
REQUEST FOR PROPOSAL (RFP) FOR SUPPLY, …...Jun 27, 2019  · and maintenance of File Integrity...

Date post: 28-Jul-2020

Document Type: Public Page 1 of 62

Information Security Department, Baroda Corporate Centre, Bank of Baroda Mumbai

RFP for Supply, Implementation & Maintenance of FIM Solution RFP Ref No: BCC:CISO:68:111/227 Date : 27 June 2019

REQUEST FOR PROPOSAL (RFP)

FOR

SUPPLY, IMPLEMENTATION & MAINTENANCE

OF

FILE INTEGRITY SOLUTION

RFP Reference No. BCC: CISO: 68:111/227

Date : 27 June 2019

Bank of Baroda,

Baroda Corporate Centre,

C-26, G Block, Bandra Kurla Complex

Bandra (East),

Mumbai - 400 051.


Important Dates:

| Sr. No. | Particulars | Dates and Timelines |
|---|---|---|
| 1 | Issuance of RFP document by the Bank | 00:00 hours on 27th June 2019 |
| 2 | Last date of submission of any queries and last date for reporting any error, omissions or faults in the RFP document | 16:00 hours on 08th July 2019 |
| 3 | Pre-bid Meeting date/venue | 14:00 hours on 11th July 2019. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051 |
| 4 | Last Date of submission of RFP response | 14:30 hours on 22nd July 2019 |
| 5 | Technical bid opening date / time / venue | 15:00 hours 22nd July 2019. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051 |

All times shown above are Indian Standard Time

Important Clarifications:

Following terms are used in the document interchangeably to mean:

Bank means “Bank of Baroda (including domestic operations, overseas operations, Overseas & Indian subsidiaries & Associate Banks)”

BCC means “Baroda Corporate Centre”.

BST means “Baroda Sun Tower”.

Security Systems Integrator(SSI), Recipient, Respondent, Bidder and Vendor generally means “Respondent to the RFP document” unless context specifies otherwise.

SIEM means Security Information and Event Management

DAM means Database Activity Monitoring

VA/VM means Vulnerability Assessment/Vulnerability Management

EPS means Events per second

DC means Bank’s Data centre at Mumbai.

DR, DRS means Bank’s Disaster Recovery centre at Hyderabad.

RFP means this “RFP document”

OEM means Original Equipment Manufacturer

OSD means Original Solution Developer


TABLE OF CONTENTS

SECTION – I
1.1 INTRODUCTION AND DISCLAIMER
1.2 INFORMATION PROVIDED
1.3 FOR RESPONDENT ONLY
1.4 CONFIDENTIALITY
1.5 DISCLAIMER
1.6 ELIGIBILITY CRITERIA
1.7 COSTS BORNE BY RESPONDENTS
1.8 NO LEGAL RELATIONSHIP
1.9 RECIPIENT OBLIGATION TO INFORM ITSELF
1.10 EVALUATION OF BIDS
1.11 ERRORS AND OMISSIONS
1.12 ACCEPTANCE OF TERMS
1.13 RFP RESPONSE TERMS
1.14 NOTIFICATIONS
1.15 DISQUALIFICATION
1.16 ERASINGS OR ALTERATIONS
1.17 RIGHT TO REJECT BIDS
1.18 PROCESS & TIMEFRAME
1.19 OTHER TERMS AND CONDITIONS

SECTION – II
2.1 BANK OF BARODA-INTRODUCTION
2.2 PROJECT OBJECTIVE
2.3 PROJECT SCOPE
2.3.1 PROPOSED METHODOLOGY FOR FIM IMPLEMENTATION
2.3.2 FIM SOLUTION SUPPLY
2.3.3 EVENT MONITORING AND INCIDENT GENERATION
2.3.4 INTEGRATION WITH SIEM TOOL AND OTHER SECURITY TOOLS
2.3.5 ALTERNATIVE APPROACH
2.3.6 ANNUAL MAINTENANCE/ANNUAL RECURRING LICENSE
2.3.7 ALERT GENERATION
2.3.8 EVENT VIEWER/DASHBOARD/REPORTS/INCIDENT MANAGEMENT
2.3.9 INTEGRATION WITH IN-SCOPE MONITORED DEVICES
2.3.10 DEVELOPMENT OF CONNECTORS FOR CUSTOMIZED APPLICATIONS/DEVICES
2.3.11 PROOF OF CONCEPT TESTING OF FIM SOLUTION
2.3.12 TRAINING TO IDENTIFIED USERS
2.4 DELIVERABLES
2.5 SERVICE LEVEL AGREEMENT
2.6 DEPLOYMENT ARCHITECTURE
2.7 PROJECT TIMELINES
2.7.1 DELIVERY OF ALL HARDWARE AND SOFTWARE COMPONENTS
2.7.2 IMPLEMENTATION
2.7.3 TRAINING
2.8 DETAILS OF INFRASTRUCTURE AT BANK’S DC/DR

SECTION – III
3.1 GENERAL TERMS AND CONDITIONS

SECTION – IV
ANNEXURE-A : ELIGIBILITY CRITERIA
ANNEXURE-B : SECURITY SYSTEM INTEGRATOR’S SELECTION/EVALUATION PROCESS
ANNEXURE-C : COMPLIANCE CERTIFICATE
ANNEXURE-D : TECHNICAL BID FORMAT
ANNEXURE-E : FIM SOLUTION SPECIFICATIONS
ANNEXURE-F : EXPERIENCE DETAILS
ANNEXURE-G : PROPOSED IMPLEMENTATION TEAM PROFILE
ANNEXURE-H : ESTIMATED EFFORT AND ELAPSED TIME
ANNEXURE-I : OEM DETAILS
ANNEXURE-J : MANUFACTURER AUTHORIZATION FORM
ANNEXURE-K : OEM SIZING CONFIRMATION
ANNEXURE-L : COMMENTS ON TERMS & CONDITIONS & SERVICES/PRE BID QUERY FORMAT
ANNEXURE-M : COMMERCIAL BID FORMAT
ANNEXURE-O : BILL OF MATERIAL


SECTION – I

1.1 INTRODUCTION AND DISCLAIMER

This Request for Proposal document (“RFP”) has been prepared solely to enable Bank of Baroda (“Bank”) to select a vendor for supply, installation and maintenance of File Integrity Monitoring Solution for the Bank, including its branches, subsidiaries, overseas branches etc.

The RFP document is not a recommendation, offer or invitation to enter into a contract, agreement or other arrangement in respect of the product and services. The provision of the product and services is subject to observance of selection process and appropriate documentation being agreed between the Bank and any successful Bidder as identified after completion of the selection process as detailed in Annexure-B on RFP Evaluation Process.

1.2 INFORMATION PROVIDED

The RFP document contains statements derived from information that is believed to be true and reliable at the date obtained but does not purport to provide all of the information that may be necessary or desirable to enable an intending contracting party to determine whether or not to enter into a contract or arrangement with Bank in relation to the provision of product and services. Neither Bank nor any of its directors, officers, employees, agents, representative, contractors, or advisers gives any representation or warranty (whether oral or written), express or implied as to the accuracy, updating or completeness of any writings, information or statement given or made in this RFP document. Neither Bank nor any of its directors, officers, employees, agents, representative, contractors, or advisers has carried out or will carry out an independent audit or verification or investigation or due diligence exercise in relation to the contents of any part of the RFP document.

1.3 FOR RESPONDENT ONLY

The RFP document is intended solely for the information of the party to whom it is issued (“the Recipient” or “the Respondent”) i.e. Government Organization/PSU/PSE/limited Company/partnership firm or an autonomous institution approved by GOI/RBI promoted. The RFP document can be downloaded from the Bank’s corporate website www.bankofbaroda.com.

1.4 CONFIDENTIALITY

This document is meant for the specific use by the Respondents interested to participate in the current tendering process. This document in its entirety is subject to Copyright laws. Bank expects the Bidders or any person acting on behalf of the Bidders to strictly adhere to the instructions given in the document and maintain confidentiality of information shared with them. The Bidders will be held responsible for any misuse of the information contained in the document and liable to be prosecuted by the Bank in the event such a circumstance is brought to the notice of the Bank. By downloading the document, the interested party is subject to confidentiality clauses. Bank may update or revise the RFP document or any part of it. The Recipient acknowledges that any such revised or amended document shall be received subject to the same confidentiality terms.

The Recipient will not disclose or discuss the contents of the RFP document with any officer, employee, consultant, director, agent, or other person associated or affiliated in any way with the Bank or any of its customers or suppliers without prior written consent of the Bank.

1.5 DISCLAIMER

Subject to any law to the contrary, and to the maximum extent permitted by law, Bank and its directors, officers, employees, contractors, representatives, agents, and advisers disclaim all liability from any loss, claim, expense (including, without limitation, any legal fees, costs, charges, demands, actions, liabilities expenses or disbursements incurred therein or incidental thereto) or damage (whether foreseeable or not) (“Losses”) suffered by any person acting on or refraining from acting because of any presumptions or information (whether oral or written and whether express or implied), including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it whether or not the Losses arises in connection with any ignorance, negligence, inattention, casualness, disregard, omission, default, lack of care, immature information, falsification or misrepresentation on the part of Bank or any of its directors, officers, employees, contractors, representatives, agents, or advisers.

1.6 ELIGIBILITY CRITERIA.

A Vendor wishing to bid should conform to the Eligibility Criteria as per Annexure-A : Eligibility Criteria except for clause no 3. For meeting the eligibility criteria, 15.06.2019 would be considered as the date on which the Bidder should be eligible.

1.7 COSTS BORNE BY RESPONDENTS

All costs and expenses (whether in terms of time or money) incurred by the Recipient / Respondent in any way associated with the development, preparation and submission of responses, including but not limited to attendance at meetings, discussions, demonstrations, presentation etc. and providing any additional information required by Bank, will be borne entirely and exclusively by the Recipient / Respondent. Stamp duty that may be incurred towards entering into an agreement with the successful Bidder for awarding the contract will be shared by the Bank and the successful Bidder in equal proportion.

1.8 NO LEGAL RELATIONSHIP

No binding legal relationship will exist between any of the Recipients / Respondents and the Bank until execution of a contractual agreement to the full satisfaction of the Bank.

1.9 RECIPIENT OBLIGATION TO INFORM ITSELF

The Recipient must apply its own care and conduct its own investigation and analysis regarding any information contained in the RFP document and the meaning and impact of that information.

1.10 EVALUATION OF BIDS

The evaluation of the bids will be done as per evaluation criteria mentioned in Annexure-B “BIDDER’S SELECTION/EVALUATION PROCESS” of this RFP document. The Bidders who do not qualify the eligibility criteria as stipulated under Annexure-A will not be considered for technical evaluation. A Bidder not eligible under Technical Bid will not be considered for opening of Commercial Bid.

However each Recipient acknowledges and accepts that the Bank may, in its sole and absolute discretion, apply whatever criteria it deems appropriate in the selection of organizations, not limited to those selection criteria set out in this RFP document.

The issuance of RFP document is merely an invitation to offer and must not be construed as any agreement or contract or arrangement nor would it be construed as material for any investigation or review to be carried out by a Recipient. The Recipient unconditionally acknowledges by submitting its response to this RFP document that it has not relied on any idea, information, statement, representation, or warranty given in this RFP document.

For meeting the requirements of eligibility criteria, 15.06.2019 would be considered as the date on which the Bidder should be eligible. For Technical Evaluation criteria the date on the basis of which marks would be given would be 15.06.2019.

1.11 ERRORS AND OMISSIONS

Each Recipient should notify the Bank of any error, fault, omission, or discrepancy found in this RFP document up to 16:00 hrs IST 8th July 2019 as per the enclosed Annexure ‘L’.


1.12 ACCEPTANCE OF TERMS

The Recipient will, by responding to the Bank’s RFP document, be deemed to have accepted the terms as stated in this RFP document.

1.13 RFP RESPONSE TERMS

1.13.1 Application Money & Earnest Money

The Bidder will be required to submit non-refundable Application Money of Rs. 5,000/- (Rupees Five Thousand) by way of Banker’s Cheque/Demand Draft/Pay Order favoring Bank of Baroda, payable in Mumbai. It must be submitted separately along with the RFP response.

Earnest Money Deposit of Rs 1,00,000/- (Rupees One Lakh only) has to be submitted by way of Demand Draft / Banker's Cheque / Pay Order / Bank Guarantee drawn in favor of “Bank of Baroda” payable in Mumbai. Earnest Money Deposit will not carry any interest. The Earnest Money Deposit of unsuccessful Bidders will be refunded while intimating the rejection of the bid. The Earnest Money Deposit of the successful Bidder will be adjusted towards security deposit.

Application Money and Earnest Money Deposit should be delivered separately along with the sealed envelopes containing RFP responses and the Application Money and Earnest Money documents should not be put inside the sealed envelope containing RFP Response documents.

MSEs (Micro and Small Enterprises) are exempted from paying the Application Money and Earnest Money Deposit amount, for which the concerned enterprise needs to provide necessary documentary evidence. For MSEs, Government of India provisions shall be considered while evaluating the tender.

RFP document should be downloaded from the Tenders Section of the Bank’s website, http://www.bankofbaroda.com.

The Earnest Money Deposit will be forfeited if:

The Bidder withdraws his tender before processing of the same.

The Bidder withdraws his tender after processing but before acceptance of “Work Order” to be issued by the Bank, in case the Bidder is selected by the Bank.

The selected Bidder withdraws his tender before furnishing Bank Guarantee/Security Deposit as required under this RFP.


The Bidder violates any of the provisions of the terms and conditions of this RFP specification.

The selected Bidder fails to enter into the contract agreement with the Bank within 15 days of issuing the Work Order.

1.13.2 RFP Closing Date

RFP Response should be submitted to the officials indicated below not later than 14:30 hrs IST (Indian Standard Time) on 22nd July 2019.

1.13.3 Format of Bids

The Bidders should use the formats prescribed by the Bank in the RFP for submitting both technical and commercial bids. Any deviation in this regard makes the Bidder liable for disqualification.

1.13.4 Submission of Bid

Two (2) sets of Technical and two (2) sets of Commercial Bids in separate sealed envelopes (total four (4) sealed envelopes: two sealed envelopes for the technical bid and two sealed envelopes for the commercial bid) should be submitted. In addition, the Application Money and Earnest Money Demand Drafts / Pay Orders, which should be in a separate unsealed envelope, should be submitted before the RFP closing date and time. The sealed envelopes containing the technical proposal should be superscribed as “TECHNICAL PROPOSAL for Supply, Installation and Maintenance of File Integrity Monitoring Solution” and the sealed envelopes containing the commercial proposal should be superscribed as “COMMERCIAL PROPOSAL for Supply, Installation and Maintenance of File Integrity Monitoring Solution”. The e-mail address and phone numbers of the Bidder should also be indicated on the sealed envelopes.

The soft copy of the technical proposal in MS-Word / Excel format should also be submitted in a CD along with hard copy of the technical proposal. It should be noted that in case of any discrepancy observed in information submitted by the Bidder in hard-copy and soft-copy, the hard-copy will be given precedence. However, in case of non-submission of any hard copy document, if the same is found submitted in the soft-copy and vice-versa, Bank reserves right to accept the same at its discretion.

The Bidder shall submit the proposals properly filed so that the papers are not loose. The Bidder shall submit the proposal in suitable file such that the papers do not bulge out and tear during scrutiny. All the pages of the proposal including documentary proofs should be numbered as “Page ____ (current page) of _____ (Total pages)” and be signed by authorized signatory. The current page number should be a unique running serial number across the entire proposal.

List of Contents for Technical Bid:

The Technical Proposal should be as per the requirement of the Bank in prescribed formats as follows:

a. Index of contents submitted.

b. Compliance Certificate as per Annexure-C.

c. Technical Bid Format as per Annexure-D

d. FIM Solution Specifications Compliance as per Annexure-E

e. Experience Details as per Annexure-F

f. Proposed Team Profile as per Annexure-G

g. Estimated Effort and Elapsed time as per Annexure-H

h. OEM Details as per Annexure-I

i. Manufacturer Authorization Form as per Annexure-J

j. OEM Sizing confirmation as per Annexure-K

k. Comments on Terms and Conditions & Services/ Pre Bid Query format as per Annexure-L

l. Masked Copy of Commercial Bid as per Annexure-M (i.e. a copy of the Commercial Bid without price figures)

m. Bill of Material as per Annexure-N

n. FIM Solution detailed technical specification/Whitepaper

o. Proposed deployment methodology and upgrade plan based on increase in number of servers and storage requirements

p. All the copies of certificates, documentary proofs, work orders, brochures etc should be clearly marked.

q. A CD containing soft copy of the technical proposal.

List of Contents for Commercial Bid

a. Commercial Bid as per Annexure-M.

RFP Response should be addressed to:

The Chief Information Security Officer 2nd Floor, Information Security Department Bank of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), Mumbai 400 051.


RFP Response/Bids in the sealed envelopes as detailed above must be hand delivered to the Bank at the following address :

Ms. Varshini Gajraj(Manager) or Mr. Punit Kumar (Chief Manager-IT Security), Information Security Dept, Bank of Baroda, 2nd Floor, Baroda Corporate Centre, C-26, G Block, Bandra Kurla Complex, Mumbai-400051.

Submission of bids by any mode other than hand delivery to the officials mentioned above is not allowed and will be considered invalid.

Bids submitted not as per the process and terms specified above will be rejected.

1.13.5 Registration of RFP

Registration of RFP response will be effected by the Bank by making an entry in a separate register kept for the purpose, upon receiving the RFP response in the above manner as detailed in this RFP. The RFP response must contain all documents, information, and details required by this RFP. If the submission to this RFP does not include all the documents and information required or is incomplete or submission is through Fax mode or e-mail or any mode other than hand delivery, the RFP is liable to be summarily rejected.

All submissions, including any accompanying documents, will become the property of Bank. The Recipient shall be deemed to have licensed, and granted all rights to the Bank to reproduce the whole or any portion of their submission for the purpose of evaluation, to disclose the contents of the submission to other Recipients who have registered a submission and to disclose and/or use the contents of the submission as the basis for any resulting RFP process, notwithstanding any copyright or other intellectual property right of the Recipient in the submission or accompanying documents.

1.13.6 Late RFP Policy

RFPs lodged after the deadline for lodgment of RFPs may be registered by the Bank and may be considered and evaluated by the evaluation team at the absolute discretion of the Bank. Respondents are to provide detailed evidence to substantiate the reasons for a late RFP submission. It should be clearly noted that Bank has no obligation to accept or act on any reason for a late submitted response to RFP.


1.13.7 RFP Validity Period

RFP responses will remain valid and open for evaluation according to their terms for a period of at least six (6) months from the RFP closing date.

1.13.8 Requests for Information

All queries relating to the RFP, technical or otherwise, must be either in writing or by email only and will be entertained by the Bank only in respect of the queries received up to 16:00 hrs IST 08th July 2019. All queries should be addressed to the nominated point of contact as mentioned below.

Chief Information Security Officer (CISO) Bank of Baroda, 2nd Floor, Baroda Corporate Centre,

C26, G Block, Bandra Kurla Complex, Mumbai, 400 051 Tel No: 022-66985238/ 66985227 E-mail ID: [email protected]

The Bank will try to reply, without any obligation in respect thereof, to every reasonable query raised by the Recipients in the manner specified.

However, the Bank will not answer any communication initiated by Respondents later than the date of pre bid meeting. Bank may in its absolute discretion seek, but being under no obligation to seek, additional information or material from any Respondent after the RFP closes and all such information and material provided will be taken to form part of that Respondent’s response.

Respondents should invariably provide details of their email address as responses to queries will only be provided to the Respondent via email.

If Bank in its sole and absolute discretion deems that the originator of the query will gain an advantage by a response to a question, then Bank reserves the right to communicate such response to all Respondents.

Bank may in its sole and absolute discretion engage in discussion or negotiation with any Respondent (or simultaneously with more than one Respondents) after the RFP closes to improve or clarify any response.

1.13.9 Charges Terms and Taxes

By submitting the bid, the Bidder will be deemed to have accepted all the terms and conditions mentioned in the RFP document and the rates quoted by the Bidder will be adequate to complete such work according to the specifications and conditions attached thereto and the Bidder has taken into account all conditions and difficulties that may be encountered during the period of assignment and to have quoted all the commercial rates, which shall include agreed price/ contract amount royalties, transportation, delivery, installation and all other facilities and services necessary for proper completion of the assignment, all taxes inter-alia custom duty, excise duty, VAT, octroi etc except such as may be otherwise provided in the contract document for completion of the assignment.

The TDS amount on prevailing rate and work contract tax etc. shall be deducted from selected Bidder’s running account/final bills. Necessary certificates shall be issued to the selected Bidder by the Bank.

1.14 NOTIFICATIONS

Bank will notify the Respondents in writing as soon as practicable, about the outcome of the RFP evaluation process, including whether the Respondent’s RFP response has been accepted or rejected. Bank is not obliged to provide any reasons for any such acceptance or rejection.

1.15 DISQUALIFICATION

Any form of canvassing/lobbying/influence/query regarding short listing, status etc will result in disqualification.

1.16 ERASINGS OR ALTERATIONS

The offers containing overwriting, erasing or alterations may not be considered. There should be no hand written material corrections or alterations in the offer. Technical details must be completely filled up. Correct technical information of the services being offered must be filled in. Filling up of the information using terms such as OK, ACCEPTED, NOTED, AS GIVEN IN BROCHURE/MANUAL or any Special Characters such as -, “, @, _,# is not acceptable. The Bank may treat offers not adhering to these guidelines as unacceptable.

1.17 RIGHT TO REJECT BIDS

Bank reserves the absolute and unconditional right to reject the response to this RFP if it is not in accordance with its requirements and no further correspondence will be entertained by the Bank in the matter. The bid is liable to be rejected if

It is not in conformity with any of the instructions, terms and conditions mentioned in this RFP document.

It is not accompanied by the requisite Application Money and EMD.

It is not properly/duly signed.

It is received through any mode other than hand delivery to the designated officials

It is received after expiry of the due date and time.

It is incomplete including non-furnishing the required documents.

It is evasive or contains incorrect information.

There is canvassing of any kind.

It is submitted anywhere other than the place mentioned under clause 1.13.4.

1.18 PROCESS & TIMEFRAME

Selection of a successful Bidder will involve a five (5) stage approach.

The following is an indicative timeframe for the technical bids opening. Bank reserves the right to vary this timeframe at its absolute and sole discretion should the need arise. Changes to the timeframe will be relayed to the affected Respondents during the process.

| Sr. No. | Particulars | Dates and Timelines |
|---|---|---|
| 1 | Issuance of RFP document by the Bank | 00:00 hours on 27th June 2019 |
| 2 | Last date of submission of any queries and Last date for reporting any error, omissions or faults in the RFP document | 16:00 hours on 08th July 2019 |
| 3 | Pre-bid Meeting date/venue | 14:00 hours on 11th July 2019. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051 |
| 4 | Last Date of submission of RFP response | 14:30 hours on 22nd July 2019 |
| 5 | Technical bid opening date / time / venue | 15:00 hours 22nd July 2019. Bank Of Baroda, Baroda Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Mumbai – 400 051 |

All times shown above are Indian Standard Time

[Figure: five-stage selection process (Stage 1 to Stage 5): Issue of RFP, Pre-bid Meeting, Receipt of RFP Bids, Evaluation of Bids, Award of Contract]

The dates mentioned above are tentative dates and the Bidder acknowledges that it cannot hold the Bank responsible for breach of any of the dates.

Note: Bidders can depute their representative (only one) to attend the Technical bid opening process. No separate intimation will be given in this regard to the Bidders for deputing their representatives for technical bid opening.

1.19 OTHER TERMS AND CONDITIONS

The Bank reserves the right to:

Reject any and all responses received in response to the RFP, with or without assigning any reasons whatsoever.

Waive or change any formalities, irregularities, or inconsistencies in proposal format delivery.

Negotiate any aspect of proposal with any Bidder and negotiate with more than one Bidder at a time.

Extend the time for submission of all proposals.

Select the most responsive Bidders (in case no Bidder satisfies the eligibility criteria in totality).

Select the next most responsive Bidder if negotiations with the Bidder of choice fail to result in an agreement within a specified time frame.

Share the information/ clarifications provided in response to RFP by any Bidder, with any other Bidder(s) /others, in any form.

Cancel the RFP/Tender at any stage, without assigning any reason whatsoever.

SECTION – II

2.1 BANK OF BARODA-INTRODUCTION

Bank is one of the largest Public Sector Banks in India with global presence.

Bank has expanded the installation of ATMs and issuance of Debit Cards in India and overseas territories. Bank has a captive Security Operations Centre which is equipped with the latest Log Monitoring and various other security tools. The SOC operates on a 24X7 basis.

Bank has initiated process for Payment Card Industry-Data Security Standard Compliance for its Card data environment.

2.2 PROJECT OBJECTIVE

In view of the growing use of IT and to mitigate the evolving threat environment, Bank’s threat perception is also heightened. As a measure to further strengthen Information Security, it has been decided to implement a File Integrity Monitoring (FIM) Solution. FIM will be integrated with Bank’s SIEM tool.

The Bank invites proposals from OSDs or their Authorized Channel partners for supply, installation and maintenance of FIM.

Implementation of FIM should conform to Industry best practices such as PCI-DSS Standard, ISO27001 standards, Regulatory guidelines and Bank’s Information Security policy.

The selected Bidder will ensure knowledge transfer to the Bank at every stage of the project to enable the Bank to carry out the work as specified in this RFP in future after completion of this assignment.

2.3 PROJECT SCOPE

Selected Bidder should perform a detailed study of the Bank’s IT Infrastructure and suggest a suitable FIM solution to the Bank and integrate the same with SIEM tool and other Security tools implemented in the Bank.

Selected Bidder to supply, install and maintain File Integrity Monitoring Solution. Following is broad scope of work :

2.3.1 Proposed methodology for FIM Implementation

Based on the study of the Bank’s Card data Infrastructure and other critical systems, regulatory requirement etc, selected Bidder will suggest the detailed FIM implementation methodology acceptable to the Bank with timelines as per the RFP terms and conditions. Implementation of FIM has to be as per International best practices such as PCI-DSS Guidelines.

2.3.2 FIM Solution supply

Selected Bidder will provide end to end Software solution to the Bank which will include all the supplies, installation and integration of the FIM tools with the existing infrastructure. Selected bidder shall suggest Hardware configuration requirement, Operating system, Database for installing and implementing FIM tool.

Bank will provide requisite server hardware, Operating system, Database, network connectivity, power in the server room.

All the software tools supplied as part of this RFP should be supplied with Enterprise wide License. Bank will have the right to use the tools for the functions provided by the tools in any manner and for any number of branches, offices, subsidiary units, joint ventures, irrespective of the number of users, geographical location of the devices being monitored. Bank will also have a right to relocate any one or all the tools to different locations.

2.3.3 Event Monitoring and Incident generation

The FIM solution shall

1. Track file, directory and registry access, movement and shares in real time.

2. Provide information such as the chain of events that caused the change, who made the change and when the change was made, etc.

3. Identify unwarranted file changes.

4. Use a wide variety of cryptographic generation algorithms so as to detect evasion through signature weaknesses. The FIM shall be capable of identifying groupings of servers based on service and applying the same policy to them. These servers may have different OS and different applications running on them.

2.3.4 Integration with SIEM tool and other Security tools

Selected Bidder will integrate FIM with QRADAR SIEM tool and also with other security tools, if decided by the Bank.

2.3.5 Alternative approach

Selected Bidder shall suggest an alternative approach in case there are challenges observed in implementation of FIM solution through a particular methodology.

2.3.6 Annual Maintenance/Annual Recurring License

After the expiry of Warranty Period, Selected Bidder shall undertake comprehensive Annual maintenance Contract.

2.3.7 Alert Generation

Solution should be configured as per threat perception of the system under monitoring. System should generate alerts, register and send the same through message formats like SMTP, SMS, Syslog, SNMP as per user configurable parameters to SIEM tool.
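
As an added illustration of requirements 2.3.3 (item 4) and 2.3.7, and not part of the RFP or of any vendor's product, the following Python example baselines a directory with several digest algorithms, reports a change when any one digest differs, and formats each event as an RFC 5424 syslog line for a SIEM collector. The algorithm set, the host and application names, the sample files and the structured-data ID (documentation enterprise number 32473) are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumed algorithm set for illustration; the RFP does not name specific algorithms.
ALGORITHMS = ("sha256", "sha3_256", "blake2b")


def digest_file(path, algorithms=ALGORITHMS, chunk_size=65536):
    """Hash one file with every algorithm in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def snapshot(root):
    """Map each file under root (by relative path) to its size and digests."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = {"size": os.path.getsize(full), "digests": digest_file(full)}
    return state


def compare(baseline, current):
    """Return change events; a file is 'modified' if ANY digest differs."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append({"path": path, "change": "added", "algorithms": ""})
        elif new is None:
            events.append({"path": path, "change": "deleted", "algorithms": ""})
        else:
            differing = sorted(a for a in old["digests"]
                               if old["digests"][a] != new["digests"].get(a))
            if differing:
                events.append({"path": path, "change": "modified",
                               "algorithms": ",".join(differing)})
    return events


def sd_escape(value):
    """Escape the three characters RFC 5424 requires inside SD-PARAM values."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, host="fim-agent-01", app="fim-example"):
    """Format an event as an RFC 5424 line. host/app are placeholder names."""
    pri = 13 * 8 + 4  # facility 13 (log audit), severity 4 (warning) -> 108
    timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # 32473 is the enterprise number reserved for documentation examples.
    sd = '[fim@32473 path="{}" change="{}" algorithms="{}"]'.format(
        sd_escape(event["path"]), event["change"], sd_escape(event["algorithms"]))
    return "<{}>1 {} {} {} - FIM {} file integrity change: {}".format(
        pri, timestamp, host, app, sd, event["change"])


def run_demo():
    """Baseline a constructed directory, change it, return (events, syslog lines)."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"app.conf": b"mode=prod\n", "bin/tool.sh": b"#!/bin/sh\necho ok\n",
                  "old.log": b"rotated\n"}  # constructed sample files
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        with open(os.path.join(root, "app.conf"), "wb") as fh:
            fh.write(b"mode=test\n")  # same size, different content
        os.remove(os.path.join(root, "old.log"))
        with open(os.path.join(root, "new.dll"), "wb") as fh:
            fh.write(b"\x00constructed\x00")
        current = snapshot(root)

        # Simulate a collision in ONE algorithm: pretend the altered file still
        # yields the baseline SHA-256. The other digests still expose the change.
        current["app.conf"]["digests"]["sha256"] = baseline["app.conf"]["digests"]["sha256"]

        events = compare(baseline, current)
        return events, [to_syslog(e) for e in events]


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The simulated SHA-256 match on `app.conf` shows why a single digest is not relied on: the file is still reported as modified because the SHA3-256 and BLAKE2b values differ.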

2.3.8 Event Viewer/Dashboard/Reports/Incident Management

FIM Solution should provide web based and/or thick client based facility to view security events and File integrity posture of the Bank’s in-scope environment. Solution should have drill down capability to view deep inside the alert and analyze the attack pattern. Dash board should have filtering capability to view events based on various criteria like location, Device type, attack type etc. Dashboard should have Role based as well as Discretionary access control facility to restrict access to incidents based on user security clearance level. Solution should provide various reports based on user configurable parameters and standard compliance reports like PCI-DSS, ISO27001, SOX, IT Act and regulatory reports.

Selected vendor will customize incident management/dashboard/reports for the Bank.

2.3.9 Integration with in-scope monitored devices

Configuration of the monitored devices will be out of scope of the vendor. However vendor will have to suggest the detailed commands/guidelines for integration of the in-scope monitored systems and provide onsite assistance while installing the agent in monitored devices. Selected Bidder shall also be responsible to integrate FIM solution with QRADAR SIEM tool, Ticket Management tool or any other monitoring tool.

2.3.10 Development of Connectors for customized applications/ devices.

FIM Solution should support multiple Operating system platforms, multiple file types for integrity monitoring. In case of any non supportive platform/file type, selected Bidder shall develop the customized agents for integration of such Operating system/file types.

2.3.11 Proof of concept testing of FIM Solution

Bank may at its discretion ask the Bidders to demonstrate (POC) the proposed solution to the Bank.

Bank would like the selected Bidder to perform a proof of concept testing in the Bank’s environment with DC/DR cutover and meeting the Recovery Point (RPO) and Recovery time objective (RTO) of the proposed solution and demonstrate its integration with the SIEM solution.

2.3.12 Training to identified users.

Vendor will provide the detailed Administrator level advanced training/certified training and normal user level trainings to the selected participants of the Bank.

The training will be arranged by the vendor/OEM in their premises at the cost of the vendor. All expenses related to training shall be borne by the selected vendor except lodging, boarding and travelling expenses of the Bank staff within India.

In addition, an overview of the solution to be deployed should be given to the Bank staff at the Bank’s premises in Mumbai, Hyderabad/Bengaluru.

The trainings should include the architecture, hardware, software, integration, customization, policy installation, trouble shooting, reporting and other aspects of the system. Vendor will ensure knowledge transfer and will involve the Bank officials during implementation of the FIM components and day to day FIM operations. Vendor shall provide comprehensive training manual, lecture notes, handouts and other training documentation during trainings. The persons in the above trainings may be different.

2.4 DELIVERABLES

To meet project scope requirement, selected Bidder shall supply all the necessary software components including but not limited to the following:

i. Supply FIM Solution and install all the software and peripheral components and supporting systems, if any.

ii. Define security baseline and Configure FIM solution as per the defined baseline.

iii. Integrate FIM with SIEM Solution.

iv. Provide user level and administrator level training to Bank staff.

v. Provide all training materials in soft copy/hardcopy format.

2.5 SERVICE LEVEL AGREEMENT

Solution Uptime

| S.No. | Service Level: Solution Uptime % calculated on monthly basis | Penalty as XX% of all inclusive monthly charges calculated based on FIM running expenditure |
|---|---|---|
| 1.a | 99.5% and above | NA |
| 1.b | 98% to 99.5% | 5% |
| 1.c | 95% to 97.99% | 8% |
| 1.d | 90% to 94.99% | 15% |
| 1.e | 80% to 89.99% | 30% |
| 1.f | 70% to 79.99% | 50% |
| 1.g | Less than 70% | 100% |

Solution uptime is to be maintained on standalone basis without any consideration of devices in HA mode. If a function is down at the site, the same should be shifted to DR site within the SLA parameters.

FIM running expenditure will include all the AMC/Annual License fees etc.

2.6 DEPLOYMENT ARCHITECTURE

Software based solution should be deployed at DC and DR sites of the Bank located at Hyderabad/ Mumbai/ Bengaluru. Solution should be deployed without HA mode.

In case a device goes down at DC, the function being performed by the device should be taken over by a corresponding device at DR site and vice versa.

2.7 PROJECT TIMELINES

2.7.1 Delivery of all Hardware and Software Components

All the software components must be delivered within -4- weeks of issue of the confirmed purchase order to the successful Bidder.

2.7.2 Implementation

Implementation of FIM, configuration and its integration with SIEM should be completed within -6- weeks of issuance of purchase order.

Device integration shall be carried out in phased manner and all devices shall have to be integrated within 10 weeks of issuance of purchase order.

Phase I: Phase 1 will include the servers, desktop systems, network devices as per the immediate prevailing requirement of the Bank.

Phase II: Rest of the devices which are left out in phase I, shall be covered under Phase II.

2.7.3 Training

All trainings have to be provided within -3- months of issuance of purchase order.

2.8 DETAILS OF INFRASTRUCTURE AT BANK’S DC/DR

Bank’s Data Centre

Bank has state of the art Data Centre/DR sites at Mumbai, Hyderabad and Bengaluru as per tier 3 standard. DC/DR sites are connected to all the Branches in India, overseas territories, Bank’s subsidiaries and business partners like NFS, Visa Card, Master card, SWIFT, NSE and BSE etc. DC Operation is jointly managed by HP/DXC and the Bank’s team. Bank has implemented various applications at DC and DR in the centralized environment. Irrespective of the present status of applications, systems, processes, interfaces, hardware, networking equipment, security devices etc. implemented at DC/DR site, all future changes including new initiatives will be covered as part of the scope of work during the term of the engagement. Bank has also implemented a Near Site in Mumbai. Bank’s DC and DR sites are ISO27001:2013 certified.

Network Architecture

Bank has implemented its DC/DR in Mumbai, Hyderabad and Bengaluru with Link level and device level redundancies. Bank’s DC and DR sites are connected to various branches through MPLS link, ISDN links, VSAT. Bank’s onsite ATMs are part of the branch network. Offsite ATMs and select remote branches are connected through VSATs. Bank’s overseas branches/territories networks are managed by network service providers of international repute.

Details of Information Security Policies

Bank has following Board approved policies:

Information Security Policy

Cyber Security Policy

Business Continuity Plan

Purging and Archival policy

Data Privacy & Protection Policy

To complement Information Security Policy, Bank has 22 Standard and Guideline documents covering various aspects of Information Security. In addition, Bank has ISMS framework documents as per ISO27001 standard.

SECTION – III

3.1 GENERAL TERMS AND CONDITIONS

3.1.1 Term of Assignment

The selected Bidder under this RFP will be appointed for a period of -5- years.

3.1.2 Adherence to Terms and Conditions

The Bidders who wish to submit responses to this RFP should note that they should abide by all the terms and conditions contained in the RFP. Any clarification to pre bid response would also form part of the RFP. If the responses contain any extraneous conditions put in by the Respondents, such responses may be disqualified and may not be considered for the selection process.

3.1.3 Execution of Agreement/NDA

The selected Bidder should execute a Non Disclosure and Service Level Agreement with the Bank which will remain valid for 66 months. The Service Level Agreement would include all the terms and conditions of the services to be extended as detailed herein and as may be prescribed or recommended by the Bank which will include a Non-disclosure Agreement clause. The selected Bidder should execute the Service Level Agreement with ND clause within -2- weeks from the date of acceptance of Work Order.

3.1.4 Issuance of purchase order

Bank will have the discretion to procure/avail of any one or more of the product/services or part thereof from the successful Bidder, any time during the tenure of the contract as per the contracted rates and terms and conditions. Bank may also defer the deployment of any product and services. Bank can at its discretion stop and restart any of the services at any time depending upon its need.

The quantities mentioned in the price Bid are only indicative. Bank also has a right to increase and decrease the quantity.

All the rates quoted by the successful Bidder will remain valid during the period of the contract.

3.1.5 Annual Maintenance Contract(AMC)/Annual Recurring License(ARL)

During the tenure of the contract, all the software patches and software components have to be replaced or upgraded at no extra cost to the Bank. AMC/ARL shall include supply, consultancy, manpower and updation/upgrade of all past released/future versions of the software and migration from old to new version without any extra cost to the Bank. Any failure in any part of the systems supplied has to be replaced or upgraded at no extra cost while maintaining the service levels (SLA) as mentioned in the relevant clause. OSD/OEM shall not supply any product/software which is under sunset from future development point of view. No product, nearing End of support, and/or nearing End of Life, solution shall be provided to the Bank.

3.1.6 Problem Resolution

All the problems should be resolved within SLA time to the satisfaction of the Bank. In case of the repeated problem, delay in resolving problem or if the vendor is not able to resolve a problem to the satisfaction of the Bank, the Bank has a right to call for the expert from the OEM vendor. Cost of such visit by OEM vendor expert will have to be borne by the vendor during the tenure of the contract.

3.1.7 Project Team Members

The key persons identified by the Selected Bidder for implementation should possess the following qualification/experience.

Should have in-depth knowledge of IT processes with a minimum of three years work experience in Information Security.

Should preferably have knowledge of PCI-DSS, legal and Regulatory requirements towards analyzing and handling security incidents.

Should preferably be a certified professional for tools to be implemented.

Should have experience of implementing such tools.

3.1.8 Substitution Of Project Team Members

During the assignment, the substitution of key staff identified for the assignment will not be allowed by the Bank unless such substitution becomes unavoidable to overcome the undue delay or that such changes are critical to meet the obligation. In such circumstances, the selected Bidder, as the case may be, can do so only with the prior written concurrence of the Bank and by providing the replacement staff of the same level of qualifications and competence. If the Bank is not satisfied with the substitution, the Bank reserves the right to terminate the contract and recover whatever payments (including past payments and payment made in advance) made by the Bank to the selected Bidder during the course of the assignment pursuant to this RFP. However, the Bank reserves the unconditional right to insist to the selected Bidder to replace any team member with another (with the qualifications and competence as required by the Bank) during the course of assignment pursuant to this RFP.

3.1.9 Professionalism

The selected Bidder should provide professional, objective and impartial advice at all times and hold the Bank’s interest paramount and should observe the highest standard of ethics, values, code of conduct, honesty and integrity while executing the assignment.

3.1.10 Adherence To Standards

The selected Bidder should use industry standards and best practices and also Bank’s Information Security Policy while supplying products and services under the scope of work of this RFP document.

Implementation and integration of the solution should be as per industry best practices such as latest PCI-DSS standard, NIST framework, ISO27001 standard, RBI regulatory guidelines etc.

The selected Bidder should adhere to all the applicable laws of land and rules, regulations and guidelines prescribed by various regulatory, statutory and Government authorities.

The Bank reserves the right to conduct an audit/ongoing audit of the consulting services provided by the selected Bidder.

The Bank reserves the right to ascertain information from the other Banks and institutions to which the Bidders have rendered their services for execution of similar projects.

3.1.11 Expenses

It may be noted that Bank will not pay any amount/expenses / charges / fees / traveling expenses / boarding expenses / lodging expenses / conveyance expenses / out of pocket expenses other than the “Agreed Price”.

3.1.12 Payment Terms

Bank will release the payment within 3 to 4 weeks of receiving the undisputed invoice, after deduction of any charges such as penalties etc applicable taxes at source of the agreed price to the selected Bidder. No advance payments will be made. Further, it may be noted that the mentioned criteria is only for the purpose of effecting agreed price payment. The selected Bidder shall cover the entire scope including deliverables mentioned in Section II.

| S.NO. | Description | Payment Terms |
|---|---|---|
| 1 | FIM Solution supply and Installation. | 40% of cost and 100% taxes amount shall be paid against delivery, installation and its integration with SIEM tool and basic User acceptance testing. 30% after completion of Phase I. Balance 30% after completion of Phase II. |
| 2 | FIM Solution Implementation charges | 50% of cost along with applicable taxes after completion of Phase I. Balance 50% of cost along with applicable taxes after completion of Phase II. |
| 3 | AMC/ARLF/Yearly subscription of updates for Security devices | Half yearly basis after expiry of the period. |
| 4 | Training | 100% after completion of the deliverables |

All payments will be made on successful completion of the job to the satisfaction of the Bank and achievement of the objective as defined in the scope of work after deducting any penalty which may be chargeable irrespective of the invoice being paid.

3.1.13 Contract Performance Guarantee

The selected Bidder has to provide an unconditional and irrevocable performance guarantee for 5% of the contract value from a Public Sector Bank (other than Bank of Baroda) towards due performance of the contract in accordance with the specifications, terms and conditions of this RFP document, within 15 days from the date of work order. The Performance Guarantee shall be for 66 months (60 months contract period plus 3 months delivery and installation of FIM plus -3- months additional claim period) kept valid for the entire period of assignment and to be released at the end of the period of assignment.

3.1.14 Security Deposit

The selected Bidder has to deposit with the Bank an amount equivalent to 05(Five) % of the contract value towards security deposit for the entire period of assignment, within 15 days from the date of work order. Interest on the Security Deposit will be paid as per the applicable fixed deposit rate.

3.1.15 Single Point Of Contact

The selected Bidder has to provide details of single point of contact viz. name, designation, address, e-mail address, telephone/mobile no., fax no. etc.

3.1.16 Applicable Law And Jurisdiction Of Court

The Contract with the selected Bidder shall be governed in accordance with the laws of India for the time being in force and will be subject to the exclusive jurisdiction of courts at Mumbai.

3.1.17 Liquidated Damages (LD)

The Bank will consider the inability of the Selected Bidder to deliver or install the equipment within the specified time limit, as a breach of contract and would entail the payment of Liquidated Damages on the part of the vendor. The liquidated damages represent an estimate of the loss or damage that the Bank may have suffered due to delay in performance of the obligations (relating to delivery, installation, Operationalization, implementation, training, acceptance, warranty, maintenance etc. of the Security Operations Center) by the Vendor. Installation will be treated as incomplete in one/all of the following situations:

i. Non-delivery of any component or other services mentioned in the order

ii. Non-delivery of supporting documentation

iii. Delivery/Availability, but no installation of the components and/or software

iv. No Integration

v. System operational, but unsatisfactory to the Bank


If the selected Bidder fails to deliver any or all of the Goods or perform the Services within the time period(s) specified in the Contract, the Bank shall, without prejudice to its other remedies under the Contract, deduct from the Contract Price, as liquidated damages, a sum equivalent to 0.50% of the complete contract amount until actual delivery or performance, per week or part thereof (3 days will be treated as a week); and the maximum deduction is 10% of the contract price. Once the maximum is reached, the Bank may consider termination of the contract.

LD is not applicable for delay due to reasons attributable to the Bank and Force Majeure. However, it is the responsibility of the SSI to prove that the delay is attributed to the Bank or Force Majeure. The selected Bidder shall submit the proof authenticated by the SSI and Bank’s official that the delay is attributed to the Bank or Force Majeure along with the bills requesting payment.

If the delay is attributable to the Bank, or Force Majeure, or any other circumstances beyond the control of the Selected Bidder, then the Bank will continue with the contract without claiming any Liquidated Damage. Bank reserves the right to adjust the penalty and Liquidated Damages if any against the Security Deposit.

3.1.18 Force Majeure

Any failure or delay by selected Bidder or Bank in the performance of its obligations, to the extent due to any failure or delay caused by fire, flood, earthquake or similar elements of nature, or acts of God, war, terrorism, riots, civil disorders, rebellions or revolutions, acts of governmental authorities or other events beyond the reasonable control of non-performing party, is not a default or a ground for termination. The affected party shall notify the other party of the occurrence of a Force Majeure Event forthwith.

3.1.19 Authorized Signatory

The selected Bidder shall indicate the authorized signatories who can discuss and correspond with the Bank, with regard to the obligations under the contract. The selected Bidder shall submit at the time of signing the contract, a certified copy of the resolution of their Board, authenticated by Company Secretary/Director, authorizing an official or officials of the company or a Power of Attorney to discuss, sign agreements/contracts with the Bank. The selected Bidder shall furnish proof of identification for above purposes as required by the Bank.


3.1.20 Indemnity

The selected Bidder shall indemnify Bank and keep the Bank indemnified for any loss or damage, cost or consequences that Bank may sustain, suffer or incur on account of violation of intellectual property rights of third party by the selected Bidder. The selected Bidder shall always remain liable to the Bank for any Losses suffered by the Bank due to any technical error or negligence or fault on the part of the selected Bidder, and the selected Bidder also shall indemnify the Bank for the same.

3.1.21 Non Payment Of agreed price

If any of the items/activities as mentioned in the price bid and as mentioned in Annexure-M are not taken up by the Bank during the course of this assignment, the Bank will not pay the contracted agreed price quoted/agreed by the selected Bidder in the price bid against such activity/item.

3.1.22 Assignment

Neither the contract nor any rights granted under the contract may be sold, leased, assigned, or otherwise transferred, in whole or in part, by the selected Bidder without advance written consent of the Bank and any such sale, lease, assignment or transfer otherwise made by the selected Bidder shall be void and of no effect.

3.1.23 Non – Solicitation

The selected Bidder, during the term of the contract and for a period of two years thereafter shall not without the express written consent of the Bank, directly or indirectly: a) recruit, hire, appoint or engage or attempt to recruit, hire, appoint or engage or discuss employment with or otherwise utilize the services of any person who has been an employee or associate or engaged in any capacity, by the Bank in rendering services in relation to the contract; or b) induce any person who shall have been an employee or associate of the Bank at any time to terminate his/ her relationship with the Bank.

3.1.24 No Employer-Employee Relationship

The selected Bidder or any of its holding/subsidiary/joint-venture/ affiliate / group / client companies or any of their employees / officers / staff / personnel / representatives/agents shall not, under any circumstances, be deemed to have any employer-employee relationship with the Bank or any of its employees/officers/ staff/representatives/ personnel/agents.


3.1.25 Vicarious Liability

The selected Bidder shall be the principal employer of the employees, agents, contractors, subcontractors etc., engaged by the selected Bidder and shall be vicariously liable for all the acts, deeds, matters or things, of such persons whether the same is within the scope of power or outside the scope of power, vested under the contract. No right of any employment in the Bank shall accrue or arise, by virtue of engagement of employees, agents, contractors, subcontractors etc., by the selected Bidder, for any assignment under the contract. All remuneration, claims, wages dues etc., of such employees, agents, contractors, subcontractors etc., of the selected Bidder shall be paid by the selected Bidder alone and the Bank shall not have any direct or indirect liability or obligation, to pay any charges, claims or wages of any of the selected Bidder’s employees, agents, contractors, subcontractors etc. The selected Bidder shall agree to hold the Bank, its successors, assigns and administrators fully indemnified, and harmless against loss or liability, claims, actions or proceedings, if any, whatsoever nature that may arise or caused to the Bank through the action of selected Bidder’s employees, agents, contractors, subcontractors etc.

3.1.26 Subcontracting

The selected Bidder shall not subcontract or permit anyone other than its personnel or the OEM supplier to perform any of the work, service or other performance required of the vendor under the contract without the prior written consent of the Bank.

3.1.27 Warranty and Product Support

All the software products/licenses supplied should carry a minimum warranty of -1- year from the date of operationalization of the system to the satisfaction of the Bank (ie. completion of phase I). All the support has to be provided on site. Remote access to the systems supplied will not be permitted. Date of start of warranty/Annual Maintenance/software license support of all the items supplied will be treated as started from the completion of phase I of the project.

3.1.28 Cancellation Of Contract And Compensation

The Bank reserves the right to cancel the contract of the selected Bidder and recover expenditure incurred by the Bank in any of the following circumstances. The Bank would provide 30 days notice to rectify any breach/ unsatisfactory progress if :

the selected Bidder commits a breach of any of the terms and conditions of the bid/contract;


the selected Bidder becomes insolvent or goes into liquidation voluntarily or otherwise;

an attachment is levied or continues to be levied for a period of 7 days upon effects of the bid;

the progress regarding execution of the contract, made by the selected Bidder is found to be unsatisfactory;

if deductions on account of penalty and liquidated damages exceeds more than 10% of the total contract price;

if the selected Bidder fails to complete the due performance of the contract in accordance with the agreed terms and conditions.

After the award of the contract, if the selected Bidder does not perform satisfactorily or delays execution of the contract, the Bank reserves the right to get the balance contract executed by another party of its choice by giving one month’s notice for the same. In this event, the selected Bidder is bound to make good the additional expenditure, which the Bank may have to incur to select and carry out the execution of the balance of the contract. This clause is also applicable, if for any reason, the contract is cancelled.

The Bank reserves the right to recover any dues payable by the selected Bidder from any amount outstanding to the credit of the selected Bidder, including the pending bills and/or invoking Bank Guarantee/Security Deposit, if any, under this contract.

3.1.29 Dispute Resolution

If a dispute, controversy or claim arises out of or relates to the contract, or breach, termination or invalidity thereof, and if such dispute, controversy or claim cannot be settled and resolved by the Parties through discussion and negotiation, then the Parties shall refer such dispute to arbitration. Both Parties may agree upon a single arbitrator or each Party shall appoint one arbitrator and the two appointed arbitrators shall thereupon appoint a third arbitrator. The arbitration shall be conducted in English and a written order shall be prepared. The venue of the arbitration shall be Mumbai. The arbitration shall be held in accordance with the Arbitration and Conciliation Act, 1996. The decision of the arbitrator shall be final and binding upon the Parties, provided that each Party shall at all times be entitled to obtain equitable, injunctive or similar relief from any court having jurisdiction in order to protect its intellectual property and confidential information.

3.1.30 Ownership of Deliverables

All the deliverables as per scope of this RFP will become the property of Bank of Baroda.


3.1.31 Project Timelines

The selected Bidder shall furnish an implementation schedule, covering entire scope, discuss the same with the Bank officials and arrive finally at a mutually agreed implementation schedule within the overall ambit of 3 months time. The selected Bidder shall be bound by the Implementation schedule so agreed.


SECTION – IV

ANNEXURE-A : ELIGIBILITY CRITERIA

Bidders, who wish to bid should conform to the following criteria.

| S.No. | Eligibility Criteria | Documents required | Page Ref. no |
|---|---|---|---|
| 1 | Bidder be either a Government Organization/PSU/PSE/ partnership firm or a limited Company under Indian Laws or /and an autonomous Institution approved by GOI/RBI promoted | Partnership firm-Certified copy of Partnership Deed. OR Limited Company-Certified copy of Certificate of Incorporation and Certificate of Commencement of Business. Reference of Act/Notification. For other eligible entities- Applicable documents. | |
| 2 | Bidder have been in existence in India for three years as on 15 June 2019. | Partnership firm-Certified copy of Partnership Deed. OR Limited Company-Certified copy of Certificate of Incorporation and Certificate of Commencement of Business. For other eligible entities- Applicable documents. | |
| 3 | Bidder have minimum annual turnover of Rs.5.00 crores (Rupees Five Crores) during last three financial years viz. 2016-17, 2017-18 and 2018-19. | Copy of audited Balance Sheet and P&L statement for the financial years 2016-17, 2017-18 and 2018-19. | |
| 4 | The Bidder should be OEM (Original Equipment Manufacturer)/Original Solution Developer or their authorized channel partner in India. | Relevant letters from the FIM OEM/OSD | |
| 5 | Proposed FIM solution should have been implemented in at least -1- BFSI company/Centralized payment Processors, in India in past -3- years or OEM/OSD or their channel partner should have been maintaining same FIM tool in at least -1- organization for at least past -3- years in India. | Copy of purchase order | |
| 6 | Bidder must have experience of implementing any FIM tool in India in at least -1- institution in past -3- years | Copy of purchase order | |
| 7 | The firm should not be blacklisted / barred by Government of India. | Self Declaration | |
| 8 | The Bidder or its parent company or its subsidiary should not be existing System integrator maintaining IT Infrastructure at Data Centre-Mumbai and Disaster Recovery site- Hyderabad of the Bank. | Self Declaration by Bidder | |
| 9 | The Bidder has to submit declaration from the OEM that in case the Bidder fails to provide the services or the Bidder firm ceases its Business, OEM will step in and provide the FIM Solution support services at the same terms and conditions as agreed with the selected Bidder. | | |
| 10 | The OEM of FIM tool should have been in existence in India for the last -2- years as on 15/06/2019 with its own support centre in India. | 1. Partnership firm-Certified copy of Partnership Deed OR Limited Company-Certified copy of Certificate of Incorporation and Certificate of Commencement of Business. For other eligible entities- Applicable documents. 2. List of support offices and manpower | |

NOTE: Same FIM tool means the FIM tool being quoted by the Bidder.

Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above eligibility criteria along with documentary proofs as specified above.

The fulfillment of above eligibility criteria except items 3 above, would be ascertained as of 15-06-2019.

Those who fulfill all the eligibility criteria as mentioned above are only eligible to take part in this bid exercise. Proposals of those Bidders, who do not fulfill the Eligibility Criteria as stated above fully, will be rejected.

Bidder/Bidders who have been appointed by the Bank for any other project and whose contract has been terminated before completion of the project are not eligible to bid in the proposed project.


ANNEXURE-B : SECURITY SYSTEM INTEGRATOR’S SELECTION/ EVALUATION PROCESS

Evaluation of Technical Bid

First, Technical bid documents will be evaluated for fulfillment of eligibility criteria. Technical bids of only those Bidders who fulfill the eligibility criteria fully as per Annexure-A will be taken up for further evaluation/selection process rejecting the remaining bids.

The evaluation/selection process will be done with combination of, technical competence and commercial aspects as detailed here below. A maximum of 100 marks will be allocated for the technical bid. The evaluation of functional and technical capabilities of the Bidders of this RFP will be completed first as per the following guidelines. The technical proposals only will be subjected for evaluation at this stage. The Bidders scoring less than 70 marks (cut-off score) out of 100 marks in the technical evaluation shall not be considered for further selection process. Once the evaluation of technical proposals is completed, the Bidders who score equal to, or more than the prescribed cut-off score of 70 will only be short listed.

In case fewer than -2- Bidders score more than the cut-off marks, the cut-off marks criteria will be relaxed to cut-off marks of 60 and the top -2- Bidders will be evaluated as per the rest of the evaluation criteria.

The evaluation of technical proposals, among other things, will be based on the following:

Prior experience of the Bidder in undertaking projects of similar nature.

Professional qualifications and experience of the key staff proposed/ identified for this assignment.

Methodology/Approach proposed for accomplishing the proposed project, Proof of Concept testing/ Activities / tasks, project planning, resource planning, effort estimate etc.

Various stages of technical evaluation are presented below:

1. Eligibility evaluation as per the criteria prescribed in Annexure-A.

2. Evaluation of technical proposals of Bidders qualified in eligibility evaluation, based on response and presentation

3. Arriving at the final score on technical proposal.

Presentation-cum-Interview

The Bidders who are qualified in eligibility evaluation, have to give presentation/interactions before panel of representatives of the Bank on the methodology/ approach, time frame for various activities, strengths of the Bidders in carrying out the tasks as per the RFP. The technical competence and capability of the Bidder should be clearly reflected in the presentation. If any short listed Bidder fails to make such presentation, he will be eliminated from the evaluation process. Bank may at its discretion ask the Bidder to conduct proof of concept testing of the solution being provided to the Bank.

At the sole discretion and determination of the Bank, the Bank may add any other relevant criteria for evaluating the proposals received in response to this RFP.

Bank may, at its sole discretion, decide to seek more information from the Respondents in order to normalize the bids. However, Respondents will be notified separately, if such normalization exercise as part of the technical evaluation is resorted to.

Technical Evaluation Criteria:

The criteria for evaluation of technical bids is as under. Credentials and other evaluation criteria will be computed as of 15-06-2019.


| Criteria | Evaluation Parameters | Max Marks | Documents to be submitted |
|---|---|---|---|
| Bidder Credentials | The number of years experience of providing FIM Solution by Bidder in last 3 years. For each year of experience | 5 (Maximum marks 15) | Copies of Work order/ client reference. |
| Bidder Credentials | The number of FIM implementation assignments carried out by the Bidder. For each implementation experience | 5 (Maximum marks 15) | Copies of Work order / client reference. |
| Sub-total (Credentials) | | 30 | |
| OEM Technical Support | FIM OEM/OSD should have a technical support centre in India, and onsite support should be provided to the Bank at Mumbai/Hyderabad/Bengaluru locations. | 10 | Bidder to provide details of support centre including the trained manpower and infrastructure details. |
| FIM Solution Specifications compliance | | 40 | As per Annexure ‘E’ post normalization |
| Methodology, Approach and Proof of concept testing. | Demonstration of in-depth understanding of the Bank’s project requirements through the technical proposal and presentation, with detailed broken-down activities to be performed, effort estimation, manpower to be deployed and results of proof of concept testing. | 20 | Subjective evaluation based on technical proposal, presentation and Proof of Concept (POC) testing |
| TOTAL MARKS | | 100 | |

NOTE 1: Experience of last -3- years only will be counted in the Eligibility and Technical Evaluation of the Bids.

NOTE 2: FIM tool implemented by Bidder should include FIM tool installation, configuration and maintenance for at least -1- year period in the last -3- years.

Annexure-D (Technical Bid format) to be submitted by Bidders should contain detailed responses to each of the above evaluation criteria along with documentary proofs as specified there against.


Commercial Bid Evaluation Criteria

It may be noted that commercial bids will be subjected to following evaluation process.

Based on the technical evaluation criteria, each Bidder will be given certain marks. Only those Bidders scoring 70% (70 marks out of 100) or above in the technical evaluation will be short-listed for commercial evaluation.

The vendor who achieves the required cut-off technical score as part of technical evaluation shall be qualified for commercial bid opening. The commercial bid would be evaluated based on a “Total Cost of Ownership” (‘TCO’) basis. The key considerations of the TCO would be the total payouts for entire project through the contract period of 5 years, discounted at 10% to arrive at the present value of the future cash outflows. The evaluation will be done as follows:

The discounted rate will be calculated on yearly basis based on the formula A/(1+i/100)^n where A = Total Value in each Year; i = 10% and n = Year.

The Present Value will be calculated for all components where the payment is recurring year on year. The Present Value for the component will start from the year of purchase of that component / start of the services (AMC) and shall be calculated till the end year of the contract. Further n - number of period will be ‘0’ in the year of purchase of that component / start of the services and subsequently increased by 1 for subsequent years.

Any component / service for which the payment is a One Time Cost the NPV cost of the equipment / service for that year will be considered and the relevant year’s NPV cost will be added as part of the Present Value calculation for that year. Further the payment of the OTC component / service not being recurring in nature hence the present value for that component / service will be considered in the year of purchase only and not in subsequent years.

Weighted Evaluation:

On the basis of the combined weighted score for technical and commercial evaluation, the bidders shall be ranked in terms of the total score obtained. The proposal obtaining the highest total combined score in evaluation of quality and cost will be ranked as H-1 followed by the proposals securing lesser marks as H-2, H-3 etc. The proposal securing the highest combined marks and ranked H-1 shall be recommended for award of contract.


As an example, the following procedure can be followed:

A score (S) will be calculated for all qualified bidders using the following formula:

C stands for discounted rate arrived basis of commercial evaluation;

Clow stands for the lowest discounted rate arrived basis of commercial evaluation.

T stands for average of technical evaluation score of all the products and

X is equal to 0.30.

| # | Bidder | Technical Evaluation Marks (T) | Discounted Rate (C) | T * 0.70 (A) | [(Clow / C) x 100] x 0.30 (B) | Score (S = A + B) |
|---|---|---|---|---|---|---|
| 1 | AAA | 75 | 120 | 52.5 | 25 | 77.5 |
| 2 | BBB | 80 | 100 | 56 | 30 | 86 |
| 3 | CCC | 90 | 110 | 63 | 27.3 | 90.3 |

In the above example, Clow is 100.

In the above example, CCC, with the highest score becomes the successful bidder.

In case of more than one vendor with equal highest score (S) upto three decimal, then number of decimal will be increased.

The decision of the Bank shall be final and binding on all the vendors to this document.

In the case of tie between two or more Bidders a fresh commercial bid will be called upon from these Bidders for evaluation and selection of the Security System Integrator.

Bank may at its discretion go for the reverse auction. Terms and conditions of the reverse auction will be communicated to the eligible Bidders prior to the commencement of the reverse auction exercise.


ANNEXURE-C : COMPLIANCE CERTIFICATE

(on company’s letterhead)

To, Date :

The Chief Information Security Officer (CISO)
Bank of Baroda
Baroda Corporate Centre
C-26, G Block, Bandra Kurla Complex,
Bandra (East)
Mumbai 400 051

Dear Sir,

Ref: - RFP for selection of Vendor for Supply, Installation and Maintenance of File Integrity Monitoring Solution.

1. Having examined the Request for Proposal (RFP) including all annexures, the receipt of which is hereby duly acknowledged, we, the undersigned offer to provide the desired services to supply, install and maintain File Integrity Monitoring Solution for the Bank’s Information System Assets in conformity with the terms and conditions of the said RFP and in accordance with our proposal and the schedule of Prices indicated in the Price Bid and made part of this bid.

2. If our Bid is accepted, we undertake to complete the project within the scheduled time lines.

3. We confirm that this offer is valid for six months from the last date for submission of RFP to the Bank.

4. This Bid, together with your written acceptance thereof and your notification of award, shall constitute a binding Contract between us.

5. We undertake that in competing for and if the award is made to us, in executing the subject Contract, we will strictly observe the laws against fraud and corruption in force in India namely “Prevention of Corruption Act 1988”.

6. We agree that the Bank is not bound to accept the lowest or any Bid that the Bank may receive.

7. We have not been barred/black-listed by Government of India / statutory authority in India and we have required approval, if any, to be appointed as a service provider.

8. We shall observe confidentiality of all the information passed on to us in course of the tendering process and shall not use the information for any other purpose than the current tender.

9. We confirm that we have obtained all necessary statutory and obligatory permission to carry out the assignment, if any.

Signed
Dated
Seal & Signature of the Bidder
Phone No.:
Fax:
E-mail:

ANNEXURE-D : TECHNICAL BID FORMAT

Particulars to be provided by the Bidder in the technical proposal –

| No | Particulars | Bidder to furnish details | Reference Page no of relevant document in RFP response |
|---|---|---|---|
| 1 | Name of the Bidder | | |
| 2 | Date of establishment and constitution. Certified copy of “Partnership Deed” or “Certificate of Incorporation/commencement of business” should be submitted. For entities other than partnership firm and limited company, other relevant documents to be submitted. | | |
| 3 | Location of Registered Office /Corporate Office/ Mumbai office with addresses. | | |
| 4 | Mailing address of the Bidder | | |
| 5 | Names and designations of the persons authorized to make commitments to the Bank | | |
| 6 | Telephone and Mobile numbers of contact persons | | |
| 7 | E-mail addresses of contact persons | | |
| 8 | Details of: Description of business and business background; Service Profile & client profile; Domestic & International presence. | | |
| 9 | Gross annual turnover of the Bidder (not of the group): Year 2016-07 Audited; Year 2017-18 Audited; Year 2018-19 Audited. (Copy of audited financial statements for above years to be submitted) | | |
| 10 | Experience of assignments executed successfully in the last -3- years as per Annexure G | As per Annexure ‘F’ | |
| 11 | Details of the similar assignments on hand as on date (Name of the organization, time projected for execution of the assignment and documentary proofs such as work order are to be furnished) | | |
| 12 | Names of the Engagement Manager, Project Manager and Team members identified for FIM implementation and their professional qualifications and experience/expertise. Details of similar assignments handled by the said Implementation manager. Documentary proofs for all the assertions are to be enclosed. | As per Annexure ‘G’ | |
| 13 | Names of the FIM Solution certified staff members, if any. (Copy of relevant certification) | | |
| 14 | Estimated work plan and time schedules for providing services for this assignment. | | |
| 15 | Details of the Bidder’s proposed methodology/approach with reference to the scope of work. | | |
| 16 | Effort estimate and elapsed time are to be furnished. | As per Annexure-‘H’ | |

The Bidder should provide detailed responses for each of the above items along with documentary proofs as prescribed there against and also as specified in Annexure-A (eligibility criteria) & Annexure B ( Bidder’s Selection/Evaluation Process).

Declaration:

1. We confirm that we will abide by all the terms and conditions contained in the RFP.

2. We hereby unconditionally accept that Bank can at its absolute discretion apply whatever criteria it deems appropriate, not just limiting to those criteria set out in the RFP, in short listing of Bidders.

3. All the details mentioned by us are true and correct and if Bank observes any misrepresentation of facts on any matter at any stage, Bank has the absolute right to reject the proposal and disqualify us from the selection process.

4. We confirm that this response, for the purpose of short-listing, is valid for a period of six months, from the date of expiry of the last date for submission of response to RFP.

5. We confirm that we have noted the contents of the RFP and have ensured that there is no deviation in filing our response to the RFP and that the Bank will have the right to disqualify us in case of any such deviations.

Place:

Date: Seal & Signature of the Bidder

ANNEXURE-E : FIM SOLUTION SPECIFICATIONS

| S.No. | OPERATIONAL REQUIREMENTS | Maximum Marks | Complying Y / N or Customization Required (C) |
|---|---|---|---|
| 1.00 | FIM Solution should be able to generate a baseline of a server(s) so that integrity is based on a known good state. | 2 | |
| 1.01 | FIM Solution should be able to create a single baseline that can be distributed to a group of servers to verify differences from baseline (i.e. configuration verification). | 1 | |
| 1.02 | FIM solution should provide capability for Execution of commands based on integrity violations. | 1 | |
| 1.03 | FIM Solution should be capable to distribute Policy files remotely via a console to one or more machines. | 1 | |
| 1.04 | Standard Policy templates should be available in the tool | 1 | |
| 1.05 | FIM Solution should have facility to group Files and directories together in policy template (rule blocks). | 1 | |
| 1.06 | FIM Solution should be able to Specify severity level to individual files and/or directories. | 1 | |
| 1.07 | FIM Solution should support file directory recursion. | 1 | |
| 1.08 | FIM Console can view status of machines. | 1 | |
| 1.09 | FIM Console should be able to group agents on various parameters. | 1 | |
| 1.10 | Ability to have monitoring (view-only) only consoles available for defined users. | 1 | |
| 1.11 | FIM Templates can utilize wildcards or variables (to encompass minor differences in file system contents between systems). | 1 | |
| 1.12 | FIM solution should be able to operate through firewall (ports opened). | 1 | |
| 1.13 | FIM solution should work well in low bandwidth connections. | 1 | |
| 1.14 | FIM Solution should be able to monitor snapshot of database from console. | 1 | |
| 1.15 | FIM should be able to easily and quickly update multiple baselines at once, in cases where routine maintenance and/or changes cause integrity violations. | 1 | |
| 1.16 | FIM should have ability to automatically promote baseline. | 1 | |
| 1.17 | FIM should be able to auto-promote changes when real-time analysis of change indicates they are inconsequential or beneficial. | 1 | |
| 1.18 | FIM Management console should be cross platform (i.e. Windows and Unix etc.). | 1 | |
| 1.19 | FIM Management console should detect status of agents. | 1 | |
| 1.2 | FIM should allow users to quickly compare two versions and quickly isolate changes or differences between versions. | 1 | |
| 1.21 | FIM agents should operate on different flavors of Windows, different flavors of Linux and different flavors of Unix (such as HP-UX, AIX etc). | 10 | |
| 1.22 | FIM should be able to change agent passphrases from console. | 1 | |
| 1.23 | FIM should be able to Transfer only delta change information for each scan (after the first), not all configuration data each time | 1 | |
| 1.24 | FIM should be scalable to address requirements of both individual departments and entire enterprise worldwide. | 1 | |
| 1.25 | FIM should be able to provide users access from anywhere to a single location which allows them to view, search, and compare configurations. | 1 | |
| 1.26 | FIM should be able to provide immediate access to detailed change information. | 1 | |
| 1.27 | FIM should be able to arrange and manage monitored components in a number of ways including by location, device type, and responsibility etc. | 1 | |
| 1.28 | FIM should enable explanations, descriptions, or labels to be annotated by users. | 1 | |
| 1.29 | FIM should provide standard sets of defaults and templates for each operating environment | 1 | |
| | Total Marks | 40 | |

| S.No. | SECURITY AND CONTROL | Maximum Marks | Complying Y / N or Customization Required (C) |
|---|---|---|---|
| 1.00 | FIM should provide Role based access control to establish levels of access and control for specific groups of users. | 1 | |
| 1.01 | FIM should provide secure communication between devices and database. | 1 | |
| 1.02 | FIM should Inform authorized persons of when, how and who made changes. | 1 | |
| 1.03 | FIM should provide summary and detailed reports to management that various departments are in compliance with set security policies. | 1 | |
| 1.04 | FIM should enable compliance with security and regulatory requirements (e.g. CIS, PCI, ISO, SOX, FISMA, FDCC, FFIEC, NERC, HIPAA, JSOX, GLBA, etc.) | 2 | |
| 1.05 | FIM should report devices that don’t meet established operational or regulatory policies. | 1 | |
| 1.06 | FIM should analyze changes in real time to determine if they introduce risk based on conditions under which change was made, type of change made and user-specified severity of a change. | 2 | |
| 1.07 | FIM Console should have auditing facilities for any changes in FIM. | 2 | |
| 1.08 | FIM Communication link between agent and console should be secure (SSL). | 1 | |
| 1.09 | FIM should be able to verify agent security and pass phrases. | 1 | |
| 1.10 | Ability to verify agent security and pass phrases. | 1 | |
| | Total Marks | 14 | |

| S.No. | INTEGRATION | Maximum Marks | Complying Y / N or Customization Required (C) |
|---|---|---|---|
| 1.00 | FIM should provide Interface launch commands (toolbar actions) (GUI Interface) to provide one click actions. | 2 | |
| 1.01 | Integration or links to change ticketing systems to correlate and match requested change tickets to actual changes. | 2 | |
| 1.02 | Integrates with QRADAR security information and event management (SIEM) solutions to provide log management capabilities and correlate change and compliance status information with security event information from a single point of control. | 6 | |
| 1.03 | FIM should have ability to create tickets and/or incidents in Ticketing system based upon integrity violations. | 1 | |
| 1.04 | Integration into virtual management console to keep inventory information consistent and help secure virtual environments. | 1 | |
| 1.05 | FIM tool provided by the Bidder should be able to monitor network and security devices. | 5 | |
| | Total Marks | 17 | |

| S.No. | REPORTING AND ALERTING | Maximum Marks | Complying Y / N or Customization Required (C) |
|---|---|---|---|
| 1.00 | FIM should have multiple levels of reporting. | 1 | |
| 1.01 | FIM should provide executive level summary reports/dashboards. | 1 | |
| 1.02 | FIM should be able to send Reports via email. | 1 | |
| 1.03 | FIM should provide options to print Reports. | 1 | |
| 1.04 | FIM Reports should be archived locally. | 1 | |
| 1.05 | Reports clearly denote severity levels of integrity violations. | 1 | |
| 1.06 | Reports can be filtered and searchable. | 1 | |
| 1.07 | Reports can be exported to other applications (CSV, xml or html format). | 1 | |
| 1.08 | FIM should provide capabilities to create on demand Reports. | 2 | |
| 1.09 | FIM reports should be easily customizable | 3 | |
| 1.10 | FIM should send alerts to a Web Console, Network Consoles, email SMSs whenever a high-priority file, content or configuration change is detected. | 1 | |
| 1.11 | FIM should alert users when configurations change and introduce risk or non-compliance, and provide details on what change was made and who made the change. | 1 | |
| 1.12 | FIM should provide a single source of change information. | 1 | |
| 1.13 | FIM should specify the relative significance of a change according to the monitoring rules for a system component. | 1 | |
| 1.14 | FIM should enable searches of configuration histories and audit logs for specified content using a variety of search criteria and filters. | 1 | |
| 1.15 | FIM should allow searching to be predefined or saved for future use by all users. | 1 | |
| 1.16 | FIM should identify all devices whose configurations differ from their designated baselines, or either contain or are missing specified configuration settings. | 1 | |
| 1.17 | FIM should provide Audit logging that provides a change control record for all change activity by recording detected changes, added and deleted devices, modified user accounts, etc. | 1 | |
| 1.18 | FIM console should send alert when agent connections are lost. | 1 | |
| 1.19 | FIM should differentiate authorized vs. unauthorized changes based on change window, who made the change, what the change was, etc. | 1 | |
| 1.20 | FIM should have role-based and customizable user interface. | 1 | |
| 1.21 | FIM tool should provide sequence of events leading to security incident for deeper analysis of events. | 1 | |
| 1.22 | FIM tool should provide sequence of events leading to security incident for deeper analysis of events. | 4 | |
| | Total Marks | 29 | |

| S.No. | POLICY MANAGEMENT | Maximum Marks | Complying Y / N or Customization Required (C) |
|---|---|---|---|
| 1.01 | FIM should be able to compare an asset’s configuration state against a pre-defined policy /baseline to determine whether or not the configuration is compliant and suggest remedial action. | 1 | |
| 1.02 | FIM should be able to seamlessly integrate file integrity monitoring data to immediately reassess upon detected changes (continuous monitoring). | 1 | |
| 1.03 | FIM should support pre defined policy templates. | 1 | |
| 1.04 | FIM should support Center for Internet Security (CIS) benchmarks out-of-the-box. | 1 | |
| 1.05 | FIM should support security standards (NIST, DISA, VMware, ISO 27001) out-of-the-box. | 2 | |
| 1.06 | FIM should support regulatory requirements (PCI, SOX, FISMA, FDCC, NERC, COBIT) out-of-the-box. | 2 | |
| 1.07 | FIM should support operational/performance policies out-of-the-box for business-critical applications. | 1 | |
| 1.08 | FIM should have ability to easily modify standard policies to conform to unique organizational needs. | 1 | |
| 1.09 | FIM should capture and automate own organizational (internal) policies. | 1 | |
| 1.1 | FIM should have ability to report compliance status based on platforms/ applications/devices etc | 1 | |
| 1.11 | FIM should provide out-of-the-box remediation guidance to help fix non-compliant configurations. | 1 | |
| 1.12 | Ability to systematically waive policy tests to seamlessly integrate into compliance processes and requirements. | 1 | |
| 1.13 | Provides proof to management that various departments are in compliance with set security policies. | 1 | |
| 1.14 | Ability to report “policy scorecards” to summarize the compliance status of a device. | 1 | |
| 1.15 | Ability to assign different weights to different tests that comprise a policy scorecard. | 1 | |
| 1.16 | Ability to ignore certain tests for certain periods of time (i.e. support for policy waivers). | 1 | |
| 1.17 | FIM should have ability to run, assess configurations against multiple policies without requiring a re-scan. | 1 | |
| 1.18 | Ability to report on current policy waivers in effect and their expiration dates. | 1 | |
| | Total Marks | 20 | |

Normalization: Total marks obtained as per this annexure shall be divided by -3- and considered for Technical evaluation as per annexure ‘B’.

* For specifications with reply of ‘Y’ and ‘C-Customization required’, it will be presumed that the price of the feature is included in the commercial quote by the Bidder including customization, if any. Bidder should additionally mention in the remarks column the details of customization in brief.

Place:

Date: Seal & Signature of the Bidder

ANNEXURE-F : EXPERIENCE DETAILS

DETAILS OF FIM IMPLEMENTATION AND MAINTENANCE EXPERIENCE

| Sl. No. | Name of the Client and place of implementation | Client segment Bank/ Insurance/Stock Exchange or Others | Date of PO and date of completion of assignment | Brief Scope of work | Name of Lead consultant | Details of FIM Tool and its modules | Contact person details of the client | Page Ref. No. |
|---|---|---|---|---|---|---|---|---|

Please submit copy of Purchase order and Client letter. Place: Date: Seal and Signature of Bidder:

ANNEXURE-G : PROPOSED IMPLEMENTATION TEAM PROFILE

| Sl No | Name of Proposed Engagement Manager /Project Manager/ Team Member | Date of Joining | Prof. Qualifications | Age and total experience | Certifications/ Accreditations | Experience in FIM Solution implementation and operations |
|---|---|---|---|---|---|---|

Documentary proofs are to be enclosed to substantiate the claims made. Place: Date: Seal and signature of the Bidder

ANNEXURE-H : ESTIMATED EFFORT AND ELAPSED TIME

| Sl No | Activities | Elapsed Time | Effort in Man days | Number of team members who will be deployed | Remarks |
|---|---|---|---|---|---|
| 1 | FIM Solution- Study of Bank’s Infrastructure | | | | |
| 2 | FIM Solution- High Level and Detailed project plan | | | | |
| 3 | Implementation plan phase I comprising of Critical systems | | | | |
| 4 | Implementation plan phase II comprising of other systems | | | | |
| 5 | Training | | | | |

Place: Date: Seal and Signature of Bidder:

ANNEXURE-I : OEM DETAILS

The vendor must provide the following details for the original manufacturers of the products proposed to be provided: Name of the Product with full specifications (please enclose Brochure if available)

1. Name of the Manufacturer

2. No. of years in business

3. Address of the Manufacturer

4. Contact details like phone, fax, email

5. PAN number and Sales Tax number

6. List of Manufacturing locations (world wide)

7. Description of manufacturing locations

8. Description of production facilities

9. Description of inspection & testing facilities

10. Certifications possessed by the manufacturer (ISO etc.)

11. Any other information about the manufacturer

12. Industry Recognitions

Place: Date: Seal and signature of the bidder

ANNEXURE-J : MANUFACTURER AUTHORIZATION FORM

Proforma of letter to be given by the OEM of devices/hardware/FIM Solution to the bank on OEM letterhead by authorized signatory.

Date:

To,
The Chief Information Security Officer
Bank of Baroda
Baroda Corporate Centre
Bandra Kurla Complex, Bandra (East)
Mumbai 400 051

Dear Sir,

We ……………………………………………………………… (Name of the Manufacturer) who are established and reputable manufacturers of ……………………………………File Integrity Solution having factories/development centres at ………, …………, ………, …………… and …………… do hereby authorize M/s ……………………… (who is the vendor submitting its bid pursuant to the Request for Proposal issued by the Bank) to submit a Bid and negotiate and conclude a contract with you for supply of equipments and softwares manufactured by us against the Request for Proposal received from your Bank by the Vendor and we have duly authorized the Vendor for this purpose.

We hereby extend our guarantee and warranty as per terms and conditions of the RFP and the contract for the equipment and softwares offered for supply against this RFP by the above-mentioned Vendor, and hereby undertake to perform the obligations as set out in the RFP in respect of such equipments and softwares.

In case the vendor does not perform its duties as per the terms and conditions stipulated in the RFP for maintaining the hardware/softwares during warranty/post warranty period, we shall take over the maintenance of the hardware/software and related components, supplied by the vendor under same terms and conditions or more favorable terms and conditions to the Bank without any additional cost to the Bank.

Yours Faithfully

Authorized Signatory
(Name: Phone No. Fax E-mail )

(This letter should be on the letterhead of the Manufacturer duly signed by an authorized signatory)

ANNEXURE-K : OEM SIZING CONFIRMATION

Proforma of letter to be given by the OEM of FIM Solution to the bank on OEM letterhead by authorized signatory.

Date:

To,
The Chief Information Security Officer
Bank of Baroda
Baroda Corporate Centre
Bandra Kurla Complex, Bandra (East)
Mumbai 400 051

Sir,

Sub: RFP for implementation of File Integrity Monitoring Solution-Sizing Confirmation

We as Original Equipment Manufacturers of _________________FIM solution, have sized the hardware/software and license requirement based on information provided by the bank in its Tender #....... and in accordance with the tender and Service Level requirements and assure the bank that the sizing is for the DC and DR sites envisaged in the tender.

Yours faithfully,

Authorized Signatory
Designation
Vendor’s corporate name

ANNEXURE-L : COMMENTS ON TERMS & CONDITIONS & SERVICES/PRE BID QUERY FORMAT

Please submit your pre bid queries in the format as mentioned below.

Please provide your comments on the Terms & conditions in this section. You are requested to categorize your comments under appropriate headings such as those pertaining to the Scope of work, Terms & Conditions etc. You are also requested to provide a reference of the page number, state the clarification point and the comment/ suggestion/ deviation that you propose as shown below.

| Sr. No. | RFP Page no. # | RFP Point / Section # | Clarification point as stated in the tender document | Comment/ Suggestion/ Deviation/ Query |
|---|---|---|---|---|

Place: Date: Seal and signature of the Bidder

ANNEXURE-M : COMMERCIAL BID FORMAT

Commercial Bid Format (Amt in Rupees excl GST)

Part A

| S.no. (a) | Item (B) | High Availability (Redundancy) | No of Units (C) | Unit Cost (Rs.) (D) (Excluding GST) | Total E = C X D 1st year | 2nd year (F) | 3rd year (G) | 4th year (H) | 5th year (I) | Total Cost (in Rs) (J = E+F+G+H+I) (Excluding GST) | Bill of Material Line items | Remark (g) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.a | FIM Solution including supply and basic Installation for DC | No | 1 | | | | | | | | | |
| 1.b | FIM Solution including supply and basic Installation for DR | | 1 | | | | | | | | | |
| 2.a | AMC/ARLF charges for FIM Solution for DC post warranty period | | | | | | | | | | | |
| 2.b. | AMC/ARLF charges for FIM Solution for DR post warranty period | | | | | | | | | | | |
| 3.a | Cost of Licenses for 180 Monitored Devices for DC | | 180 | | | | | | | | | |
| 3.b | Cost of Licenses for 120 Monitored Devices for DR | | 120 | | | | | | | | | |
| 3.c | Incremental cost of FIM Solution license upgrade from 180 devices to 360 devices (cost shall be paid in slabs (blocks) of 20 licenses on pro rata basis) for DC | | 180 | | | | | | | | | |
| 3.d | Incremental cost of FIM Solution license upgrade from 120 devices to 240 devices (cost shall be paid in slabs (blocks) of 20 licenses on pro rata basis) for DR | | 120 | | | | | | | | | |
| 4. | Training | | | | | | | | | | | |
| 5 | FIM Solution Implementation charges | | | | | | | | | | | |
| | Total Cost | | | | | | | | | | | |

Note:

1. All the prices quoted above are inclusive of all taxes, octroi etc. except Goods & Services Tax. GST shall be paid by the Bank on actual basis.

2. The above price will remain valid for the terms of the contract.

3. Please provide price breakup of individual line items, if a line item comprises various hardware/software/service components, preferably in Excel format.

4. Please provide Annual Maintenance charges for all the applicable line items below their product costs.

5. The product costs mentioned in the price bid should include all the implementation related costs including but not limited to installation, integration, testing and operationalization of the item.

6. Annual Maintenance Charges(AMC)/Annual Recurring License fees include all costs including but not limited to version upgrade, patch upgrade, onsite maintenance support etc.

7. Please provide complete project implementation methodology, deployment architecture, bill of material to be supplied for the above line items.

8. All prices are to be quoted by the Bidder. Bank may at its discretion remove the redundant components and other components at DC and DR.

9. All capacities defined in Bytes are native capacity unless specifically specified.

Note : Please leave the space blank wherever the charges are not applicable.

Declaration by bidder: We, M/s _________________, hereby confirm that all the items including Services as required for making system operational as per requirement of the Bank have been included in the commercial bid. Further, we understand that Bank reserves the right to use reverse auction method.

Prices of major components must be broken down.

Part B

Total Cost of Ownership Calculation format:

Total cost

Fixed One time cost

Procurement & implementation cost

Recurring/Incremental Cost

1st year

2nd year

3rd year

4th year

5th year

Total Recurring Cost

Total Cost

Total Cost in Part ‘A’ and Part B should match.

Provide AMC/ License fee/ subscription fee/ Renewal fee details for Software and give year wise breakup during the -5- years time span. Pricing of major components of the solution must be broken down.

Note:

1. The Bank may add further devices / servers/applications under the scope of the project at a future date.

2. In case the Bank adds devices / servers at a later date and brings the same under the scope of this contract, pro rata charges per month and per device shall be calculated on the basis of cost derived at from the final BOM.

3. Bank reserves the right to reduce or increase the quantity and also defer the procurement of a particular component and/or service under the scope of this RFP.

4. It is expected that vendor will submit the comprehensive proposal for AMC. In case any part is not covered under AMC, the same should be clearly specified along with the price and MTBF (Mean time between failure) value.

Place: Date : Seal & Signature of the bidder

ANNEXURE-O : BILL OF MATERIAL

Please submit complete Bill of Material as per the following format for the materials to be supplied under this RFP preferably in Excel format including the proposed upgrade.

| Sr. No. | Item Name | Make/ Model No. | Configuration/ Details/ Specifications | Brief Function of Item | Commercial Bid Line item (Leave blank if not applicable) | Qty | Page ref. no. of Brochure enclosed. | Remarks |
|---|---|---|---|---|---|---|---|---|

Please provide complete Hardware configuration details for server components at DC and DR.

Place: Date: Seal and signature of the Bidder Bank Of Baroda, Information Security Department 2nd Floor, Bank Corporate Centre, C-26, G-Block, Bandra Kurla Complex, Bandra (East), MUMBAI – 400051.

End of Document

