
BANK OF INDIA, HEAD OFFICE, INFOSEC CELL – RFP FOR EMPANELMENT OF ISASP

Page 1 of 50

REQUEST FOR PROPOSAL (RFP)

For Empanelment of Information Security and Audit Service Providers [ISASPs]

For Information Security Cell [ISC] and Information Systems Audit Cell [ISAC]

Ref: HO: BOI/HO/RMD/INFOSEC/2014/112

Dated 31.10.2014 [Friday]

The information provided in response to this Request For Proposal (RFP) will become the property of the bank and will not be returned. The Bank reserves the right to amend, rescind or reissue this RFP and all amendments will be advised to the bidders and such amendments will be binding on them. The Bank also reserves the right to accept or reject any or all the responses to this RFP without assigning any reasons whatsoever.

This document is prepared by Bank of India for its Empanelment of Information Security and Audit Service Providers [ISASPs]. It should not be reissued or copied or used either partially or fully in any form.


CONTENTS

PART  DESCRIPTION

1. INVITATION TO BID (ITB)
2. DISCLAIMER
3. INSTRUCTIONS FOR BIDDERS (IFB)
4. TERMS & CONDITIONS OF CONTRACT (TCC)
5. ADDRESSES FOR NOTICES
6. BID FORMS, PRICE SCHEDULES AND OTHER FORMS


PART 1

INVITATION TO BID [ITB]

1. Background:-

Bank of India is a leading and innovative Public Sector Bank, having its registered office in Mumbai. The Bank has 4800+ branches in India spread over all states / union territories including 150+ specialized branches and 36+ Extension Counters. Bank has 6 Staff Training Centers [STCs]. M/s HP is the solution provider for Finacle CBS application and the system integration. These branches are controlled through 50 Zonal Offices [ZOs] under six National Banking Groups [NBGs]. The Bank has a dominant presence abroad with 56+ branches / offices. The Bank is listed at both NSE & BSE. The Bank has 5,700+ ATMs spread over the Country.

2. Objectives:-

The bank has its primary Data Centre [DC] and Near Site in Mumbai and its Disaster Recovery [DR] site at Bengaluru. The Data Center serves the domestic branches in India, Overseas Branches, Offices of the Bank and Regional Rural Banks [RRBs] sponsored by Bank of India. The Data Center houses various other applications and resources. The database environment is a heterogeneous mix of UNIX, Linux, HP-Unix, AIX, Solaris and Windows platforms, with databases like Oracle, SQL, PostgreSQL, Networking devices like CISCO, Check Point etc. The Bank has Integrated Treasury Operations in Mumbai.

With multifarious servers, databases, network devices and applications serving as components of the critical infrastructure, continuous maintenance, management and monitoring of the resources are required.

The Bank had called for Expression of Interest (EOI) on the Bank’s website on 12.08.2014 for Empanelment of Information Security Service Providers [ISSPs] from eligible vendors. Vendors with their preferred services have participated in that process and made presentations to understand the details about the various services offered by them.

3. General Terms and Conditions in brief:-

Now Bank of India invites sealed bids from the eligible Bidders to participate in this RFP for empanelment of ISASPs under the following terms and conditions;


a) Fulfillment of eligibility criteria as mentioned below. These are MANDATORY and are to be included in Technical Bid, without which the Bid is liable to be rejected.

b) Bank reserves the right to change the evaluation process for adherence to CVC guidelines and / or better transparency as it deems fit.

c) This RFP is to empanel eligible firms to provide various services and activities related to Information Security and Information Systems Audit for the Bank.

d) Bank’s decision on admissible and acceptable evidences is binding on the bidder.

e) Bank may have two groups of empanelment of ISASPs. Based on the marks obtained in Evaluation of Technical Bids, panels of the Groups will be decided by the Bank.

f) Bank will reserve list of empaneled ISASPs to be used as per Bank’s discretion.

g) The purpose of the grouping is only to form two tiers for management convenience, criticality of operations to be handled effectively etc.

h) It is the discretion of the Bank to decide to which group an ISC / ISAC related exercise / assignment would be allocated.

i) The Bank will communicate to the empaneled vendors about the objective, scope, eligibility requirements, deliverables, time lines, any other information that is deemed fit for smooth execution of the assignment and services.

j) The vendor would submit their quote regarding deployment of resources, number of man-days required for the specific assignment.

k) The selected empaneled bidder has to provide the documentation / presentation for the assignment for PRE and POST implementation of the services during the actual process of assignment. We would also like to inform the bidders that the Bank has a complex infrastructure with multiple resources maintained and managed through multiple vendors. So the bidder has to coordinate with the service providers of different applications / system integrators [SI] of the Bank to carry out assignment/s.

l) Upon empanelment Bidder is required to enter into an appropriate Service Level Agreement [SLA], wherein Clause for active Participation in the various Assignments and Services offered by Bank from time to time during the complete tenure of agreement.

4. Non Refundable Bid Amount:-

A non-refundable bid amount of Rs. 5,000/- [Rupees Five Thousand only] is to be paid by means of a demand draft / pay order favouring “Bank of India” payable at Mumbai towards the cost of the Bid Application.

The Technical Bid envelope without the Bid Amount would be treated as non-responsive, and in such case the financial / price bid envelope would not be opened.


5. Empanelment Period:-

The empanelment of ISASPs is proposed to be for a period of five years. This would be subject to annual review. Bank reserves the right to de-empanel any empanelled ISASP. Empanelment does not confer any rights on the vendors to necessarily receive assignments / jobs. This allocation of assignments / jobs will be at the sole discretion of the Bank. Empaneled ISASPs are required to enter into Service Level Agreement [SLA] and Non-Disclosure Agreement [NDA]. The decision of the Bank in this regard will be final.

6. Schedule / Relevant Dates of this RFP:-

RFP Issuance Date | 31/10/2014 – FRIDAY
Last date for requesting any clarifications by Email | 13/11/2014 up to 12.00 noon – THURSDAY
Pre-bid meetings for clarifications | 14/11/2014, 4.00 to 5.00 p.m. – FRIDAY
Last Date & Time for Receipt of Bids at our Office | 25/11/2014 by 3.00 p.m. – TUESDAY
Date and Time of opening of Technical Bids | 25/11/2014, 4.00 p.m. – TUESDAY. Representatives of bidder may be present during opening of Technical bid, however, it would be opened even in the absence of any or all of the bidder's representative.
Presentation on experience, proposed approach, work plan and methodology | 1st Week of December 2014 – Exact schedule will be advised separately.
Date and time of opening of Commercial Bids | 2nd Week of December 2014 – Exact schedule will be advised separately.
Contact Persons & Telephone Numbers | Shri Sanjay Save @ ISC – 6668 4974 & Shri R. K. Pamnani @ ISAC – 6131 9425
Address for Communication & Submission of bid | The General Manager, Risk Management Department, Information Security Cell, 4th Floor, East Wing, Star House - I, C-5, G-Block, Bandra Kurla Complex, Bandra East, Mumbai – 400 051. Email: [email protected]
Availability of Bid Document and all other related communications | Available on our Website – www.bankofindia.co.in under Tender Section

Bank reserves the right to change the dates / time mentioned in the RFP if any, which will be communicated to bidders through our Website / Email separately.


PART – 2

DISCLAIMER

The information contained in this Request for Proposal (RFP) document or information provided subsequently to bidder(s) or applicants whether verbally or in documentary form by or on behalf of Bank of India (BOI - Bank), is provided to the bidder(s) on the terms and conditions set out in this RFP document and all other terms and conditions subject to which such information is provided.

This RFP is neither an agreement nor an offer and is only an invitation by BOI [Bank] to the interested parties for submission of bids. The purpose of this RFP is to provide the bidder(s) with information to assist the formulation of their proposals. This RFP does not claim to contain all the information each bidder may require. Each bidder should conduct its own investigations and analysis and should check the accuracy, reliability and completeness of the information in this RFP and where necessary obtain independent advice. BOI makes no representation or warranty and shall incur no liability under any law, statute, rules or regulations as to the accuracy, reliability or completeness of this RFP. BOI may in its absolute discretion, but without being under any obligation to do so, update, amend or supplement the information in this RFP.


PART – 3

INSTRUCTIONS FOR BIDDERS (IFB)

TABLE OF CLAUSES

Clause No.  Topic

A. Introduction
3.1 General Background
3.2 Broad Scope of Work
3.3 Consortium
3.4 Cost of Bidding.
3.5 Eligibility Criteria

B. Bidding Documents
3.6 Content of Bidding Documents
3.7 Clarification of Bidding Documents
3.8 Amendment of Bidding Documents

C. Preparation of Bids
3.9 Language of Bid
3.10 Format / Documents & Signing of the Bid
3.11 Bid Prices / Rates
3.12 Bid Currencies
3.13 Documents establishing Bidder’s Eligibility and Qualifications
3.14 Documents establishing eligibility and conformity
3.15 Bid Security
3.16 Period of Validity of Bids
3.17 Format and Signing of Bid

D. Submission of Bids
3.18 Sealing and Marking of Bids
3.19 Deadline for Submission of Bids
3.20 Late Bids
3.21 Modification & Withdrawal of Bids

E. Bid Opening and Evaluation
3.22 Opening of Technical Bids by the Bank
3.23 Clarification of Bids
3.24 Preliminary Examination
3.25 BID Evaluation & Comparison of Price Bids
3.26 Contacting the Bank

F. Award of Contract
3.27 Bank’s Rights
3.28 Notification of Award
3.29 Signing of Contract


A. Introduction

3.1 General Background

Bank of India (hereinafter referred to as the “Bank”) intends to prepare a panel of reputed Information Security and Audit Service Providers [ISASP], Information Security [IS] Consulting Organisations, Information Technology [IT] Auditors, Information Systems [IS] Audit Agencies / Firms [including Chartered Accountant Audit Firms with CISA qualified Auditors], Cyber Security Auditors and Forensic Consultants etc. for carrying out various activities and assignments and for assisting with the Information Security and IT / IS Audit related work of the Information Security Cell [ISC] in the Risk Management Department and the Information Systems Audit Cell [ISAC] in the Inspection and Audit Department of the Bank. The Bank has a mixed environment of outsourced and in-house managed IT. During the past decade, the Bank has strengthened its IT infrastructure. To embark upon its ambitious growth plan and meet the present and future needs of the Bank’s business, the Bank is in the process of upgrading its IT with the latest available technology.

The complexity of the Bank’s IT operations has increased, demanding a higher level of IS skills and monitoring of IS operations, as well as of IS Audit. The Bank invites responses to this Request for Proposal [RFP] from reputed Companies / firms / Service Providers who have proven experience in the field of Information Security, IT / IS Audit, Cyber Security and related work and who fulfil the eligibility criteria laid down in this document.

The Bank intends to have an Empanelment of Information Security and Audit Service Providers [ISASPs] for Information Security / IT & IS Audit related work, for a period of approximately five years at the Bank’s discretion. This would be subject to annual review. In case an empaneled ISASP does not respond to the quotation / inquiry by the Bank on three occasions or does not perform / execute the assignment during the validity of the empanelment, it may be delisted from the Panel by the Bank. The decision of the Bank will be final and binding on the empaneled ISASPs.

3.2 Broad Scope of Work [SoW]

The types of present and future activities and services required by the ISC and ISAC of the Bank, as covered / defined in this RFP, are illustrative and indicative but not exhaustive. The scope may also undergo changes / updates due to implementation of new products, technology, projects, configuration requirements, business needs, legal and regulatory requirements etc. The broad SoW is as under:


1) Services on Information Security & Audit Projects and Security Certifications
2) Assistance in implementation of ISC and or ISAC related Project/s and Tools
3) IT and IS Audits including Outsourced Activities and Third Party Audits.
4) Technological Risk Assessment [TRA], Risk Profiling and Threat Perception of Assets, GAP Analysis, Third Party Outsourcing Activities etc.
5) Documentation – Policy, Process, Procedure Creation / Review / Modification etc.
6) Immediate Risk Mitigation Measures / suggestive steps
7) Vulnerability Assessment [VA]
8) Penetration Testing [PT]
9) Application Security Testing
10) ISC and ISAC related work related Application Development and Services
11) Secured Configuration Documents [SCDs]
12) Network Audit and Supervision
13) Database Audits / Migration Audit
14) Cyber Security Audit
15) Application Audits / Website Audit / ATM Network Audit
16) Fraud Investigation
17) Forensics Investigation
18) BCP / DR Preparedness / Readiness
19) Data Centers, Treasury Branch, DR / NR Sites / Data warehouse Audit
20) Assistance in Training and Security Awareness
21) Assurance Services as per Regulatory requirements where Bank has Branches / Offices
22) Advanced Real Time Threat Intelligence including Anti-Phishing, Anti-Trojan, and Anti-Malware Services, Zero Day Vulnerabilities etc. services for Security Project Management and Services.
23) Assistance in Compliance
24) Assist / suggest ISC / ISAC related changes due to transformative technology like Mobility, Virtualisation, Cloud, Social Networking, Service-Oriented Architecture (SOA) etc.
25) Assess & Develop IS performance dashboard focused on ROI with a mechanism and process to convey value of investment on IS infrastructure across the Bank including Top Management using industry standard Benchmark
26) Assisting in Network Security including Virtualisation, wireless & Mobile Technologies
27) Review / set up IS Controls, Standards, Metrics their effectiveness and adequacy
28) Any other activity as decided by the Bank during the empanelment period.

3.3 Consortium

Any type of formation of consortium, sub-contracting and joint assignment will not be allowed / considered. Such proposal will be disqualified.


3.4 Cost of Bidding

The Bidder shall bear all costs associated with the preparation and submission of its Bid / POC / Presentations etc., and the Bank will in no case be responsible or liable for these costs, regardless of the conduct or outcome of the Bidding process.

3.5 Eligibility Criteria - Pre-Requisite Qualification

The Bid is open to all Bidders who fulfil the following eligibility criteria. Bidders are required to submit their Bids along with supporting documents. If the Bid is NOT accompanied by ALL the required documents together with CHECK LIST as per FORMAT – 6.13 supporting and confirming eligibility criteria, the same would be REJECTED. No further communication will be entertained in this regard.

Sr. No. | Eligibility Criteria | Enclose - Required Documents as Proof | To be Marked as

1 | Bidder should be Indian Company / Firm / Organisation, registered in India under Companies Act 1956 or related Act at least for the past FIVE years i.e. established on or before 01.04.2009. | Certificate of Incorporation / Date of Establishment / Registered Organisation. | EC – 1

2 | Bidder should be empaneled with CERT-IN. | CERT-IN Certificate | EC – 2

3 | Bidders should have experience & expertise in handling Assignments / Services related to IS / IS-IT Audit in India in BFSI Sectors in last THREE years i.e. On or after 01.11.2011. They must have carried out Minimum TWO Information Security and or IS Audit related Assignments in BFSI during preceding year i.e. on or after 01.11.2013 for a duration of minimum 15 Man-Days. | 1> Details of Assignments and Experience Certificate from BFSI Sectors together with PO as per - FORMAT – 6.6. 2> Number of different types of activities carried out in Banks in past 3 years i.e. after 01.11.2011 - FORMAT – 6.7. | EC – 3

4 | Bidder should have NET Profit in last THREE Financial Years [i.e. 2011-2012, 2012-2013 and 2013-2014]. | Audited Balance Sheet, P&L or Certificate from CA. | EC – 4

5 | Bidder should have minimum Turnover of Rs. 10.00 Crores in the last Financial Year. | Certificate from CA. | EC – 5

6 | Fair Practice Code by Bidder – No [Black Listing, Barred, Litigation] by ANY Regulator / Statutory Body / Sector. Present and Past Litigations / Disputes [if any], Outcome and present status – Self Certificate. | Self-Declaration giving full details of Blacklisting, litigations etc. [if any please give results / present status with proof as an evidence.] | EC – 6

7 | Bidder should have Minimum TEN staff with any of the following qualifications / Certifications. I> CISA II> CISSP, III> CISM, IV> PCI-DSS, V> ISO 27001 LA/LI Holder, VI> COBIT Certificate Holder, VII> CEH, VIII> ISO 22301 LA/LI, IX> CCNA, X> COBIT Certification, XI> CRISC, XII> CHFI, XIII> GIAC, XIV> SSCP, XV> Any Other Specialised Products / Domains related Professional Qualifications / Certifications [Please Specify]. | Provide details of No. of staff having listed certificates after avoiding duplication. Multiple Certificate Holders will be counted once only. Total 10 Staff. FORMAT – 6.8. | EC – 7

8 | Check List of Enclosures of all related documents including Bid Amount of Rs. 5,000/=. | As per the CHECK List. FORMAT – 6.13. | EC – 8

NOTES on Qualification / Eligibility Criteria:-

1> Assignments done during past three years i.e. on or after 01.11.2011 should only be mentioned.

2> While it is desired to empanel vendors of versatile exposure and resources in the Information Security and IS / IT Audit related activities for entrusting jobs from time to time in any of the areas mentioned hereinabove, Bank at its sole and absolute discretion, may opt for empanelment of firms with well-known specialised expertise in specific areas, for limited empanelment for some specified activities only, in case of not fully and or partly complying with all and or any of clauses stated above but are able to present equivalent expertise in their specific areas, for specific jobs on a case to case basis.

3> ALL Documents are to be signed by the Authorised Signatories of the Bidders.

4> Supporting documents shall be copy of Work Order [PO], letters from clients on their letter head, contacts of clients including Scope of Work [SoW] for all the relevant assignments carried out during past three years from the date of RFP.

5> Brochures / Emails attached shall not be considered for evaluation.

6> Information Security and IT / IS Audit Services does not include sale of Products.


7> The Eligibility criteria mentioned in the RFP like turnover, staff experience, number of qualified staff etc., should be maintained by the service provider till the end of the empanelment period/contract period.

8> CHECK LIST in FORMAT– 6.13 must be enclosed.

B. The Bidding Documents

3.6 Content of Bidding Document/s

3.6.1 The Solution required, Bidding procedures, and contract terms are prescribed in the Bidding Documents. The Bidding Documents includes:

(a) PART 1 - Invitation To Bid (ITB)
(b) PART 2 - Disclaimer
(c) PART 3 - Instruction For Bidders (IFB)
(d) PART 4 - Terms and Conditions of Contract (TCC)
(e) PART 5 - Technical and Functional Formats and Specifications (TFF / TFS)
(f) PART 6 - Bid Forms, Price Schedules and other forms (BF)

3.6.2 The Bidder is expected to examine all instructions, forms, terms and specifications in the Bidding Document. Failure to furnish all information required by the Bidding Document or to submit a Bid not substantially responsive to the Bidding Document in every respect will be at the Bidder’s risk and may result in the rejection of the Bid. We repeat to confirm the CHECK LIST in FORMAT– 6.13 before submitting the Bid document to the Bank.

3.7 Clarification of Bidding Document/s

3.7.1 Bidders requiring any clarifications, queries, questions etc. on the Bidding Document [RFP] may notify the Bank only by e-mail, as indicated in the Invitation to Bid, on or before 12.00 noon on Thursday, 13.11.2014.

3.7.2 A pre-bid meeting is scheduled on Friday, 14.11.2014 from 4.00 p.m. to 5.00 p.m. The venue for the pre-bid meeting will be the communication address given below.

Bank of India, The General Manager – RMD, Information Security Cell [ISC], 4th Floor, East Wing, Star House - I, C-5, G-Block, Bandra Kurla Complex, Bandra East, Mumbai – 400 051. Email: [email protected]

Contact Officials / Senior Managers: [1] Shri Sanjay Save - 6668 4974 from ISC and [2] Shri R. K. Pamnani - 6131 9425 from ISAC.


Bidders should provide their email address in their queries without fail. All responses will be posted on the website of the Bank.

3.8 Amendment of Bidding Document/s

3.8.1 At any time prior to the deadline for submission of Bids, the Bank, for any reason, whether, at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the Bidding Document/s, by amendment.

3.8.2 All prospective Bidders will be notified of the amendment, if any, by Bank hosting the same on the Bank’s website which will be final and binding on all the bidders. It will be the responsibility of the bidders to regularly visit the Bank’s website for any amendments from time to time and respond accordingly. No other intimation will be given by the Bank.

3.8.3 In order to allow prospective Bidders reasonable time in which to take the amendment into account in preparing their Bids, the Bank, at its discretion, may extend the deadline for the submission of Bids.

C. Preparation of Bids

3.9 Language of Bid

The Bid prepared by the Bidder, as well as all correspondence and documents relating to the Bid exchanged by the Bidder and the Bank and supporting documents and printed literature shall be written in English.

3.10 Format / Documents & Signing of the Bid

All the documents submitted by the bidder shall be duly signed by the authorised signatory.

3.10.1 Each bid shall be in two parts:-

Part I - Technical Bid Form – Stage I (in FORMAT – 6.11)

Part II – Commercial Bid (in FORMAT – 6.3)

The two parts should be in two separate covers, each superscribed with the name of the Project, i.e. “Empanelment of ISASPs - Technical Bid” and “Empanelment of ISASPs - Commercial Bid” as the case may be. Both these envelopes should be sealed in one main envelope.


Bids are liable to be rejected if incomplete.

3.10.2 The Bid shall be typed or written in indelible ink and shall be signed by the Bidder or a person or persons duly authorized to bind the Bidder to the Contract. The person or persons signing the Bids shall initial all pages of the Bids, except for un-amended printed literature.

3.10.3 Any interlineations, erasures or overwriting shall be valid only if they are initialled by the person signing the Bids. The Bank reserves the right to reject bids not conforming to any of above.

3.10.4 Documentary evidence establishing that the Bidder is eligible to Bid and is qualified for ISASP Empanelment as per CHECK LIST of evidences in FORMAT No.6.13 of the Bidding Document if its Bid is accepted.

3.10.5 A Non-disclosure Agreement as per FORMAT – 6.2

3.10.6 Documents comprising Price Bid Envelope should be a complete document and placed in a sealed envelope superscribed as “COMMERCIAL BID” as per FORMAT – 6.3. Price bids containing any deviations or similar clauses will be summarily rejected.

3.10.7 While submitting the Technical Documents and other documentary evidence, Literature on the Solution Architecture Diagram, Drawings, Data and Brochures should be segregated and kept together in one section/lot along with CD containing Technical Documents and PPT of the proposed Presentation.

3.10.8 The other papers, Forms as mentioned above, etc. should form the main section, bound properly so that no paper can be taken out/loosened, and should be submitted in one lot, separate from the section containing literature and annual accounts etc. This includes Referral letters from clients and customers.

3.11. Bid Prices / Rates

The prices / rates indicated in the Price Schedule shall be entered in the following manner:

The prices / rates should be specified only in “Commercial Bid” and must not be specified at any other place in the bid document. The quoted prices should be exclusive of all taxes and statutory levies such as Service Tax / VAT, Sales Tax, Octroi etc. which should be specified separately.


Prices / rates quoted as above shall be valid for a minimum period of 180 days from last date for submission of the tender / bid. This quote is applicable for this RFP process.

The Bank has the discretion to adopt the pricing formula on a case to case basis which will be communicated to the empaneled bidders during the bidder selection process for an exercise.

3.12. Bid Currencies

Bids are to be quoted in Indian Rupees only.

3.13 Documents Establishing Bidder’s Eligibility and Qualifications

3.13.1The Bidder shall furnish, as part of its Bid, documents establishing the Bidder’s eligibility

to Bid and its qualifications to be empanel as ISASPs, if its Bid is accepted.

3.14.2 The documentary evidence of the Bidder’s qualifications to empanel as ISASPs if it’s Bid

is accepted shall establish to the Bank’s satisfaction:

a) That the Bidder has the technical and professional capability necessary to perform the

Contract as per Organization Profile;

b) That adequate, specialized expertise is already available to ensure that the support

services are responsive and the Bidder will assume total responsibility for the operation

and assignment on continuous real time basis.

3.14 Documents Establishing Eligibility and Conformity to Bidding Documents as per

Techno – Commercial eligibility and Evaluation process prescribed by the Bank.

3.15. Bid Security

Upon empanelment as ISASPs, the Bidder may be required to furnish bid security at the time of actual assignment decided for the respective activity. The Bid security is required to protect the Bank against the risk of Bidder’s conduct, which would warrant the security’s forfeiture. The Bid security shall be denominated in Indian Rupees and shall be in the form of bank guarantee issued by a nationalised / public sector bank.

In case the Bidder is not ready to offer the above, the Bid will be rejected by the Bank as non-responsive.


On successful completion of the assignment/s, the Bid security will be discharged.

The Bid security may be forfeited:

a) if a Bidder withdraws its Bid during the period of Bid – assignment validity specified by

the Bidder on the Bid Form; or

b) if a Bidder makes any statement or encloses any form which turns out to be false /

incorrect at any time prior to signing of Contract; or

c) in the case of a successful Bidder, if the Bidder fails;

(i) to sign the Contract; OR

(ii) to furnish Performance Security OR

(iii) to furnish NDA

3.16 Period of Validity of Bids

Bids / rates shall remain valid for 180 days from the date of opening of the Bid. A Bid valid

for a shorter period shall be rejected by the Bank as non-responsive.

In exceptional circumstances, the Bank may solicit the Bidders’ consent to an extension of

the period of validity. The request and the responses thereto shall be made in writing.

3.17. Format and Signing of Bid

3.17.1 The Bid shall be typed or written in indelible ink and shall be signed by the Bidder or a

person or persons duly authorized to bind the Bidder to the Contract. The person or

persons signing the Bids shall initial all pages of the Bids, except for un-amended printed

literature.

3.17.2 Any inter-lineations, erasures or overwriting shall be valid only if they are initialled by the person signing the Bids. The bank reserves the right to reject bids not conforming to the above.

D. Submission of Bids

3.18. Sealing and Marking of Bids

3.18.1 The inner and outer envelopes shall:

a) be addressed to the Bank at the address given; and


b) Envelopes should bear the Project Name “Empanelment of Information Security and Audit Service Provider” and a statement: “DO NOT OPEN BEFORE” (mention last date of submission of the bid i.e. 25.11.2014 before 4.00 p.m.).

c) All envelopes should indicate on the cover the name and address of the Bidder.

3.18.2 If the outer envelope is not sealed and marked, the Bank will assume no responsibility for

the Bid’s misplacement or premature opening.

3.19. Deadline for Submission of Bids

3.19.1 Bids must be received by the Bank at the address specified, not later than the date

and time for submission of Bids specified in the Invitation to Bid [RFP].

3.19.2 The Bank may, at its discretion, extend this deadline for the submission of Bids by

amending the Bid Documents, in which case, all rights and obligations of the Bank and

Bidders previously subject to the deadline will thereafter be subject to the deadline as

extended.

3.20. Late Bids

Any Bid received by the Bank after the deadline for submission of Bids prescribed, will be

rejected and returned unopened to the Bidder.

3.21. Modification and Withdrawal of Bids

3.21.1 The Bidder may modify or withdraw its Bid after the Bid’s submission, provided that

written notice of the modification, including substitution or withdrawal of the Bids, is

received by the Bank, prior to the deadline prescribed for submission of Bids.

3.21.2 The Bidder’s modification or withdrawal notice shall be prepared, sealed, marked and

dispatched. A withdrawal notice may also be sent by Fax, but followed by a signed

confirmation copy, postmarked no later than the deadline for submission of Bids.

3.21.3 No Bid may be modified after the deadline for submission of Bids.

3.21.4 No Bid may be withdrawn in the interval between the deadline for submission of Bids

and the expiration of the period of Bid validity specified by the Bidder on the Bid Form.

Withdrawal of a Bid during this interval may result in the Bidder’s forfeiture of its Bid

security amount.


E. Opening and Evaluation of Bids

3.22 Opening of Technical Bids by the Bank

The Bidders’ names, Bid modifications or withdrawals and the presence or absence of

requisite Bid Security and such other details as the Bank, at its discretion, may consider

appropriate, will be announced at the Bid opening. No bid shall be rejected at bid

opening, except for late bids, which shall be returned unopened to the Bidder.

Bids (and modifications sent) that are not opened at Bid Opening shall not be

considered further for evaluation, irrespective of the circumstances. Withdrawn bids will

be returned unopened to the Bidders.

3.23. Clarification of Bids

During evaluation of the Bids, the Bank, at its discretion, may ask the Bidder for

clarification of its Bid. The request for clarification and the response shall be in writing,

and no change in the prices or substance of the Bid shall be sought, offered, or

permitted.

3.24 Preliminary Examination

3.24.1 The Bank will examine the Bids to determine whether they are complete, required

formats have been furnished, the documents have been properly signed, and the Bids

are generally in order.

3.24.2 The Bank may, at its discretion, waive any minor infirmity, non-conformity, or irregularity

in a Bid, which does not constitute a material deviation.

3.24.3 Prior to the detailed evaluation, the Bank will determine the substantial responsiveness of

each Bid to the Bidding Document. For purposes of these Clauses, a substantially

responsive Bid is one which conforms to all the terms and conditions of the Bidding

Document without material deviations. Deviations from, or objections or reservations to

critical provisions, such as those concerning Bid Security, Applicable Law, Performance

Security, Qualification Criteria, Insurance, Contract, AMC and Force Majeure will be

deemed to be a material deviation. The Bank’s determination of a Bid’s responsiveness is

to be based on the contents of the Bid itself, without recourse to extrinsic evidence. The

Bank reserves the right to evaluate the bids on technical & functional parameters

including possible visit to inspect live site/s of the Service providers and witness demos,

presentations or undertake a POC exercise of the system and verify functionalities,

response times, user acceptability etc.


3.24.4 If a Bid is not substantially responsive, it will be rejected by the Bank and may not

subsequently be made responsive by the Bidder by correction of the non-conformity. The

bank may, at its sole discretion, opt for a technical evaluation which will take into account

the capability of the bidder application to implement the proposed services.

3.24.5 In case of the successful bidder, the Bank will evaluate the capability of the bidder to fulfil the requirements. If the Bank is not satisfied with the offerings, the Bank may cancel the empanelment / remove the bidder from the panel of ISASPs without incurring any liability to anybody whatsoever.

3.24.6 The Bank’s determination of a Bid’s responsiveness will be based on the contents of the

Bid itself, without recourse to extrinsic evidence.


3.25. Bid Evaluation Weightage and Comparison of Price Bids [TWO STAGES]

STAGE – I

The Bank proposes TWO stages for the Evaluation Process. In STAGE – I, the Bank intends to arrive at TWO GROUPS. A list of Bidders will be prepared based on the highest scores and GROUPED. STAGE – I is only for the purpose of Empanelment of ISASPs in TWO Groups.

3.25.1 Technical BID Evaluation – [STAGE – I]

| Sr. No. | Activities / Details | Max Marks | Marks Scored * | Weightage | REMARKS |
|---|---|---|---|---|---|
| 1 | Total No of Assignments carried out in BFSI related to IS / ISAC Activities in India as declared in FORMAT – 6.10 to be submitted by the Bidder. Proof need to be submitted. - One Mark per Assignment / Purchase Order [Maximum 3 Marks for 3 years for same / similar activity] for different activities in different organisations. | 23 | | | |
| 2 | Total No of Assignments carried out for IS / ISAC related activities for their Global Clients as per the LIST enclosed as an evidence by the Bidder. One Mark per Assignment / Purchase Order after 01.11.2011 [i.e. during past three years]. | 10 | | | |
| 3 | Total No. of Skilled Employees / Resources available as per the enclosed LIST of Employees with their Credentials / Certifications related to IS / ISAC Activities given in the FORMAT – 6.8. 11 to 25 Employees: 05 Marks; 26 to 50: 10 Marks; Over 51: 15 Marks | 15 | | | |
| 4 | No. of Years’ Existence/Establishment in IS/ISAC related activities in INDIA in BFSI Sector. Evidence of the 1st Assignment to be enclosed as a proof of Experience. - One Mark per year prior to 01.04.2009. | 12 | | | |
| 5 | Technical Skill Credentials (extra ordinary activities) – Proprietary Tools Developed, R&D Work Done, Papers Published, Forensic Assignment Carried out. Other Value added Services and Additional Deliverables, Proprietary Tools, Dashboards, Training, Knowledge sharing, etc. Attach Evidences as a proof. (each activity will carry 1 mark) | 10 | | | |
| 6 | Certifications/Accreditations relevant to IS/ IS Audit Services received from GoI, RBI, IDRBT, IBA, Gartner, BFSI Sector or any other independent Authority. - One Mark per valid current Certificate | 05 | | | |
| 7 | Presentation and Methodologies, Procedures, Tools, Utilities, Templates Developed / used during execution of previous assignments and arrangements for BCPDR Infrastructure proposed etc. presented by the Bidder. – To be given by Bank Team based on Presentations. | 25 | | | |

* TOTAL Marks are to be calculated and filled in by the Bidders for item Nos. 1 to 6 and submitted together with the Technical Bid Cover


3.25.2 Bank shall have Technical Evaluation based on following broad criteria/parameters;

1> only qualifying eligible bidders will be considered for Technical Evaluation.

2> As per inputs and information provided in the bid, Services undertaken, presentations

by bidders, site visits [if required], existing customers feedback, highlights of noteworthy /

superior features of their services. Noticeable State of the Art Services, Capabilities

proposed and demonstrated, Future IS threats, Vision, future requirements NOT

highlighted by the Bank in the RFP, Specialised Services like Forensic Services etc.

offered. Bidder to provide evidences to substantiate their claims. This includes in house

capabilities, Proprietary Tools developed, Additional Support facility provided etc. Broad

base of Technical Evaluation weightage by the Bank Team / Committee will be as under;

a. Variety of Experience - 15%

b. Proposed Methodology and Work Plan - 30%

c. Professional Staff - 15%

d. Execution Capabilities - 15%

e. Specialised Services Offered - 15%

f. Other like Vision, Tools, Support Offered, Client Opinion etc. - 10%

3> To qualify, Bidders must score a minimum 55% Technical Score in Technical Evaluation.

4> Bank proposes to form shortlist in TWO groups based on %age Tech. Score as under;

- Group “A” 76% and Above Tech. Score

- Group “B” 55% to 75% Tech. Score

- Bidders scoring less than 55% Tech. Score will not be considered. Their Commercial Bids will NOT be considered for further process. Commercial Bids of NOT qualifying Bidders will NOT be opened and will be returned to the respective Bidders.

BOI will NOT be responsible for security / privacy of such Bid/s.

- Bank may change / modify captioned criteria / parameters of Evaluation procedure

etc. at its sole discretion. Bank will decide on evaluation and weightage of

marks on the evidences / proof (acceptable to the bank) submitted and

presentation made by the bidder. The decision of the bank will be final. Bank

has right to verify, seek confirmation on the evidences furnished by the

bidders from the respective BFSI / Organisations.

3.25.3. The Bank may use the services of external consultants for bid evaluation, if required.


3.25.4. The Bank will evaluate and compare the Price bids, which have been determined to be

substantially responsive.

3.25.5 Arithmetical errors [if any] will be rectified on the following basis. If there is a discrepancy

between the unit price [man day rate] and the total price [no of days] that is obtained by

multiplying the unit price and quantity, the unit price shall prevail, and the total price shall

be corrected. If the successful bidder does not accept the correction of the errors, its Bid

will be rejected, and its Bid security may be forfeited. If there is a discrepancy between

words and figures, the amount in words will prevail.

3.25.5 The evaluation will be done on the basis of evaluation of the Technical bid and the bidder

offering the lowest price as mentioned in the respective FORMAT.

3.25.6 Commercial Evaluation

The envelope containing the Commercial Bids of only those Bidders who are short-listed and eligible after technical evaluation – STAGE - I would be opened. The format for quoting the commercial bid is set out in FORMAT 6.3.

Commercial quotes of Bidders of Group A will be opened and compared. The lowest

quoted rates will be offered to the other bidders of Group A. All the Group A bidders

accepting the lowest quoted rates will be empanelled at those rates.

Similar separate process will be followed for bidders of Group B.

Bank will create two separate panels – Group A and Group B.

Allocation / Distribution of activities / assignments to different Group or any other Empaneled Bidders will be solely at the discretion of the bank.

Empanelment by the Bank does not constitute any right on the vendor to receive assignments / activities / work orders. The bank reserves the right to opt for manual negotiation.

3.25.7 Awarding of Assignment and Technical Bid Evaluation – STAGE - 2

This is an empanelment only; the actual job allocation or Scope of Work [SoW] will be a dynamic time to time activity and in any areas of ISC / ISAC related activities as required by Bank; payments will be based on actual work mutually agreed at the time of awarding an assignment / contract.


While the empanelment will attempt to set specific service rates (man–hour, man-day /

man-month rate i.e. Rate per Hour, Rate per Day and Rate per Month), Bank can, at its

sole and absolute discretion, prefer multiple price models including piece rates for some

activities or techno-commercial bids for any specific activities or assignments from time to

time.

Entire process of Awarding actual assignment and Services is explained by giving an illustration as under; [However, this process is illustrative. Bank at discretion may adopt / change the process / parameters with prior intimation to respective empaneled bidders]

Example: Arrival of L1 [At the time of actually awarding a Contract / Assignment]

A. Proficiency Assessment: (TECHNICAL EVALUATION - STAGE – II of Technical Bid)

1) Full marks i.e. 100 (notional absolute value) will be awarded to the empaneled bidder/s scoring the highest marks at the time of process of awarding a contract.

2) The inputs will be based on the information provided in this RFP - Bid process or Bank may ask for the latest information concerning the assignment / services.

3) Proportionate marks will be awarded to the other bidders as the percentage of the highest marks received.

4) Full 70 marks will be awarded to the bidder getting the highest marks.

5) Similarly proportionate marks will be awarded to the other bidders. (as per calculation shown under item B – Example).

6) Normally this will be dynamic based on the information provided by the Empanelled bidders for actual assignment / services.

7) Marks on Proficiency may vary / differ based on nature / criticality / proficiency required etc. This will be communicated to the bidders before actual requirement.

B. Commercial Assessment (Price Bid):

1) Rate of Man Hour / Day / Month will be the same rate agreed with the Empaneled ISASPs by the Bank.

2) Full marks i.e. 100 (notional absolute value) will be awarded to the bidder quoting number of MAN - HOURS / DAYS / MONTH for actual requirement for an assignment / services.

3) Actual cost of the Assignment will be No of Man days quoted x Agreed RATES for Man days [as the case may be]

4) Actual cost quoted by the Bidder for lowest price / rate as shown above.

5) Proportionate marks will be awarded to the other bidders as the percentage of the lowest quote.

6) Full 30 marks will be awarded to the bidder quoting the lowest price i.e. 30% of 100 i.e. 30.


7) Similarly proportionate marks will be awarded to absolute value quoted by other bidders (as per calculation shown under item a – Example)

8) As stated above Marks on Commercial Assessment may vary / differ based on requirements of nature / criticality / professional services etc.

Comparative Chart of Calculations

| Bidder | X | Y | Z |
|---|---|---|---|
| (a) Price in ₹ (30% marks) | 1000 | 1100 | 1200 |
| Calculation (i) | (1000/1000) x 100 = 100 | (1000/1100) x 100 = 90.90 | (1000/1200) x 100 = 83.33 |
| Base is 100% of the lowest bidder | 100 | 90.90 | 83.33 |
| Calculation (ii) | (100/100) x 30 = 30 | (90.90/100) x 30 = 27.27 | (83.33/100) x 30 = 24.99 |
| Actual Marks (A) Out of 30 | 30 | 27.27 | 24.99 |
| (b) Proficiency Marks (70% marks) | 85 | 100 | 95 |
| Base is 100% of the highest scoring bidder | 85 | 100 | 95 |
| Calculation | (85/100) x 70 = 59.50 | (100/100) x 70 = 70 | (95/100) x 70 = 66.50 |
| Actual Marks (B) Out of 70 | 59.50 | 70 | 66.50 |
| Total Marks (A+B) Out of 100 | 89.50 | 97.27 | 91.49 |
| Ranking of Bidder | L3 | L1 | L2 |

Y is the L1 bidder with highest cumulative marks.

3.26 Contacting the Bank

a> No Bidder shall contact the Bank on any matter relating to its Bid, from the time of opening of

Bid to the time the Contract is awarded.

b> Any effort by a Bidder to influence the Bank in its decisions on Bid evaluation, Bid

comparison or contract award may result in the rejection of the Bidder’s Bid.


F. Award of Contract

3.27. Bank’s Right to Accept Any Bid and to reject any or All Bids.

The Bank reserves the right to accept or reject any Bid in part or in full at any time prior to

contract award, without thereby incurring any liability to the affected Bidder or Bidders or

any obligation to inform the affected Bidder or Bidders on the grounds for the Bank’s

action.

3.28 Notification of Award

3.28.1 Prior to expiration of the period of Bid validity, the Bank will notify the successful Bidder in

writing or by fax or by mail, that its Bid has been tentatively accepted.

3.28.2 The notification of award will constitute the formation of the Contract.

3.29. Signing of Contract

3.29.1 At the same time as the Bank notifies the successful Bidder that its Bid has been

accepted, the Bank will send the Bidder the Contract Form as per Format 6.5,

incorporating all agreements between the parties.

3.29.2 At the same time the Bank would call the bidder to study the requirements and assure

itself that they are capable of fulfilling the requirements.

3.29.3 The successful Bidder shall sign and date the Contract and return it to the Bank.

Note:

Notwithstanding anything said above, the Bank reserves the right to reject / award the

contract to any vendor or cancel the entire RFP process without assigning any reasons

thereto.

**********


4: TERMS AND CONDITIONS OF CONTRACT (TCC)

TABLE OF CLAUSES

| Clause No. | Topic |
|---|---|
| 4.1 | Definitions |
| 4.2 | Country of Origin |
| 4.3 | Use of Contract Documents and Information |
| 4.4 | Contract |
| 4.5 | Payment |
| 4.6 | Contract Amendments |
| 4.7 | Delay in Supplier’s Performance |
| 4.8 | Force Majeure |
| 4.9 | Termination for Insolvency |
| 4.10 | Resolution of Disputes |
| 4.11 | Governing Language |
| 4.12 | Applicable Law |
| 4.13 | Taxes and Duties |


4: TERMS AND CONDITIONS OF CONTRACT (TCC)

4.1. Definitions

In this Contract, the following terms shall be interpreted as indicated:

4.1.1 Vendor is the successful Bidder who has been determined to qualify to perform the

Contract / assignment satisfactorily, and whose Bid has been determined to be substantially

responsive, and is the lowest evaluated Bid.

4.1.2 “The Contract” means the agreement entered into between the Bank and the Service

Provider, as recorded in the Contract Form signed by the parties, including all attachments

and appendices thereto and all documents incorporated by reference therein;

4.1.3 “The Contract Price” means the price payable to the Service Provider under the Contract for

the full and proper performance of its contractual obligations;

4.1.4 “TCC” means the Terms and Conditions of Contract contained in this section;

4.1.5 ‘System' means a Computer System consisting of all Hardware, Software, etc., which

should work together to provide the services as mentioned in the Bid and to satisfy the

Technical and Functional Specifications.

4.1.6 ‘Software’ means Application/System software, Database, Middleware and other third

party utilities which will seamlessly integrate with the environment described in this

document without any hitch or hindrance.

4.1.7 In case of a difference of opinion on the part of the Bidder in comprehending and/or interpreting any

Clause / Provision of the Bid Document after submission of the Bid, the interpretation by the Bank

shall be binding and final on the Bidder.

4.2 Country of Origin

All services to be supplied under the Contract shall have their origin in eligible source

countries, as per the prevailing Regulations in India.


4.3 Use of Contract Documents and Information

4.3.1 The Service Provider shall not, without the Bank’s prior written consent, disclose the

Contract, or any provision thereof, or any specification, plan, sample or information

furnished by or on behalf of the Bank in connection therewith, to any person other than a

person employed by the Service Provider in the performance of the Contract. Disclosure to

any such employed person shall be made in confidence and shall extend only as far as

necessary for purposes of such performance.

4.3.2 The Service Provider shall not, without the Bank’s prior written consent, make use of any

document or information enumerated in this Bidding Document except for purposes of

performing the Contract.

4.3.3 Any document, other than the Contract itself, enumerated in this Bidding Document shall

remain the property of the Bank.

4.3.4 The Bidder shall sign a Non-disclosure Agreement as per Format 6.2.

4.4 Contract

4.4.1 The empanelment is for 5 years and will be reviewed on an annual basis. The decision of the bank will be final and binding on all Service Providers.

4.4.2 Contract Uptime

During the Period of contract, Service Provider will maintain the services as per contract.

4.5 Payment

4.5.1 Payment shall be made in Indian Rupees.

4.5.2 The price quoted shall be all-inclusive (including VAT if any). Only service tax if applicable

will be paid extra.

4.5.3 All payments shall be made net of taxes, if any i.e. Less Tax Deduction at Source (TDS).

4.6 Contract Amendments

No variation in or modification of the terms of the Contract shall be made, except by

written amendment, signed by the parties.


4.7 Delay in the Performance & Liquidated Damages

Bank will decide the penalty clause at the time of actual assignment awarded.

4.8 Force Majeure

4.8.1 Notwithstanding the provisions of TCC, the Supplier shall not be liable for forfeiture of its performance security, liquidated damages, or termination for default if and to the extent that its delay in performance or other failure to perform its obligations under the Contract is the result of an event of Force Majeure.

4.8.2 For purposes of this clause, “Force Majeure” means an event beyond the control of the

Service Provider and not involving the Supplier’s fault or negligence and not foreseeable.

Such events may include, but are not restricted to, acts of the Bank in its sovereign

capacity, wars or revolutions, fires, floods, epidemics, quarantine restrictions, and freight

embargoes.

4.8.3 If a Force Majeure situation arises, the Service Provider shall promptly notify the Bank in

writing of such condition and the cause thereof. Unless otherwise directed by the Bank in

writing, the Supplier shall continue to perform its obligations under the Contract as far as is

reasonably practical, and shall seek all reasonable alternative means for performance not

prevented by the Force Majeure event.

4.9 Termination for Insolvency

The Bank may, at any time, terminate the Contract by giving written notice to the Service

Provider if the Service Provider becomes bankrupt or otherwise insolvent. In this event,

termination will be without compensation to the Service Provider, provided that such

termination will not prejudice or affect any right of action or remedy which has accrued or

will accrue thereafter to the Bank.

4.10 Resolution of Disputes

4.10.1 The Bank and the Service Provider shall make every effort to resolve amicably by direct

informal negotiation, any disagreement or dispute arising between them under or in

connection with the Contract.

4.10.2 If the Bank and the Service Provider have been unable to resolve amicably a Contract

dispute even after a reasonably long period, either party may require that the dispute be

referred for resolution to the formal mechanisms specified herein below. These

mechanisms may include, but are not restricted to, conciliation mediated by a third party

and/or adjudication in an agreed national forum.


4.10.3 The dispute resolution mechanism to be applied shall be as follows:

(a) In case of Dispute or difference arising between the Bank and the Service Provider

relating to any matter arising out of or connected with this agreement, such disputes or

difference shall be settled in accordance with the Arbitration and Conciliation Act, 1996.

The third Arbitrator shall be chosen by mutual discussion between the Bank and the

Service Provider.

(b) Arbitration proceedings shall be held at Mumbai, and the language of the arbitration

proceedings and that of all documents and communications between the parties shall

be English;

(c) The decision of the majority of arbitrators shall be final and binding upon both parties.

The cost and expenses of Arbitration proceedings will be paid as determined by the

arbitral tribunal. However, the expenses incurred by each party in connection with the

preparation, presentation, etc., of its proceedings as also the fees and expenses paid

to the arbitrator appointed by such party or on its behalf shall be borne by each party

itself.

4.11 Governing Language

The governing language shall be English.

4.12 Applicable Law

The Contract shall be interpreted in accordance with the laws of the Union of India and the

Bidder shall agree to submit to the courts under whose exclusive jurisdiction the Registered

Office of the Bank falls.

4.13 Taxes and Duties

4.13.1 The Service Provider will be entirely responsible for all applicable taxes, duties, levies,

charges, license fees, road permits, etc. in connection with delivery of Solution at site

including incidental services and commissioning. Only applicable service tax would be

paid extra. Applicable TDS would be deducted at the time of actual payment.

4.13.2 Income / Corporate Taxes in India:

The Service Provider shall be liable to pay all corporate taxes and income tax that shall be

levied according to the laws and regulations applicable from time to time in India and the

price bid by the Service Provider shall include all such taxes in the contract price.


PART 5

Addresses for Notices

The following shall be the address of the Bank.

Bank’s address for notice purposes:

Bank of India,

Risk Management Department, Head Office,

Information Security Cell,

Star House 1, 4th floor, C-5, G Block, Bandra Kurla Complex,

Mumbai - 400 051, Phone: - 022-6668 4974 Fax: - 022-668 4786

Email: - [email protected]

A notice shall be effective when delivered or on effective date of the notice whichever is

later.


PART 6

BID FORM, PRICE SCHEDULES

AND OTHER FORMATS

INDEX

FORMAT NUMBERS

6.1 Covering Letter

6.2 Non-Disclosure Agreement

6.3 Commercial Bid

6.4 Contract Form

6.5 Organisational Profile

6.6 Details of related Assignment in Banks

6.7 No of assignments / Experience during past three years in Banks

6.8 List of experienced staff working in the company more than three years

6.9 Bid Covering letter

6.10 Priority List of Services and assignments by the ISSP in BFSI Sector

6.11 Technical BID Form

6.12 Local communication details form

6.13 Document Verification Check List for Proposal

NOTE

For convenience, all Technical & Functional Specifications and FORMATS which are to be submitted by the Bidders are kept in this PART.


FORMAT – 6.1

COVERING LETTER

(To be included in main Bid Envelope)

Date:...................

To:

Bank of India,

Risk Management Department,

4th Floor ,

Star House, C-5, G-Block, Bandra Kurla Complex

Bandra (East), Mumbai-400 051.

Gentlemen:

Re.: Empanelment of Information Security and Audit Service Providers

(Your RFP Ref: HO: BOI/HO/RMD/INFOSEC/2014/112 dated 31.10.2014)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Having examined the Bidding Documents, the receipt of which is hereby duly acknowledged, we,

the undersigned, to Empanelment of Information Security and Audit Service Providers in

conformity with the said Bidding documents.

We undertake, if our Bid is accepted, to enter into and execute at our cost when called upon by

the Bank to do so, the contract in the prescribed form.

We agree to abide by the Bid and the rates quoted therein up to the period prescribed in

the Bid, which shall remain binding upon us.

Until a formal contract is prepared and executed, this Bid, together with your written acceptance

thereof and your notification of award, shall constitute a binding Contract between us.

We undertake that, in competing for (and, if the award is made to us, in executing) the above

contract, we will strictly observe the laws against fraud and corruption in force in India namely

“Prevention of Corruption Act 1988”.

We understand that you are not bound to accept the lowest or any Bid you may receive. You

may reject all or any bid without assigning any reason or giving any explanation whatsoever.

Dated this ....... day of ............................ 2014.

_______________ ________________________________

(Signature) (Name) (In the capacity of)

Duly authorized to sign Bid for and on behalf of ________________________________


FORMAT 6.2

NON-DISCLOSURE AGREEMENT

WHEREAS, we, ________________________________________, having Registered Office at

__________________________________, hereinafter referred to as the COMPANY, are

agreeable to Empanelment of Information Security And Audit Service Providers for Bank of

India, having its registered office at Star House, C-5, G Block, Bandra Kurla Complex, Mumbai –

400 051, hereinafter referred to as the BANK and,

WHEREAS, the COMPANY understands that the information regarding the Bank’s web site

shared by the BANK in their Request for Proposal is confidential and/or proprietary to the BANK,

and

WHEREAS, the COMPANY understands that in the course of submission of the offer to

Empanelment of Information Security and Audit Service Providers and Services and/or in

the aftermath thereof, it may be necessary that the COMPANY may perform certain jobs/duties

on the Bank’s properties and/or have access to certain plans, documents, approvals or

information of the BANK;

NOW THEREFORE, in consideration of the foregoing, the COMPANY agrees to all of the

following conditions, in order to induce the BANK to grant the COMPANY specific access to the

BANK’s property/information

The COMPANY will not publish or disclose to others, nor, use in any services that the COMPANY

performs for others, any confidential or proprietary information belonging to the BANK, unless the

COMPANY has first obtained the BANK’s written Authorization to do so;

The COMPANY agrees that notes, specifications, designs, memoranda and other data shared by the BANK or prepared or produced by the COMPANY for the purpose of submitting the offer to the BANK for Empanelment of Information Security And Audit Service Providers will not be disclosed, during or subsequent to submission of the offer to the BANK, to anyone outside the BANK.

The COMPANY shall not, without the BANK’s written consent, disclose the contents of this

Request for Proposal (Bid) or any provision thereof, or any specification, plan, pattern, sample or

information (to be) furnished by or on behalf of the BANK in connection therewith, to any

person(s) other than those employed/engaged by the COMPANY for the purpose of submitting

the offer to the BANK and/or for the performance of the Contract in the aftermath. Disclosure to

any employed/engaged person(s) shall be made in confidence and shall extend only so far as

necessary for the purposes of such performance.

Authorized Signatory

Designation Name:

Place:

Date: Office Seal:


FORMAT – 6.3

Commercial Bid

(Include in Commercial Bid Only in a separate sealed envelope)

The indicative commercial Bid needs to contain the information listed hereunder in a sealed

envelope bearing the identification – “Indicative Commercial Bid for Empanelment of Information

Security and Audit Service Providers (ISASPs)”.

Name of the Bidder:-

A> Qualifications [Certifications] and Related Experience (in the company as on

31.10.2014) Requirements:-

Level 1: Experience up to 3 years

• Min. Certifications: CEH, ISO 27001, CCNA, CISSP, CISA, CISM

• Min. Experience: Minimum of 150 VAs; Minimum of 50 PTs; Minimum of 10 TRAs; Minimum of 10 Application Security Assessments;

• Minimum of 5 IT GC Audits, Process Audits, Application Audits and Security Audits

Level 2: Experience between 3 years and 5 years

• Certifications: Level – 1 and or Specialized Product Certifications.

• Experience: Conduct of Domain Level Assessment / Assignment.

Level 3: Experience above 5 years

• Certifications: As per Level – 2 and or CRISC, CHFI.

• Experience: Previous Experience in Specialized Services.

Senior Executive Level

• As per need of the project / assignment

B> Resource Level wise Per Hour / Day / Month indicative Rates Offered:-

| Sr No. | Resource Level | Resource Cost Per Person / Per Hour – in ₹ | Resource Cost Per Person / Per Day – in ₹ | Resource Cost Per Person / Per Month – in ₹ |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |
| 3 | | | | |
| 4 | | | | |

Important Notes:-

Depending upon the nature of Assignment / Services appropriate rate will be considered.

The lowest price quoted by one vendor under each level will be final and binding to all other

vendors under the category.

Signature of Bidder------------------------

Name -------------------------

Business address ----------------------


Place: Date:

C. Suggestive Annual increase in the original Agreed rate:-

| Item | % increase over original rate agreed (for new assignments ordered during a year) | Remarks / Logical Reason/s if any |
|---|---|---|
| Yearly set up | | |

D. Out of Pocket / Lodging / Travelling / Boarding Charges @ Outside Mumbai

1. Bank does NOT intend to give any additional charges / out of pocket / travelling expenses.

2. In case of exigencies / urgencies and need of the bank, bank may consider the following additional charges

a. Travel Expenses: - Air Travel – Economy Class or Lowest Fare of the shortest air route.

b. Out of Pocket / Lodging / Boarding Expenses – As per Bank’s Rules Applicable to Chief Manager from time to time.

c. The above charges will be done from the Company’s [bidders] / Head Office / Mumbai / current location of the resources to carry out the activity i.e. whichever location is nearer. The least of charges will be paid.

3. All applicable taxes / TDS shall be paid / recovered as relevant.

Yours faithfully,

For: [Name of the Company]

__________________

(Signature of the Authorised Official)

Name:-

Designation:-

Place:-

Date:-________


FORMAT 6.4

CONTRACT FORM

THIS AGREEMENT made the .......day of.................................., 2014. Between..........................

(Name of Service Provider) (hereinafter called "Service Provider") of the one part

and..................... (Name of Service Provider) of......................... (City and Country of Service

Provider) (hereinafter called " Service Provider ") of the other part:

WHEREAS the Bank invited Bids for Empanelment of Information Security and Audit Service

Providers (ISASPs) and has accepted a Bid,

NOW THIS AGREEMENT WITNESSETH AS FOLLOWS:

1. In this Agreement words and expressions shall have the same meanings as are respectively

assigned to them in the Conditions of Contract referred to.

2. The following documents of Bid No.: HO:BOI/HO/RMD/INFOSEC/2014/112 dated

31.10.2014 shall be deemed to form and be read and construed as part of this Agreement,

viz.:

a) the Bid Form and the Price Schedule submitted by the Bidder

b) the Technical & Functional Specifications;

c) the Terms and Conditions of Contract;

d) the Service Providers Notification of Award;

e) DELIVERY SCHEDULE:

IN WITNESS whereof the parties hereto have caused this Agreement to be executed in

accordance with their respective laws the day and year first above written.

Signed, Sealed and Delivered by the

said..................................................... (For the Bank)

in the presence of:.......................................

Signed, Sealed and Delivered by the

said..................................................... (For the Service Provider)

in the presence of:.......................................


FORMAT 6.5

ORGANISATIONAL PROFILE

(Include in Main Bid Only – Not to be included in Price Proposal)

CONSTITUTION

1. Proprietary

2. Partnership

3. Private Ltd.

4. Public Ltd.

:

Established since

:

:

Address of Registered Office :

Name Phone Nos. (with STD

Codes)

Names of

Proprietor/Partners/ Directors

: 1.

2.

3.

Note: Please support the above facts with documentary evidence. Please also attach:

Income-Tax Clearance Certificate (latest) Referral Letters from Clients mentioned above

Signature of Bidder: __________________

Name: _____________________________

Business address: ____________________

Place Date:

Seal of the Service Provider


FORMAT 6.6

Details of Related Assignments / Contracts

(For past THREE Years from the date of RFP in BFSI)

(Banking Clients should appear at top, followed by other BFSI etc.)

| Sr. No. | Details of Name of Clients - Companies [Address, Key Persons, Cell Nos. etc.] | Particulars of Assignments - Purchase Order - Date, Value, Period of Completion of SoW etc. | SoW Code No. of the Assignment As given in this RFP | START & ACTUAL Date of Completion of Engagement / Assignment / Project / Service & ACTUAL Man – Days / Hours taken. | Remarks: Repeat Order / Extension of Engagement and related information. |
|---|---|---|---|---|---|
| 1 | | | | | |
| 2 | | | | | |
| 3 | | | | | |

Yours faithfully,

For: [Name of the Company]

__________________

(Signature of the Authorised Official)

Name:-

Designation:-

Place:-

Date:-


FORMAT 6.7

No. of Assignments / Experience during Past three years in BANKS

| Activities [as per SoW code No. – Format 6.10] | CBS / Finacle | ATM NW / Switch | Internet Banking | Mobile Banking – All Platforms | Treasury Operations | Various Certifications | TPP / Out Sourced Activities | Any other activity |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | |

Note : Mention only no. of assignments under the respective head.

Yours faithfully,

For: [Name of the Company]

__________________

(Signature of the Authorised Official)

Name:-

Designation:-

Place:-

Date:-


FORMAT 6.8

List of Experienced Staff working in the Company

| Sr. No. | Name of the Employee | Designation | Professionals / Technical / Qualifications / Certifications | Date of Joining | No. of Completed Years as on 31.10.2014 | No. of ISC & ISAC Projects Handled | Activities [as per SoW code No. – Format 6.10] |
|---|---|---|---|---|---|---|---|
| 1 | | | | | | | |
| 2 | | | | | | | |
| 3 | | | | | | | |

Note : a. Employee should be on permanent Pay Roll of the company.

b. Adhoc / Temporary staff or other outsources / organisation should not be

included.

Yours faithfully,

For: [Name of the Company]

__________________

(Signature of the Authorised Official)

Name:-

Designation:-

Place:-

Date:-


FORMAT 6.9

BID COVERING LETTER

(The bidder shall submit together with CHECK LIST & other Bid Documents)

To,

The General Manager,

Bank of India, Head Office,

Risk Management Department, InfoSec Cell,

4th Floor – East Wing, Star House – I, C-5, “G” Block,

Bandra Kurla Complex, Bandra – East, Mumbai – 400 051.

Dear Sir,

Sub:- Our Bid for Empanelment of Information Security And Audit Service Providers

We intend to participate in the RFP process for empanelment of the vendors [ISSPs] to provide various ISC and ISAC related services required by the Bank. We submit our Bid Documents along with CHECK LIST. We understand that;

1> You are not bound to accept the lowest or any bid received by you, and you may reject all or any bid without assigning any reason or giving any explanation whatsoever.

2> Bank may follow close or open bidding [RFP] process as per requirement and sole discretion of the Bank.

3> If our Bid is accepted, we undertake to enter into and execute at our cost, when called upon by Bank to do so, a contract in the prescribed Form.

4> You may accept or entrust the entire work to one vendor or divide the work to more than one vendor without assigning any reason or giving any explanation whatsoever.

5> Vendor [ISASPs] means the Bidder (s) who is / are selected by the Bank after the RFP - bidding process.

6> The name(s) of successful bidder(s) to whom the empanelment is finally awarded after the completion of bidding process shall be communicated to the successful bidder(s) - ISSPs. Bank shall NOT entertain any communication in this regard.

7> We have gone through the Technical, Commercial Bidding process and other Terms and Conditions as mentioned in the RFP.

8> We understand that this RFP process is ONLY for empanelment of ISASPs and deciding the mutually agreed Man-Days / Man-Month Service charges.

9> We agree that the lowest price quoted by any vendor under each level will be final and binding on us.

10> We understood the entire bid process of empanelment including the grouping and levels mentioned within the groups.

11> The number of pages in the document is ……………….. This has been duly verified, signed and company’s stamp affixed.

Yours faithfully,

For: [Name of the Company] (Signature of the Authorised Official)

Name:- Designation:-

Place:- Date:-


FORMAT 6.10

Priority List of SERVICES and ASSIGNMENTS by the ISSP in BFSI Sector

| SoW CODE No. | Services / Assignments | Capability (YES) | PRIORITY (1 is TOP Priority) | Total No. of Assignments |
|---|---|---|---|---|
| ISC-STD-01 | Vulnerability Assessment [VA]. | | | |
| ISC-STD-02 | Penetration Testing [PT]. | | | |
| ISC-STD-03 | Secured Configuration, & Hardening Documents Review - [Technical Standards Updation]. | | | |
| ISC-STD-04 | Mobile Application Review and Security related Work. | | | |
| ISC-STD-05 | Risk Assessment, Asset Classification, Review, Compliance of NDAs, SLA with Vendors / Third Party Outsourcing Agencies. | | | |
| ISC-STD-06 | SMS and All Middleware Security Review and related work. | | | |
| ISC-SPL-07 | Network Security, Access Control, Review of NAP Locations, Switches and Routers and LAN - WAN NW. | | | |
| ISC-STD-08 | General Controls Review / Audit Review and related Work. | | | |
| ISC-STD-09 | Anti-Phishing, Anti-Malware and Brand Monitoring Services etc. | | | |
| ISC-STD-10 | PCI DSS Certification and Compliance related Work. | | | |
| ISC-SPL-11 | COBIT – Advisory Services and related Work. | | | |
| ISC-STD-12 | ISO 20000 Certification and related Work. | | | |
| ISC-STD-13 | ISO 22301 Certification, Automated Score ISMS Score Board and related Work. | | | |
| ISC-STD-14 | ISO 27001 Certification and related Work. | | | |
| ISAC-STD-15 | ISO 27001 Audit and Compliance related Work. | | | |
| ISAC-SPL-16 | Review, Update Gaps of IS Audit Policies, IS Audit Manual, IS Audit Procedures, Metrics and related Work. | | | |
| ISC-SPL-17 | Review, Update Gaps of Corporate Information Security Policy [CISP], Procedures, Metrics, Controls. | | | |
| ISAC-SPL-18 | IS Audit - Internal Control Guidelines of Treasury Branch, Dealing Room Activities Review and related Work. | | | |
| ISAC-STD-19 | IS Audit of ATMs of Bancs under Section PSS Act 2007 of RBI and related Work. | | | |
| ISAC-STD-20 | IS Audit of ATMs of BOI Network, Gaps and related Work. | | | |
| ISAC-SPL-21 | Concurrent Audit of Data Center | | | |
| ISC-SPL-22 | Forensic Audit / Analysis / Special Reviews / Scrutinise / Cyber Crime – Investigations and related Work. | | | |
| ISAC-STD-23 | Green Process Audit [GPA], Configuration Audit and related Work. | | | |
| ISC-SPL-24 | Project Management Office [PMO] – Security Solution Assessment, Identification, Requirements for Pre-Implementation of IS Projects, Production Evolution for Monitoring of IS Projects and related Work. | | | |
| ISC-SPL-25 | Application [SW] Security Assessment / Review of Domain / Channel Process Audit including Associated Infrastructure [Including WEB] | | | |
| ISAC-SPL-26 | Application Code Audit - Review – Gap Analysis, Post Compliance Audit and related Work. | | | |
| ISC-STD-27 | Data Governance, Data Protection Strategy Framework and Development related Work. | | | |
| ISAC-SPL-28 | GAP Analysis of Requirements of Local Regulator/s of Foreign Centres including Threat and Vulnerability Risk Assessment [TVRA]. | | | |
| ISAC-SPL-29 | Conducting IS Audit of IT Infrastructure at DC / DR / NR Site / Treasury / RRBs / FCBS / Service Branches – CTS etc. Quality Assurance, GAPs, Compliance Audit/s and related Work. | | | |
| ISC-SPL-30 | Quality Assurance, Conducting GAP Analysis, Compliance Audit/s of RBI / G. G. Committee Recommendations, IT Act 2008, Guidelines of other Foreign Regulators & GoI Guidelines etc. Automation of Compliance requirements and related Work. | | | |
| ISC-SPL-31 | Development and Implementation of IT Governance, Risk and Compliance [IT – GRC], most suitable IS Solutions and Tool/s and related Work. | | | |
| ISC-SPL-32 | Assisting in Selection of suitable tool, solution for ISC / ISAC related work. | | | |
| ISC-SPL-33 | Review of BCPDR System, strategy and related Work. | | | |
| ISC-SPL-34 | Review, Development, Selection, Implementation of various Tools for Data Privacy, Data Protection Data Classification, Data Governance Strategy, and Framework of the Bank in pursuance of the various Regulatory and Government Guidelines in vogue from time to time. | | | |
| ISC-SPL-35 | Develop, Implement, Training IS Awareness, E-Learning Modules related to InfoSec related areas and Issues. | | | |
| ISC-SPL-36 | Review of Post - Implementation of various IS initiatives and Project/s | | | |
| ISC-SPL-37 | Assisting in Log Management – Revamping and upgradation of our SOC Operations, Monitoring, Assessment of SIEM Solution, Optimisation technical process, correlation review for existing DLP, DAM, SIEM, IPS / IDS etc., Identify and assistance in implementation of recommended IS Tools such as IAM, IRM etc. and other related Work. | | | |

NOTE on SoW:-

1> In case of capability, experience and expertise vendors shall mention “YES” and give “Priority of list of services and Assignments” stating 1,2,3.. & so on. In case of “Capability” column kept blank, respective SoW item no will be considered as NO.

2> Kindly mention the No. of Assignments carried out in past TEN years from the date of RFP against respective SoW Code No.

3> In case of ANY other related Activities NOT included in the above list, but related assignment/s carried out by the Bidder, may be added and included in the list after avoiding duplication along with the priority no. of such additional items.

4> The information provided in the list must be supported by documentary evidence. Non submission or incomplete documentary evidence will be considered as Non-conformity for particular SoW and it will not be considered. Bank’s decision in this regard will be final.

5> In case the Bidder has carried out any other assignments over and above the list they may add these assignments together with evidence and PRIORITY for that assignment. The Bidder should give and list out all their ISC and ISAC related Assignments and Services.

Yours faithfully,

For: [Name of the Company]

__________________

(Signature of the Authorised Official)

Name:-

Designation:-

Place:-

Date:-


FORMAT 6.11

Technical BID Form – Stage – I

| Sr No | Activities / Details | Max Marks | Marks Scored * | Weightage | Remarks |
|---|---|---|---|---|---|
| 1 | Total No of Assignments carried out in BFSI related to IS / ISAC Activities in India as declared in FORMAT – 6.10 to be submitted by the Bidder. Proof needs to be submitted. - One Mark per Assignment / Purchase Order [Maximum 3 Marks for 3 years for same / similar activity] for different activities in different organisations. | 23 | | | |
| 2 | Total No of Assignments carried out for IS / ISAC related activities for their Global Clients as per the LIST enclosed as an evidence by the Bidder. One Mark per Assignment / Purchase Order after 01.11.2011 [i.e. during past three years]. | 10 | | | |
| 3 | Total No. of Skilled Employees / Resources available as per the enclosed LIST of Employees with their Credentials / Certifications related to IS / ISAC Activities given in the FORMAT – 6.8. 11 to 25 Employees: 05 Marks; 26 to 50: 10 Marks; Over 51: 15 Marks | 15 | | | |
| 4 | No. of Years’ Existence/Establishment in IS/ISAC related activities in INDIA in BFSI Sector. Evidence of the 1st Assignment to be enclosed as a proof of Experience. - One Mark per year prior to 01.04.2009. | 12 | | | |
| 5 | Technical Skill Credentials (extra ordinary activities) – Proprietary Tools Developed, R&D Work Done, Papers Published, Forensic Assignment Carried out. Other Value added Services and Additional Deliverables, Proprietary Tools, Dashboards, Training, Knowledge sharing, etc. Attach Evidences as a proof. (each activity will carry 1 mark) | 10 | | | |
| 6 | Certifications/Accreditations relevant to IS/ IS Audit Services received from GoI, RBI, IDRBT, IBA, Gartner, BFSI Sector or any other independent Authority. - One Mark per valid current Certificate | 05 | | | |
| 7 | Presentation and Methodologies, Procedures, Tools, Utilities, Templates Developed / used during execution of previous assignments and arrangements for BCPDR Infrastructure proposed etc. presented by the Bidder. – To be given by Bank Team based on Presentations. | 25 | | | |

* TOTAL Marks are to be calculated and filled by the Bidders for item Nos. 1 to 6 and submitted together with the Technical Bid Cover


Yours faithfully,

For: [Name of the Company]

(Signature of the Authorised Official)

Name:-

Designation:-

Place:- Date:-


FORMAT 6.12

Local communication/correspondence Details Form

| City / Location | Postal Address, Telephone, Fax, E-Mail and Contact Details of Contact Personnel | Name & Designation of the contact person |
|---|---|---|
| | | |

Yours faithfully,

For: [Name of the Company]

__________________

(Signature of the Authorised Official)

Name:-

Designation:-

Place:-

Date:-


FORM -6.13

DOCUMENT VERIFICATION CHECK LIST FOR PROPOSAL

| Sr. No. | Name of the Document | Remarks |
|---|---|---|
| (i) | Covering Letter (6.1) | YES |
| (ii) | Non-Disclosure Agreement (6.2) | YES |
| (iii) | Commercial Bid (6.3) | YES |
| (iv) | Contract Form (6.4) | YES |
| (v) | Organisational Profile (6.5) | YES |
| (vi) | Details of related Assignments in BFSI (6.6) | YES |
| (vii) | No of Assignments in BANKS (6.7) | YES |
| (viii) | List of experienced Staff working in the company (6.8) | YES |
| (ix) | Bid Covering Letter (6.9) | YES |
| (x) | Priority List of Services & Assignments (6.10) | YES |
| (xi) | Technical BID Form – Stage – I (6.11) | YES |
| (xii) | Local Communication/Correspondence details Form (6.12) | YES |
| (xiii) | Document Verification Checklist Form 6.13 | YES |
| (xiv) | Demand Draft/PO – Non-refundable Bid Amount ₹ 5,000/- | YES |
| (xv) | CD Containing Technical Document and Presentation | YES |
| (xvi) | Evidence for Eligibility Criteria properly marked as EC-1, EC-2 etc. duly signed and enclosed | YES |

NOTE: All Forms must be filled in by the bidder and necessary supporting evidences must be enclosed with this checklist.

(Name) (Signature) (in the capacity of)

Date: Place:

Duly authorized to sign the proposal for and on behalf of _______________________

Seal

-x-x-x- EOD -x-x-x-