Request for Proposal - NHB · 2016-11-29 · Request for Proposal For ISO 27001 Certification of Bank’s Datacentre Information Technology Department Head Office, National Housing


Request for Proposal

For ISO 27001 Certification of

Bank’s Datacentre

Information Technology Department Head Office, National Housing Bank

Core 5-A, 3rd Floor,India Habitat Centre, Lodhi Road, New Delhi – 110 003 Phone: 011-24649432

E-Mail: [email protected]


Note:- Technical bids will be opened in the presence of bidders who choose to attend.

BID DETAILS

1. Date of commencement of collection of Bid Documents: 01/03/2014
2. Last date and time for collection of Bid Documents: 27/03/2014, 17.00 hrs
3. Last date and time for receipt of Bid Documents: 27/03/2014, 17.00 hrs
4. Date and time of opening of Technical Bid: 28/03/2014, 12.00 hrs
5. Cost of RFP: Rs. 5,000/- (non-refundable) (Rupees Five Thousand only)
6. Earnest Money Deposit amount: Rs. 25,000/- (refundable) (Rupees Twenty Five Thousand only)
7. Place of opening of Bids: National Housing Bank, Head Office, Information Technology Department, Core 5-A, 3rd Floor, India Habitat Centre, Lodhi Road, New Delhi – 110003


TABLE OF CONTENTS

Sl. No.  Subject                                               Page No.
1.   About National Housing Bank                               4
2.   Purpose                                                   4
3.   Scope of the Project                                      6
4.   Existing Set-up of Bank’s Datacentre                      12
5.   Details of IT Security Policy                             14
6.   Other Terms & Conditions                                  14
7.   ISO 27001 Certification Schedule                          20
8.   Penalty Clause                                            21
9.   Bidding Process                                           21
10.  Payment Schedule                                          22
11.  Bid Opening and Evaluation                                22
12.  Evaluation Criteria for the Bidding Process               23
13.  Clarification on Bids                                     26
14.  Preliminary Examination                                   26
15.  Contacting the Bank                                       27
16.  Bank’s Right to Accept or Reject any or all Bids          27
17.  Signing Contract                                          27

ANNEXURES
18.  Annexure A (Part I) – Bidder Information                  28
19.  Annexure A (Part II) – Service Information                29
20.  Annexure A (Part III) – Confidentiality Undertaking       30
21.  Annexure A (Part IV) – Undertaking Letter                 32
22.  Annexure B – Compliance Statement Declaration             34
23.  Annexure C – Format for Commercial Bid                    35
24.  Annexure D – Pre-Qualification Criteria                   36
25.  Annexure E – ECS Mandate                                  37


1. ABOUT NATIONAL HOUSING BANK

National Housing Bank (NHB), a statutory organisation, is a wholly owned subsidiary of the Reserve Bank of India. NHB is an Apex Financial Institution formed under an Act of Parliament with a mandate for the Promotion, Development and Regulation of the Housing Finance Sector. Apart from regulating housing finance companies (HFCs), NHB also extends financial support by way of equity participation in HFCs and refinance facilities to financial institutions such as Banks, HFCs, Co-operative Sector Institutions, Housing Agencies, etc., benefiting the masses in both urban and rural areas. The head office of NHB is located in New Delhi; it has a regional office at Mumbai and representative offices at Ahmedabad, Bangalore, Chennai, Hyderabad, Kolkata, Lucknow, Patna, Bhopal, Bhubaneswar and Nagpur.

2. PURPOSE

National Housing Bank (hereinafter referred to as the Bank), with Head Office at New Delhi, intends to obtain ISO 27001 certification for its Datacentre and Disaster Recovery Site. Related activities are defined in the scope of work. The scope of the system can be enhanced as per the requirements of the Bank.

The purpose of this RFP is to solicit proposals from qualified bidders who have expertise in facilitating ISO 27001 certification. Technical and commercial bids (to be submitted separately) are invited from bidders for the aforesaid job as per the terms and conditions mentioned hereunder.

The Bank has fully fledged centralized systems at its Data Centre and DR site and intends to obtain ISO 27001 certification for its operations at the Data Centre and DR Site. For this the Bank intends to appoint a competent and qualified consultant for ISO 27001 Consultancy & Certification services.

The selected Bidder has to provide services based on the latest ISO 27001 standard, currently ISO 27001:2013, and RBI Guidelines for FIs (if any). Based on the contents of the RFP, the selected Bidder shall be required to independently arrive at an approach and methodology, based on ISO 27001 standards, best practices and RBI guidelines, suitable for the Financial Institution, after taking into consideration the effort estimate for completion of the same and the resource and equipment requirements. The approach and methodology will be approved by the Bank.

The Bank stipulates that the Consultant’s selection under this RFP is on the understanding that this RFP contains only the principal provisions for the entire assignment, and that delivery of the deliverables and the services in connection therewith are only part of the assignment.

The selected bidder shall be required to undertake to perform all such tasks, render requisite services and make available such resources as may be required for the successful completion of the entire assignment, at no additional cost to the Bank.

The selected Bidder will be responsible for carrying out the exercise as per the broad objectives outlined below.

1. A comprehensive risk assessment of the IT operations of the Bank.

2. Development of risk management framework which would ensure that the IT risks are managed by the Bank on an ongoing basis.

3. Develop risk assessment templates for the various Information System Assets for DC & DR to enable the bank to self-assess the risks at any point of time.

4. To arrange the ISO 27001 certification audit by the approved agencies.


5. To ensure that the Bank obtains ISO 27001 Certification for its DC & DR operations and maintains the same.

6. To implement the RBI Working Group Report following a risk based approach.

The selected Bidder will ensure knowledge transfer to the Bank at every stage of the project, to enable the Bank to carry out the work specified in this RFP on its own after completion of this assignment. The Bank may, at its full discretion, choose to avail of all of the services or part thereof; such a decision may be advised in the course of the project. The selected Bidder’s appointment is task specific and would last till the Bank achieves the objectives, namely IT Risk Assessment, ISO 27001 certification for DC & DR and RBI compliance for FIs (if any), as per the scope of this RFP.

3. SCOPE OF THE PROJECT

The primary focus of the scope is to obtain ISO 27001:2013 certification for the Data Centre and Disaster Recovery Site. The detailed scope is as under.

The project scope includes ISO 27001 certification for the Bank’s Data Centre at New Delhi and Disaster Recovery site at Mumbai. Risk Assessment and the mitigation plan should be done as per ISO standards, RBI guidelines for FIs (if any) and industry best practices. The consultant would also develop a risk assessment template with a scoring system, which the Bank would use in future to assess the risks of its business operations. Following is the list of in-scope business units:

o Data Centre, New Delhi

o DR Site Mumbai

Certification, including Recertification, should be as per the latest version of ISO 27001, currently the 2013 version. As part of the IS Audit, the following is already being carried out by the Bank-appointed IS Auditors:


Comprehensive Audit of IT Infrastructure (DC/DR)

• IT Infrastructure review

• Data Centre/DR Audit

• Managed Service effectiveness and Service Level Agreement

• Business Continuity Plan & Disaster Recovery Plan

Comprehensive Audit of Banking Application Systems (SAP)

• Threat & Vulnerability Analysis (periodic audit of customer-facing applications)

• Access controls review

• Review/Audit of ERP Business Application SAP

The reports of the recent audits will be made available to the selected Bidder. Any residual requirement of technical audit, vulnerability assessment, penetration testing, etc. has to be completed by the selected Bidder. As part of the scope of work, the following would need to be carried out.

3.0 Training

Classroom training and on-the-job training, in all phases, would be provided by the selected Bidder to the Bank’s personnel at various levels to give them a proper understanding of the ISO 27001 standard, RBI guidelines for FIs (if any), their compliance and IT Risk Assessment, so as to enable the Bank’s personnel to carry out such assignments independently. The selected vendor will conduct two such training programs in a year.

Training Deliverables

• Training material in the form of training manuals and presentations

• Conduct of classroom trainings for the Bank’s officers at various levels

3.1 Phase I

3.1.1 Scoping: A detailed scoping is required to be carried out to define the areas which would be covered, encompassing the business processes, policies and procedures, IT infrastructure, IT organization, IT implementation etc. The scope would need to be approved by the Bank before further work is undertaken.


Deliverables:

• Description of approach and methodology

• Detailed scope

• Implementation plan

3.1.2 Gap assessment: During this phase the selected Bidder would review the in-scope elements against best practices, the Bank’s own Information Security Policy & Guidelines, ISO 27001 guidelines, RBI and other relevant organizations’ guidelines for FIs (if any), etc. This phase would include, but not be limited to, the following:

• Review of IT governance and organization.

• Review of IT Risk Management framework.

• Review of IT processes and business processes around IT processes.

• Review of Policies, Standards & Guidelines, Procedures and other subordinate documents.

• Review of Change Management Process, including security testing of applications/updates/patches before moving to production.

• Review based on the Bank-appointed IS Auditors’ Comprehensive Audit reports of IT Infrastructure.

• Review based on the Bank-appointed IS Auditors’ Audit reports on Banking application systems.

3.1.3 Asset Identification, Ownership & Classification: The selected Bidder would be required to identify, classify and document all Information System assets of various types in a logical manner. The selected Bidder will define owners in consultation with the Bank and will perform the asset valuation based on the confidentiality, integrity and availability value of each asset. The selected Bidder will classify the assets according to criticality, based on the business area and usage.

3.1.4 Threat analysis: The selected Bidder will perform the Threat and Vulnerability analysis and compute the probability of occurrence of each threat based on a scientific method.


3.1.5 Risk assessment: The selected Bidder would use a standard risk assessment methodology and assess the risk based on the inputs from the above three steps, i.e. Gap assessment; Asset identification, valuation and classification; and Threat analysis. The selected Bidder will also evaluate the third party relationships (if any) and perform a risk assessment of the same. Risk Assessment would have to be carried out for all Information System assets without any sampling. Risk Assessment would be carried out at the frequency required by the guidelines/norms of ISO 27001 certification. Ongoing Risk assessment would need to be carried out for any new implementation in the Bank during the period of the assignment.

3.1.6 Baseline Security Review: The selected Bidder would review the baseline security of IT Assets as per industry best practices and vendor recommended guidelines and ensure that baseline security is implemented. The selected Bidder should ensure that baseline security documents are available; in case of any gap found, the same has to be formulated by the vendor.

3.1.7 Deliverables for Gap Assessment:

• Gap assessment report based on ISO 27001 standards and the RBI Working Group Report dated and RBI Circular No. RBI/2010-11/494 DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, with separate columns indicating the ISO and RBI gaps. The details are available at the RBI URL: http://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf

• Review/Audit reports under various heads such as IT organisation and Technical Infrastructure, with detailed implementable steps.

• Asset Inventory, ownership and classification; Asset Register.

• Risk Management Framework for the Bank.

• Process for ongoing Risk Assessment before introduction of any application or IT device.

• Risk Assessment Report.

• Baseline security review report.
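The Phase I steps above (asset valuation on confidentiality, integrity and availability, classification by criticality, threat probability, and a risk assessment that covers every asset without sampling) together describe a scoring template. The following Python sketch is an added illustration of such a template; it is not part of the RFP and not any bidder's deliverable. The 1-to-5 rating scales, the "asset value = highest of C, I, A" rule, the product formula, the Low/Medium/High bands and the acceptance threshold are assumptions a consultant would have to agree with the Bank, and the asset and threat entries are constructed sample data, not the Bank's inventory.

```python
"""Risk assessment scoring template (added example; scheme is hypothetical)."""
from dataclasses import dataclass
from typing import List

SCALE = range(1, 6)  # every rating is 1 (negligible) .. 5 (severe); assumed scale


def _check(label: str, *values: int) -> None:
    for v in values:
        if v not in SCALE:
            raise ValueError(f"{label}: rating must be in 1..5, got {v}")


@dataclass(frozen=True)
class Asset:
    """One row of the asset register (3.1.3): owner plus C, I, A values."""
    name: str
    owner: str
    c: int
    i: int
    a: int

    def value(self) -> int:
        # Assumed rule: the asset value is the highest of the C/I/A values,
        # since loss of the most sensitive property drives the impact.
        _check(self.name, self.c, self.i, self.a)
        return max(self.c, self.i, self.a)

    def criticality(self) -> str:
        # Classification by criticality; the bands are assumptions.
        v = self.value()
        return "Critical" if v >= 4 else "Important" if v == 3 else "Normal"


@dataclass(frozen=True)
class Threat:
    """A threat to one named asset (3.1.4): likelihood and ease of exploitation."""
    name: str
    asset: str
    likelihood: int
    vulnerability: int


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    asset_value: int
    score: int
    level: str


def risk_level(score: int) -> str:
    # Assumed bands over the 1..125 score range.
    if score > 50:
        return "High"
    if score > 20:
        return "Medium"
    return "Low"


def assess(assets: List[Asset], threats: List[Threat]) -> List[RiskEntry]:
    """Risk register (3.1.5): score = asset value x likelihood x vulnerability,
    one row per (asset, threat) pair, highest risk first."""
    by_name = {a.name: a for a in assets}
    register = []
    for t in threats:
        if t.asset not in by_name:
            raise KeyError(f"threat '{t.name}' refers to unknown asset '{t.asset}'")
        _check(t.name, t.likelihood, t.vulnerability)
        av = by_name[t.asset].value()
        score = av * t.likelihood * t.vulnerability
        register.append(RiskEntry(t.asset, t.name, av, score, risk_level(score)))
    return sorted(register, key=lambda r: r.score, reverse=True)


def unassessed_assets(assets: List[Asset], register: List[RiskEntry]) -> List[str]:
    """Assets with no risk row. The RFP requires every asset to be assessed with
    no sampling, so a non-empty result means the assessment is incomplete."""
    covered = {r.asset for r in register}
    return sorted(a.name for a in assets if a.name not in covered)


def needs_treatment(register: List[RiskEntry], accept_at_or_below: int = 20) -> List[RiskEntry]:
    """Rows above the (assumed) acceptance threshold feed the Phase II remediation plan."""
    return [r for r in register if r.score > accept_at_or_below]


# Constructed sample data, not the Bank's real inventory or threat list.
ASSETS = [
    Asset("SAP-ERP application server", "Head, IT Department", c=5, i=5, a=5),
    Asset("Corporate e-mail server", "Head, IT Department", c=4, i=3, a=4),
    Asset("File server", "Head, IT Department", c=3, i=3, a=2),
    Asset("DC-DR MPLS link", "Network team", c=3, i=3, a=5),
    Asset("CCTV recorder", "Facilities", c=2, i=2, a=2),  # deliberately has no threat row
]
THREATS = [
    Threat("Exploitation of unpatched application flaw", "SAP-ERP application server", 3, 4),
    Threat("Credential phishing of mailbox users", "Corporate e-mail server", 4, 3),
    Threat("Ransomware on shared folders", "File server", 3, 3),
    Threat("Last-mile fibre cut", "DC-DR MPLS link", 2, 2),
]

if __name__ == "__main__":
    register = assess(ASSETS, THREATS)
    for row in register:
        print(f"{row.level:<6} {row.score:>3}  {row.asset} <- {row.threat}")
    print("Not yet assessed:", unassessed_assets(ASSETS, register))
    print("Rows needing treatment:", len(needs_treatment(register)))
```

The register is what the Phase I "Risk Assessment Report" deliverable would contain; the unassessed-asset check is the control against sampling, and re-running assess() after adding a new asset and its threats is the ongoing assessment the RFP asks for when something new is implemented.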

3.2 Phase II: Gap/Risk Remediation

The Selected Bidder will identify the gaps in the Bank’s existing environment vis-à-vis the ISO 27001 requirements and RBI Guidelines, and suggest to the Bank a remediation plan with the detailed steps to be performed to achieve ISO 27001 certification and meet RBI requirements. The Selected Bidder will have to hold periodic meetings with the Bank and spell out a detailed remediation plan for the various levels (organization, policies and procedures, devices) to facilitate implementation. The remediation plan has to be granular and deficiency specific, based on the risk assessment; generic recommendations should be avoided.

The Selected Bidder would have to revise or formulate the required documentation, such as the IT Security policy, Standards & Guidelines, Procedures, subordinate documents, Baseline security etc. The required documentation should also include the steps to be performed for ongoing ISO 27001 compliance and regular risk assessment.

The Selected Bidder has to provide technical expertise in identifying and evaluating product vendors for technology solutions that would be required to mitigate the risks. The selected Bidder has to coordinate with the Bank’s system integrator, monitor the progress of risk remediation and provide handholding support to the Bank till the risk is remediated. The support has to be in the form of emails, telephone, onsite visits, additional technical inputs etc., as may be required by the Bank during the tenure of the contract. In case a solution suggested by the selected Bidder cannot be implemented, the selected Bidder will suggest an alternative solution to the Bank.

Deliverables for Gap/Risk Remediation:

• Business unit wise Risk Mitigation and Gap remediation plan, with separate columns for ISO and RBI gaps.

• Revised or new IT Security policy, Standard & Guideline, Procedures and subordinate documents etc.

• Baseline security hardening guideline documents

3.3 Phase III: Certification

• The selected Bidder has to perform the pre-certification audit on completion of the Gap remediation to ensure compliance with the ISO 27001 standard. The coverage needs to be comprehensive during this exercise, as per the ISO 27001 requirement.

• Prepare all the documentation required (like SOA) and enable the Bank to apply for ISO 27001.

• Provide onsite consultancy support during ISO 27001 Certification audit.

• Get the ISO 27001 Certification audit done through an authorized certification agency and obtain the ISO 27001 certification for the Bank.

• Carry out a compliance evaluation vis-à-vis the RBI Working Group Report.

Deliverables for Certification

• Pre-certification Audit report.

• Consultancy support to get the ISO 27001 certification.

• All documentation required for ISO 27001 certification.

• ISO 27001 Certification reports by the approved auditors.

• RBI compliance report based on the working group recommendations.

3.4 Phase IV: Post Certification

The selected Bidder has to perform the steps enumerated above in Phase I to Phase III to ensure ongoing compliance by the Bank. The selected Bidder will perform a risk assessment on a six-monthly basis and perform ongoing risk assessment of any changes in the IT infrastructure assets. The ongoing compliance will include ISO 27001 surveillance audits for the next 2 years after the certification and a recertification audit after 3 years by the authorized auditors.

Deliverables

• As per above phase I to III

• Ongoing Risk assessment reports.

• 6 monthly Risk assessment report


4. EXISTING SETUP OF BANK’S DATACENTRE

Bank’s Data Centre

The Bank has its Data Centre (DC) at Head Office, New Delhi and Disaster Recovery Site (DRS) at the Mumbai Regional Office, Mumbai. The Data Centre of the Bank hosts about 30 servers which run on a 24x7 basis. The business operation of the Bank is completely dependent on the efficient functioning of these servers round the clock. The key operational services provided by these servers are SAP-ERP (the Enterprise Application), the Corporate e-Mail service, File Servers etc. These servers are interconnected through network devices like routers, switches, firewalls etc. The DC also hosts network devices, power distribution equipment, surveillance equipment and other devices. These devices are installed in server and network rack units for better space manageability and controlled operation. The rack units are placed on a raised platform which facilitates air flow for better and more effective cooling. The DC equipment is powered through redundant Uninterruptible Power Supply (UPS) devices. The Data Centre is equipped with two Precision Air Conditioners (PAC), which provide cooling and control humidity for the smooth functioning of servers, network devices and other equipment. The Bank has also installed four stabilisers to provide stabilized and controlled electrical power to the UPS and PAC units. The existing DC is hosted on the 3rd floor (west side) and occupies an area of 380 sq ft (approx.).

Network Architecture

The Bank upgraded its leased line based network to an MPLS based network during the year 2011. M/s Sify is the vendor providing MPLS connectivity across all NHB locations. Multiprotocol Label Switching (MPLS) is an advanced network facility and the successor of the legacy leased line based network. The service is backed by defined parameters such as CoS (Class of Service), jitter, packet loss etc. and is easy to manage and monitor. It is also backed by a Service Level Agreement (SLA) to ensure uptime and uninterrupted service. MPLS gives network operators a great deal of flexibility to divert and route traffic around link failures, congestion and bottlenecks, thus ensuring robust connectivity with high uptime. In addition to moving traffic faster overall, MPLS makes it easy to manage a network for Quality of Service (QoS). MPLS has become the de facto standard for interconnecting offices and has been implemented by all PSBs and peer groups.

A. Present MPLS infrastructure

Connectivity & NHB IT Services:

a. At present NHB has MPLS connectivity between DC, DR and other NHB locations as under:

S.No  Location    Bandwidth
1     New Delhi   8 Mbps
2     Mumbai      2 Mbps
3     Ahmedabad   512 Kbps
4     Bangalore   512 Kbps
5     Chennai     512 Kbps
6     Hyderabad   512 Kbps
7     Kolkata     512 Kbps
8     Patna       512 Kbps
9     Lucknow     512 Kbps

b. The MPLS link between the HO (DC Site) and the MRO (DR Site) is redundant, i.e. the last mile connections are provided by two different service providers to ensure minimal downtime, and is of higher bandwidth. The higher bandwidth is procured to cater to the high bandwidth requirement of applications such as SAP/Exchange/File Server exchanging data over the MPLS link.

c. MPLS service is also being used for Video Conferencing (VC) through which all interactions among HO, MRO & RROs and various staff meetings (with remote offices) are being carried out. Bank also conducts interviews over VC for promotion of the officers working at RROs and MRO. All Representative Offices of the Bank except Bhopal, Nagpur & Bhubaneswar are interconnected over MPLS with a bandwidth of 512 Kbps.

d. It may also be mentioned that all RRO location links are backed up by an ISDN line, which works as a redundant link between the two sites.


5. Details of IT Security Policy

The Bank has an IT Security Policy which has been reviewed by the IS Auditors as also by the IT Committee from time to time and has been approved by the Board of Directors. The Bank also has 3 other policy documents and guideline documents which are approved by the IT Committee and the Board. The Bank also has a Business Continuity Plan approved by the Board of Directors.

6. OTHER TERMS & CONDITIONS:

The Bank reserves the right to:

• Reject any and all responses received in response to the RFP, with or without assigning any reasons whatsoever.

• Waive or change any formalities, irregularities, or inconsistencies in proposal format delivery.

• Negotiate any aspect of a proposal with any Bidder, and negotiate with more than one Bidder at a time.

• Extend the time for submission of all proposals.

• Select the most responsive Bidders (in case no Bidder satisfies the eligibility criteria in totality).

• Select the next most responsive Bidder if negotiations with the Bidder of choice fail to result in an agreement within a specified time frame.

• Share the information/ clarifications provided in response to RFP by any Bidder, with any other Bidder(s) /others, in any form.

• Cancel the RFP/Tender at any stage, without assigning any reason whatsoever.

7. INSTRUCTION TO BIDDERS

The Bidder is expected to examine all instructions, forms, terms and specifications in the bidding documents. Failure to furnish all information required by the bidding documents may result in the rejection of its bid and will be at the bidder's own risk. No binding legal relationship will exist between any of the Respondents and the Bank until execution of a contractual agreement.


Each Bidder acknowledges and accepts that the Bank may in its absolute discretion apply the selection criteria specified in the document for evaluation of proposals for short listing / selecting the eligible vendor(s). The RFP document will not form part of any contract or arrangement which may result from the issue of this document or any investigation or review carried out by the bidder.

The bidder will, by responding to the Bank for this RFP, be deemed to have accepted the terms of this Introduction and Disclaimer.

Bidders are required to direct all communications related to this RFP through the Nominated Point of Contact person:

Contact: R K Pandey
Position: General Manager (IT)
Email: [email protected]
Telephone: +91 - 11 – 24649432
Fax: +91 - 11 – 24649432

Or

Contact: Sourav Seal
Position: Assistant General Manager (IT)
Email: [email protected]
Telephone: +91 - 11 – 24611070
Fax: +91 - 11 – 24649432

The Bank may, in its absolute discretion, seek additional information or material from any bidder after the RFP closes, and all such information and material provided must be taken to form part of that bidder’s response.

Bidders should provide details of their contact person, telephone, fax, email and full address(s) to ensure that replies to RFP could be conveyed promptly.

If the Bank, in its absolute discretion, deems that the originator of a question will gain an advantage by a response to the question, then the Bank reserves the right to communicate such response to all Respondents.


Queries / Clarification if any, may be sought from the contact persons detailed above before the deadline for submission of bids, between 10.00 am to 5.00 pm on any working days (Monday to Friday except holidays).

The Bank may, at its absolute discretion, engage in discussion or negotiation with any Bidder (or simultaneously with more than one Bidder) after the RFP closes, to improve or clarify any response.

The Bank will notify all short-listed Bidders in writing, by mail or by publishing on its website as soon as a decision is taken on the outcome of their RFP. The Bank is not obliged to provide any reasons for any such acceptance or rejection.

The bids qualifying the Minimum Eligibility Criteria will be eligible for further evaluation and subsequently the bids which qualify both Minimum Eligibility Criteria and Technical Evaluation Criteria will be eligible for Commercial Evaluation.

7.1 Pre-bid Meeting

For the purpose of clarification of doubts of the bidders on issues relating to this RFP, NHB intends to hold a Pre-Bid meeting on the date and time indicated in the RFP. The queries of all the bidders, in writing, should reach the Bank by e-mail or by post on or before 14/03/2014 at the address mentioned above. It may be noted that no queries of any bidder shall be entertained which are received after the Pre-Bid meeting. Clarifications on queries will be given in the Pre-Bid meeting. Only the authorized representatives of bidders who have purchased the RFP will be allowed to attend the Pre-Bid meeting.

7.2 Soft Copy of Tender Document & Bid Earnest Money and Cost of RFP

The soft copy of the tender document will be made available on the Bank’s website http://www.nhb.org.in. The bidder has to submit the RFP cost of Rs. 5,000 (Rupees Five Thousand) (non-refundable) and an earnest money deposit of Rs. 25,000 (Rupees Twenty Five Thousand only) (refundable after successful completion of the ISO 27001 Certification exercise for the successful bidder, and after finalization of the selection process for unqualified bidders) by way of an e-payment in favour of National Housing Bank. The account details are given below:

1. Beneficiary Name: National Housing Bank
2. Beneficiary Address: Core 5A, 4th Floor, India Habitat Centre, Lodhi Road, New Delhi 110 003
3. Beneficiary Bank Name: State Bank of Hyderabad
4. Beneficiary Bank Branch Address: Pragativihar Delhi Branch, Ground Floor, Core-6, Scope Complex, Lodhi Road, New Delhi – 110 003
5. Type of Bank Account: Current account
6. Beneficiary Bank A/C No: 52142903844
7. IFSC code of Bank branch: SBHY0020511
8. MICR No.: 110004005

The proof of the payment should be enclosed and put in the envelope containing the Technical Bid; in the absence of which the bid may not be considered for further evaluation. The bidders are also required to submit ECS Mandate Form as enclosed in Annexure-E.

• The EMD security may be forfeited:

o If a Bidder withdraws its bids during the period of bid validity

o If a Bidder makes any statement or encloses any form which turns out to be false/incorrect at any time prior to signing of the contract

o In case of successful Bidder, if the Bidder fails to Sign the contract.

7.3 Language of Bid

The bid prepared by the Bidders, as well as all correspondence and documents relating to the Bid exchanged by the Bidder and the Bank and supporting documents and printed literature shall be written in English.

7.4 Masked Commercial Bid

The bidder should submit a copy of the actual price bid (as per the format specified by the Bank) being submitted to NHB with the actual prices masked. This is mandatory. The bid may be disqualified if it is not submitted properly masked. The Bank reserves the right to cancel the bid at the time of commercial evaluation if the format/details (except price) of the ‘Masked Commercial Bid’ do not match the format/details of the actual Commercial Bid submitted.


7.5 Cost of Bidding

The bidder shall bear all the costs associated with the preparation and submission of bid and Bank will in no case be responsible or liable for these costs regardless of the conduct or outcome of the bidding process.

7.6 Bidding Document

The bidder is expected to examine all instructions, forms, terms and conditions and technical specifications in the Bidding Document. Submission of a bid not responsive to the Bidding Document in every respect will be at the bidder’s risk and may result in the rejection of its bid without any further reference to the bidder.

7.7 Amendment to Bidding Documents

At any time prior to the last Date and Time for submission of bids, the Bank may, for any reason, modify the Bidding Document by amendments at its sole discretion. All amendments shall be uploaded on the Bank’s website. In order to give prospective bidders reasonable time to take any amendment into account in preparing their bids, the Bank may, at its discretion, extend the deadline for submission of bids.

7.8 Period of Validity

Bids shall remain valid for six months from the date of its opening, as prescribed by the Bank. A bid valid for shorter period shall be rejected by the Bank as non-responsive.

7.9 Bid Currency


Prices shall be expressed in Indian Rupees only. 7.10 Submission of Bids

The bidders shall duly seal each envelope with RED LAC SEAL (Wax Seal) and place both envelopes in a third envelope, which shall also be sealed only with red lac. The bid should be addressed to the Bank at the following address, up to the time and date mentioned on page 2 of this document:

General Manager
Information Technology Department
National Housing Bank, Head Office
Core 5-A, 5th Floor, India Habitat Centre,
Lodhi Road, New Delhi – 110003

7.11 Last Date and Time for Submission of Bids

Bids must be received by the Bank at the address given in the Bid Document not later than the specified date and time as given in the Bid Document or as extended by the Bank as per clause 3. In the event of the specified date of submission of bids being declared a holiday for the Bank, the bids will be received up to the appointed time on next working day.

7.12 Late Bids

Any bid received by the Bank after the due date of submission of bids will be rejected and/or returned unopened to the Bidder, if so desired by him.

7.13 Modifications and/or Withdrawal of Bids

• Bids once submitted will be treated as final and no further correspondence will be entertained on this.


• No bid will be modified after the due date of submission of bids.

• No bidder shall be allowed to withdraw the bid, if the bidder happens to be a successful bidder.

7.14 Content of Documents to be Submitted

7.14.1 Documents required in Technical Bid Envelope (Sealed Cover):

i. Bidder’s information as per Part “I” of Annexure ‘A’.
ii. Service Information as per Part “II” of Annexure ‘A’.
iii. Confidentiality Undertaking as per Part “III” of Annexure ‘A’.
iv. Undertaking Letter as per Part “IV” of Annexure ‘A’.
v. Compliance Statement Declaration – Annexure ‘B’.
vi. ECS Mandate Format – Annexure ‘E’.

7.14.2 Documents required in Commercial Bid Envelope (Sealed Cover):

i. Commercial offer: The offer should be as per the commercial bid format in Annexure ‘C’ and should be all-inclusive, including taxes and other Govt. levies etc. In case of any variation (upward or downward) in Government levies/taxes/duties etc. up to the date of invoice, the benefit or burden of the same shall be passed on or adjusted to the Bank.

8. ISO CERTIFICATION SCHEDULE

The selected vendor has to depute their officials at NHB Delhi for facilitating ISO 27001 Certification of its Datacentre (New Delhi) and Disaster Recovery Site (Mumbai) within 10 days of placement of the service contract. The ISO 27001 Certification and its related activities for the DC & DR sites of NHB shall be carried out in accordance with the roll-out plan laid out by NHB.


The Certification process shall be carried out at the New Delhi (DC Site) & Mumbai (DR Site) offices of NHB.

S. No. / Description / Tentative Duration
1. Study of Existing System: 5 working days
2. Study of documents/processes provided by SAP vendor: 5 working days
3. ISO 27001 Certification Exercise: 15 working days
4. Examination and Submission of Reports: 5 working days
5. Addressing Gaps (if any): 5 working days
6. Audit Review for the Data Centre for ISO 27001 Certification: 5 working days
7. Getting the processes and other details verified by ISO 27001 certification agency: 15 working days
8. Arranging for issuance of certificate: 15 working days
Total: 70 working days

9. PENALTY CLAUSE

Penalty will be charged at 2% of the total contract rate per week of delay in getting the processes and other details verified by the ISO 27001 certification agency and arranging for issuance of the certificate, up to a maximum of 10% of the contract cost. If the delay exceeds 5 weeks, the contract/order may be cancelled and the Bank may claim the entire advance amount with interest from the vendor, with an additional 10% of the contract cost as penalty.

10. BIDDING PROCESS (TWO STAGES)

For the purpose of the present job, a two-stage bidding process will be followed. The response to the RFP will be submitted in two parts:

Technical bid: Part I
Commercial bid: Part II

The bidder will have to submit the Technical bid and the Commercial portion of the bid separately in two separate red lac-sealed envelopes (wax seal), duly superscribing “ISO 27001 CERTIFICATION”, “TECHNICAL BID” or “COMMERCIAL BID” as the case may be. The TECHNICAL BID shall not contain any pricing or commercial information. The bid shall be typed or written in indelible ink and shall be signed by the Bidder or a person duly authorized by him. The authorization shall be indicated by a written power of attorney accompanying the Bid. All pages of the Bid shall be initialed by the person(s) signing the Bid. The Bid shall contain no interlineations, erasures or overwriting except as necessary to correct errors made by the Bidder, in which case corrections shall be initialed by the person(s) signing the Bid.

11. PAYMENT SCHEDULE

Payment will be made on a completion-of-project basis.

a. 50% of the contract rate as advance payment on acceptance of order. Advance payment will be released only on submission of a Performance Bank Guarantee of 55% of the contract rate valid up to one year.

b. 50% of yearly contract rate after completion of the ISO 27001 certification and submission of final compliance report.

Note: If the selected vendor does not submit the Bank Guarantee within one month of placement of order, no advance amount will be released and full payment will be made only after completion of the project for the respective year.

12. BID OPENING AND EVALUATION

The Bank will open the technical bids, in the presence of Bidders' representatives who choose to attend, at the time and date mentioned in the Bid document at the address mentioned at clause 7.10 titled “Submission of Bids”. The bidders or their representatives who are present shall sign a register as evidence of their presence. In the event of the specified date of bid opening being declared a holiday for the Bank, the bids shall be opened at the appointed time and place on the next working day. In the first stage, only the TECHNICAL BID will be opened and evaluated. Bidders satisfying the technical requirements as determined by the Bank and accepting the terms and conditions of this document shall be short-listed. In the second stage, the COMMERCIAL BID of short-listed bidders will be opened. The Bank reserves the right to accept or reject any technical bid without assigning any reason. The decision of the Bank in this regard shall be final and binding on the bidders. Only the commercial bids of those bidders whose technical bids are found suitable by the Bank shall be opened.

12.1 Evaluation Criteria for the Bidding Process

The bids received from the firms would be evaluated on the basis of their technical and financial competencies. The technical competencies would be evaluated first, and only the firms achieving the requisite qualifying technical score would be eligible for the financial bid round. The composite score of the technical and financial competencies would be considered as the final score for the firm, and the firm with the highest composite score would be considered for the project.

Technical Bids

Criteria and point system for the evaluation of the Technical Bids are as under (Maximum Points: 100). The points (max marks) awarded are shown against each option.

1. Past experience (Max Marks 20): The company should have past experience in implementing/facilitating ISO 27001 certification exercise. The bidder should be in the business of ISO 27001 certification for at least five years as on December 31, 2013.
   a. 3+ but less than 5 years: 05
   b. 5+ to 7 years: 10
   c. More than 7 years: 20

2. Competency of the firm to undertake ISO 27001 Certification in state of the art centralized Datacentre environment (Max Marks 20). (Decision of the Bank is final towards considering state of the art centralized Datacentre environment. Bidder has to submit satisfactory certificates from the clients in the respective area.)
   a. 3 to 5 state of the art centralized Datacentre environments (should be undertaken in different organizations, preferably in PSUs/Govt. Bodies/FIs/Banks): 10
   b. 6 to 7 Datacentres: 15
   c. More than 7 Datacentres: 20

3. List of Clients (with respect to ISO 27001 certification in Centralised datacentre) (Max Marks 20). (Only currently valid contracts (up to last 5 years) considered for points award.)
   o For 7 or more in Govt. Sector/PSU/Banks/FIs in India/Large corporate: 20
   o For 5 or less in Govt. Sector/PSU/Banks/FIs in India/Large corporate: 15
   o For 3 or less in Govt. Sector/PSU/Banks/FIs in India/Large corporate: 08
   o Private clients in India/Large corporate: 00

4. Details of qualified professionals on the rolls of the firm handling ISO 27001 certification (Max Marks 20). [The following professional qualifications will be considered: CA/ICWA/MBA/DISA/CISA/CISM/BE/MCA]
   • More than 200 professionals: 20
   • 150+ to 200 professionals: 15
   • 100+ to 150 professionals: 10

5. Average turnover for the last 3 years (with respect to ISO 27001 Certification/IS Audit only) (Max Marks 20)
   Rs. 06 Crore to 10 Crore: 08
   Rs. 10+ Crore to 15 Crore: 10
   Rs. 15+ Crore to 20 Crore: 15
   Rs. 20+ Crore and above: 20

Bidders have to provide copies of supporting documents against each criterion mentioned above, without which the bid may be rejected. The minimum qualifying score for the Technical Bid would be 75.

Note: An organization having an average annual turnover/business of Rs. 1000 Crore or above during the last three years, with a minimum of 1000 employees on its payroll and having offices in all metro cities in India including Bangalore and Hyderabad, will be considered as Large Corporate Sector for this RFP.

12.2 Financial Bid

Only firms successfully qualifying the requisite criteria of the Technical Bid process would be considered eligible for the Financial Bid Round. The evaluation of the Financial Bids would be as follows:

♦ The lowest bid will be assigned the maximum Financial Score of 100 points.
♦ The Financial Scores of the other Financial Bids will be computed relative to the lowest evaluated Financial Bid.
♦ The Financial Score computing methodology is as follows:

Financial Score = (Price of Lowest Bid / Price of Bid under consideration) × 100

Final Processing

♦ Proposals would be ranked according to their Final Score, arrived at by combining Technical and Financial Scores as follows:

Final Score = Technical Score × T + Financial Score × F
(where T is the weightage given to the Technical Bid, F is the weightage given to the Financial Bid, and T + F = 1)

♦ Weightages for the bids are as follows:

I. Technical Bid (T): 60%
II. Financial Bid (F): 40%
Total Weightage: 100%

♦ The firm achieving the highest combined Technical and Financial Score will be invited for negotiations.

• The Bank reserves the right to revise the evaluation criteria, methodology, distribution of points and weightages if it finds it necessary to do so.

13. CLARIFICATIONS ON BIDS

To assist in the examination, evaluation and comparison of bids, the Bank may, at its discretion, ask the bidder for clarification. The response shall be in writing, and no change in the price or substance of the bid shall be sought, offered or permitted.

14. PRELIMINARY EXAMINATION

The Bank will examine the bids to determine whether they are complete, whether any computational errors have been made, whether the required information has been provided as outlined in the bid document, whether the documents have been properly signed, and whether the bids are generally in order. A bid determined as not in order as per the specifications will be rejected by the Bank.

15. CONTACTING THE BANK

Any effort by a bidder to influence the Bank in the Bank's bid evaluation, bid comparison or contract award decision may result in the rejection of the Bidder's bid. The Bank's decision will be final and without prejudice and will be binding on all parties.

16. BANK'S RIGHT TO ACCEPT OR REJECT ANY BID OR ALL BIDS

The Bank reserves the right to accept or reject any bid, and to annul the bidding process and reject all bids at any time prior to award of contract, without thereby incurring any liability to the affected bidder or bidders or any obligation to inform the affected bidder or bidders of the grounds for the Bank's action. The Bank reserves the right to select more than one bidder keeping in view its large requirements.

17. SIGNING OF CONTRACT

The successful bidder(s), to be called the vendor, shall be required to enter into a Service Level Agreement (SLA) with the Bank within 7 days of the award of the tender or within such extended period as may be specified by the Bank.

--------XXX--------


Annexure ‘A’

PART – I: Bidder Information

Please provide the following information about the Company (attach separate sheet if required):

S. No. / Information / Particulars / Response

1. Company Name:
2. Date of Incorporation:
3. Company Head Office / Registered Office and Addresses:
   Contact Person(s):
   Phone:
   Fax:
   E-mail:
   Website:
4. Provide the range of services/options offered covering service description and different schemes available for:
   o ISO 27001 Certification
   o Risk Analysis of IT Systems/Infrastructure
   (Response: Yes / No / Comments (if option is ‘No’))
5. Any pending or past litigation (within three years)? If yes, please give details. Also mention the details of claims and complaints received in the last three years (about the Company / services provided by the Company).
   (Response: Yes / No / Comments (if option is ‘Yes’))
6. Please mention turnover for the last three years and include copies of the Balance Sheet in support of it.
   Year / Turnover / Profit/Loss(-)
   2010-11:
   2011-12:
   2012-13:

Signature of Bidder


PART – II: Service Information

S. No. / Service / Name of organization where the service is provided / Duration of service (in weeks)
1. ISO 27001 Certification:
2. IS Audit of banking package other than ERP:

We confirm that all the details mentioned above are true and correct, and if the Bank observes any misrepresentation of facts on any matter at any stage of evaluation, the Bank has the right to reject the proposal and disqualify us from the process. We hereby acknowledge and unconditionally accept that the Bank can at its absolute discretion apply whatever criteria it deems appropriate, not limited to those criteria set out in the RFP document, in short-listing vendors for facilitating ISO 27001 Certification of its Datacentre. We also acknowledge that this bid is valid for a period of six months, for the short-listing purpose, from the last date of submission of the bid.

SIGNATURE OF VENDOR WITH SEAL
NAME OF THE AUTHORISED SIGNATORY


PART – III: (On the letterhead of the bidder)

Strictly Private and Confidential

Shri R. K. Pandey, GM
Information Technology Department
National Housing Bank
5th Floor, Core-5A, India Habitat Centre
Lodhi Road, New Delhi – 03

[Date]

Confidentiality Undertaking

We acknowledge that during the course of bidding for the Request For Proposal (RFP) floated for ISO 27001 Certification of the Datacentre in National Housing Bank, we shall have access to and be entrusted with Confidential Information. In this letter, the phrase "Confidential Information" shall mean information (whether of a commercial, technical, scientific, operational, administrative, financial, marketing, business, or intellectual property nature or otherwise), whether oral or written, relating to NHB and its business that is provided to us pursuant to this Agreement. In consideration of you making Confidential Information available to us, we agree to the terms set out below:

1. We shall treat all Confidential Information as strictly private and confidential and take all steps necessary (including but not limited to those required by this Agreement) to preserve such confidentiality.

2. We shall use the Confidential Information solely for the preparation of our response to the RFP and not for any other purpose.

3. We shall not disclose any Confidential Information to any other person or firm, other than as permitted by item 5 below.

4. We shall not disclose or divulge any of the Confidential Information to any other client of [ISO 27001 Certifying Firm].

5. This Agreement shall not prohibit disclosure of Confidential Information:
   o To our partners/directors and employees who need to know such Confidential Information to assist with the bidding for the RFP floated for ISO 27001 Certification;
   o With your prior written consent, such consent not to be unreasonably withheld;
   o To the extent that such disclosure is required by law;
   o To the extent that such disclosure is required by any rule or requirement of any regulatory authority with which we are bound to comply; and
   o To our professional advisers for the purposes of our seeking advice. Such professional advisers will be informed of the need to keep the information confidential.

6. Upon your request we shall arrange delivery to you of all Confidential Information, and copies thereof, that is in document or other tangible form, except:
   o For the purpose of a disclosure permitted by item 5 above; and
   o To the extent that we reasonably require to retain sufficient documentation that is necessary to support any advice, reports, or opinions that we may provide.

7. This Agreement shall not apply to Confidential Information that:
   o Is in the public domain at the time it is acquired by us;
   o Enters the public domain after that, otherwise than as a result of unauthorized disclosure by us;
   o Is already in our possession prior to its disclosure to us; and
   o Is independently developed by us.

8. This Agreement shall continue perpetually unless and to the extent that you may release it in writing.

9. We acknowledge that the Confidential Information will not form the basis of any contract between you and us.

10. We warrant that we are acting as principal in this matter and not as agent or broker for any person, company, or firm.

11. We acknowledge that no failure or delay by you in exercising any right, power or privilege under this Agreement shall operate as a waiver thereof nor shall any single or partial exercise thereof or the exercise of any other right, power, or privilege.

12. This Agreement shall be governed by and construed in accordance with Indian law and any dispute arising from it shall be subject to the exclusive jurisdiction of the Delhi courts.

Yours sincerely,

Signature and Stamp of Company
[Authorized Signatory (same as signing the proposal) – ISO 27001 Certifying organization]
Name:
Position:
Date:

We have read this Agreement fully and confirm our agreement with its terms.


PART – IV: Letter to be submitted by bidder along with bid documents

To
The General Manager
Information Technology Department
National Housing Bank, Head Office
Core 5-A, 3rd Floor, India Habitat Centre,
Lodhi Road, New Delhi – 110003

Sir,

Reg: Our bid for ISO 27001 Certification of Bank’s Datacentre

We submit our Bid Document herewith. If our Bid for the above job is accepted, we undertake to enter into and execute at our cost, when called upon by the Bank to do so, a contract in the prescribed form. Unless and until a formal contract is prepared and executed, this bid together with your written acceptance thereof shall constitute a binding contract between us. We understand that if our Bid is accepted, we are to be jointly and severally responsible for the due performance of the contract. We understand that you are not bound to accept the lowest or any bid received by you, and you may reject all or any bid; you may accept or entrust the entire work to one vendor or divide the work among more than one vendor without assigning any reason or giving any explanation whatsoever.


We understand that the names of short-listed bidders after the completion of the first stage (Technical Bid) and the name of the successful bidder to whom the contract is finally awarded after the completion of the second stage (Commercial Bid) shall be communicated to the bidders either over phone/e-mail/letter.

Dated at ______ / ______ day of _______ 2013.

Yours faithfully,

For ________________________

Signature __________________
Name ______________________
Address ____________________
_____________________
(Authorised Signatory)


Annexure-B

COMPLIANCE STATEMENT DECLARATION

Terms and Conditions

We hereby undertake and agree to abide by all the terms and conditions stipulated by the Bank in this RFP including all addenda, corrigenda etc. (Any deviation may result in disqualification of bids.)

Signature:
Seal of company

Technical Specification

We certify that the systems/services offered by us for this tender conform to the specifications stipulated by you with the following deviations:

List of deviations
1) ___________________________________________________________
2) ___________________________________________________________
3) ___________________________________________________________
4) ___________________________________________________________

(If left blank it will be construed that there is no deviation from the specifications given above.)

Signature:
Seal of company


Annexure ‘C’

Format for Commercial Bid:

S. No. / Particulars / Amount/Rate (In Rs.)
1. ISO 27001 Preparedness checking, addressing & finalization of gaps and ISO 27001 Certification:
Total:

(A) The bidder has to submit the commercial bid only in the above format. All taxes and duties are inclusive.
(B) In case of any variation (upward or downward) in Government levies/taxes/duties etc. up to the date of invoice, the benefit or burden of the same shall be passed on or adjusted to the Bank.
(C) For computation of the financial score, the Total Amount/Rate will be taken into consideration.

Note: Providing a commercial proposal in a format other than this may result in rejection of the bid.


Annexure - D

Pre-Qualification Criteria: The bidders are also to meet the following pre-qualification criteria:

i. The average turnover of the bidding company (not parent company) for the last three financial years must exceed Rs. 6 Crore (documentary proof to be provided).
ii. Empanelment with CERT-In as Software/ERP Audit Organization.
iii. The bidder company should have at least 100 qualified (CA/ICWA/MBA/DISA/CISA/CISM/BE/MCA) ISO 27001 certification professionals.
iv. The bidder should have at least three years' experience in facilitating ISO 27001 certification and should have done this exercise in at least 3 organizations of repute.

Note: Bidders are to submit documentary proof establishing that they meet the above-mentioned qualification criteria.
