request for proposal (rfp) for selection of service ... · request for proposal (rfp) for selection...
TRANSCRIPT
REQUEST FOR PROPOSAL (RFP)
FOR
Selection of Service Provider
for conducting
Vulnerability Assessment and Penetration Testing
of
Internet facing Applications and Infrastructure
Reference No. BCC: CISO: RFP:107/17
Date : 05 May 2015
Bank of Baroda,
Baroda Corporate Centre,
C-26, G Block, Bandra Kurla Complex
Bandra (East),
Mumbai - 400 051.
Document Classification : Public Page 2 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Important Dates:
Sr. No.
Particulars Dates and Timelines
1 Issuance of RFP document by the Bank
00:00 hours IST on 5th May 2015
2 Last date of submission of any queries and Last date for reporting any error, omissions or faults in the RFP document
17:00 hours IST on 16th May 2015
3 Pre-bid Meeting date/venue 15:00 hours IST on 21st May 2015. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051
4 Last Date of submission of RFP response
15:00 hours IST on 5th June 2015
5 Technical bid opening date / time / venue
16:00 hours IST 5th June 2015 Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051
Important Clarifications:
Following terms are used in the document interchangeably to mean:
Bank means “Bank of Baroda (including domestic operations, overseas operations, Overseas & Indian subsidiaries & Associate Banks)”
BCC means “Baroda Corporate Centre”.
BST means “Baroda Sun Tower”.
RBI Guidelines/RBI Working group report/RBI means recommendations of Working group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds for implementation vide circular no RBI//2010-11/494 DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29,2011
Recipient, Respondent, Bidder and Vendor means “Respondent to the RFP document”.
Auditor/Consultant would mean Auditing/Consulting firms, Service Provider
SP Means “Service Provider”, selected vendor, successful bidder
ASP means “Application Service Provider”
DC means Bank‟s Data centre at Mumbai.
DR, DRS means Bank‟s Disaster Recovery centre at Hyderabad.
BFSI means Banking, Financial Services and Insurance.
RFP means this “RFP document”
Consultant(Bidder), Bank shall be individually referred to as “Party” and collectively as “Parties”.
Document Classification : Public Page 3 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
TABLE OF CONTENTS
SECTION – I .................................................................................................................................................... 4
1.1 INTRODUCTION AND DISCLAIMER ....................................................................................................... 4
1.2 INORMATION PROVIDED ...................................................................................................................... 4
1.3 FOR RESPONDENT ONLY...................................................................................................................... 4
1.4 CONFIDENTIALITY ............................................................................................................................... 4
1.5 DISCLAIMER ........................................................................................................................................ 5
1.6 ELIGIBILITY CRITERIA. ........................................................................................................................ 5
1.7 COSTS BORNE BY RESPONDENTS ........................................................................................................ 5
1.8 NO LEGAL RELATIONSHIP .................................................................................................................... 5
1.9 RECIPENT OBLIGATION TO INFORM ITSELF ........................................................................................ 5
1.10 EVALUATION OF BIDS ...................................................................................................................... 6
1.11 ERRORS AND OMISSIONS ................................................................................................................. 6
1.12 ACCEPTANCE OF TERMS .................................................................................................................. 6
1.13 RFP RESPONSE TERMS .................................................................................................................... 6
1.14 NOTIFICATIONS ............................................................................................................................. 11
1.15 DISQUALIFICATION ........................................................................................................................ 11
1.16 ERASINGS OR ALTERATIONS .......................................................................................................... 11
1.17 RIGHT TO REJECT BIDS ................................................................................................................. 11
1.18 PROCESS & TIMEFRAME ................................................................................................................ 12
1.19 OTHER TERMS AND CONDITIONS ................................................................................................... 13
SECTION – II ................................................................................................................................................. 14
2.1 BANK OF BARODA-INTRODUCTION .................................................................................................... 14
2.2 PROJECT OBJECTIVE ........................................................................................................................ 14
2.3 PROJECT SCOPE ................................................................................................................................ 14
2.4 DETAILS OF INFRASTRUCTURE AT BANK’S DC/DR ............................................................................ 20
SECTION – III ................................................................................................................................................ 22
3.1 GENERAL TERMS AND CONDITIONS ................................................................................................... 22
SECTION – IV ................................................................................................................................................ 29
ANNEXURE-A : ELIGIBILITY CRITERIA .......................................................................................................... 29
ANNEXURE-B : CONSULTANT’S SELECTION/EVALUATION PROCESS ............................................................. 31
ANNEXURE-C : COMPLIANCE CERTIFICATE .................................................................................................. 36
ANNEXURE-D : TECHNICAL BID FORMAT ...................................................................................................... 37
ANNEXURE-E : EXPERIENCE DETAILS........................................................................................................... 40
ANNEXURE-F : ESTIMATED EFFORT AND ELAPLSED TIME ............................................................................ 41
ANNEXURE-G : DETAILS OF TOOLS AND TEAM MEMBERS TRAINED/CERTIFIED ON TOOLS .......................... 42
ANNEXURE-H : PROPOSED TEAM PROFILE ................................................................................................... 43
ANNEXURE-I : COMMENTS ON TERMS & CONDITIONS & SERVICES/PRE BID QUERY FORMAT ...................... 44
ANNEXURE-J : COMMERCIAL BID FORMAT ................................................................................................... 45
Document Classification : Public Page 4 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
SECTION – I
1.1 INTRODUCTION AND DISCLAIMER
This Request for Proposal document (“RFP”) has been prepared solely to enable Bank of Baroda (“Bank”) in the selection of suitable organizations for conducting Vulnerability Assessment and Penetration Testing of Internet facing Applications and underlying infrastructure.
The RFP document is not a recommendation, offer or invitation to enter into a contract, agreement or other arrangement in respect of the services. The provision of the services is subject to observance of selection process and appropriate documentation being agreed between the Bank and any successful Bidder as identified after completion of the selection process as detailed in Annexure-B on Service Provider‟s Selection/Evaluation Process.
1.2 INORMATION PROVIDED
The RFP document contains statements derived from information that is believed to be true and reliable at the date obtained but does not purport to provide all of the information that may be necessary or desirable to enable an intending contracting party to determine whether or not to enter into a contract or arrangement with Bank in relation to the provision of services. Neither Bank nor any of its directors, officers, employees, agents, representative, contractors, or advisers gives any representation or warranty (whether oral or written), express or implied as to the accuracy, updating or completeness of any writings, information or statement given or made in this RFP document. Neither Bank nor any of its directors, officers, employees, agents, representative, contractors, or advisers has carried out or will carry out an independent audit or verification or investigation or due diligence exercise in relation to the contents of any part of the RFP document.
1.3 FOR RESPONDENT ONLY
The RFP document is intended solely for the information of the party to whom it is issued (“the Recipient” or “the Respondent”) i.e. Government Organization/PSU/ limited Company, partnership firm, LLP.
1.4 CONFIDENTIALITY
This document is meant for the specific use by the Respondents interested to participate in the current tendering process. This document in its entirety is subject to Copyright laws. Bank expects the Bidders or any person acting on behalf of the Bidders to strictly adhere to the instructions given in the document and maintain confidentiality of information. The Bidders will be held responsible for any misuse of the information contained in the document and liable to be prosecuted by the Bank in the event of such a circumstance is brought to the notice of the Bank. By downloading the document, the interested party is subject to confidentiality clauses. Bank may update or revise the RFP document or any part of it. The Recipient acknowledges that any such revised or amended document shall be received subject to the same confidentiality terms.
Document Classification : Public Page 5 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
The Recipient will not disclose or discuss the contents of the RFP document with any officer, employee, consultant, director, agent, or other person associated or affiliated in any way with the Bank or any of its customers or suppliers without prior written consent of the Bank.
1.5 DISCLAIMER
Subject to any law to the contrary, and to the maximum extent permitted by law, Bank and its directors, officers, employees, contractors, representatives, agents, and advisers disclaim all liability from any loss, claim, expense (including, without limitation, any legal fees, costs, charges, demands, actions, liabilities expenses or disbursements incurred therein or incidental thereto) or damage (whether foreseeable or not) (“Losses”) suffered by any person acting on or refraining from acting because of any presumptions or information (whether oral or written and whether express or implied), including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it whether or not the Losses arises in connection with any ignorance, negligence, inattention, casualness, disregard, omission, default, lack of care, immature information, falsification or misrepresentation on the part of Bank or any of its directors, officers, employees, contractors, representatives, agents, or advisers.
1.6 ELIGIBILITY CRITERIA.
Service Providers who wish to bid should conform to the Eligibility Criteria as per Annexure-A.
1.7 COSTS BORNE BY RESPONDENTS
All costs and expenses (whether in terms of time or money) incurred by the Recipient / Respondent in any way associated with the development, preparation and submission of responses, including but not limited to attendance at meetings, discussions, demonstrations, presentation etc. and providing any additional information required by Bank, will be borne entirely and exclusively by the Recipient / Respondent. Stamp duty that may be incurred towards entering in to agreement with the successful Bidder for awarding the contract will be shared by the Bank and the successful Bidder in equal proportion.
1.8 NO LEGAL RELATIONSHIP
No binding legal relationship will exist between any of the Recipients / Respondents and the Bank until execution of a contractual agreement to the full satisfaction of the Bank.
1.9 RECIPENT OBLIGATION TO INFORM ITSELF
The Recipient must apply its own care and conduct its own investigation and analysis regarding any information contained in the RFP document and the meaning and impact of that information.
Document Classification : Public Page 6 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
1.10 EVALUATION OF BIDS
The evaluation of the bids will be done as per evaluation criteria mentioned in Annexure-B “CONSULTANT‟S SELECTION/EVALUATION PROCESS” of this RFP document. The Bidders who do not qualify the Eligibility criteria as stipulated under Annexure-A will not be considered for technical evaluation. A Bidder not eligible under Technical Bid will not be considered for opening of Commercial Bid.
However each Recipient acknowledges and accepts that the Bank may, in its sole and absolute discretion, apply whatever criteria it deems appropriate in the selection of organizations, not limited to those selection criteria set out in this RFP document.
The issuance of RFP document is merely an invitation to offer and must not be construed as any agreement or contract or arrangement nor would it be construed as material for any investigation or review to be carried out by a Recipient. The Recipient unconditionally acknowledges by submitting its response to this RFP document that it has not relied on any idea, information, statement, representation, or warranty given in this RFP document.
For meeting the requirements of Eligibility criteria, 31.12.2014 would be considered as the date on which the Bidder should be eligible. For Technical Evaluation criteria the date on the basis of which marks would be given would be 31.12.2014.
1.11 ERRORS AND OMISSIONS
Each Recipient should notify the Bank of any error, fault, omission, or discrepancy found in this RFP document upto 17:00 hrs IST 16th May 2015 as per the enclosed Annexure „I‟.
1.12 ACCEPTANCE OF TERMS
The Recipient will, by responding to the Bank‟s RFP document, be deemed to have accepted the terms as stated in this RFP document.
1.13 RFP RESPONSE TERMS
1.13.1 Application Money & Earnest Money
The Bidder will be required to submit Application Money of Rs.5,000/-(Rupees Five Thousand) by way of Bankers
Cheque/Demand Draft/Pay Order favoring Bank of Baroda, Payable in Mumbai, which is non refundable, must be submitted separately along with RFP response.
Earnest Money Deposit of Rs 100,000/- (Rupees One Lakh only) has to be submitted by way of Demand Draft / Banker's Cheque / Pay Order drawn in favor of "Bank of Baroda” payable in Mumbai. Earnest Money Deposit will not carry any interest. The Earnest Money Deposit of unsuccessful Bidders will be refunded while intimating the rejection of the bid. The Earnest Money Deposit of the Successful Bidder will be adjusted towards Security Deposit.
Document Classification : Public Page 7 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Application Money and Earnest Money Deposit should be delivered separately along with the sealed envelopes containing RFP responses and the Application Money and Earnest Money documents should not be put inside the sealed envelope containing RFP Response documents.
RFP document should be downloaded from the Tenders Section of the Bank‟s website, http://www.bankofbaroda.com.
The Earnest Money Deposit will be forfeited if:
The Bidder withdraws his tender before processing of the same.
The Bidder withdraws his tender after processing but before acceptance of “Work Order” to be issued by the Bank, in case the Bidder is selected by the Bank.
The selected Bidder withdraws his tender before furnishing Bank Guarantee/Security Deposit as required under this RFP.
The Bidder violates any of the provisions of the terms and conditions of this RFP specification.
If the selected Bidder fails to enter into the contract agreement with the Bank within 15 days of issuing the Letter of Intent.
1.13.2 RFP Closing Date
RFP Response should be submitted to the officials indicated below not later than 15:00 hrs IST (Indian Standard Time) on 5th June 2015.
1.13.3 Format of Bids
The Bidders should use the formats prescribed by the Bank in the RFP for submitting both technical and commercial bids. Any deviation in this regard entails the Bidder for disqualification.
1.13.4 Submission of Bid
-2- Sets of Bids should be submitted along with Application money and Earnest Money Demand Drafts / Pay Orders which should be in a separate unsealed envelope, before the RFP closing date and time.
Each set(sealed master envelop) should contain -1- sealed Technical and -1- sealed Commercial Bids in separate sealed envelopes.
Sealed Master envelop should be superscribed as PROPOSAL for appointment of Auditor/Consultant for VAPT of Internet facing applications and Infrastructure”
The sealed envelopes containing Technical proposal should be superscribed as “TECHNICAL PROPOSAL for appointment of Auditor/Consultant for VAPT of Internet facing applications and Infrastructure” and the sealed envelopes containing the Commercial proposal should be superscribed as “COMMERCIAL PROPOSAL for appointment of Auditor/Consultant for VAPT of Internet facing applications and Infrastructure”. The e-mail address and phone/fax
Document Classification : Public Page 8 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
numbers of the Bidder should also be indicated on the sealed envelopes.
The soft copy of the technical proposal in MS-Word / Excel format should also be submitted in a CD along with hard copy of the technical proposal. It should be noted that in case of any discrepancy observed in information submitted by the Bidder in hard-copy and soft-copy, the hard-copy will be given precedence. However, in case of non-submission of any hard copy document, if the same is found submitted in the soft-copy and vice-versa, Bank reserves right to accept the same at its discretion.
The Bidder shall submit the proposals properly filed so that the papers are not loose. The Bidder shall submit the proposal in suitable file such that the papers do not bulge out and tear during scrutiny. All the pages of the proposal including documentary proofs should be numbered as “Page ____ (current page) of _____ (Total pages)" and be signed by authorized signatory. The current page number should be a unique running serial number across the entire proposal.
List of Contents for Technical Bid:
The Technical Proposal should be as per the requirement of the Bank in prescribed formats as follows:
a. Index of contents submitted.
b. Compliance Certificate as per Annexure-C.
c. Technical Bid Format as per Annexure-D
d. Experience details as per Annexure-E
e. Estimated Effort and Elapsed time as per Annexure-F
f. Details of Tools and Team members trained/Certified on Tools as per Annexure-G
g. Proposed Team Profile as per Annexure-H
h. Comments on Terms and Conditions & Services as per Annexure-I
i. Masked Copy of Commercial Bid as per Annexure-J (i.e. a copy of the Commercial Bid without price figures)
j. All the copies of certificates, documentary proofs, work orders, brochures etc should be clearly marked.
k. A CD containing soft copy of the proposal
List of Contents for Commercial Bid
a. Commercial Bid as per Annexure-J.
RFP Response should be addressed to:
The Chief Information Security Officer 2nd Floor, Risk Management Department Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), Mumbai 400 051.
Document Classification : Public Page 9 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
RFP Response/Bids in the sealed envelopes as detailed above must be hand delivered to the Bank at the following address :
Chief Information Security Officer or Chief Manager-IT Security, IT Security Cell, Risk Management Dept, Bank of Baroda, 2nd Floor, Baroda Corporate Centre, C-26, G Block, Bandra Kurla Complex, Mumbai-400051.
Submission of bids by any mode other than hand delivery to the officials mentioned above is not allowed and will be considered invalid.
Bids submitted not as per the process and terms specified above will be rejected.
1.13.5 Registration of RFP
Registration of RFP response will be effected by the Bank by making an entry in a separate register kept for the purpose, upon receiving the RFP response in the above manner as detailed in this RFP. The RFP response must contain all documents, information, and details required by this RFP. If the submission to this RFP does not include all the documents and information required or is incomplete or submission is through Fax mode or e-mail or any mode other than hand delivery, the RFP is liable to be summarily rejected.
All submissions, including any accompanying documents, will become the property of Bank. The Recipient shall be deemed to have licensed, and granted all rights to the Bank to reproduce the whole or any portion of their submission for the purpose of evaluation, to disclose the contents of the submission to other Recipients who have registered a submission and to disclose and/or use the contents of the submission as the basis for any resulting RFP process, notwithstanding any copyright or other intellectual property right of the Recipient in the submission or accompanying documents.
1.13.6 Late RFP Policy
RFPs lodged after the deadline for lodgment of RFPs may be registered by the Bank and may be considered and evaluated by the evaluation team at the absolute discretion of the Bank. Respondents are to provide detailed evidence to substantiate the reasons for a late RFP submission. It should be clearly noted that Bank has no obligation to accept or act on any reason for a late submitted response to RFP.
1.13.7 RFP Validity Period
RFP responses will remain valid and open for evaluation according to their terms for a period of at least six (6) months from the RFP closing date.
Document Classification : Public Page 10 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
1.13.8 Requests for Information
All queries relating to the RFP, technical or otherwise, must be either in writing or by email only and will be entertained by the Bank only in respect of the queries received up to 17:00 hrs IST 16th May 2015. All queries should be addressed to the nominated point of contact as mentioned below.
Chief Information Security Officer (CISO) Bank of Baroda, 2nd Floor, Baroda Corporate Centre,
C26, G Block, Bandra Kurla Complex, Mumbai, 400 051 Tel No: 022-66985230/ 66985227 E-mail ID: [email protected]
The Bank will try to reply, without any obligation in respect thereof, every reasonable query raised by the Recipients in the manner specified.
However, the Bank will not answer any communication initiated by Respondents later than the date of pre bid meeting. Bank may in its absolute discretion seek, but being under no obligation to seek, additional information or material from any Respondent after the RFP closes and all such information and material provided will be taken to form part of that Respondent‟s response.
Respondents should invariably provide details of their email address as responses to queries will only be provided to the Respondent via email.
If Bank in its sole and absolute discretion deems that the originator of the query will gain an advantage by a response to a question, then Bank reserves the right to communicate such response to all Respondents.
Bank may in its sole and absolute discretion engage in discussion or negotiation with any Respondent (or simultaneously with more than one Respondents) after the RFP closes to improve or clarify any response.
1.13.9 Charges Terms
By submitting the bid, the Bidder will be deemed to have accepted all the terms and conditions mentioned in the RFP document and the rates quoted by the Bidder will be adequate to complete such work
according to the specifications and conditions attached thereto and the Consultant has taken into account all conditions and difficulties that may be encountered during the period of assignment and to have quoted all the commercial rates, which shall include agreed price/ contract amount with taxes, royalties, VAT and other duties and all other facilities and services necessary for proper completion of the assignment, except such as may be otherwise provided in the contract document for completion of the assignment. The service tax would be paid by the Bank at actuals.
Document Classification : Public Page 11 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
The TDS amount on prevailing rate and work contract tax etc. shall be deducted from selected Bidder‟s running account/final bills. Necessary certificates shall be issued to the selected Bidder by the Bank.
All taxes, levies, cess and duties in respect of this contract except service tax shall be payable by the selected Bidder and the Bank will not be liable for any claim whatsoever in this respect during the period of contract. Service tax payable on the payment of contract amount will be borne by the Bank.
1.14 NOTIFICATIONS
Bank will notify the Respondents in writing as soon as practicable, about the outcome of the RFP evaluation process, including whether the Respondent‟s
RFP response has been accepted or rejected. Bank is not obliged to provide any reasons for any such acceptance or rejection.
1.15 DISQUALIFICATION
Any form of canvassing/lobbying/influence/query regarding short listing, status etc will result in disqualification.
1.16 ERASINGS OR ALTERATIONS
The offers containing overwriting, erasing or alterations may not be considered. There should be no hand written material corrections or alterations in the offer. Technical details must be completely filled up. Correct technical information of the services being offered must be filled in. Filling up of the information using terms such as OK, ACCEPTED, NOTED, AS GIVEN IN BROCHURE/MANUAL or any Special Characters such as -, “, @, _,# is not acceptable. The Bank may treat offers not adhering to these guidelines as unacceptable.
1.17 RIGHT TO REJECT BIDS
Bank reserves the absolute and unconditional right to reject the response to this RFP if it is not in accordance with its requirements and no further correspondence will be entertained by the Bank in the matter. The bid is
liable to be rejected if
It is not in conformity with any of the instructions, terms and conditions mentioned in this RFP document.
It is not accompanied by the requisite Application Money and EMD.
It is not properly/duly signed.
It is received through any mode other than hand delivery to the designated officials.
It is received after expiry of the due date and time.
Document Classification : Public Page 12 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
It is incomplete including non-furnishing the required documents.
It is evasive or contains incorrect information.
There is canvassing of any kind.
It is submitted anywhere other than the place mentioned under clause 1.13.4.
1.18 PROCESS & TIMEFRAME
Selection of a successful Bidder will involve a five (5) stage approach. The approach follows the Indian Government‟s Central Vigilance Commission (CVC) guidelines.
The following is an indicative timeframe for the selection process. Bank reserves the right to vary this timeframe at its absolute and sole discretion should the need arise. Changes to the timeframe will be relayed to the affected Respondents during the process.
Sr. No.
Particulars Dates and Timelines
1 Issuance of RFP document by the Bank
00:00 hours IST on 5th May 2015
2 Last date of submission of any queries and Last date for reporting any error, omissions or faults in the RFP document
17:00 hours IST on 16th May 2015
3 Pre-bid Meeting date/venue 15:00 hours IST on 21st May 2015. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051
4 Last Date of submission of RFP response
15:00 hours IST on 5th June 2015
5 Technical bid opening date / time / venue
16:00 hours IST 5th June 2015 Bank Of Baroda, Baroda Corporate
Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051
The dates mentioned above are tentative dates and the Bidder acknowledges that it cannot hold the Bank responsible for breach of any of the dates.
Note: Bidders can depute their representative (only one) to attend the Technical bid opening process. No separate intimation will be given in this regard to the Bidders for deputing their representatives for technical bid opening. Only those Bidders who qualify in the Technical Evaluation process will be invited for Commercial Bids opening.
Receipt of RFP Bids
Evaluation of Bids
Award of Contract
STAGE 1 STAGE 2 STAGE 3 STAGE 4 STAGE 5
Pre - bid Meeting
Issue Of RFP
Document Classification : Public Page 13 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
1.19 OTHER TERMS AND CONDITIONS
The Bank reserves the right to:
Reject any and all responses received in response to the RFP, with or without assigning any reasons whatsoever.
Waive or change any formalities, irregularities, or inconsistencies in proposal format delivery.
To negotiate any aspect of proposal with any Bidder and negotiate with more than one Bidder at a time.
Extend the time for submission of all proposals.
Select the most responsive Bidders (in case no Bidder satisfies the eligibility criteria in totality).
Select the next most responsive Bidder if negotiations with the Bidder of choice fail to result in an agreement within a specified time frame.
Share the information/ clarifications provided in response to RFP by any Bidder, with any other Bidder(s) /others, in any form.
Cancel the RFP/Tender at any stage, without assigning any reason whatsoever.
Document Classification : Public Page 14 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
SECTION – II
2.1 BANK OF BARODA-INTRODUCTION
Bank is one of the largest Public Sector Banks in India with over 33 million accounts and a Branch network of 5090 branches in India and 104 branches / offices in 26 countries overseas.
Bank has Hewlett Packard India Sales Private Ltd. (HP) as the System Integrator for the Technology enabled Business Transformation Project (Project Shikhar). Bank has implemented Core Banking Solution (CBS) in all the branches in India and in most of the overseas territories. Bank has its own Data Centre at Mumbai and Disaster Recovery Centre at Hyderabad and also Near Site in Mumbai. Bank‟s Data Centre & DR Sites are certified for ISO27001:2005.
Bank has expanded the installation of ATMs and issuance of Debit Cards in India and overseas territories. At present Bank has installed 8000+ ATMs and issued more than 2 Crore debit cards in India.
2.2 PROJECT OBJECTIVE
The Bank wishes to appoint competent Service Provider (SP) for carrying out Vulnerability Assessment and Penetration Testing of internet facing applications and underlying infrastructure deployed at Bank‟s Data Centre, Mumbai, Disaster Recovery Centre, and Hyderabad. Bank‟s website is hosted on the service provider‟s site.
Based on the contents of the RFP, the selected Bidder shall be required to independently arrive at approach and methodology, based on industry best practices and RBI guidelines, suitable for the Bank, after taking into consideration the effort estimate for completion of the same and the resource and the equipment requirements. The approach and methodology will be approved by the Bank.
The Bank expressly stipulates that the Consultant‟s selection under this RFP is on the understanding that this RFP contains only the principal provisions for the entire assignment and that delivery of the deliverables and the services in connection therewith are only a part of the assignment. The selected Bidder shall be required to undertake to perform all such tasks, render requisite services and make available such resources as may be required for the successful completion of the entire assignment at no additional cost to the Bank.
2.3 PROJECT SCOPE
Vulnerability Assessment and Penetration Testing should cover the Bank‟s Information System Infrastructure which includes Networking systems, Security devices, Servers, Databases, Applications Systems accessible with public IP‟s, websites maintained at Bank‟s premises in Mumbai & Hyderabad including Bank‟s website hosted at the Service Provider‟s Data Centre. Selected bidder should carry out an assessment of Threat & Vulnerabilities assessments and assess the risks in Bank‟s Information Technology Infrastructure. This will include identifying existing threats if any and
Document Classification : Public Page 15 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
suggest remedial solutions and recommendations of the same to mitigate all identified risks, with the objective of enhancing the security of Information Systems. In addition to the remote Assessment, selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP. Period of Assignment will be Two years. The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
2.3.1. VAPT activities : VAPT should be comprehensive but not limited to following activities:
Network Scanning
Port Scanning
System Identification & Trusted System Scanning
Vulnerability Scanning
Malware Scanning
Spoofing
Scenario Analysis
Application Security Testing & Code Review
OS Fingerprinting
Service Fingerprinting
Access Control Mapping
Denial Of Service (DOS) Attacks
DDOS Attacks
Authorization Testing
Lockout Testing
Password Cracking
Cookie Security
Functional validations
Containment Measure Testing
War Dialing
DMZ Network Architecture Review
Firewall Rule Base Review
Server Assessment (OS Security Configuration)
Security Device Assessment
Network Device Assessment
Database Assessment
Website Assessment (Process)
Vulnerability Research & Verification
IDS/IPS review & Fine tuning of Signatures
Man in the Middle attack
Man in the browser attack
Any other attacks
2.3.2. Website/Web – Application Assessment : Website/Web- Application assessment should be done as per latest OWASP guidelines including but not limited to the following :
Document Classification : Public Page 16 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security misconfiguration
Insecure Cryptographic Storage
Sensitive Data Exposure
Failure to Restrict URL Access
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Known Vulnerable Components
Un-validated Redirects and Forwards
Insufficient Transport Layer Protection
Any other attacks, which are vulnerable to the web sites and web
Applications
2.3.3. Broad Details of the systems are given below:
Device Type Quantity(DC) Quantity (DR)
Servers 81 81
Databases * 23 23
Network Devices 4 4
Security Devices 4 4
VAPT External Internet IPs : 11
* Please note that the databases are already included in server count. Please note that the list provided above is the tentative list. There may be 10% increase in list provided. SP should keep provision for the same while bidding.
2.3.4. List of Applications
Application Details
E-Banking Domestic
Transaction Banking with other value added services such as
shopping mall, bill payment, tax payment etc. Application has
separate modules for Retail & Corporate customers.
Application is integrated with NEFT/RTGS payment system.
Application is also integrated with Arcot solution for Risk
based multi factor authentication (Both retail & corporate).
Digital signing is implemented for corporate ebanking
customers.
E-Banking International
(Australia, Botswana, Fiji,
Ghana, Kenya, Mauritius, New
Zealand, Oman, Seychelles,
Tanzania, UAE, Uganda, UK,
USA)
Transaction banking facility. Application has Separate
modules for Retail & Corporate customers. Application is also
integrated with Arcot solution for Risk based multi factor
authentication (Both retail & corporate).
IPG : Internet Payment Gateway
Internet Payment Gateway to facilitate ecommerce transaction
using credit/debit cards. Application has Moto & SSL
interfaces for Merchant integration.
Bank of Baroda Website Bank of Baroda Public Web site.
Cash Management System Cash Management System facilitates bulk remittances.
Document Classification : Public Page 17 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
(CMS)
BOB KM (Intranet) Bank’s Intranet portal used by employees.
Online Trading On line trading platform provide trading facility to the
customers. Application is also integrated with depositary
application.
Mobile OTP Mobile Client application used to generate OTP used for 2
factor authentication.
Mobile Banking Mobile Banking facility with transaction and value added
services such as mobile top up, ticketing and other m-
commerce transactions.
Application Virtualization Application and infrastructure used to support application
virtualization.
E-mail system Corporate E-mail System used by the Bank.
2.3.5. VAPT Phases : Vendor has to undertake VAPT/Security testing in phased manner as described below:
Phase I: Conduct VAPT/Security testing as per the scope, Evaluation & Submission of Preliminary Reports of findings and discussions on the finding. Phase II: Submission of Final Report
2.3.5.1. Phase I
a. Conduct VAPT as per the scope defined in RFP without disturbing operations The Bank will call upon the selected Bidder, on placement of the order, to carry
out demonstration and/or walkthrough, and/or presentation and demonstration of all or specific aspects of the VAPT activity.
VAPT schedule to be provided 7 working days prior to the start of activity along with the team member details. A dedicated Project Manager shall be nominated, who will be the single point of contact for VAPT Activity in Mumbai and other locations.
Execute Vulnerability Assessment and Penetration testing of Bank’s IT Infrastructure and Applications as per the scope on the written permission of the Bank and in the presence of Bank’s Officials.
b. Detailing the Security Gaps
Detailing the System setup used and the tests conducted in assessment.
Analysis of the findings and Document the security gaps i.e. vulnerability, security flaws, loopholes, threats, etc. observed during the course of the VAPT activity as per the scope of work.
Document recommendations and solutions for addressing these security gaps and categorize the identified security gaps based on their criticality.
Chart a roadmap for the Bank to ensure compliance and address these security gaps.
Document Classification : Public Page 18 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
c. Addressing the Security Gaps Recommend Actionable fixes for systems vulnerabilities in design or otherwise
for application systems and network infrastructure. If recommendations for Risk Mitigation /Removal could not be implemented as suggested, alternate solutions to be provided.
Suggest changes/modifications in the Security Policies implemented along with Security Architecture including Network and Applications of the Bank to address the same.
The Draft report of the VAPT findings should be submitted to the Bank for Management comment.
2.3.5.2. Phase II
a. Submission of Final Reports The Service Provider should submit the final report of VAPT findings as per the report format mentioned in Deliverables. All the VAPT reports submitted should be signed by technically qualified persons and he/she should take ownership of document and he/she is responsible and accountable for the document/report submitted to the Bank. The final report has to be submitted within -2- months of submission of the initial draft report. Service provider will also submit the Executive Summary Report of the Bank’s Internet facing environment.
b. Acceptance of the Report The Report shall be accepted on complying with the formats of VAPT Report as mentioned in the RFP and acceptance of the audit findings.
2.3.6. Deliverables
The deliverables for VAPT activity are as follows:-
a. Execution of Vulnerability Assessment and Penetration Testing for the identified network devices, security devices, servers, applications, websites, interfaces(part of application) etc. as per the Scope mentioned in this RFP and Analysis of the findings and guidance for resolution of the same
b. VAPT Report The VAPT Report should contain the following:- Identification of Auditee (Address & contact information)
Dates and Locations of VAPT
Terms of reference
Standards followed
Document Classification : Public Page 19 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Summary of audit findings including identification tests, tools used and results of tests performed (like vulnerability assessment, penetration testing, application security assessment, website assessment, etc.)
o Tools used and methodology employed
o Positive security aspects identified
o List of vulnerabilities identified
o Description of vulnerability
o Risk rating or severity of vulnerability
o Category of Risk: Very High / High / Medium / Low
o Test cases used for assessing the vulnerabilities
o Illustration of the test cases
o Applicable screenshots.
Analysis of vulnerabilities and issues of concern Recommendations for corrective action Personnel involved in the audit
The Service Provider may further provide any other required information as per the approach adopted by them and which they feel is relevant to the audit process. All the gaps, deficiencies, vulnerabilities observed shall be thoroughly discussed with respective bank officials before finalization of the report.
The VAPT Report should comprise the following sub reports:- VAPT Report – Executive Summary: - The vendor should submit a report to
summarize the Scope, Approach, Findings and recommendations, in a manner suitable for senior management. Selected Bidder will also detail the positive findings(No Gap found) for various tests conducted.
VAPT Report – Core Findings along with Risk Analysis: The vendor should submit a report bringing out the core findings of the VAPT conducted for network devices, security devices, servers and websites. VAPT Report – Detailed Findings/Checklists: The detailed findings of the VAPT would be brought out in this report which will cover in details all aspects viz. identification of vulnerabilities/threats in the systems (specific to equipments/resources –indicating name and IP address of the equipment with Office and Department name), identifications of threat sources, identification of Risk, Identification of inherent weaknesses, Servers/Resources affected with IP Addresses etc. Report should classify the observations into Critical /Non Critical category and asses the category of Risk Implication as VERY HIGH/HIGH/MEDIUM/LOW RISK based on the impact. The various checklist formats, designed and used for conducting the VAPT activity as per the scope, should also be included in the report separately for Servers (different for different OS), application, Network equipments ,security equipments etc , so that they
Document Classification : Public Page 20 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
provide minimum domain wise baseline security standard /practices to achieve a reasonably secure IT environment for technologies deployed by the Bank. The Reports should be substantiated with the help of snap shots/evidences /documents etc. from where the observations were made.
VAPT Report – In Depth Analysis of findings /Corrective Measures & Recommendations along with Risk Analysis: - The findings of the entire VAPT Process should be critically analyzed and controls should be suggested as corrective /preventive measures for strengthening / safeguarding the IT assets of the Bank against existing and future threats in the short /long term. Report should contain suggestions/recommendations for improvement in the systems wherever required. If recommendations for Risk Mitigation /Removal could not be implemented as suggested, alternate solutions to be provided. Also, if the formal procedures are not in place for any activity, evaluate the process & the associated risks and give recommendations for improvement as per the best practices. Separate reports should be provided for international territories.
Separate reports should be provided for common infrastructure assets and Applications.
Documentation Format All documents will be handed over in three copies, signed, legible, neatly and
robustly bound on A-4 size, good-quality paper. The place of submission of Reports shall be informed to selected bidder.
Soft copies of all the documents properly encrypted in MS Word /MS Excel /PDF format also to be submitted in CDs/DVDs along with the hard copies.
All documents shall be in plain English.
2.4 DETAILS OF INFRASTRUCTURE AT BANK’S DC/DR
Bank’s Data Centre
Bank has state of the art Data Centre at Mumbai with DR site at Hyderabad. DC has been established by M/s Hewlett Packard India Pvt. Ltd. Bank‟s DC is connected to all the Branches in India, overseas territories, Bank‟s subsidiaries and business partners like NFS, Visa Card, Master card, SWIFT, NSE, BSE etc. DC Operation is jointly managed by HP and the Bank‟s team. Bank has implemented various applications at DC and DR in the centralized environment. Irrespective of the present status of applications, systems, processes, interfaces, hardware, networking equipments, security devices etc implemented at DC/DR site, all future changes including new initiatives will be covered as part of the scope of work during the term of the engagement. Bank has also implemented a Near Site in Mumbai.
Document Classification : Public Page 21 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Network Architecture
Bank has implemented its DC in Mumbai and DR site in Hyderabad with Link level and device level redundancies. Bank‟s DC and DR are connected to various branches through MPLS link, ISDN links. Bank‟s onsite ATMs are part of the branch network. Offsite ATMs and select remote branches are connected through VSATs. Bank‟s overseas branches/territories networks are managed by British Telecom and Cables and Wireless.
Details of IT Security Policy
Bank has IT Security Policy approved by the Board of Directors. Bank also has 21 Standard and Guideline documents which is approved by the Top Management Steering committee(TMSC) on IT Security and 14 Procedure documents in place.
Bank also has Purging and Archival policy and Business continuity plan approved by the Board of Directors.
Document Classification : Public Page 22 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
SECTION – III
3.1 GENERAL TERMS AND CONDITIONS
3.1.1 Term of Assignment
The selected Bidder under this RFP will be appointed for a period of Two Years for the Bank including its subsidiaries, overseas branches/territories to perform the activities as per Scope of Work.
However, if for any reason the work is not completed to the satisfaction of the Bank within the stipulated time, the period of contract would be extended at Bank‟s discretion at no extra cost.
3.1.2 Adherence to Terms and Conditions
The Bidders who wish to submit responses to this RFP should note that they should abide (in true intent and spirit) by all the terms and conditions contained in the RFP. If the responses contain any extraneous conditions put in by the Respondents, such responses may be disqualified and may not be considered for the selection process.
3.1.3 Execution of Agreement/NDA
The selected Bidder should execute a Service Level Agreement with the Bank which will remain valid for at least 42 months. The Service Level Agreement would include all the terms and conditions of the services to be extended as detailed herein and as may be prescribed or recommended by the Bank which will include a Non-disclosure Agreement clause. The selected Bidder should execute the Service Level Agreement with ND clause within -2- weeks from the date of acceptance of Work Order.
The date of agreement shall be treated as date of engagement and the time-line for completion of the assignment shall be worked out with reference to this date.
3.1.4 Issuance of Work/purchase order
Bank will issue letter of Intent to the successful Bidder. Successful Bidder will have to sign the Agreement with the Bank within -15- Days of issuance of Letter of Intent as per RFP terms and conditions.
Following signing of the agreement and fulfilling other conditions of Letter of Intent, Bank will issue the Work/Purchase order for carrying out the task as per the RFP.
Bank will have the discretion, to avail any one or more services from the successful Bidder, any time during the tenure of the contract as per the contracted rates and terms and conditions.
Document Classification : Public Page 23 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
3.1.5 Substitution Of Project Team Members
During the assignment, the substitution of key staff identified for the assignment will not be allowed by the Bank unless such substitution becomes unavoidable to overcome the undue delay or that such changes are critical to meet the obligation. In such circumstances, the selected Bidder, as the case may be, can do so only with the prior written concurrence of the Bank and by providing the replacement staff of the same level of qualifications and competence. If the Bank is not satisfied with the substitution, the Bank reserves the right to terminate the contract and recover whatever payments(including past payments and payment made in advance) made by the Bank to the selected Bidder during the course of the assignment pursuant to this RFP besides claiming an amount equal to the contract value as liquidated damages. However, the Bank reserves the unconditional right to insist to the selected Bidder to replace any team member with another (with the qualifications and competence as required by the Bank) during the course of assignment pursuant to this RFP.
3.1.6 Software/Hardware requirements
All the softwares, hardware equipments like Laptops, tools etc to carry out the assignment has to be brought by the selected Bidder at no extra cost. Selected Bidder will use audit tools that are licensed and not the trial
versions. Auditor should disclose the details of automated tools used for
accomplishing the audit process. The auditor must have the valid license of the
said automated tool(s). Details of the Audit tools to be used should be provided as
per Annexure ‘G’.
3.1.7 Professionalism
The selected Bidder should provide professional, objective and impartial advice at all times and hold the Bank‟s interest paramount and should observe the highest standard of ethics, values, code of conduct, honesty and integrity while executing the assignment.
3.1.8 Alternative Approaches
In case the Bank is unable to rectify the gaps mentioned in the VAPT report, selected Bidder should suggest the alternative approaches to help the Bank to remediate the gaps.
3.1.9 Adherence To Standards
The selected Bidder should use the latest ISO27001 and PCI-DSS standards, RBI and Cert-In Guidelines in carrying out task as per Scope of Work.
The selected Bidder should adhere to all the applicable laws of land and rules, regulations and guidelines prescribed by various regulatory, statutory and Government authorities.
Document Classification : Public Page 24 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
The Bank and Regulatory bodies such as RBI reserves the right to conduct an audit/ongoing audit of the consulting services provided by the selected Bidder.
The Bank reserves the right to ascertain information from the other Banks and institutions to which the Bidders have rendered their services for execution of similar projects.
3.1.10 Expenses
It may be noted that Bank will not pay any amount/expenses / charges / fees / traveling expenses / boarding expenses / lodging expenses / conveyance expenses / out of pocket expenses other than the “Agreed Price”.
For any additional work not covered by the scope of work in this RFP,
Bank will pay on the per man day cost basis.
3.1.11 Payment Terms
The SP‟s fees will be paid in the following manner for each item/activity which is described in the Commercial Proposal (Annexure B):
a. 70% of the professional fee on the completion of the specific line item and submission of initial report for Management Comment.
b. Balance 30% of the professional fees on submission of
Final Report to the Bank
All invoices will be paid by the Bank within a period of 45 days from the date of receipt of undisputed invoices. Any dispute regarding the invoice will be communicated to the Selected Bidder within 15 days from the date of receipt of the invoice. After the dispute is resolved, Bank shall make payment within 30 days from the date the dispute stands resolved.
3.1.12 Contract Performance Guarantee
The selected Bidder has to provide an unconditional and irrevocable performance guarantee for 10% of the contract value from a Public Sector Bank (other than Bank of Baroda) towards due performance of the contract in accordance with the specifications, terms and conditions of this RFP document, within 15 days from the issuance of Letter of Intent. The Performance Guarantee shall be valid for 27 months (24 months plus -3- months additional claim period) for the entire period of assignment and to be released after -3- months of the period of assignment.
3.1.13 Security Deposit
The selected Bidder has to deposit with the Bank an amount equivalent to 5% (Five) of the contract value towards security deposit
Document Classification : Public Page 25 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
for the entire period of assignment, within 15 days from the date of issuance of Letter of Intent. Interest on the Security Deposit will be paid as per the applicable fixed deposit rate.
3.1.14 Single Point Of Contact
The selected Bidder has to provide details of single point of contact viz. name, designation, address, e-mail address, telephone/mobile no., fax no. etc.
3.1.15 Applicable Law And Jurisdiction Of Court
The Contract with the selected Bidder shall be governed in accordance with the laws of India for the time being in force and will be subject to the exclusive jurisdiction of courts at Mumbai.
3.1.16 Liquidated Damages (LD)
The Bank will impose a penalty, of Rs. 20,000/- (Rupees Twenty thousand only) per week or part thereof, for delay in not adhering to the time schedules. If the selected Bidder fails to complete the due performance of the contract in accordance to the specifications and conditions agreed during the final contract negotiation, the Bank reserves the right either to cancel the contract or to accept performance already made by the selected Bidder. The Bank reserves the right to recover an amount equal to the value of contract by the Bank as Liquidated Damages for non-performance. Both the above are independent of each other and are applicable separately and concurrently. However the same would not be applicable for reasons attributable to the Bank and Force Majeure. However, it is the responsibility of the bidder to prove that the delay is attributed to the Bank and Force Majeure. The selected Bidder shall submit the proof authenticated by the Bidder to the Bank‟s official that the delay is attributed to the Bank and/or Force Majeure along with the bills requesting payment.
3.1.17 Force Majeure
Any failure or delay by selected Bidder or Bank in the performance of its obligations, to the extent due to any failure or delay caused by fire, flood, earthquake or similar elements of nature, or acts of God, war, terrorism, riots, civil disorders, rebellions or revolutions, acts of governmental authorities or other events beyond the reasonable control of non-performing party, is not a default or a ground for termination. The affected party shall notify the other party of the occurrence of a Force Majeure Event forthwith.
3.1.18 Authorized Signatory
The selected Bidder shall indicate the authorized signatories who can discuss and correspond with the Bank, with regard to the obligations under the contract. The selected Bidder shall submit at the time of
Document Classification : Public Page 26 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
signing the contract, a certified copy of the resolution of their Board, authenticated by Company Secretary/Director, authorizing an official or officials of the company or a Power of Attorney to discuss, sign agreements/contracts with the Bank. The selected Bidder shall furnish proof of identification for above purposes as required by the Bank.
3.1.19 Indemnity
The selected Bidder shall indemnify Bank and keep the Bank indemnified for any loss or damage, cost or consequences that Bank may sustain, suffer or incur on account of violation of intellectual property rights of third party by the selected Bidder. The selected Bidder shall always remain liable to the Bank for any Losses suffered by the Bank due to any technical error or negligence or fault on the part of the selected Bidder, and the selected Bidder also shall indemnify the Bank for the same.
3.1.20 Non Payment Of agreed price
If any of the items/activities as mentioned in the price bid and as mentioned in Annexure-J are not taken up by the Bank during the course of this assignment, the Bank will not pay the contracted price quoted/agreed by the selected Bidder in the price bid against such activity/item.
3.1.21 Assignment
Neither the contract nor any rights granted under the contract may be sold, leased, assigned, or otherwise transferred, in whole or in part, by the selected Bidder without advance written consent of the Bank and any such sale, lease, assignment or transfer otherwise made by the selected Bidder shall be void and of no effect.
3.1.22 Non – Solicitation
The selected Bidder, during the term of the contract and for a period of two years thereafter shall not without the express written consent of the Bank, directly or indirectly: a) recruit, hire, appoint or engage or attempt to recruit, hire, appoint or engage or discuss employment with or otherwise utilize the services of any person who has been an employee or associate or engaged in any capacity, by the Bank in rendering services in relation to the contract; or b) induce any person who shall have been an employee or associate of the Bank at any time to terminate his/ her relationship with the Bank.
3.1.23 No Employer-Employee Relationship
The selected Bidder or any of its holding/subsidiary/joint-venture/ affiliate / group / client companies or any of their employees / officers / staff / personnel / representatives/agents shall not, under any circumstances, be deemed to have any employer-employee
Document Classification : Public Page 27 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
relationship with the Bank or any of its employees/officers/ staff/representatives/ personnel/agents.
3.1.24 Vicarious Liability
The selected Bidder shall be the principal employer of the employees, agents, contractors, subcontractors etc., engaged by the selected Bidder and shall be vicariously liable for all the acts, deeds, matters or things, of such persons whether the same is within the scope of power or outside the scope of power, vested under the contract. No right of any employment in the Bank shall accrue or arise, by virtue of engagement of employees, agents, contractors, subcontractors etc., by the selected Bidder, for any assignment under the contract. All remuneration, claims, wages dues etc., of such employees, agents, contractors, subcontractors etc., of the selected Bidder shall be paid by the selected Bidder alone and the Bank shall not have any direct or indirect liability or obligation, to pay any charges, claims or wages of any of the selected Bidder‟s employees, agents, contractors, subcontractors etc. The selected Bidder shall agree to hold the Bank, its successors, assigns and administrators fully indemnified, and harmless against loss or liability, claims, actions or proceedings, if any, whatsoever nature that may arise or caused to the Bank through the action of selected Bidder‟s employees, agents, contractors, subcontractors etc.
3.1.25 Subcontracting
The selected Bidder shall not subcontract or permit anyone other than its personnel to perform any of the work, service or other performance required of the vendor under the contract without the prior written consent of the Bank.
3.1.26 Cancellation Of Contract And Compensation
The Bank reserves the right to cancel the contract of the selected Bidder and recover expenditure incurred by the Bank in any of the following circumstances. The Bank would provide 30 days notice to rectify any breach/ unsatisfactory progress if :
the selected Bidder commits a breach of any of the terms and conditions of the bid/contract;
the selected Bidder becomes insolvent or goes into liquidation
voluntarily or otherwise;
an attachment is levied or continues to be levied for a period of 7 days upon effects of the bid;
the progress regarding execution of the contract, made by the selected Bidder is found to be unsatisfactory;
if deductions on account of penalty and liquidated damages exceeds more than 10% of the total contract price;
if the selected Bidder fails to complete the due performance of the contract in accordance with the agreed terms and conditions.
Document Classification : Public Page 28 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
After the award of the contract, if the selected Bidder does not perform satisfactorily or delays execution of the contract, the Bank reserves the right to get the balance contract executed by another party of its choice by giving one month‟s notice for the same. In this event, the selected Bidder is bound to make good the additional expenditure, which the Bank may have to incur to select and carry out the execution of the balance of the contract. This clause is also applicable, if for any reason, the contract is cancelled.
The Bank reserves the right to recover any dues payable by the selected Bidder from any amount outstanding to the credit of the selected Bidder, including the pending bills and/or invoking Bank Guarantee/Security Deposit, if any, under this contract.
3.1.27 Dispute Resolution
If a dispute, controversy or claim arises out of or relates to the contract, or breach, termination or invalidity thereof, and if such dispute, controversy or claim cannot be settled and resolved by the Parties through discussion and negotiation, then the Parties shall refer such dispute to arbitration. Both Parties may agree upon a single arbitrator or each Party shall appoint one arbitrator and the two appointed arbitrators shall thereupon appoint a third arbitrator. The arbitration shall be conducted in English and a written order shall be prepared. The venue of the arbitration shall be Mumbai. The arbitration shall be held in accordance with the Arbitration and Conciliation Act, 1996. The decision of the arbitrator shall be final and binding upon the Parties, provided that each Party shall at all times be entitled to obtain equitable, injunctive or similar relief from any court having jurisdiction in order to protect its intellectual property and confidential information.
3.1.28 Ownership of Deliverables
All the deliverables as per scope of this RFP will become the property of Bank of Baroda.
3.1.29 Project Timelines
The selected Bidder shall furnish a schedule of assessment within -7- days of issuance of Purchase order. VAPT schedule has to be mutually
agreed by both the parties. In certain situations, Bank may be required to defer the scheduled activity due to non availability of the production environment for VAPT for whatever may be the reason. In such a situation, VAPT activity has to be deferred however the same has to be within the overall contract validity period.
Final VAPT report has to be submitted within -2- months of issuance of the initial Draft report after considering the Management comments on the Draft report.
Document Classification : Public Page 29 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
SECTION – IV
ANNEXURE-A : ELIGIBILITY CRITERIA
Consultants who wish to bid should conform to the following criteria as of 31.12.2014 except for clause nos 3 & 4.
S.No. Eligibility Criteria Documents required Page
Ref. no
1 Should be either a Government
Organization/PSU/PSE/ partnership firm/LLP or
a limited Company
under Indian Laws
or /and an autonomous
Institution approved by GOI/RBI promoted
Partnership firm-Certified copy of Partnership Deed.
Limited Company-Certified copy of Certificate of Incorporation and Certificate of Commencement of Business.
Reference of Act/Notification
For other eligible entities- Applicable documents.
2 Should have been in existence in India for five years as on 31/12/2014.
Partnership firm-Certified copy of Partnership Deed.
Limited Company-Certified copy of Certificate of Incorporation and Certificate of Commencement of Business.
For other eligible entities- Applicable documents.
3 Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 20011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services.
Copy of audited Balance Sheet and P&L statement for the financial years 2011-12, 2012-13 and 2013-14.
4 Should have made net profits for the last 3 financial years viz. 2011-12, 2012-13 and 2013-
14.
Copy of audited Balance Sheet and P&L statement for the financial years 2011-12, 2012-
13 and 2013-14.
5 The Bidder should be empanelled by CERT –In as Information Security Audit Organization and should remain in panel up to 31st March, 2017 during the currency of contract.
6 Should have conducted VAPT for at least two Banks‟ in last 3 years.
Copy of purchase order and Client certificate.
Document Classification : Public Page 30 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
7 Bidder should have at least 5 years experience in offering Information Security Services such as Security assessment, defining security policies procedures & baselines, Risk Assessment, security consulting assignments to clients in India.
Copy of purchase order and Client certificate.
8 Must have on rolls at least one Engagement Manager and one additional member who have similar experience as that of the Engagement Manager Engagement Manager would
have been personally involved in at least two similar assignments.
As per Annexure G
9 The consultants conducting VAPT should be a certified penetration testers and their registration/certificate should be current. ( attach proof)
As per Annexure G
10 The firm should not be blacklisted / barred by Government of India or any regulatory/Statutory body in India.
Self Declaration
11 Must not be Internet facing application implementer/Solution providers, assistance providers for implementation with an alliance with Bank‟s SI Hewlett Packard in Bank of Baroda‟s Project.
Self Declaration
Subcontracting of any work related to the scope of RFP is not allowed.
Those who fulfill all the eligibility criteria as mentioned above are only eligible to take part in this bid exercise.
Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above eligibility criteria along with documentary proofs as specified above.
The fulfillment of above eligibility criteria except items 3 & 4 above, would be ascertained as of 31.12.2014.
Bidder/Bidders who have been appointed by the Bank for any other project and whose contract has been terminated before completion of the project are not eligible to bid in the proposed project.
Proposals of those Bidders, who do not fulfill the Eligibility Criteria as stated above fully, will be rejected.
Document Classification : Public Page 31 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-B : CONSULTANT’S SELECTION/EVALUATION PROCESS
Evaluation of Technical Bid
First, Technical bid documents will be evaluated for fulfillment of eligibility criteria. Technical bids of only those Bidders who fulfill the eligibility criteria fully as per Annexure-A will be taken up for further evaluation/selection process rejecting the remaining bids.
The evaluation/selection process will be done with combination of, technical competence and commercial aspects as detailed here below. A maximum of 100 marks will be allocated for the technical bid. The evaluation of functional and technical capabilities of the Bidders of this RFP will be completed first as per the following guidelines. The technical proposals only will be subjected for evaluation at this stage. The Bidders scoring less than 75 marks (cut-off score) out of 100 marks in the technical evaluation shall not be considered for further selection process. Once the evaluation of technical proposals is completed, the Bidders who score equal to, or more than the prescribed cut-off score of 75 will only be short listed.
The evaluation of technical proposals, among other things, will be based on the following:
Prior experience of the Bidder in undertaking projects of similar nature.
Professional qualifications and experience of the key staff proposed/ identified for this assignment.
Methodology/Approach proposed for accomplishing the proposed project, Activities / tasks, project planning, resource planning, effort estimate etc.
Various stages of technical evaluation are presented below:
1. Eligibility evaluation as per the criteria prescribed in Annexure-A.
2. Evaluation of technical proposals of Bidders qualified in eligibility evaluation, based on response and presentation
3. Arriving at the final score on technical proposal.
Presentation-cum-Interview
The Bidders who are qualified in eligibility evaluation, have to give presentation/interactions before panel of representatives of Bank on the methodology/ approach, time frame for various activities, strengths of the Bidders in carrying out the tasks as per the scope of the RFP detailed under section II of the RFP. The technical competence and capability of the Bidder should be clearly reflected in the presentation. If any short listed Bidder fails to make such presentation, he will be eliminated from the evaluation process.
At the sole discretion and determination of the Bank, the Bank may add any other relevant criteria for evaluating the proposals received in response to this RFP.
Bank may, at its sole discretion, decide to seek more information from the Respondents in order to normalize the bids. However, Respondents will be notified separately, if such normalization exercise as part of the technical evaluation is resorted to.
Document Classification : Public Page 32 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Technical Evaluation Criteria:
Technical criteria are classified under 3 heads - Credentials, Manpower & Tools and Approach & Methodology. The table below highlights the parameters under the technical criteria and scoring methodology.
Criteria Evaluation Parameters Max Marks
Documents to be
submitted
Credentials (please refer NOTE 1 to 2)
Must possess experience in conducting VA & PT of IT Infrastructure ( Servers, Network devices, Security Devices, Databases) of Data Centre / Disaster recovery for at least 1
Bank in India in each of the last 4 years e.g. 2011, 2012, 2013, 2014
For each year of experience (Marks per credential 3)
12 Copies of Work order and Client certificate.
Must possess experience in conducting VA & PT of IT Infrastructure ( Servers, Network devices, Security Devices, Databases) of Data Centre / Disaster recovery for at least 2 Banks in India in 4 years e.g. 2011,2012,2013,2014
For each consultancy assignment (Marks per credential 4)
8
Additional Marks per assignment in Large Bank in India having minimum 500 branches (Marks per credential 5)
10
Must have extensive experience in VA & PT of any one of the Internet facing applications e.g. internet banking, cash management system, online trading, Payment Gateway for at least 1 Bank in India in each of the last 4 years e.g.,2011,2012, 2013, 2014
For each year of experience (Marks per credential 3)
12
Must have extensive experience in VA & PT of Internet facing applications e.g. Internet banking, Cash management system, Online trading, Internet Payment Gateway
for at least 2 Banks in India in the last 4 years e.g.,2011,2012, 2013, 2014
For each consultancy assignment (Marks per credential 4)
8
Additional Marks per assignment in Large Bank in India having minimum 500 branches (Marks per credential 5)
10
Sub-total (Credentials) 60
Document Classification : Public Page 33 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Manpower (please refer NOTE3)
Engagement Manager should have handled such projects in the firm for at least three years
4 1. Copy of relevant Certificate; 2. Proof of employment with the Bidder.
Onsite Team Leader(Technical) responsible should have handled such projects in firm for at least 4 years
4
Proposed team members must have experience in executing similar projects in banks out of which at least one should be a public sector bank
(Marks per Team member experience 2)
6
Team Members to be deployed should be Certified on any one or more certifications such as CCE, GCFE, CEH, and CCFE.
(Marks per Team member credentials 2)
6
Details of Tools to be deployed and persons Trained on those tools
3 Marks for each licensed tool Additional -2- marks for certified team member on the same licensed tool
10 As per annexure and copy of the certification
Subtotal of Manpower and Tools user 30
Methodology & Approach
Demonstration of in-depth understanding of the Bank‟s project requirements through the technical proposal and presentation.
5 Subjective evaluation based on technical proposal and presentation
Technical Proposal with detailed broken-down activities to be performed, effort estimation, manpower to be deployed for each of the major activities.
5 Subjective evaluation based on technical proposal and presentation
TOTAL MARKS 100
NOTE 1: Experience of last -4- years only will be counted in the Technical Evaluation of the Bids. NOTE 2: For manpower consideration, the Employee should be on the payroll of the Bidding Company. For this proof in the form of employment letter duly accepted by the employee or suitable declaration jointly signed by the Employer and Employee stating date of joining on the Bidding company‟s letterhead should be submitted.
Document Classification : Public Page 34 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above evaluation criteria along with documentary proofs as specified there against.
Techno Commercial Bid Evaluation Criteria
It may be noted that commercial bids will be subjected to following evaluation process.
Based on the technical evaluation criteria, each Bidder will be given certain marks. Only those Bidders scoring 75% (75 marks out of 100) or above in the technical evaluation will be short-listed for commercial evaluation.
Commercial quote provided by the Bidder whose Technical Bid qualifies will be discounted as per the formula given below. A comprehensive “Score (S)” will be arrived at after considering the commercial quote and
the marks obtained in technical evaluation with relative weights of 40% for commercial score and 60% for technical score. The Bidder with the highest score will be declared successful:
Computation Methodology for arriving at “Least Price / Least Quote” :
Cut - Off score for technical bid will be 75 marks.
In case there is only one bidder having technical score of 75 or more, Bank may, at its discretion, also consider the next highest technical scorer with minimum score of 50. In case, no Bidder is having technical score of 75 or more, Bank may, at its discretion, qualify 2 top scoring Bidders with minimum score of 50 in technical evaluation and compute the “Score” as per the table below.
Bank will give 60% weightage to technical score while comparing the commercial quote. The procedure is as under:
A Comprehensive Score (S)‟ will be calculated for all qualified Bidders using the following formula:
Comprehensive Score (S) : (X*CLow /C)*100 + (1-X)*(T)
Where C stands for Commercial price quoted, CLow stands for the price quote of the lowest Commercial bid value. T stands for technical evaluation score. X is the Commercial bid weightage factor and is equal to 0.4. While computing the comprehensive score (S) as per above formula, the values of (CLow / C * X) and (T) * (1-X)) will be considered only upto 3 decimals and the other decimals will be ignored.
Example:
If -3- Bidders A, B and C participated in the RFP process. Bidders A,B, and C get 75,80 and 90 marks in technical evaluation. Bidders Commercial Bids are valued at 120,100 and 110 for A, B and C respectively. As all the Bidders are obtaining marks above or equal to cut-off, all the -3- bidders are eligible for Commercial Bid opening. Following is the techno-commercial calculation of the -3- bids.
Document Classification : Public Page 35 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
S.No.
Bidder Technical Evaluation Marks
(T)
Evaluated Bid Price (C)
(CLow / C) * 0.40*100
(T) * 0.60 Comprehensive Score (S)=(CLow*40/C)+(T*0.60)
1 A 75 120 (100/120) * 40=
33.333
(75) * 0.60 = 45
78.333
2 B 80 100 (100/100) * 40=
40.00
(80) * 0.60 = 48
88.000
3 C 90 110 (100/110) * 40=
36.363
(90) * 0.60 = 54
90.363
In the above example, Bidder C, with the highest comprehensive score of 90.363 becomes the successful Bidder.
Bank reserves the right to negotiate the price with the successful Bidder before awarding the contract. It may be noted that Bank will not entertain any price negotiations with any other Bidder, till the successful Bidder declines to accept the offer.
In the case of tie between two or more Bidders a fresh commercial bid will be called upon from these Bidders for evaluation and selection of the Consultant.
Document Classification : Public Page 36 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-C : COMPLIANCE CERTIFICATE
(On company‟s letterhead) To, Date : The Chief Information Security Officer(CISO) Risk Management Dept. Bank of Baroda 2rd Floor, Baroda Corporate Centre C-26, G Block, Bandra Kurla Complex, Bandra (East) Mumbai 400 051 Dear Sir, Ref: - RFP for selection of Selection of Service Provider for conducting VAPT of Internet facing Applications/Infrastructure. 1. Having examined the Request for Proposal (RPF) including all annexures, the
receipt of which is hereby duly acknowledged, we, the undersigned offer to provide the desired services for the Bank‟s Information System Assets at select business units of the Bank in conformity with the terms and conditions of the said RFP and in accordance with our proposal and the schedule of Prices indicated in the Price Bid and made part of this bid. 2. If our Bid is accepted, we undertake to complete the project within the
scheduled time lines. 3. We confirm that this offer is valid for six months from the last date for
submission of RFP to the Bank. 4. This Bid, together with your written acceptance thereof and your notification of
award, shall constitute a binding Contract between us. 5. We undertake that in competing for and if the award is made to us, in executing
the subject Contract, we will strictly observe the laws against fraud and corruption in force in India namely “Prevention of Corruption Act 1988”.
6. We agree that the Bank is not bound to accept the lowest or any Bid that the Bank may receive.
7. We have not been barred/black-listed by any regulatory / statutory authority in India and we have required approval, if any, to be appointed as a service provider.
8. We shall observe confidentiality of all the information passed on to us in course of the tendering process and shall not use the information for any other purpose than the current tender.
9. We confirm that we have obtained all necessary statutory and obligatory permission to carry out the assignment, if any.
Signed Dated Seal & Signature of the Bidder
Phone No.: Fax: E-mail:
Document Classification : Public Page 37 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-D : TECHNICAL BID FORMAT
Particulars to be provided by the Bidder in the technical proposal –
No
Particulars
Bidder to furnish details
Reference Page no
of relevant
document in RFP
response
1 Name of the Bidder
2 Date of establishment and constitution. Certified copy of “Partnership Deed” or “Certificate of Incorporation/commencement of business” should be submitted. For entities other than partnership firm and limited company, other relevant documents to be submitted.
3 Location of Registered Office /Corporate Office/ Mumbai office with addresses.
4 Mailing address of the Bidder
5 Names and designations of the persons authorized to make commitments to the Bank
6 Telephone and fax numbers of contact persons
7 E-mail addresses of contact persons
8
Details of:
Description of business and business background
Service Profile & client profile
Domestic & International presence.
9 Whether the consulting process confirms to ISO
9001(2000), ISO27001 standards and if so, furnish details
of compliance.
10 Details of experience/knowledge possessed in the areas of
Project Planning and management review, Resource
Planning, Role and Responsibility definition, Co-
ordination across multiple functionaries
11 Gross annual turnover of the Bidder (not of the group)
Year ending in 2012 Audited
Year ending in 2013 Audited.
Year ending in 2014 Audited.
Document Classification : Public Page 38 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
No
Particulars
Bidder to furnish details
Reference
Page no of
relevant document
in RFP response
(Copy of audited financial statements for above years to be submitted)
12
Net profit of the Bidder (not of the group)
Year ending in 2012 Audited
Year ending in 2013 Audited.
Year ending in 2014 Audited.
(Copy of audited financial statements for above years to be submitted)
Tangible Net worth of the Bidder (not of the group)
Year ending in 2013
Year ending in 2014
13
Experience of assignments executed successfully as Consultant for providing VAPT services to the Banks in India in the last -4- years:
14 Details of the similar assignments on hand as on date (Name of the Bank, time projected for execution of the assignment and documentary proofs such as work order are to be furnished)
15 Details of Engagement Manager, Team Leader and Team Members.
Details of similar assignments handled by the said
employee/consultant : Documentary proofs for all the
assertions are to be enclosed in the form of
Certificates, CVs, employment letter etc to be enclosed.
As per Annexure H
15.a Name of the Engagement Manager identified for this assignment and his professional qualifications and experience/expertise
15.b Name of Onsite Team Leader
15.c
Names of the other team members identified for this assignment
Document Classification : Public Page 39 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
No
Particulars
Bidder to furnish details
Reference
Page no of
relevant document
in RFP response
18 Estimated work plan and time schedules for providing services for this assignment.
19 Effort estimate and elapsed time are to be furnished.
As per Annexure-F
20 Details of inputs, infrastructure requirements required by the Bidder to execute this assignment.
21
Details of the Bidder‟s proposed methodology/approach with reference to the scope of work.
22
Details of deliverables, other than the deliverables with reference to the scope of work.
The Bidder should provide detailed responses for each of the above items along with documentary proofs as prescribed there against and also as specified in Annexure-A (eligibility criteria) & Annexure B ( Bidder’s Selection/Evaluation Process).
Declaration:
1. We confirm that we will abide by all the terms and conditions contained in the RFP.
2. We hereby unconditionally accept that Bank can at its absolute discretion apply whatever criteria it deems appropriate, not just limiting to those criteria set out in the RFP, in short listing of Bidders.
3. All the details mentioned by us are true and correct and if Bank observes any misrepresentation of facts on any matter at any stage, Bank has the absolute right to reject the proposal and disqualify us from the selection process.
4. We confirm that this response, for the purpose of short-listing, is valid for a
period of six months, from the date of expiry of the last date for submission of response to RFP.
5. We confirm that we have noted the contents of the RFP and have ensured that there is no deviation in filing our response to the RFP and that the Bank will have the right to disqualify us in case of any such deviations.
Place:
Date: Seal & Signature of the Bidder
Document Classification : Public Page 40 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-E : EXPERIENCE DETAILS
DETAILS OF VAPT ASSIGNMENTS CARRIED OUT IN INDIA
Sl. No.
Name of
the Client
Client segment Bank or BFSI or Others
Date of PO
Date of completion
of assignment
Brief Scope
of Work
Name of Lead consult
ant
Contact
person details of the client
RFP respon
se Page Ref. No.
Please submit copy of Purchase order and Client Certificate Place: Date: Seal and Signature of Bidder
Document Classification : Public Page 41 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-F : ESTIMATED EFFORT AND ELAPLSED TIME
Sl No
Activities as per Scope of Work
Elapsed
Time
Effort in Man days for
1st assignm
ent
Number of team members to be deployed for 1st assignm
ent
Effort in Man days for repeat
assignment
Number of team members to be deploye
d for repeat
assignment
Remarks
1.
Vulnerability Assessment &
Penetration Testing for Internet facing infrastructure hosted in Bank‟s environment at DC & DR
2. Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank‟s environment (For a set of 11 IPs)
3. Vulnerability Assessment & Penetration Testing of Bank‟s Website www.bankofbaaroda.com hosted at outsourced environment
4. VAPT for Application (Repeat/New application) hosted at DC/DR
TOTAL MAN DAYS
Place: Date: Seal and Signature of Bidder
Document Classification : Public Page 42 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-G : DETAILS OF TOOLS AND TEAM MEMBERS
TRAINED/CERTIFIED ON TOOLS
Sl. No.
Name of Tool
Date of Procurement
License Details and Validity
Names of Employee certified on Tool
Names of Employee Trained on Tool
Page Ref. of CV
Documentary proofs are to be enclosed to substantiate the claims made. Place: Date: Seal and signature of the Bidder
Document Classification : Public Page 43 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-H : PROPOSED TEAM PROFILE
S.N
o.
Nam
e o
f
Pro
posed
En
gagem
en
t M
an
ager
/Pro
posed
Team
Leader/
Team
Mem
bers
Pro
f. Q
uali
ficati
on
s
Cert
ific
ati
on
s/
Accre
dit
ati
on
s
VA
& P
T e
xpert
ise (M
en
tion
if
he h
as w
ork
ed i
n B
an
ks e
arl
ier)
In t
erm
s o
f years
and a
reas o
f
expert
ise
IT S
ecuri
ty E
xpert
ise
In t
erm
s o
f years
and a
reas o
f
expert
ise
Num
ber
of
sim
ilar
assig
nm
en
ts
involv
ed
In B
anks/oth
er
insti
tuti
on
s
Deta
ils o
f T
ools
know
n
RFP r
espon
se P
age R
efe
ren
ce #
Team
Mem
ber:
Onsit
e/ O
ffsit
e
Documentary proofs are to be enclosed to substantiate the claims made. Place: Date: Seal and signature of the Bidder
Document Classification : Public Page 44 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-I : COMMENTS ON TERMS & CONDITIONS & SERVICES/PRE BID
QUERY FORMAT
Please submit your pre bid queries in the format as mentioned below.
Please provide your comments on the Terms & conditions in this section. You are requested to categorize your comments under appropriate headings such as those pertaining to the Scope of work, Terms & Conditions etc. You are also requested to provide a reference of the page number, state the clarification point and the comment/ suggestion/ deviation that you propose as shown below.
Sr. No.
Page #
Point / Section #
Clarification point as stated in the tender
document
Category of Comment/ Suggestion/
Deviation/ Query
Comment/ Suggestion/ Deviation/
Query
Note : A line should contain any one of the Comment/Suggestion/Deviation/Query only.
Place: Date: Seal and signature of the Bidder
Document Classification : Public Page 45 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
ANNEXURE-J : COMMERCIAL BID FORMAT
Commercial Bid Format (in Rupees)
Sr. No.
Major Activities
Expected No of Units
(A)
Unit Cost of 1st
assignment
(B)
Unit Cost of repeat
Assignment on Half
yearly basis (C )
Total Costs (inclusive of all applicable taxes except Service Tax)
1 Vulnerability Assessment & Penetration Testing for Internet facing infrastructure hosted in Bank‟s environment at DC & DR
1+3 (D=B+C*3)
2 Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank‟s environment (For a set of 11 IPs)
1+3 (D=B+C*3)
3 Vulnerability Assessment & Penetration Testing of Bank‟s Website www.bankofbaaroda.com hosted at outsourced environment
1+3 (D=B+C*3)
4 VAPT for Application (Repeat/New application) hosted at DC/DR
10 Apps (D=A*B+A*C*3)
Grand Total
Amount in Words : ____________________________________________________.
Please also furnish the following:
1. Average cost per man-day (in Rupees) :
2. Rate per man-day for Senior Resource ( in Rupees) :
3. Rate per man-day for other Resources ( in Rupees) :
4. Rate per man-day external site duty ( Composite Rate) : The prices quoted above should be inclusive of all taxes, levies, cess, and duties etc. except service tax. The service tax is payable on actual basis. For line item no. 4 the following will apply : 1. Bank reserves the right to avail any one or more services from the above line
items. 2. Bank reserves the right to increase or decrease the quantity of any one or
more service mentioned at line item no. 4. 3. In case of any travel out of Mumbai and Hyderabad for such extra work,
Bank will pay only hotel accommodation charges and return ticket fare as per the Bank‟s policy as applicable to the Senior Manager grade officials of the Bank.
4. The cost should be all inclusive including usage of tools etc. Place: Date : Seal & Signature of the Bidder
Document Classification : Public Page 46 of 46 IT Security Cell, Risk Management Dept., Baroda Corporate Centre, Bank of Baroda Mumbai-400051
RFP for Selection of Service Provider for Conducting VA and PT of Internet
facing Applications and Infrastructure
RFP Ref No: BCC:CISO:RFP:107/17 Date : 5th May 2015
Bank Of Baroda, IT Security Cell, Risk Management Department 2nd Floor, Bank Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), MUMBAI – 400051.
End of Document