Detailed job roles will be provided to the successful Bidder.




Manpower Support working days schedule.

S.No. Job Profile Place No of Shifts Working days

1 SOC Operator DC 3 365

2 SOC Analyst DC 2 Monday to Saturday except Sunday and Bank holidays

3 SOC Manager DC 1 Monday to Saturday except

Sunday and Bank holidays

4 SOC Operator DR 1 Monday to Saturday except

Sunday and Bank holidays

Shift : 8 Hours a day. In case of exigencies, L2 and L3 should be available on Sundays and Holidays as well. If a lower level person does not report on duty, then higher level person will be expected to perform the job of lower level person and payment will be made as per the payment structure of lower level person only. In case of absence of any of the resource person, standby manpower may be provided by the vendor. If Bank is not satisfied with the performance of the standby personnel, Bank may not accept such standby manpower and in such cases, charges on actual basis of manpower support will be paid to the vendor subject to adherence of SLA conditions. The above details are only indicative figures and may undergo change as per the requirement of the Bank from time to time. Per Man day charges( for the purpose of deduction on account of absence) = Charges per man year/(12X Number of working days in a month)




ANNEXURE-G : EXPERIENCE DETAILS

DETAILS OF SOC IMPLEMENTATION AND SOC MANAGEMENT EXPERIENCE

Sl. No.

Name of

the Client and

place of implementatio

n

Client segment Bank/

Insurance/Stock

Exchange or Others

Date of PO and date of completion of assignment

Brief Scope

of work

Name of Lead consult

ant

Details of SIEM Tool/ DAM and VM tool

implementation and manageme

nt

Contact

person details of the client

Page Ref. No.

Please submit copy of Purchase order and Client letter. Place: Date: Seal and Signature of Bidder:




ANNEXURE-H : PROPOSED TEAM PROFILE

Sl No

Name of Proposed Engagement Manager /Proposed Team Member

Date of Joining

Prof. Qualifications

Age and total experience

Certifications/ Accreditations

Experience in SIEM/DAM/VM Solution implementation and operations

IT Security Expertise In terms of years and areas of expertise

Documentary proofs are to be enclosed to substantiate the claims made. Place: Date: Seal and signature of the Bidder




ANNEXURE-I : ESTIMATED EFFORT AND ELAPLSED TIME

Sl No

Activities

Ela

pse

d T

ime

Eff

ort

in

Man

day

s

Nu

mb

er

of

team

mem

bers

wh

o w

ill

be

dep

loy

ed

Remarks

1

SIEM Solution Implementation(Configuration of networking devices for log monitoring will be the Bank’s responsibility however vendor will suggest the required steps for such configuration)

Please submit detailed implementation plan

2 Regular Management and Monitoring of SIEM implementation at DC Site on 24X7X365 basis

NA NA Please submit Manpower deployment plan as per your assessment

3 Regular Management and Monitoring of SIEM implementation at DR site on 24X7X365 basis

NA NA Please submit Manpower deployment plan as per your assessment

4 DAM Tool Implementation and regular monitoring


5 Vulnerability Management tool implementation and monitoring


Place: Date: Seal and Signature of Bidder:




ANNEXURE-J : OEM DETAILS

The vendor must provide the following details for the original manufacturers of the products proposed to be provided: Name of the Product with full specifications (please enclose Brochure if available)

1. Name of the Manufacturer

2. No. of years in business

3. Address of the Manufacturer

4. Contact details like phone, fax, email

5. PAN number and Sales Tax number

6. List of Manufacturing locations (world wide)

7. Description of manufacturing locations

8. Description of production facilities

9. Description of inspection & testing facilities

10. Certifications possessed by the manufacturer (ISO etc.)

11. Any other information about the manufacturer

12. Industry Recognitions

Place: Date: Seal and signature of the bidder




ANNEXURE-K : MANUFACTURER AUTHORIZATION FORM Performa of letter to be given by the OEM of devices/hardware to the bank on OEM letterhead by authorized signatory.

Date: To, The General Manager (Risk Management) Bank of Baroda 2nd floor, Baroda Corporate Centre Bandra Kurla Complex, Bandra (East) Mumbai 400 051

Dear Sir, We ……………………………………………………………… (Name of the Manufacturer) who are established and reputable manufacturers of …………………………………… having factories at ………, …………, ………, …………… and …………… do hereby authorize M/s ……………………… (who is the vendor submitting its bid pursuant to the Request for Proposal issued by the Bank) to submit a Bid and negotiate and conclude a contract with you for supply of equipments and softwares manufactured by us against the Request for Proposal received from your Bank by the Vendor and we have duly authorized the Vendor for this purpose. We hereby extend our guarantee and warranty as per terms and conditions of the RFP and the contract for the equipment and softwares offered for supply against this RFP by the above-mentioned Vendor, and hereby undertake to perform the obligations as set out in the RFP in respect of such equipments and softwares. In case the vendor does not perform its duties as per the terms and conditions stipulated in the RFP for maintaining the hardware, softwares during warranty/post warranty period, we shall takeover the maintenance of the hardware, software and related components, supplied by the vendor under same terms and conditions or more favorable terms and conditions to the Bank without any additional cost to the Bank. Yours Faithfully Authorized Signatory (Name: Phone No. Fax E_mail ) (This letter should be on the letterhead of the Manufacturer duly signed by an authorized signatory)




ANNEXURE-L : OEM SIZING CONFIRMATION

Performa of letter to be given by the OEM of SIEM and DAM Solution to the bank on OEM letterhead by authorized signatory. Date: To The General Manager (Risk Management) Bank of Baroda 2nd floor, Baroda Corporate Centre Bandra Kurla Complex, Bandra (East) Mumbai 400 051 Sir, Sub: RFP for implementation of Security Operations Centre-Sizing Confirmation We as Original Equipment Manufacturers of SIEM/DAM solution have sized the hardware/software and license requirement based on information provided by the bank in its’ Tender #....... and in accordance with the tender and Service Level requirements and assure the bank that the sizing is for the DC and DR sites envisaged in the tender. However, if the sizing of the hardware including CPUs, Memory, Hard Disk is found to be inadequate in meeting the tender and the Service Level requirements given by the bank, then we will upgrade the proposed hardware including CPUs, Memory, Hard Disk without any additional cost to the bank. Yours faithfully, Authorized Signatory Designation Vendor’s corporate name




ANNEXURE-M : COMMENTS ON TERMS & CONDITIONS & SERVICES/PRE BID QUERY FORMAT

Please submit your pre bid queries in the format as mentioned below.

Please provide your comments on the Terms & conditions in this section. You are requested to categorize your comments under appropriate headings such as those pertaining to the Scope of work, Terms & Conditions etc. You are also requested to provide a reference of the page number, state the clarification point and the comment/ suggestion/ deviation that you propose as shown below.

Sr. No.

RFP Page no. #

RFP Point / Section #

Clarification point as stated in the tender document

Comment/ Suggestion/ Deviation/ Query

Place: Date: Seal and signature of the Bidder

ANNEXURE-N : COMMERCIAL BID FORMAT

Commercial Bid Format (Amt in Rupees)

Part A

S.n

o.

(a).

Item (B)

Hig

h

Avail

ab

ilit

y

(Red

un

da

ncy

)

Un

its

(C)

Un

it C

ost

(R

s.)

(D)

(in

cl

of

all

tax

es)

To

tal

E =

C X

D

1st y

ear

2n

d y

ear (

F)

incl

of

taxes

3rd

yea

r (G

) in

cl o

f ta

xes

4th

year (

H)

incl

of

taxes

5th

year (

I) i

ncl

of

taxes

To

tal

Co

st(

in R

s)

(J =

E+

F+

G+

H+

I)

(In

cl

of

all

ta

xes)

Bill of

Material

Line

items

Remark (g)

1 Correlation Engine

Box (Data Center) -

Should support HA

Yes

X

X

X

X

1a AMC Cost X X X

2 Correlation Engine

Box (DRS) - Should

support HA

No

X

X

X

X

2a AMC Cost X X X

3 Log Management

(Data Centre) - Should

support HA

Yes

X

X

X

X

3a AMC Cost X X X

4 Log Management

(DRS) - Should

support HA

No

X

X

X

X

4a AMC Cost X X X

Confidential of 103 IT Security Cell,

Risk Management Dept., Baroda Corporate

Centre, Bank of Baroda

Mumbai-400051

RFP for Selection of IT Security Integrator for Security Operations Centre

Print Date 14-Mar-12 & Time 3:19:58 PM

RFP Ref No: BCC:CISO:RFP:103/02 Date : 03 June 2011

5 Log Storage(Data

Centre) with 15 TB

usable storage

capacity with RAID

support and

synchronous

replication and log

retrieval capability

over the network

No

X

X

X

X

5a AMC Cost X X X

6 Log Storage(DR) with

15 TB usable storage

capacity with RAID

support and

synchronous

replication capability

over the network

No

X

X

X

X

6a AMC Cost X X X

7 Collector Box (Data

Center) – with support

for RAID and should

support HA

Yes

X

X

X

X

7a AMC Cost X X X

8 Collector Box (DR)

- with RAID level 1

and should support

HA

No

X

X

X

X

8a AMC Cost X X X




Mumbai-400051




9 Log Collector with

500 EPS Software (for

remote locations)

No 27

X

X

X

X

9a AMC Cost X X X

10 Database Activity

Monitoring Solution

at DC(Appliance)

No

X

X

X

X

10a AMC Cost X X X

11 Database Activity

Monitoring Solution

at DR (Appliance)

No

X

X

X

X

11a AMC Cost X X X

12 Vulnerability

Management solution

for DC inclusive of

Hardware

No

X

X

X

X

12a AMC Cost X X X

13 Incident Management

tool inclusive of

Hardware

No

X

X

X

X

13a AMC Cost X X X




Mumbai-400051




14 Desktop PC Intel I5

2.4GHz Processor,

4GB RAM, 4TB

Harddisk, Internal

LTO-4 Tape Drive

with backward

compatibility. (Please

provide price breakup

of PC and Tape drive )

for DC & DR.

2

X

X

X

X

14a AMC Cost X X X

15 Additional Hardware/

Software requirements

(if any)

X

X

X

X

15a AMC Cost X X X

16 Cost of training for

Bank staff for OEM

certified courses

2 Sessi

ons

X

X

X

X

17 Display (Wall

mountable, minimum

32” LED TV) with

cables

2

X

X

X

X

18 Custom connector

development for

approx 20 applications

X

X

X

X

18a AMC Cost X X X




Mumbai-400051




19 Incremental cost of

upgrade for 15000

EPS ( from 10000

EPS).

X

X

X

X

Please provide all the

possible components which may be needed

for such upgrade and

their price breakup.

19a AMC Cost X X X


upgrade for 20000

EPS ( from 15000

EPS).

X

X

X

X

Please provide all the

possible components

which may be needed for such upgrade and

their price breakup.

20a AMC Cost X X X


upgrade for 25TB

usable storage

space(from 15TB).

X

X

X

X

21a AMC Cost X X X


upgrade for 35TB

usable storage

space(from 25TB).

X

X

X

X

22a AMC Cost X X X

23 24 Port -1Gigabit (non

blocking) L3 Switch

for DC/DR with

2X10GB uplink ports

3 (2

for DC

& 1 for

DR)

X

X

X

X

23a AMC Cost X X X




Mumbai-400051




24 Misc. other items

Hardware, Software,

License fee,

subscription fee,

service charge, rack,

cables, cabling work

etc which are not

included above for

operation of SOC as

per this RFP terms

and conditions for DC

and DR.

X

X

X

X

Any other hardware,

software, service, consumables, license

item/component not

covered above which is required for operation of

SOC..

24a AMC Cost X X X

28 SOC Operations

manpower support

28a L1 SOC Operator 5

28b L2 SOC Analyst 2

28c L3 SOC Manager 1

Total Cost

Note:

1. All the prices quoted above are inclusive of all taxes, octroi etc.

2. The above price will remain valid for the terms of the contract.

3. Please provide price breakup of individual line items, if the line items is comprising of various harrdware/software/service

components preferably in Excel format.

4. Please provide Annual Maintenance charges for all the applicable line items below their product costs.

5. The product costs mentioned in the price bid should include all the implementation related costs including but not limited to installation, integration, testing and operationalization of the item.

6. Annual Maintenance Charges(AMC) will include all costs such as AMC of hardware items, Annual recurring license fee, version upgrade, patch upgrade etc.




Mumbai-400051




7. Please provide complete project implementation methodoligy, deployment architecture, bill of material to be supplied for the

above line items.

8. All prices are to be quoted by the Bidder. Bank may at its discretion remove the redundant components and other components

at DC and DR.

9. All capacities defined in Bytes are native capacity unless specifically specified.

Note : Please Leave the space blank wherever the charges are not applicable.

Declaration by bidder: We, M/s _________________, hereby confirm that all the items including Services as required for making

system operational as per requirement of the Bank have been included in the commercial bid. Further, we understand that Bank

reserve the right to use reverse auction method.

Prices of major components must be broken down.

Part B

Total Cost of Ownership Calculation format:

Total cost

Fixed One time cost

Procurement & implementation cost

Recurring/Incremental Cost

1st year

2nd

year

3rd

year

4th

year

5th

year

Total Recurring Cost

Total Cost

Total Cost in Part ‘A’ and Part B should match.

TCO based on present value of all the future payments will be calculated at discount rate of 10% and evaluation of bids will be done on present values basis. Discount rates will apply to all items beginning from 2nd year. Provide AMC/ License fee/ subscription fee/ Renewal fee details for each component of Hardware and Software and give year wise breakup during the -5- years time span.




Mumbai-400051




Pricing of major components of the solution must be broken down. Note:

1. The Bank may add further devices / servers/applications under the scope of the project at a future date. 2. In case the Bank adds devices / servers at a later date and brings the same under the scope of this contract, pro rata

charges per month and per device shall be calculated on the basis of cost derived at from the final BOM. 3. Bank reserves the right to reduce or increase the quantity and also defer the procurement of a particular

component and/or service under the scope of this RFP. 4. It is expected that vendor will submit the comprehensive proposal for AMC. In case any part is not covered under

AMC, the same should be clearly specified along with the price and MTBF(Mean time between failure) value. Place: Date : Seal & Signature of the bidder

ANNEXURE-O : BILL OF MATERIAL

Please submit complete Bill of Material as per the following format for the materials to be supplied under this RFP preferably in Excel format including the proposed upgrade.

Sr. No.

Item Name

Make/ Model No.

Configuration/ Details/ Specifications

Brief Function of Item

Commercial Bid Line item (Leave blank if not

applicable)

Qty Page ref. no. of Brochure enclosed.

Remarks

Place: Date: Seal and signature of the Bidder Bank Of Baroda, IT Security Cell, Risk Management Department 2nd Floor, Bank Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), MUMBAI – 400051.

End of Document