
Bank of Baroda Head Office, Baroda

Confidential Page 1 of 42 CIAD, HO, Baroda

RFP Document for Comprehensive audit of IT Infrastructure

Created on 20/11/2013

Request for Proposal (RFP)

for

Selection of Service Provider for Conducting

Comprehensive Audit of IT Infrastructure (Data

Centre/Disaster Recovery Centre/Near Site)

Bank of Baroda Central Inspection and Audit Department

Head Office, Baroda Mumbai

Nov 25, 2013

[A] Important Dates:

1. Issuance of RFP Document by Bank from : 30/11/2013

2. Last Date of Submission of Response by the Bidder : 31/12/2013

[B] Important Clarifications:

The following terms are used interchangeably in this document:

1. Bank of Baroda, BOB, BoB and Bank mean “Bank of Baroda”.

2. Recipient, Respondent and Bidder mean “Respondent to the RFP Document”.

3. RFP means the “Current RFP Document”.

4. SP means the “Service Provider”.

5. DC means the “Data Centre”.

6. DR means the “Disaster Recovery Site”.

7. DRP means the “Disaster Recovery Procedures”.

Confidentiality

This document is meant for the specific use of the company/person(s) interested in participating in the current tendering process. This document, in its entirety, is subject to copyright laws. Bank of Baroda expects the bidders, or any person acting on behalf of the bidders, to strictly adhere to the instructions given in the document and to maintain confidentiality of information. The bidders will be held responsible for any misuse of the information contained in the document and are liable to be prosecuted by Bank of Baroda in the event such a circumstance is brought to the notice of the Bank. By downloading the document, the interested party is subject to the confidentiality clauses.

Section – I

1. Introduction and Disclaimer

This Request for Proposal document (“RFP”) has been prepared solely to enable Bank of Baroda to select suitable organizations to tender for conducting a Comprehensive Audit of the IT infrastructure implemented under the Technology Enabled Business Transformation Project. The RFP document is not a recommendation, offer or invitation to enter into a contract, agreement or other arrangement in respect of the services. The provision of the services is subject to observance of the selection process and to appropriate documentation being agreed between Bank of Baroda and any successful bidder identified after completion of the selection process as detailed under Section – II, Para 22.

2. Information Provided

The RFP document contains statements derived from information that is believed to be reliable at the date obtained but does not purport to provide all of the information that may be necessary or desirable to enable an intending contracting party to determine whether or not to enter into a contract or arrangement with Bank of Baroda in relation to the provision of services. Neither Bank of Baroda nor any of its employees, agents, contractors, or advisers gives any representation or warranty, express or implied as to the accuracy or completeness of any information or statement given or made in this RFP document. Neither Bank of Baroda nor any of its employees, agents, contractors, or advisers has carried out or will carry out an independent audit or verification or due diligence exercise in relation to the contents of any part of the RFP document.

3. For Respondent Only

The RFP document is intended solely for the information of the party to whom it is issued and no other person or organisation.

4. Service Provider Eligibility Criteria

The Service Provider (SP) company is required to meet the following eligibility criteria and provide adequate documentary evidence for each of the criteria stipulated below:

1. SP must be a Government Organization/PSU/PSE/partnership firm/LLP or limited company.

2. SP must have been in existence for five years as on 31.03.2013 (in case of mergers/acquisition/restructuring or name change, the date of establishment of the earlier/original Partnership Firm/Limited Company can be taken into account).

3. Must have a minimum turnover of at least Rs 200 crore in the past two years, i.e. 2011-12 and 2012-13, of which at least 25% of the revenue must have come from Audit & Consulting Services.

4. Should have made profits for the past 3 years in succession, i.e. 2010-11, 2011-12 & 2012-13, or should have a minimum net worth of at least 50 crores in each of the past two years, i.e. 2011-12 and 2012-13 (net worth means the tangible net worth of the bidder).

5. The bidder should be empanelled by CERT-In as an Information Security Audit Organization for the period valid up to April 30, 2014.

6. Should have conducted IT Infrastructure audit/review of Data Centres for 2 banks in the last 5 years.

7. Must never have been blacklisted/barred/disqualified by any regulator/statutory body.

8. Must have experience in reviewing IT Infrastructure Systems.

9. Must not be an application implementer, solution provider or assistance provider for implementation in alliance with the Bank’s SI, Hewlett Packard, in Bank of Baroda’s Project.

10. Must not be a direct competitor providing the solution/application being provided/implemented by Hewlett Packard to the Bank.

11. Must have on its rolls at least one Project Manager (team leader) and one additional member with experience similar to that of the Project Manager, each of whom has personally been involved in at least one similar assignment. The Engagement Manager must have at least 3 years’ experience of Testing Services and Audit Services.

12. Must have a presence in India.

5. Confidentiality

The RFP document is confidential and is not to be reproduced, transmitted, or made available by the Recipient to any other party. The RFP document is provided to the Recipient on the basis of the undertaking of confidentiality given by the Recipient to Bank of Baroda. Bank of Baroda may update or revise the RFP document or any part of it. The Recipient acknowledges that any such revised or amended document is received subject to the same terms and conditions as this original and subject to the same confidentiality undertaking. The Recipient will not disclose or discuss the contents of the RFP document with any officer, employee, consultant, director, agent, or other person associated or affiliated in any way with Bank of Baroda or any of its customers, suppliers, or agents without the prior written consent of Bank of Baroda.

6. Disclaimer

Subject to any law to the contrary, and to the maximum extent permitted by law, Bank of Baroda and its officers, employees, contractors, agents, and advisers disclaim all liability from any loss or damage (whether foreseeable or not) suffered by any person acting on or refraining from acting because of any information, including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it, whether or not the loss or damage arises in connection with any negligence, omission, default, lack of care or misrepresentation on the part of Bank of Baroda or any of its officers, employees, contractors, agents, or advisers.

7. Costs Borne by Respondents

All costs and expenses incurred by Recipients / Respondents in any way associated with the development, preparation, and submission of responses, including but not limited to attendance at meetings, discussions, demonstrations, etc. and providing any additional information required by Bank of Baroda, will be borne entirely and exclusively by the Recipient / Respondent.

8. No Legal Relationship

No binding legal relationship will exist between any of the Recipients / Respondents and Bank of Baroda until execution of a contractual agreement.

9. Recipient’s Obligation to Inform Itself

The Recipient must conduct its own investigation and analysis regarding any information contained in the RFP document and the meaning and impact of that information.

10. Evaluation of Offers

Each Recipient acknowledges and accepts that Bank of Baroda may, in its absolute discretion, apply whatever criteria it deems appropriate in the selection of the Service Provider, not limited to the selection criteria set out in this RFP document. The RFP document will not be construed as any contract or arrangement which may result from the issue of this RFP document or any investigation or review carried out by a Recipient. The Recipient acknowledges, by submitting its response to this RFP document, that it has not relied on any information, representation, or warranty given in this RFP document.

11.a Earnest Money Deposit

As part of compliance, intending bidders should pay along with the RFP response an Earnest Money Deposit of Rs. 2,50,000/- (Rupees two lakh fifty thousand only). The earnest money shall be paid by Demand Draft/Banker’s Cheque/Pay Order drawn in favour of Bank of Baroda, payable at Mumbai. The earnest money will not carry any interest. The EMD will be refunded immediately to non-selected RFP Respondents. In the case of the selected respondent, the deposit will be adjusted against the Security Deposit payable under the terms of the contract. The EMD made by the bidder will be forfeited if:

The Respondent withdraws his tender before processing the same.

The Respondent withdraws his tender after processing but before acceptance of “Letter of Selection for Final RFP” issued by Bank.

The Selected Respondent withdraws his tender before furnishing an unconditional and irrevocable Performance Bank Guarantee/Security Deposit.

The Respondent violates any of the provisions of the term and conditions of this tender specification.

11.b Security Deposit

The EMD amount deposited by the successful bidder will be converted into the Security Deposit. Any excess EMD (i.e. EMD – 5% of the contract value) of the successful bidder will be refunded by the Bank within two weeks from the date of acceptance of the contract. If, however, the EMD amount is less than the amount equivalent to 5% of the contract value, the successful bidder has to deposit the difference (i.e. 5% of the contract value – EMD amount) by way of Demand Draft/Banker’s Cheque/Pay Order drawn in favour of Bank of Baroda, payable at Mumbai, within one week from the date of awarding the contract. The Security Deposit will be refunded by the Bank after successful completion of the project. The amount of Security Deposit will be rounded off to the nearest thousand. A Bank Guarantee in lieu of Security Deposit is not acceptable.

11.c Performance Bank Guarantee

The selected bidder has to provide an unconditional and irrevocable Performance Bank Guarantee of 10% of the contract value from a Public Sector Bank in India (other than Bank of Baroda) towards due performance of the contract in accordance with the specifications, terms and conditions of the RFP document, within 15 days from the date of the Letter of Intent (LOI). The Bank Guarantee shall be kept valid for three months beyond the tentative completion period of the project.

11.d Application Money

The intending bidders should pay along with their bids Application Money of Rs 5000/- (Rupees Five Thousand only). The application money shall be paid by Demand Draft/Banker’s Cheque/Pay Order drawn in favour of Bank of Baroda, payable at Mumbai. The application money is non-refundable.

11.e Execution of SLA/NDA

The SP company must execute (a) a Service Level Agreement, which would include all the services and the terms and conditions of the services to be extended as detailed herein and as may be prescribed by the Bank, and (b) a Non-disclosure Agreement. The SP must execute the SLA and NDA within one month from the date of acceptance of the Letter of Appointment.

12. Errors and Omissions

Each Recipient must notify Bank of Baroda of any error, omission, or discrepancy found in this RFP document.

13. Acceptance of Terms

A Recipient will, by responding to Bank of Baroda RFP, be deemed to have accepted the terms as stated above from Para 1 through Para 12.

14. Lodgment of RFP Response (To be read in conjunction with Section – III, Para 2.4)

14.1 RFP Closing Date for submission of response

RFP responses must be received by the officials indicated below no later than 4:00 pm (Indian Time, GMT +5:30) on 31 Dec 2013.

Submission of Response to Bank of Baroda

Two (2) paper copies and one (1) electronic copy (Microsoft XP Word and Excel, on CD ROM) of all submissions must be supplied to Bank of Baroda, addressed to General Manager (CIAD) at:

IS Audit Cell, 2nd Floor, Bank of Baroda, Baroda Corporate Centre, BKC, Bandra (East), Mumbai 400051

For any further clarification you may contact

Mr N D Kundu, Assistant General Manager, Bank of Baroda Head Office, 10th Floor, Surajplaza, Sayajigunj, Vadodara - 390005

Submission will be valid if:

Copies of the RFP are submitted before the aforementioned closing time.

Submission is not by Fax transmission.

Response is submitted in two separate sealed envelopes with separate markings “Technical Proposal” & “Commercial Proposal”.

All separate copies of the RFP and attachments are provided in a sealed envelope or sachet.

Only One Submission Permitted

Only one submission of response to RFP by each Vendor / Service Provider will be permitted. In case of partnerships / consortium, only one submission is permitted through the lead vendor / service provider.

14.2 Registration of RFP

Registration will be effected upon Bank of Baroda receiving the RFP response in the above manner (Para 14.1). The RFP must be accompanied with all documents, information, and details required. If the submission to this RFP does not include all the information required or is incomplete or submission is through Fax mode, the RFP is liable to be rejected. All submissions, including any accompanying documents, will become the property of Bank of Baroda. Recipients shall be deemed to license, and grant all rights to, Bank of Baroda to reproduce the whole or any portion of their submission for the purpose of evaluation, to disclose the contents of the submission to other Recipients who have registered a submission and to disclose and/or use the contents of the submission as the basis for any resulting RFP process, notwithstanding any copyright or other intellectual property right that may subsist in the submission or accompanying documents.

14.3 Late RFP Policy

Respondents are to provide detailed evidence to substantiate the reasons for a late RFP submission.

RFPs lodged after the closing date for lodgment of RFPs may be registered by Bank of Baroda and may be considered and evaluated by the evaluation team at the absolute discretion of Bank of Baroda. It should be clearly noted that Bank of Baroda has no obligation to accept or act on any reason for a late submitted response to RFP.

Bank of Baroda has no liability to any person who lodges a late RFP for any reason whatsoever, including RFPs taken to be late only because of another condition of responding.

14.4 RFP Validity Period

RFPs will remain valid and open for evaluation according to their terms for a period of at least six (6) months from the close of the RFP submission process.

14.5 Requests for Information

Recipients are required to direct all communications related to this RFP, including notification of late RFP submission, through the Nominated Point of Contact person i.e. General Manager (CIAD).

All questions relating to the RFP, technical or otherwise, must be in writing, addressed only to the Nominated Point of Contact. Bank of Baroda will not answer any communication initiated by Respondents later than five business days prior to the due date for lodgment of RFPs. However, Bank of Baroda may, in its absolute discretion but under no obligation, seek additional information or material from any Respondent after the RFP closes, and all such information and material provided must be taken to form part of that Respondent’s response. Respondents should invariably provide details of their email address(es), as responses to queries will only be provided to the Respondent via email. If Bank of Baroda in its absolute discretion deems that the enquiring Respondent will gain an advantage by a response to a question, then Bank of Baroda reserves the right to communicate such response to all Respondents. Bank of Baroda may in its absolute discretion engage in discussion or negotiation with any Respondent (or simultaneously with more than one Respondent) after the RFP closes to improve or clarify any response.

15. Notification

Bank of Baroda will notify the Respondents in writing as soon as practicable about the outcome of the RFP evaluation process, including whether the Respondent’s RFP response has been accepted or rejected. Bank of Baroda is not obliged to provide any reasons for any such acceptance or rejection.

16. Disqualification

Any form of canvassing/lobbying/influence/query regarding short-listing, status etc. will result in disqualification.

17. Timeframe

The following is an indicative timeframe for the overall selection process. Bank of Baroda reserves the right to vary this timeframe at its absolute and sole discretion should the need arise. Changes to the timeframe will be relayed to the affected Respondents during the process.

RFP Issuance Date: 30 Nov, 2013

RFP Response Date: 30 Dec, 2013

RFP Evaluation Date: 31 Dec, 2013

Section – II

1. Current RFP Objectives

1.1 Project Objective

The Bank wishes to appoint a competent Service Provider (SP) for carrying out a Comprehensive Audit of the IT Infrastructure implemented at the Bank’s Data Centre, Mumbai, Disaster Recovery Centre, Hyderabad and Near Site, Mumbai. The selected service provider is required to provide the service of comprehensive audit of the IT Infrastructure deployed at DC, DR & Near Site, including but not limited to the following services: Performance Testing, Optimisation Testing, High Availability Testing, Scalability Testing, and Networking and Hardware Sizing & Configuration Testing, with reference to the four core architectural principles: Performance, Scalability, High Availability and Investment Protection. The SP will be responsible as per the scope and timelines outlined in the Project Scope section (1.2) of the RFP.

1.2 Project Scope

A description of the envisaged scope is enumerated as under. Based on the contents of the RFP, the selected SP shall be required to independently arrive at Approach and Methodology, based on globally acceptable standards and best practices, suitable for the Bank, after taking into consideration the effort estimate for completion of the same and the resource and the equipment requirements. The Selected Service Provider is required to conduct the detailed Risk assessment of IT Assets/Resources of the Bank at DC/DR /Near Site and suggest the control measures for the risks identified.

The Bank expressly stipulates that the SP’s selection under this RFP is on the understanding that this RFP contains only the principal provisions for the entire assignment and that delivery of the deliverables and the services in connection therewith are only a part of the assignment. The SP shall be required to undertake to perform all such tasks, render requisite services and make available such resources as may be required for the successful completion of the entire assignment at no additional cost to the Bank.

The services indicated in Para 1.2.1 will be covered under the scope of the Comprehensive Audit of the IT Infrastructure. Indicative details of the services may involve:

1.2.1 Review/Audit of

1. IT Infrastructure (Data Centre, Disaster Recovery Centre and Near Site)

2. Business Continuity Plan & Disaster Recovery Planning

3. Security Operation Centre (SOC) at DC, DR & Near Site.

1.2.1.1. IT Infrastructure

1.2.1.1.(a) IT Infrastructure in DC, DR & Near Site

SP shall carry out a review to ensure IT Infrastructure compliance. An indicative but not exhaustive list of activities is given below:

Data Centre/Disaster Recovery Centre civil and interiors design as per submitted layout

Adequacy of server space in view of future requirement

Access control facility – logical & Physical

Fire detection and prevention

Fire protection system for server rooms

Very Early smoke detection systems for server rooms

Water leak detection systems for server rooms

Electrical subsystem (main panel, cables, Power Distribution Unit (PDU) and earthing)

Review of Electrical Power requirement and availability.

UPS systems

DG sets and Control of fuel

Precision (computer room standard) Air-conditioning systems for server room

Air-conditioning system for other relevant areas of DC

Building management system software/hardware

Closed circuit television system (CCTV) area for monitoring entry/exit points and strategic locations within the server room

Structured cabling system for functional areas as per layout

Environmental threat protection (Air Purifier, Humidity Control etc)

Review of operator awareness of physical security breaches

Review of safeguards to mitigate risks associated with earthquake and water related threats

Verification of Physical Security policy and review of authorisation documentation on file for each individual who has card access to the data centre

Review of License verification of all hardware, Software etc on entry and exit in DC/DR

Review of adequacy of physical Security (Guards, arms etc)

1.2.1.1.(b) Review of outsourcing of IT Operations (DC, DR, NS & SOC)

Review the segregation of duties

Review of adequacy of staff

Review of reporting responsibility and periodicity of report

Review of information sharing by bank’s DC/DR team with outsourced service provider team & Data Loss/ Leak prevention System.

Review of work authorisation system between outsourced service provider and bank’s team

Access Control, Customer Data Privacy & Confidentiality.

1.2.1.1.(c) Management of Hardware

Acquisition in DC/DR, installation, upgradation, movement, usage and disposal procedures

Server sizing: hard disk capacity, RAM, processing power etc. as per requirements

Review of procedures to proactively manage the servers, which alert the administrator as and when a DC/DR service reaches the defined threshold, before a failure occurs on the servers or devices, so as to ensure uptime of the Data Centre

Preventive maintenance

Backup procedures

1.2.1.1.(d) Management of System Software

Software acquisition, installation, maintenance, updation of patches/security updates, development, storage and change management are as per the IT Security Policy

Setup and maintenance of operating system parameters: review the setting of the various parameters, updates thereof, and whether they actually work as intended and accurately

All the security features available in the OS are enabled/taken advantage of as far as possible

Review of use/control, retention, changes and hard-coded use of root/administrative, generic and other sensitive IDs and passwords

Vulnerabilities in the OS are being taken care of; compensatory controls for known vulnerabilities are in place

Review of Operating System and Database hardening and document verification of OS/DB hardening

OS patches are updated as and when released by the vendor, and control over patch management

Changes in system software are controlled in line with the organization’s change management procedures. Proper record is maintained and authenticated regarding installation, its up gradation, re-installation and maintenance.

Review of change Management Process, reporting and measuring effectiveness identifying areas of improvements

Use of sensitive system software utilities is controlled, monitored and logged

Review of compliance with the existing change management process, including updating of documentation after the change management process is completed

1.2.1.1.(e) Network Facility and Equipment Management

Overall Network management

Network design provides scalability and redundancy

Review of IPv6 Readiness

Network cabling is structured

Current network and security posture of the WAN architecture

IP addressing schemes and their allocations

Physical and logical separation of the networks

Network and security products and technologies deployed: their usage and physical security

Review of switches, routers configuration, scalability and port management.

Network bottlenecks and performance issues

Availability and quality of system documentation

IPSec implementation

Real-time monitoring of network packets, which involves packet capture and analysis.

Monitoring of syslog traffic from a managed Cisco router

Review of procedures adopted for:

Secured transmission of data through dialup / leased line/ VPN/VSATs etc.

Bandwidth management

Uptime of network- its monitoring as per service level agreement

Fault management

Capacity planning

Performance management etc

Monitoring of logs (i.e. trace log, CDCI logs, fatal logs, archive logs, SU logs, syslog, alert log, last log, application log, security log, system log, file retention logs, file replication service log, DNS logs, IDS log, AIPS logs, event log, access log, ISS log, AV log etc.)

Legal and Regulatory requirements

Evaluate their installation, placement, configuration, security, policies defined in respective equipment for meeting the security requirement of the LAN and WAN and monitoring of their logs.

1.2.1.1.(f) Database Management System and Data security:

Use of Data Repository System, Data Definition Language, Data Manipulation Language

Storage of duplicate copy of data definition and DRS at off-site

Monitoring of log of changes to the Data definitions

Procedures to ensure that all data are classified in terms of sensitivity by a formal and explicit decision by the data owner and necessary safeguards for its confidentiality, integrity and availability are taken as per IT Security Policy.

Logical access controls which ensure that access to data is restricted to authorized users.

Confidentiality and privacy requirements are met

Authorization, authentication and access control are in place

Segregation of duties is ensured for accessing data

Purging, Retention and archival of Data Files

Review of how database integrity is ensured in case tables are not properly updated by application software for various reasons, e.g. a break in the link, a bug in the software, etc. Where direct updation/modification of the database is done by opening the tables in the live environment, evaluate the controls.

Protection of Sensitive Information during Transmission and Transport

Separation of duties

Rotation of duties

Impact of backend updates

Conduct an internal vulnerability assessment for reviewing the database security setting

Audit-ability both at client side and server side, including sufficiency and accuracy of event logging, SQL prompt command usage, database level logging etc.

Recovery, rollback and restart procedures

Audit the data base systems security through automated security scans and manual reviews.

Review that table, partition and indexing structures etc. are as per application software requirements.

1.2.1.1.(g) Help Desk:

Helpdesk facility, which provides first-line support and advice

Prioritization of reported problems/calls

Timely resolution of reported problems

Problems and incidents are resolved, and the cause investigated to prevent any recurrence

Incident handling

Trend analysis and reporting

Development of knowledge base

Root cause analysis

Problem tracking and escalation with proper documentation

Audit trails of problems and solutions

Management/ operations of Help Desk for monitoring, managing and reporting the faults, configuration, performance and accounting of the Bank’s Wide Area Network, Servers installed in Data Centre and other locations across the network.

Application support calls and its resolution

1.2.1.1.(h) Storage Management

Retention, purging/archival periods and storage terms are defined for:

Documents

Data

Programs

Reports

Messages (incoming and outgoing)

Keys, certificates used for their encryption and authentication

Log files for various activities

Policy and Procedures for purging of data

1.2.1.1.(i) Media Storage

Responsibilities for media (magnetic tape, cartridge, disks and diskettes) library management are assigned to specific members of the IT functionary

Housekeeping procedures are designed to protect media library contents

Standards are defined for the external identification of magnetic media and the control of their physical movement and storage to support accountability

Procedures to assure that the contents of the media library containing data are inventoried systematically, that any discrepancies disclosed by a physical inventory are remedied in a timely fashion, and that measures are taken to maintain the integrity of magnetic media stored in the library.

Review of media handling process

Review of periodic Media testing

Review of labeling process of media storage

1.2.1.1.(j) Inventory Maintenance

Controls which identify and record all IT assets and their physical location, and a regular verification programme which confirms their existence

IT assets classification

Checking for unauthorized software

Software storage controls

License management

Review of insurance

1.2.1.1.(k) Others

Review of console log activity during system shutdown and hardware/software re-initialization

Operational procedure for Data center

Documentation of all processes

Personnel scheduling and shift hand-over process

Review of operator log to identify variances between schedules and actual activity

Use of Internet/e-mail

Review of remote desktop management/NetMeeting/FTP/SFTP etc.

Review of antivirus/DLP Implementation

1.2.1.1.(l) Process Management Review

Review of Installation Procedure

Review of Maintenance Procedure

Review of Release Procedure

Review of User Management procedure

Review of Tracking Procedure

Review of Handover procedure

Review of Incident Management Procedure

Review of Change Management Procedure

Review of Anti-Phishing Monitoring Process

1.2.2. Business Continuity Plan & Disaster Recovery Planning:

The Service Provider would be required to review the Bank’s BCP and DRP and validate them in terms of adequacy, effectiveness, efficiency, activation ability and reliability, taking into consideration the following:

Review of DRP Process

Site Review (DRC/ Near Site)

Review Business Flows

Review of Resource priority for recovery and recovery time objectives

Review of Business Continuity Strategy

Review of adequacy of Disaster Recovery Plan and Business Continuity Plan

Review of BCP & DRP for DC/DR

Review of BCM Processes

Review of achieved vs projected result

Review of process of business continuity objective

Review of submission of test result to board

Identify single points of failure

1.2.3 Security Operations Centre

Review of SOC infrastructure/implementation (SIEM: RSA Envision, DAM: Imperva, VA: Nessus)

Review of SOC processes

Review of SLA Management process for SOC

Review the configuration parameters

Review of adequacy of staff

Review of reporting responsibility and periodicity of report

Review of information sharing between the bank’s DC/DR team and the outsourced service provider’s team.

Review of work authorisation system between outsource service provider and bank’s team

Access Control, Customer Data Privacy & Confidentiality

Broad Details of the systems are given below:

Device Type / Components    Quantity    Platform
-------------------------   --------    ------------------------------------------
Servers                     362         Microsoft Windows, HP Unix, Red Hat Linux
Databases                   110         Oracle / Microsoft SQL Server / Sybase
Network Devices             28          NA
Security Devices            22          NA
Others                      10          Citrix NetScaler, RSA Envision

Please note that the Application & Database servers are counted in both the Servers section and the Databases section. Please note that the list provided above is tentative. There may be a 10% increase in the list provided; the SP should keep provision for the same while bidding.

2.3 Deliverables

During the course of the review, the SP will suggest the following, in addition to any other critical observations, methods and improvements it deems fit on the basis of its professional experience, for each of the services mentioned above:

Ways to secure the existing Networks & any new networks being merged / created

Provide re-designed network & security architecture along with technical specifications of network & security solutions based on the operational and business requirements of the Bank.

All observations will be thoroughly discussed with process owners before finalization of report

Reports will be submitted as soft copy (password protected) in doc and pdf format as well as one signed hard copy.

All reports will be prepared with the following information:

Gaps, deficiencies, vulnerabilities observed – specific observations should be given with details

Risk associated with the gaps, deficiencies and vulnerabilities observed

Category of Risk – High/Medium/Low

Recommendations/ Procedures for removing Gaps, deficiencies, vulnerabilities observed

Preparation of Final testing Report with areas of improvement

Compliance testing report

2.4 Submission of Bids (Please refer to Section – I, Para 14)

The bids shall be in two parts, viz. Technical Proposal and Commercial Proposal. Both Technical and Commercial Proposals shall be submitted in separate sealed envelopes, superscribing “TECHNICAL PROPOSAL FOR COMPREHENSIVE AUDIT OF IT INFRASTRUCTURE” on top of the envelope containing the technical bid and “COMMERCIAL PROPOSAL FOR COMPREHENSIVE AUDIT OF IT INFRASTRUCTURE” on top of the envelope containing the commercial bid. These two separate sealed envelopes should be put together in a sealed master envelope superscribing “PROPOSAL FOR COMPREHENSIVE AUDIT OF IT INFRASTRUCTURE”. The Technical Proposal will be evaluated first for technical suitability. The Commercial Proposal shall be opened only for the short-listed bidders who have qualified in the Technical Proposal evaluation.

The Technical Proposal shall contain the technical response to the requirements of the Bank along with Annexures A, C, D and E. A copy of the Commercial Proposal with the prices masked is to be submitted along with the Technical Proposal.

The Commercial Proposal shall be submitted as per Annexure B.

The bidder shall submit the Proposals properly filed so that the papers are not loose. The Bidder shall submit the proposal in a file of suitable capacity so that the papers do not bulge out and tear during scrutiny.

The technical proposal shall be organized and submitted as per the following sequence:

a) Table of Contents (list of documents enclosed)
b) Technical proposal with detailed activities broken down, effort estimate, manpower estimated to be deployed, along with Annexure D and Annexure E
c) Compliance certificate for all the terms and conditions as per Annexure C
d) All copies of certificates, documentary proofs etc.
e) A CD containing a soft copy of the proposal
f) Annexure A
g) Masked Annexure B

All the relevant pages of the proposals (except literature, datasheets and brochures) are to be numbered and signed by the authorized signatory on behalf of the Bidder. The page number should be a unique running serial number across the entire document.

The bidder has to submit a soft copy of the entire proposal in a CD. It should be noted that in case of any discrepancy in information submitted by the bidder in hard-copy and soft-copy, the hard-copy will be given precedence. However, in case of non-submission of any hard copy document, if the same is found submitted in the soft-copy, Bank reserves right to accept the same at its discretion.

The Bids shall be addressed and submitted to:

GENERAL MANAGER (CIAD)
BANK OF BARODA
Head Office, Baroda

The bids (arranged as mentioned above) are to be submitted at the Secretariat of the General Manager (CIAD), marked with the appropriate label, at the above address before the due date & time as specified. A bid submitted anywhere else is liable to be rejected. It may be noted that all queries, clarifications, questions etc. relating to this RFP, technical or otherwise, must be in writing only and should be addressed to the nominated point of contact.

Bidders should provide their E-mail address in their queries without fail. The bidder will submit an undertaking specifying that the bidder has obtained all necessary statutory and obligatory permission if any to carry out project works, if any.

The proposal should be prepared in English in MS Word format. The e-mail address and phone/fax numbers of the bidder should also be indicated on the sealed cover.

FORMATS OF BIDS: The bidders should use the formats prescribed by the Bank in the RFP for submitting both technical and commercial bids.

2.5 General Terms and Conditions (Please also refer to Section – I)

2.5.1 Adherence to Terms and Conditions: The bidders who wish to submit responses to this RFP must note that they must abide by all the terms and conditions contained in the RFP. If the responses contain any extraneous conditions put in by the respondents, such responses may be disqualified and may not be considered for the selection process.

2.5.2 Other terms and conditions:

1. Bank of Baroda reserves the right to:

• Reject any and all responses received in response to the RFP
• Waive or change any formalities, irregularities, or inconsistencies in proposal format delivery
• Negotiate any aspect of the proposal with any bidder and negotiate with more than one bidder at a time
• Extend the time for submission of all proposals
• Select the most responsive bidder (in case no bidder satisfies the eligibility criteria in totality)
• Select the next most responsive bidder if negotiations with the bidder of choice fail to result in an agreement within a specified time frame
• Share the information/clarifications provided in response to the RFP by any bidder with any other bidder(s)/others, in any form
• Cancel the RFP/Tender at any stage, without assigning any reason whatsoever

2. Substitution of Project Team Members: During the assignment, the substitution of key staff identified for the assignment will not be allowed unless such substitution becomes unavoidable to overcome undue delay or such changes are critical to meet the obligation. In such circumstances, the service provider can do so only with the concurrence of the Bank, by providing other staff of the same level of qualifications and expertise. If the Bank is not satisfied with the substitution, the Bank reserves the right to terminate the contract and recover whatever payments have been made by the Bank to the SP during the course of this assignment, besides claiming an amount equal to the contract value as liquidated damages. However, the Bank reserves the right to insist that the SP replace any team member with another (with the qualifications and expertise required by the Bank) during the course of the assignment.

2. Professionalism: The SP must provide professional, objective and impartial advice at all times, hold the Bank’s interests paramount and observe the highest standard of ethics while executing the assignment.

3. Adherence to Standards: The SP must adhere to the laws of the land and to the rules, regulations and guidelines prescribed by the various regulatory, statutory and Government authorities.

4. The Bank reserves the right itself or through a consultant to conduct an audit/ongoing audit of the consulting services provided by the SP. The cost of the audit/Consultant shall be borne by the Bank.

5. The Bank reserves the right to ascertain information from the banks and other institutions to which the bidders have rendered their services for execution of similar projects.

6. EXPENSES: It may be noted that the Bank will not pay any amount/expenses/charges/fees/traveling expenses/boarding expenses/lodging expenses/conveyance expenses/out-of-pocket expenses other than the “Agreed Professional Fee”. However, traveling, boarding and lodging expenses, if any, for site visits outside Mumbai for project-related work will be discussed with the Bank as to the need, duration, number of personnel involved, etc., and will have to be cleared by the Bank in advance in writing. Settlement of bills in such cases will be at mutually agreed rates and reimbursable against production of tickets and bills. Mumbai will be considered as the base station for the purpose of traveling.

7. The bidder cannot change the Project Manager during the entire period of execution of the assignment unless consented to in writing by the Bank.

8. The bid should contain the resource planning proposed to be deployed for the project which includes, inter-alia, the number of personnel, skill profile of each personnel, duration etc.

10. TERMS OF PAYMENT: The SP’s fees will be paid in the following manner for each item/activity described in the Commercial Proposal (Annexure B):

1. 70% of the professional fee on completion of each of the following projects:

IT Infrastructure (Data Centre, Disaster Recovery Centre and Near Site)

Business Continuity Plan & Disaster Recovery Planning

Security Operation Centre (SOC)

2. 30% of the professional fees on rectification /correction/ implementation of suggestions by the SP and submission of the Compliance Verification Final Report to the Bank.

3. All invoices will be paid by the Bank within a period of 45 days from the date of receipt of undisputed invoices. Any dispute regarding the invoice will be communicated to the selected bidder within 15 days from the date of receipt of the invoice. After the dispute is resolved, Bank shall make payment within 30 days from the date the dispute stands resolved.

12. LIQUIDATED DAMAGES (LD):

The Bank will impose a penalty of Rs. 50,000/- (Rupees Fifty thousand only) per week or part thereof for delay in adhering to the time schedules.

If the selected Bidder fails to complete the due performance of the contract in accordance with the specifications and conditions agreed during the final contract negotiation, the Bank reserves the right either to cancel the contract or to accept the performance already made by the bidder. The Bank reserves the right to recover an amount equal to the contract value as Liquidated Damages for non-performance. Both of the above are independent of each other and are applicable separately and concurrently.

However, the same would not be applicable for reasons attributable to the Bank or Force Majeure. It is the responsibility of the bidder to prove that the delay is attributable to the Bank and/or Force Majeure. The bidder shall submit proof, authenticated by the bidder and the Bank’s official, that the delay is attributable to the Bank and/or Force Majeure, along with the bills requesting payment.

13. Indemnity: The bidder shall indemnify the Bank, and keep it indemnified, against any loss or damage that the Bank may sustain on account of violation of patents, trademarks etc. by the bidder, by executing an instrument to that effect on Non-Judicial stamp paper.

14. Authorized Signatory: The selected bidder shall indicate the authorized signatories who can discuss and correspond with the Bank with regard to the obligations under the contract.

The selected bidder shall submit, at the time of signing the contract, a certified copy of the extract of the resolution of their Board, authenticated by the Company Secretary, authorizing an official or officials of the company, or a copy of a Power of Attorney, to discuss and sign agreements/contracts with the Bank. The bidder shall furnish proof of signature identification for the above purposes as required by the Bank.

15. Applicable Law and Jurisdiction of Court: The Contract with the selected bidder shall be governed in accordance with the Laws of India for the time being in force and will be subject to the exclusive jurisdiction of the Courts at Mumbai.

16. CANCELLATION OF CONTRACT AND COMPENSATION: The Bank reserves the right to cancel the contract of the selected bidder and recover the expenditure incurred by the Bank in the following circumstances. The Bank would provide 30 days’ notice to rectify any breach/unsatisfactory progress:

The selected bidder commits a breach of any of the terms and conditions of the bid/contract.

The bidder goes into liquidation voluntarily or otherwise.

An attachment is levied or continues to be levied for a period of 7 days upon effects of the bid.

The progress regarding execution of the contract, made by the selected bidder is found to be unsatisfactory.

If deductions on account of penalty exceed 10% of the total contract price.

After the award of the contract, if the selected bidder does not perform satisfactorily or delays execution of the contract, the Bank reserves the right to get the balance of the contract executed by another party of its choice by giving one month’s notice for the same. In this event, the selected bidder is bound to make good the additional expenditure which the Bank may have to incur to carry out a bidding process for the execution of the balance of the contract. This clause is applicable if, for any reason, the contract is cancelled.

The Bank reserves the right to recover any dues payable by the selected bidder from the security deposit or any amount outstanding to the credit of the selected bidder, including the pending bills and/or by invoking the Bank Guarantee, if any, under this contract.

17. NON PAYMENT OF PROFESSIONAL FEES:

If any of the items/activities mentioned in the price bid and in Annexure D are not taken up by the Bank during the course of this assignment, the Bank will not pay the professional fees quoted by the SP in the Price Bid against such activity/item.

18. ASSIGNMENT: Neither the contract nor any rights granted under the contract may be sold, leased, assigned, or otherwise transferred, in whole or in part, by the SP without the advance written consent of the Bank, and any such attempted sale, lease, assignment or other transfer shall be void and of no effect.

19. Subcontracting: The SP shall not subcontract or permit anyone other than its personnel to perform any of the work, service or other performance required of the SP under the contract without the prior written consent of the Bank.

20. Force Majeure: Any failure or delay by the SP or the Bank in the performance of its obligations, to the extent due to any failure or delay caused by fire, flood, earthquake or similar elements of nature, or acts of God, war, terrorism, riots, civil disorders, rebellions or revolutions, acts of governmental authorities or other events beyond the reasonable control of the non-performing Party, is not a default or a ground for termination. The affected Party shall notify the other Party within a reasonable time period of the occurrence of a Force Majeure Event.

21. Dispute Resolution: If a dispute, controversy or claim arises out of or relates to the contract, or the breach, termination or invalidity thereof, and if such dispute, controversy or claim cannot be settled and resolved by the parties through discussion and negotiation, then the parties shall refer such dispute to arbitration. Both parties may agree upon a single arbitrator, or either party shall appoint one arbitrator and the two appointed arbitrators shall thereupon appoint a third arbitrator. The arbitration shall be conducted in English and a written order shall be prepared. The venue of the arbitration shall be Mumbai. The arbitration shall be held in accordance with the Arbitration and Conciliation Act, 1996. The decision of the arbitrator shall be final and binding upon the parties, provided that each party shall at all times be entitled to obtain equitable, injunctive or similar relief from any court having jurisdiction in order to protect its intellectual property and confidential information.

22. SP Selection/Evaluation Process:

22.1 Evaluation Criteria

Technical Bid Evaluation Criteria

Technical criteria are classified under 3 heads: Credentials, People, and Approach & Methodology. The table below lists the parameters under the technical criteria and the scoring methodology. Against each parameter the bidder scores 100% of the weightage if the information provided meets the requirement, 50% if it partially meets the requirement, and 0% if it does not meet the requirement.

Sr No   Evaluation Parameters                                                                 Weightage

1   Must possess experience in conducting review of IT Infrastructure of Data Centre / Disaster Recovery for at least 2 Public Sector Banks or equivalent organizations in the last 5 years   20

2   Must have extensive experience in audit of Data Centre / Disaster Recovery for at least 2 Public Sector Banks in the last 5 years   20

3   Must have extensive experience in audit of network/security devices deployed in Data Centre / Disaster Recovery for at least 2 Public Sector Banks in the last 5 years   10

4   Must have experience in developing and implementation of Business Continuity Plan and Disaster Recovery Planning in at least 2 reputed Public Sector Banks in the last 5 years   15

5   Must have extensive experience in audit of Security Operation Centre for at least 2 Banks in the last 5 years   10

    Sub-Total (Credentials)   75

6   Engagement Manager should have handled such projects in the firm for at least four years   5

7   Overall person responsible should have handled such projects in the firm for at least 6 years   5

8   Proposed team must have experience in executing similar projects in banks, out of which at least one should be a public sector bank   5

    Sub-Total (People)   15

9   Demonstration of in-depth understanding of the Bank’s project requirements through the technical proposal   5

10  Technical Proposal with detailed broken-down activities to be performed, effort estimation, and manpower to be deployed on a project-to-project basis   5

    Sub-Total (Approach & Methodology)   25

    Total Marks   100

Commercial Evaluation Criterion

Sl. No.   Major Activities                                                          Total Cost

1         IT Infrastructure (Data Centre / Disaster Recovery Centre / Near Site Audit)
2         Business Continuity Plan & Disaster Recovery Planning
3         Review of Security Operation Centre (SOC)

          NET TOTAL COST

Computation Methodology for arriving at “Least Price/Least Quote”

The Bank will give 60% weightage to the technical score while comparing the commercial quotes. The procedure is as under: a “Score (S)” will be calculated for all qualified bidders using the following formula:

Where C stands for the nominal price quoted, C_low stands for the price quote of the lowest nominal bid, T stands for the technical evaluation score and T_high stands for the score of the technically highest bidder. X is equal to 0.4.

In the above example, ABC, with the highest score, becomes the successful bidder. The Bank reserves the right to negotiate the price with the finally short-listed bidder before awarding the contract. It may be noted that the Bank will not entertain any price negotiations with any other bidder until the Least Price bidder declines to accept the offer.

Note:

1. Banks exclude RRBs and Cooperative Banks.
2. The SP is required to provide documentary evidence for each of the above criteria, and the same would be required on the client’s letterhead in the case of credentials.

23. Project Timelines:

Columns: Sl. No. / Major Activities / Major Milestones (Only indicative. Bidder should add more detailed steps / tasks so as to strengthen the quality of the response) / Time Lines (Days)

1. IT Infrastructure (Data Centre / Disaster Recovery Centre Audit)
   Major Milestones: Data Centre, Disaster Recovery, Near Site Acceptance Test Plan: perform Acceptance Test for all critical Data Centre and Disaster Recovery Site IT Infrastructure; assist Bank in signing of Acceptance Test; Management of hardware, software, network facilities, application and database; Management of Operating System, data security, help desk, Storage, Business Continuity, Inventory and Media; Process Management Review
   Time Lines (Days): 45

2. Business Continuity Plan & Disaster Recovery Planning
   Major Milestones:
   Review of DRP Process
   Site Review (DRC / Near Site)
   Review of Business Flows
   Review of Resource priority for recovery and recovery time objectives
   Review of Business Continuity Strategy
   Review of adequacy of Disaster Recovery Plan and Business Continuity Plan
   Review of BCP/DRP for DC/DR (complete)
   Review of achieved vs projected result
   Review of process of business continuity objective
   Review of submission of test result to board
   Identify single points of failure
   Time Lines (Days): 15

3. Review of Security Operation Centre (SOC)
   Major Milestones:
   Review of SOC infrastructure/implementation (SIEM: RSA Envision, DAM: Imperva, VA: Nessus)
   Review of SOC processes
   Review of SLA Management process for SOC
   Review the configuration parameters
   Review of adequacy of staff
   Review of reporting responsibility and periodicity of report
   Review of information sharing between the bank’s DC/DR team and the outsourced service provider’s team
   Review of work authorisation system between outsourced service provider and bank’s team
   Access Control, Customer Data Privacy & Confidentiality
   Time Lines (Days): 15

24. Proposal and other formats

ANNEXURE A

Technical Proposal format: Particulars to be provided by the bidder in the technical proposal

Columns: No. / Particulars / Details to be furnished by the bidder

1. Name of the bidder

2. Year of establishment and constitution (a certified copy of the “Partnership Deed” or “Certificate of Incorporation”, as the case may be, should be submitted)

3. Location of Registered office / Corporate office and address

4. Mailing address of the bidder

5. Names and designations of the persons authorized to make commitments to the Bank

6. Telephone and fax numbers of contact persons

7. E-mail addresses of contact persons

8. Details of: description of business and business background; service profile & client profile; domestic & international presence; alliances and joint ventures

9. Whether the consulting process conforms to ISO 9001(2000), BS7799, ISO17799 standards and, if so, furnish details of compliance.

10. Details of experience/knowledge possessed in the areas of Project Planning and management review, Resource Planning, Role and Responsibility definition, Co-ordination across multiple teams, Project risk analysis and containment

11. Turnover of the bidder (not of the group): Year 2011-12, Year 2012-13. Gross revenue of the bidder (not of the group): Year 2011-12, Year 2012-13, Year 2005-06; to be given as Total and as From Audit & Consulting Services

12. Net Profit of the bidder (not of the group): Year 2010-11, Year 2011-12 & Year 2012-13, Year 2005-06. Documentary proofs are to be enclosed

13. Tangible Net worth of the bidder (not of the group): Year 2011-12, Year 2012-13

15. Details of the similar assignments executed by the bidder during the last three years (Name of the Bank, time taken for execution of the assignment and documentary proofs from the Bank are to be furnished)

16. Details of the similar assignments on hand as on date (Name of the Bank, time projected for execution of the assignment and documentary proofs from the Bank are to be furnished)

17. Name of the team leader identified for this assignment and his professional qualifications and experience/expertise; details of similar assignments handled by the said team leader; documentary proofs for all the assertions are to be enclosed. Details to be furnished: as per Annexure E

18. Names of the other team members identified for this assignment and their professional qualifications and experience/expertise; details of similar assignments handled by the said team members; documentary proofs for all the assertions are to be enclosed. Details to be furnished: as per Annexure E

19. Estimated work plan and time schedules for providing services for this assignment

20. Effort estimate and elapsed time are to be furnished in Annexure D. Details to be furnished: as per Annexure D

21. Details of inputs and infrastructure requirements required by the bidder to execute this assignment.

22. Details of the bidder’s proposed methodology/approach for providing services to the Bank with specific reference to the scope of work.

23. Details of the deliverables the bidder proposes with specific reference to the scope of work.

Declaration:

1. We confirm that we will abide by all the terms and conditions contained in the RFP.
2. We hereby unconditionally accept that Bank of Baroda can at its absolute discretion apply whatever criteria it deems appropriate, not just limited to those criteria set out in the RFP, in short-listing of bidders.
3. All the details mentioned by us are true and correct, and if Bank of Baroda observes any misrepresentation of facts on any matter at any stage, Bank of Baroda has the absolute right to reject the proposal and disqualify us from the selection process.
4. We confirm that this response, for the purpose of short-listing, is valid for a period of six months from the date of expiry of the last date for submission of responses to the RFP.
5. We confirm that we have noted the contents of the RFP and have ensured that there is no deviation in filing our response to the RFP, and that the Bank will have the right to disqualify us in case of any such deviations.

Place:
Date:

Seal & Signature of the bidder

ANNEXURE B
Commercial Bid Format

Columns: Sr. No. | Major Activities | Major Deliverables (only indicative; the bidder may add more so as to strengthen the quality of the response) | Estimated Effort (in man days) | Quoted Price (in Rupees)

1. IT Infrastructure
   Major Deliverables:
   - Review/Audit of Data Centre, Disaster Recovery & Near Site
   - Review/Audit of Management of hardware, software, network facilities, application and database
   - Management of Operating System, data security, help desk, Storage, Business Continuity, Inventory and Media
   - Process Management Review
   Estimated Effort (in man days):
   Quoted Price (in Rupees):

2. Business Continuity Plan & Disaster Recovery Planning
   Major Deliverables:
   - Business Impact Analysis including Risk Assessment
   - Developing Business flows
   - Resource priority for recovery and recovery time objectives
   - Development of Business Continuity Strategy
   - Development and roll out of Disaster Recovery Plan and Business Continuity Plan
   Estimated Effort (in man days):
   Quoted Price (in Rupees):

3. Review of Security Operation Centre
   Major Deliverables:
   - Review of SOC infrastructure/implementation
   - Review of SOC processes
   - Review of SLA Management process for SOC


   - Review of the configuration parameters
   - Review of adequacy of staff
   - Review of reporting responsibility and periodicity of reports
   - Review of information sharing by the bank's DC/DR team with the outsource service provider team
   - Review of the work authorisation system between the outsource service provider and the bank's team
   - Access Control, Customer Data Privacy & Confidentiality
   Estimated Effort (in man days):
   Quoted Price (in Rupees):

Please also furnish the following:

1. Average cost per man-day (in Rupees):
2. Rate per man-day for Senior Resource (in Rupees):
3. Rate per man-day for other Resources (in Rupees):
4. Rate per man-day for external site duty (Composite Rate):


ANNEXURE C
Compliance Certificate

To,
The General Manager (Inspection & Audit)
Bank of Baroda, Head Office
Central Inspection & Audit Division,
Surajplaza, Sayajigunj
Baroda- 390005

Date:

Dear Sir,

Ref: -

1. Having examined the Request for Proposal (RFP) including all annexures, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to provide the desired services for the Comprehensive audit of the IT systems in conformity with the said RFP and in accordance with our proposal and the schedule of Prices indicated in the Price Bid and made part of this bid.

2. If our Bid is accepted, we undertake to complete the project within the scheduled time lines.

3. We confirm that this offer is valid for six months from the last date for submission of RFP to the Bank.

4. This Bid, together with your written acceptance thereof and your notification of award, shall constitute a binding Contract between us.

5. We undertake that in competing for and if the award is made to us, in executing the subject Contract, we will strictly observe the laws against fraud and corruption in force in India namely “Prevention of Corruption Act 1988”.

6. We agree that the Bank is not bound to accept the lowest or any Bid that the Bank may receive.

7. We have not been barred/black-listed by any regulatory / statutory authority and hold the necessary approvals/Licenses/permission of statutory/regulatory authorities.

8. We are empanelled by CERT-In as Information Security Audit Organization for the period valid up to April 30, 2014.

9. We shall observe confidentiality of all the information passed on to us in course of the tendering process and shall not use the information for any other purpose than the current tender.

Signed:
Dated:

Seal & Signature of the bidder
Phone No.:
Fax:
E-mail:


ANNEXURE D
Estimated Effort and Elapsed Time

Columns: Sl No | Activities | Elapsed Time | Effort in Man days | Number of team members who will be deployed | Remarks

1. IT Infrastructure (Data Centre/DR/Near Site Audit)
   Elapsed Time:
   Effort in Man days:
   Number of team members who will be deployed:
   Remarks:

2. Business Continuity Plan & Disaster Recovery Planning
   Elapsed Time:
   Effort in Man days:
   Number of team members who will be deployed:
   Remarks:

3. Security Operation Centre
   Elapsed Time:
   Effort in Man days:
   Number of team members who will be deployed:
   Remarks:

Place:
Date:
Seal and Signature of Bidder:


ANNEXURE E
Proposed Team Profile

Columns (one row per proposed Engagement Manager or team member):
- Sl No
- Name of Proposed Engagement Manager / Proposed Team Member
- Prof. Qualifications
- Certifications / Accreditations
- IS audit expertise, in terms of years and areas of expertise (mention if he has worked in Banks earlier)
- IT Expertise, in terms of years and areas of expertise
- Number of similar assignments involved in Public Sector Banks in India

Documentary proofs are to be enclosed to substantiate the claims made.

Place:
Date:
Seal and signature of the bidder


ANNEXURE F
Comments on the Terms & Conditions, Services and Facilities provided

Please provide your comments on the Terms & Conditions in this section. You are requested to categorize your comments under appropriate headings such as those pertaining to the Scope of work, Approach, Work plan, Personnel schedule, Terms & Conditions etc. You are also requested to provide a reference of the page number, state the clarification point and the comment/suggestion/deviation that you propose as shown below.

Columns: Sr. No. | Page # | Point / Section # | Clarification point as stated in the tender document | Comment / Suggestion / Deviation

Rows (to be filled in by the bidder):
1.
2.
3.
4.
5.
6.
7.
8.
9.

Central Inspection & Audit Department
Bank of Baroda, Head Office
Baroda
Dated: 25/11/2013

End of Document


Recommended