
INFORMATION SYSTEM AUDIT OF DATA CENTRE, CRITICAL APPLICATIONS, IT PROCESSES ETC. OF PUNJAB & SIND BANK

RFP REF. NO.: HO/HO IT/RFP/145 /2020 DATED: 26.02.2020 Page 1 of 57

LIMITED TENDER

Request for Proposal from the Empanelled Auditors of the Punjab and Sind Bank, for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank

Tender No: PSB/HOIT/RFP/145/2020 Dated: 26.02.2020

PUNJAB & SIND BANK
Head office Information Technology Department
2nd Floor, Plot No. 151, Sector 44, Institutional Area, Gurugram-122003


Contents

Sr. No. Particulars

1. INTRODUCTION
2. SCOPE OF WORK
3. OTHER IMPORTANT TERMS & CONDITIONS
4. TERMS & CONDITION
5. RESOLUTION OF DISPUTE
6. CORRUPT or FRAUDULENT PRACTICES
7. INDEMNITY
8. BIDDER`s OBLIGATION
9. INTELLECTUAL PROPERTY RIGHT
10. SIGNING OF CONTRACT
11. PUBLICITY
12. ANNEXURE A
13. ANNEXURE B
14. ANNEXURE C
15. ANNEXURE D


KEY INFORMATION

Tender Number: PSB/HOIT /RFP/145/2020 Dated: 26.02.2020
Tender Title: Request for Proposal from the Empanelled Auditors of the Punjab and Sind Bank, for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank
Eligibility: The Empaneled IS Auditors of Punjab and Sind Bank for three years as per the Expression of Interest PSB/HOIT/EoI/133/2018-19 Dated: 22.03.2019.
Performance Bank Guarantee: Rs.1,00,000.00 (Rs. One lakh only) in the form of Bank guarantee valid for 12 months
Date of Publishing the tender: 26.02.2020
Last Date for submission of Pre-Bid Query: 02.03.2020 by 3:00 pm (queries must be mailed to [email protected] only in MS-Excel format quoting tender reference number in the subject)
Last Date and time for submission of Bids: 11.03.2020 by 03:00 pm
Date and Time of Opening of Technical Bids: 11.03.2020 at 03:30 pm
Date and Time of opening of Indicative Commercial Bids: 11.03.2020 at 5.00 pm
Place of submission and Opening of Bids: Punjab & Sind Bank, Head Office, 2nd Floor, Information Technology Department, Plot No. 151, Institutional Area, Sector 44, Gurugram- 122003
Contact Persons for any clarifications/ Submission of Bids: Gaurav Kumar Yadav (AGM IT)/ Arun Ahlawat (Officer- Inspection)
Contact Numbers: Gaurav Kumar Yadav (AGM IT) - 9555813220; Arun Ahlawat (Officer) - 8396049100

* If any of the dates given above happens to be a Holiday in Gurugram, the related activity shall be undertaken on the next working day at the same time.

Information for Online Participation

This Tender will follow e-Tendering process which will be conducted by Bank’s authorized e-Tendering Service Provider M/s C1 India Pvt. Ltd. through website: https://psb.eproc.in


Following activities will be conducted online through the above website:

1. Procurement of RFP document including all Annexures

2. Addendums to the RFP

3. Submission of Technical Bid & Indicative Commercial Bid by the Bidder

4. Opening of Technical Bid & Indicative Commercial Bid by the Bank

5. Reverse Auction

6. Announcement of results, if any

Instructions:

1. Bidders who wish to participate will have to register with the website (https://psb.eproc.in). Bidders will be required to create login id & password on their own in registration process.

2. Bidders who wish to participate in this tender need to procure Class III Digital Signature Certificate (With Both DSC Components, i.e. Signing & Encryption) from any of the licensed Certifying Agency. Bidders can view the list of licensed CAs from www.cca.gov.in.

3. In case of any clarification/ queries regarding online registration/ participation, Bidders may reach out to: Email: [email protected] Ph: 0124-4302033/36/37


1. INTRODUCTION

1.1 About the Bank

PUNJAB & SIND BANK, a leading Public Sector Bank having its Head Office at New Delhi is implementing many key technology solutions like Core Banking (CBS), Internet Banking (e-banking), Tele Banking, Mobile Banking, onsite / offsite ATMs, Integrated Treasury Systems, RTGS, SFMS, NEFT etc. The Bank has chosen FINACLE Software of M/s. INFOSYS Ltd., as the Core Banking Solution and implemented CBS in 100% branches and offices.

1.2 Present Status of the Bank

The Bank is using the financial software Finacle (7.0.25) for carrying out the Banking operations. The bank has a widespread network of 1500 plus branches, 25 Zonal Offices, more than 30 Departments in Head Office, 9 Regional Clearing Centers, 2 Training Centers and 9 Currency Chests all networked under Centralized Banking Solution. It also has a network of more than 1250 ATMs spread across the country including onsite and offsite ATMs. The Bank’s CBS Project Office and HO Information Technology Department are located in New Delhi & Gurugram, respectively. The Bank’s Data Center (DC) is located in Vashi Mumbai and Disaster Recovery Center at Greater Noida and both are managed by Bank’s CBS System Integrator M/s Wipro. The DC is connected to the branches, Zonal Office and Head Office through Bank-wide Wide Area Network. The entire network uses Leased Lines, RF, VSAT and Backup connectivity through ISDN lines & RF etc. The ATMs, Mail Messaging System and other applications also use the WAN. The Disaster Recovery Center of Bank has similar setup as that of Data Centre of financial software setup.

1.3 Purpose of RFP:

This RFP seeks to engage a Service Provider who has the capability and experience for Conducting Information Systems (IS) Audit including Application audit of Core Banking Solution, other applications and to make appropriate recommendations, as covered under the Scope of Work. Carrying out risk analysis of all IT assets of the Bank and preparation of Risk Matrix based on Guidelines issued by RBI and Govt. of India.

The aim of the RFP is to solicit proposals from empanelled IS Auditors for undertaking above detailed assignments.


2. SCOPE OF WORK:

2.1 Scope of Work Related to IS (Information Systems) Audit:

a. The Scope of work mainly relates to conducting of Information System and Security Audit including Cyber Security Audit of different Information systems/applications/ Databases / Operating Systems / Security devices, appliances and Solutions / Network Equipments/ Information Technology (IT) Process like sharing information through web services, host to host etc. in use by the Bank, as listed in Annexure-C, including those systems used by other agencies for providing services in respect of activities which are outsourced. The scope also includes the VAPT of all systems as listed in Annexure-C and Annexure-D.

2.2 The IS Audit shall be performed:

a. Bidder is expected to carry out IS Audit activities including but not limited to the points mentioned in the scope of this RFP. Further the Bidder has to evaluate and comment on compliance by Bank as per RBI Circular on Cyber Security Framework, Information/Cyber Security Policy/ Procedures/Processes of the Bank, ISO 27001:2013 standards, other RBI guidelines and Industry best practices etc.

b. The guidelines issued by RBI, Govt. of India, NPCI, UIDAI, Cert-In etc.

c. Punjab & Sind Bank IS Audit Policy, Punjab & Sind Bank’s IT security Policies & Procedures and Punjab & Sind Bank Cyber Security Policy.

d. IT Act, 2000 as amended from time to time.

2.3 IS Audit of each of the systems shall broadly cover the following aspects:

− Physical and Environmental controls

− Logical access Controls

− Operating System/database review including Vulnerability Assessment

− Application Review

− Business process Review

− Vulnerability Assessment

− Penetration Testing

− Network and Security Review including VA and Penetration test

− Backup procedure Review

− Business Continuity/Disaster Recovery plans/practices

− Review of Outsourced Activities

− Virus protection and Patch management.

− Capacity utilization of servers and applications

− Review of Basic minimum Configuration applicable for each system as per best practice i.e. Baseline Secure Configuration review.

− Application Security Life Cycle (ASLC) review.

− Database Configuration Audit.

− Secure Code Practice Review.

− IT General Controls Review.

− General Process Controls Review.

2.4 Vulnerability Assessment (VA)

The scope also includes conducting Vulnerability Assessment and Penetration Tests (VAPT) covering operating systems, database, networking and Security Infrastructure and various on-line applications facing customers as listed in Annexure-C and all other assets listed in Annexure-D.

The purpose of the vulnerability assessment is to discover all systems on the perimeter network or internet facing and to assess these systems for security vulnerabilities. Vulnerability assessment shall attempt to determine vulnerabilities that may enable unauthorized logical access to protected systems via the external network interfaces of the Bank's network. The vendor will conduct vulnerability assessment against network and security infrastructure components to identify services in use and potential vulnerabilities present.

IS auditors are expected to conduct the audit against the standard configuration document that Bank has created, as also the latest global standards and industry best practices.

2.5 Penetration Tests (PT)

The objective of the Penetration Testing is to determine the effectiveness of the security of the organization's infrastructure and its ability to withstand an intrusion attempt. The security assessment should use the industry standard penetration test methodologies and scanning techniques, and will focus on applications. The application tests should cover, but not be limited to, OWASP Top 10 attacks. IS Auditor shall perform application security testing, to identify security vulnerabilities in the Bank's applications that may be exploited by a user to obtain unauthorized access.

The IS Auditors shall use automated and manual testing techniques to exploit the weaknesses identified in the application logic, in areas like authentication, authorization, information leakage, field variable control, session timeout & logout, cache control, server side logic, client side logic, error handling, application administration and encryption.

The Scope for penetration testing should include, but not be limited to, the list of internet facing websites/ applications. It is explicit that the penetration tester should conduct vulnerability assessment in consultation with the concerned personnel and with proper permission of the Bank.

The bidder is to carry out an application review covering the functionality, security, and controls within the applications. A list of a minimum set of activities to be performed is detailed in the scope of work. The auditor has to conduct VA, PT & white box testing (with credentials) for security assurance of the applications.

2.6 IT General Controls Review

The IS Auditors shall assess whether the data processing that takes place in systems and IT occurs in a controlled environment, supporting data integrity and security and the need of complying with local laws and their requirements relating to information security. The scope of work for IT General Controls Review:

i) Change Management Review

ii) Logical Access

iii) Backup Management

iv) Incident Response Management

v) Observing DR Drill Activities

vi) Integration of system servers, devices with PIM

vii) Others (Audit logging and review mechanism, Patch Management, Antivirus Management etc.)

2.7 General Process Audit Review

The IS Auditors shall assess whether the data processing that takes place in systems and IT occurs in a controlled environment, supporting data integrity and security. The scope of work for General Process Audit review is:

i) Assess the controls implemented in the system.

ii) Logical Access Controls - Review all types of Application Level Access Controls including proper controls for access logs and audit trails for ensuring Sufficiency & Security of Creation, Maintenance and Backup of the same. Only authorized users should be able to edit, input or update data in the applications or carry out activities as per their role and/or functional requirements

iii) Assess sufficiency & accuracy of event logging, adequacy of Audit trails, SQL command prompt usage, database level logging etc.

iv) Review and analysis of database procedures to check various calculations in the system

v) Assess interface controls - Application interfaces with other applications and security in their data communication.

vi) Assess authorization controls such as Maker Checker, Exceptions, Overriding exception & Error condition.

vii) Assess Data integrity & File Continuity Controls

viii) Assess controls for user maintenance, password policies being followed are as per Bank's IT & IS security policy.


ix) Assess controls for segregation of duties and accesses of production staff and development staff with access control over development, test and production regions.

x) Review of all types of Parameter maintenance and controls implemented.

xi) Assess controls for change management procedures including testing & documentation of change.

xii) Identify gaps in the application security parameter setup in line with the Bank's security policies and leading best practices

xiii) Audit of management controls including systems configuration/ parameterization & systems development.

xiv) Audit of controls over operations including communication network, data preparation and entry, production, file library, documentation and program library, Help Desk and technical support, capacity planning and performance, Monitoring of outsourced operations.

xv) Review of customizations done to the Software & the SDLC Policy followed for such customization.

xvi) Verify adherence to Legal & Statutory Requirements.

xvii) Review segregations of Roles/Responsibilities with respect to Application software to improve internal controls

xviii) Review of documentation for formal naming standards, design process of job roles, activity, groups, profiles, assignment, approval & periodic review of user profiles, assignment & use of Super user access.

xix) Check the sufficiency and coverage of UAT test cases, review of defects & tracking mechanism deployed by vendor & resolution including re-testing & acceptance.

xx) Backup/Fallback/Restoration /Recovery & Restart procedures

2.8 Policy, Process and Procedure review

a. Information Security Policy

b. Cyber Security Policy

c. Data Privacy Policy

d. Integrated Risk Management Policy

e. Fraud Risk Management Policy

f. Operational Risk Management Policy

g. Cyber Crisis Management Plan

h. IT Policy

i. Business Continuity Plan & Disaster Recovery Policy

j. Information/Cyber Security Processes, Procedures & Guidelines.

k. IT Processes, Procedures & Guidelines


2.8.1 Review of Information Security/Cyber Security vis-à-vis RBI Circular on Cyber Security Framework

• Review of preparedness of the Bank vis-à-vis RBI Circular on Cyber Security Framework in Banks.

• Vetting of Self-assessment of gaps vis-à-vis Baseline Security & Resilience Requirements.

2.8.2 Review of IT infrastructure from the point of view of Information/Cyber Security

• Review of the Current Security Architecture and Security Technology of the organization.

• Review Vulnerability Assessment [VA] and Penetration Testing [PT] for Servers and Network/Security devices, Application Security Testing [Web and Mobile App Sec] being done for the bank.

• Incident Management review in which IS auditor should review whether Incidents are managed, monitored and reported as per the RBI guidelines or other regulators like Cert-in, NCIIPC etc.

• Review Secure Configuration Documents adopting best practices for Servers OS, Web application, Database, Security Devices, Network Devices, Desktops, Laptops, Mobile devices etc.

• Review of Network Security including various wireless technologies, Security Design, Access Control, etc.

• Review of the existing network topology/ Network Security Architecture and deployment of the security controls within the organization like Firewalls, IDS/IPS, network segmentation, WAF, Mail Gateway, Patch Management, Active Directory (AD), AV, SIEM, PIM, DAM, Anti APT etc.

• Review of access rules (ACLs) of network & security devices.

2.9 Network Management

• Review of overall network management as per RBI guidelines or other regulators and industry best practices.

• Review of network design – scalability and redundancy

• Review Network cabling and IP Sec implementation

• Evaluate processes adopted for:

  • Transmission of data

  • Bandwidth management

  • Uptime against the SLAs

  • Fault Management

  • Capacity planning

  • Audit log review and maintenance

  • Performance management

  • Audit log review and maintenance

• Review of Network performance management

• Analyze the logs maintained for Network Incident

• Review of security architecture implementation

• Review of password management.

• Review of Network Information security administration.

• Review of Cryptography.

• Review of Policies and rule sets including ACLs (Access Control Lists).

• Review of Violation logging management.

• Review of Information storage & retrieval.

• Audit of PKI management.

• Audit of PIN management.

• Review access control documentation and configuration

• Network and Security Equipment

  • Ensure Router, Firewall, Proxy, Intrusion Prevention System, ATM Switch, Network Switch, Modems etc. procured and installed are in line with business strategy/IT Policy/Information/Cyber Security policy of BANK/ Industry best practice/Regulatory guidelines

  • Evaluate the installation, deployment/ placement, configuration, security, policies defined in respective equipment for meeting the security requirement of the LAN & WAN as per IT Policy/Information/Cyber Security policy of BANK and industry best practices.

2.10 Database Management System and Data Security

• Review of Database Access & Data Security as per RBI guidelines or other regulators and industry best practices.

• Review of procedures to ensure that all data are classified in terms of sensitivity and necessary safeguards for its confidentiality, integrity and authenticity are taken as per Information/Cyber Security Policy

• Ensure logical access controls which ensure the access to data is restricted to authorized users

• Review to ensure that confidentiality and privacy requirements are met

• Review of authorization, authentication and access control

• Ensure that segregation of duties is in place for accessing data

• Review of protection of sensitive Information during transmission and transport.

• Ensure separation and rotation of duties should be in place

• Review of controls procedures for sensitive DB passwords.


• Review to ensure that patches and new versions are updated as and when released by Bidder/ Research and Development team. If not done then comment upon vulnerabilities and availability of services of existing version being used.

• Review of physical access and protection.

• Ensure confidentiality requirements are met.

• Review of Database Backup Management.

• Ensure patches and new versions are updated as and when released by vendor/ Research and Development team.

2.11 Wide Area Network

• Review of Integration between BANK and NPCI/IDRBT/RBI/UIDAI/e-sign Vendor/Card Vendor/Bill Desk/ Mastercard/ VISA/ SWIFT/Market Feeds etc.

• Bidder should check configuration of Network and security devices at DC/DR/NLDC and other locations.

2.12 Security Operations Centre

• Review of SOC infrastructure and implementation

• Review of SOC processes, SLA Management process for SOC

• Review the configuration parameters and adequacy of staff working at SOC

• Review of reporting responsibility and periodicity of report

• Review of work authorization system between outsource service provider and bank's team

• Review of access control, customer data privacy & confidentiality maintained at SOC

• Review of SOC implementation as per RBI guidelines or other regulators and industry best practices.

2.13 Network Operations Centre

• Review of NOC infrastructure and implementation

• Review of NOC processes, SLA Management process for NOC and check for the adherence of these SLAs

• Review the configuration parameters and adequacy of staff working at NOC

• Review of reporting responsibility and periodicity of report generated

• Review of NOC implementation as per RBI guidelines or other regulators and industry best practices.

2.14 Access Control and Change Management

• Review of access control process for Bank`s employee/SI/Vendor/Contractor to any BANK assets including DC/DR/NLDC and other locations as per Information Security Policy of BANK, RBI/other regulatory guidelines & industry best practice.

• Review of Change management process for IT assets including applications, H/w, Network & security solutions etc.

2.17. Execution of work:

2.17.1 The successful bidder shall submit a detailed plan clearly indicating the tentative dates and estimated time for IS Audit of all the systems.

2.17.2 During the course of audit, if the bidder/ service provider observes any major deficiencies, they shall immediately bring such observations, deficiencies, areas of improvement and suggestions for improvement to the notice of the concerned persons. The service provider shall also discuss with, guide/help the Bank staff in implementation of the critical and important suggestions.

2.17.3 At the end of IS Audit, the service provider shall submit a detailed report containing all the observations, deficiencies, areas of improvement and suggestions for improvement, for each system separately. An executive summary should also form a part of the Final Report.

2.17.4 Since it will take some time setting right the deficiencies, on the Bank intimating them to do so, the service provider shall conduct a compliance audit, to confirm setting right of the deficiencies and implementation of the suggestions. The service provider shall submit a detailed report after compliance audit.

2.17.5 The assignment will be for conducting IS Audit for one time only. Bank, at its option, will review and entrust the assignment either in full or in part subsequently.

3. OTHER IMPORTANT TERMS & CONDITIONS:

Sr. No. 1
Phase: Phase-I
Objectives: Conduct of IS Audit as per scope, evaluation, discussion on the findings and submission of final reports
Timeline: 6 weeks
Deliverables: ISA Report:
1. Executive summary
2. ISA Report Core findings along with Risk Analysis
3. ISA Report Detailed findings / Checklists
4. ISA Report: Analysis of reports / Corrective Measures & Suggestions along with Risk Analysis.
Payment Schedules: 70% after completion of PHASE-I.

Sr. No. 2
Phase: Phase-II
Objectives: Compliance Audit, Review & Certification
Timeline: 2 weeks
Deliverables: Compliance Report:
1. Compliance Audit report.
2. To provide the BANK an ISA compliance certificate including certificate as per RBI guidelines for Internet Banking.
Payment Schedules: 30% after completion of PHASE-II.

Note: The detail of Phase, deliverables, payment schedule is described in Annexure-A.

4. TERMS AND CONDITIONS:

a. The empanelment will be cancelled if the empanelled IS Auditor refuses to accept purchase order or having accepted the purchase order, fails to carry out his obligations mentioned therein.

4.1. Clarifications on the RFP

a. Queries/clarifications shall not be entertained over phone.

b. All the queries and clarifications must be sought in writing to the email id: [email protected].

c. Bidders are also requested to collate queries and submit them together seeking clarifications/responses from the Bank. It shall be ensured that all the queries and clarifications are communicated in writing on or before pre-bid query date. Queries received thereafter will not be entertained.

d. Bank will email the clarifications/amendment (if any) to the empanelled IS Auditors.


4.2. Two Part Bid:

The bidder shall submit his response to the present tender separately in two parts – “The Technical Bid” and ‘Indicative Commercial bid’. Technical Bid will contain Eligibility and product specifications whereas Commercial bid will contain the pricing information.

a. All the envelopes must be super-scribed with the following information –

Type of Bid – Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Technical Bid)

Type of Bid - Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Indicative Commercial Bid)

Due Date :, Name of Bidder :, Name of the Authorized Person :, Contact Number :

b. All schedules, Formats and Annexure shall be stamped and signed by an authorized official of the bidder`s company.

c. Submission of bids

The Bank expects the bidders to carefully examine all instructions, terms and conditions mentioned in this RFP document before submitting its unconditional compliance as part of the RFP. Failure to furnish all information required or submission of an RFP not substantially responsive to the RFP in every respect will be at the bidder’s risk and may result in the rejection of its response.

d. Bids duly sealed shall be submitted, in person, on or before the last Date and Time for bid submission at the address mentioned below. Bids are also required to be submitted electronically as mentioned in KEY-INFORMATION of this document.

Punjab & Sind Bank,
Second Floor
Information Technology Department
Plot No 151, Institutional Area,
Sector 44, Gurugram, Pin 122003

Any other mode of submission, e.g. by courier, fax, e-mail etc. will not be accepted.

Bids will be opened in the presence of the bidder representatives who choose to attend the opening of tender on the specified date, time and place of bid opening. All bidders are advised to be present at the time of bid opening. No separate intimation will be given in this regard.

4.3. No Erasures or Alterations:

a. The original bid (Technical Bid and Commercial Bid) shall be prepared in indelible ink.

b. Technical details must be completely filled up. All the hand-written details in the bid

must be initialed by the persons or person who sign(s) the bids.

c. All the pages of the bid must be initialed by an authorized representative with a round

stamp of the bidding firm.

4.4. Validity:

a. The bid shall remain valid for a period of 180 days from the last date of submission of

the bid.

b. At the option of the Bank, the bidder shall extend the validity of bid for such required

period (s), as the Bank may require during the evaluation process.

4.5. Technical Bid:

a. The Technical Bid shall be complete in all respects and contain all the information asked

for in this RFP document in an organized and structured manner. All the details sought

must be submitted in the prescribed pro-forma only (as per the attached formats).

Additional/ supporting documents, write-ups, etc., if any, should be furnished separately.

b. The Technical Bid shall be submitted in separate sealed envelope, super scribed as

“Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Technical

Bid)”.

c. The Technical Bid shall not contain any price information.

d. The Bank, at its discretion, may not evaluate a bid in case of non-submission or partial

submission of details sought.

e. The Technical Bid shall comprise of the following (as per the formats):

| Sr. No | ANNEXURE No. | SUBJECT | PAGE No. |
|---|---|---|---|
| 1 | ANNEXURE – I | PROFILE OF THE BIDDER | 36 |
| 2 | ANNEXURE – II | PROFILE OF THE PROPOSED CORE AUDIT TEAM | 37 |
| 3 | ANNEXURE – IV | BID FORM | 39 |
| 4 | ANNEXURE – VII | TECHNICAL DEVIATION | 46 |
| 5 | ANNEXURE – VIII | COMMERCIAL DEVIATION | 47 |
| 6 | ANNEXURE – IX | LETTER OF CONFIRMATION | 48 |
| 7 | ANNEXURE – X | COMPLIANCE FOR REVERSE AUCTION | 49 |
| 8 | ANNEXURE – XI | LETTER OF AUTHORITY FOR PARTICIPATING IN REVERSE AUCTION | 50 |

4.6. Indicative Commercial Bid:

The commercial bid evaluation will be carried out by opening sealed indicative commercial bids. (Indicative Commercial bids of only the technically qualified bidders will be opened.) After that, based on the indicative commercial bids, reverse auction will be conducted. Post reverse auction, the bidder with the lowest commercial proposal will be designated as L1 Bidder.

4.6.A Reverse Auction

The Bank shall conduct the reverse auction on TOTAL COST OF IS AUDIT and the

price so obtained after closure of Reverse Auction shall be taken into account for

Commercial Evaluation. Bidders have to submit final price to the Bank within 48 hours

of closure of Reverse Auction process.

In case any technically qualified bidder does not take part in reverse auction, then he

will not be considered for commercial evaluation. The procedure of reverse auction will

be notified to the shortlisted bidders separately. The Reverse Auction process will be

conducted online through Bank’s authorized e-Tendering Service Provider M/s C1

India Pvt. Ltd through website: https://psb.eproc.in.

In case of any clarification/ queries regarding Reverse Auction Process, Bidders may

reach out to: Email: [email protected] Ph: 0124-4302033/36/37.

4.6. B. Business Rules for Reverse Auctions:

Applicability

Reverse auctions are carried out under the framework of rules that are called Business

Rules.

1. All bidders participating in reverse auction shall understand/accept and give an

undertaking for compliance with the same to the Bank in the prescribed format

“Annexure X: Compliance for Reverse Auction”.

2. Any bidder not willing to submit such an undertaking shall be disqualified for further

participation in the e-procurement process in question.

4.6. C. Compliance/Confirmation from Bidder

The bidders participating in reverse auction shall submit the following documents duly

signed by the same Competent Authority who signs the offer document in response to

the RFP:

Acceptance of Business Rules for Reverse Auction and undertaking as per format in

Annexure X: Compliance for Reverse Auction.

4.6. D. Training to bidders:

1. The Bank may facilitate training for participation in reverse auction either on its own

or through the service provider for the reverse auction.

2. On request where necessary, the Bank/service provider may also conduct a ‘mock

reverse auction’ to familiarize the bidders with reverse auction process.

3. Any bidder not participating in training and/or ‘mock reverse auction’ shall do so at

his own risk and it shall not be open for him to make any request / complaint / grievance

later.

4. Each bidder shall participate in the training at his / their own cost.

5. The venue, date, time etc. for training in reverse auction shall be advised at the

appropriate time.

6. No request for postponement/fixing of training date/time shall be entertained which, in the sole view and discretion of the Bank, might result in any avoidable delay to either the Reverse Auction or the whole process of selection of bidder.

4.6. E. Date/time of reverse auction

1. The date and time of commencement of reverse auction as also duration of ‘Reverse

Auction Time’ shall be communicated at least 4 working Days prior to such auction

date.

2. Any force majeure or other condition leading to postponement of auction shall entitle

the Bank to postponement of auction even after communication, but the Bank shall be

obliged to communicate to all participating bidders the ‘postponement’ prior to

commencement of such ‘Reverse Auction’.

4.6.F. Conduct of Reverse Auction

1. The reverse auction shall be conducted on a specific web portal meant for this

purpose.

2. The reverse auction may be conducted by the Bank itself or through a service provider

specifically identified/appointed/empanelled by the Bank.

4.6.G. Transparency in Bids

All bidders will be able to view the current lowest price on the portal during the auction time. A bidder shall be able to view not only the lowest bid but also the last bid made by him at any point of time during the auction time.

4.6.H. Masking of Names

1. Names of bidders shall be masked in the Reverse Auction process and bidders will

be given suitable dummy names.

2. After completion of Reverse Auction, the service provider / auctioneer shall submit

a report to the Bank with all details of bid and the original names of the bidders as also

the L1 bidder with his original name.

4.6.I. Start Price

Reverse Auction process shall commence at and after electronically loading the “START-

UP PRICE” on the basis of lowest Audit Cost arrived at after evaluation of commercial

bids or lesser than the lowest Audit Cost arrived at as evaluated by the Bank.

4.6.J. Decremented Bid Value

1. The bidders shall be able to bid only at a specified decrement value or multiple thereof

and not at any other fractions. The Bid decrement value shall be decided by the

Competent Authority of the Bank.

2. For the sake of convenience of bidders, the web portal shall display the next possible

decremented value of bid. It is not, however, obligatory on the part of bidders to bid at

the next immediate lower level only. (That is, bids can be even at 2 or 3 lower levels

than the immediate lower level.)

4.6.K. Reverse Auction Process

1. The Bank shall, however, be entitled to cancel the Reverse Auction process, if in its

view procurement or Reverse Auction process cannot be conducted in a fair manner and

/ or in the interest of the Bank.

2. The successful bidder shall be obliged to provide a commercial bid (ANNEXURE-

III) as the last bid price at the close of auction.

4.6.L. Changes in Business Rules

1. Any change in Business Rules as may become emergent and based on the experience

gained may be made by the Bank.

2. Any/all changes made in Business Rules shall be uploaded on the Website of the

Bank https://www.psbindia.com/ immediately.

3. If any reverse auction process has commenced and a change is made in Business

Rules, it shall be informed immediately to each bidder participating in the Reverse

Auction and his concurrence to/ acceptance of the change shall be obtained in writing

by the Bank.

4.6.M. Don’ts applicable to the Bidders

1. No bidder or any of its representatives shall involve itself in any price manipulation directly or indirectly with other bidders. If any such practice comes to notice, the Bank shall disqualify the bidders concerned from the process.

2. Bidder shall not disclose details of bids or any other details concerning Reverse

Auction process of the Bank to any other third party without specific permission in

writing from the Bank.

3. Neither Bank nor service provider/ auctioneer can be held responsible for

consequential damages such as no power supply, system problem, inability to use the

system, Loss of electronic information, power interruptions, UPS failure, etc. at bidders’

place. (Bank shall, however, entertain any such issues of interruptions, problems with

open mind and fair degree of transparency in the process before deciding to stop or

extend the auction.)

4.6.N. Errors and omissions:

On any issue, not specifically dealt with in these Business Rules, the decision of the bank

shall be final and binding on all concerned.

4.6.O. The indicative Commercial Bid shall be submitted in separate sealed envelope,

super scribed as “Conducting IS Audit of Data Centre, Critical Applications, IT Processes

etc. (Indicative Commercial Bid)”.

1. The Commercial Bid should provide all relevant price information in Indian Rupees

only.

2. The responses shall be strictly as per the terms and conditions of this RFP. Bidders are

advised not to attach or specify any terms and conditions. The Bank reserves its right to

reject the bids received with any additional terms and conditions specified by the Bidder.

3. The Commercial Bid shall comprise of Annexure-III (Format for Commercial BID) &

Annexure-VIII (Commercial Deviation).

4. The prices mentioned in the commercial bid shall strictly be in conformity with the

price composition specified in Annexure-A clause 4.5 (Price Composition).

5. The Commercial Bid shall include all taxes, duties, fees, and other charges as may be

levied under the applicable law as on the date of submission of the bid. However, the

GST component of the prices shall be payable extra on actual basis.

6. The total cost must be quoted in WORDS AND FIGURES. In case of discrepancy

between the words and figures, lower of the two would be considered as the price quoted

and the same will be binding on the bidder.

7. Indicative Commercial Bid of only those bidders, who qualify in Technical Bid

evaluation, will be opened.

4.7 Evaluation Procedure:

The Evaluation will be a Two-stage process:

1. Technical Evaluation

2. Commercial Evaluation- (through Reverse Auction)

a. The evaluation of technical bids will be done by a team of officials, which may include:

i. Scrutiny of eligibility criteria to determine the eligibility of bidders;

ii. Scrutiny of the bids to verify whether the same is in accordance with the RFP terms.

b. In the process of scrutiny of the bids, Bank may seek additional inputs and

clarifications as may be needed. The request for such clarifications and the response will

necessarily be in writing.

c. Only bids found to meet the Bank's requirements based on the technical evaluation will be considered for further commercial evaluation.

d. The evaluation by the Bank will be undertaken by a Committee of internal Bank officials and may include a Consultant. The decision of the Bank's Committee shall be considered final.

4.8. Right to Alter Quantities

a. The Bank reserves the right to alter quantities, revise/modify all or any of the

specifications, delete some items specified in this bid, when finalizing its requirements or

declare the RFP void, without assigning any reason, before or after receiving the

responses. That is, the Bank reserves its right to add or remove the Information systems

in respect of which the IS Audit is to be conducted.

4.9. No Commitment to Accept Lowest or Any Tender

The Bank shall be under no obligation to accept the lowest or any other bid received in

response to this tender notice and shall be entitled to reject any or all tenders without

assigning any reason whatsoever.

4.10. Rotation of Audit Team

If the selected Bidder has already carried out IS Audit of our bank, the Bidder shall change the entire team and depute a fresh team.

4.11. Price freezing and Contract Period

a. The final prices stated above shall remain frozen for a minimum period of up to two years from the date of the purchase order.

b. The Contract would be valid for one time IS Audit exercise only.

4.12. Cancellation of the assignment:

The Bank reserves its right to cancel the assignment in the event of one or more of the

following conditions:

a. Delay in commencement of the IS Audit beyond four weeks after the assignment order

or beyond the date given by the bank in the purchase order.

b. Delay in completion of all the phases of the IS Audits beyond the time specified in the

assignment letter.

4.13. Liquidated Damages:

4.13.1 Notwithstanding the Bank's right to cancel the assignment, 0.5% of the order value

per week or part thereof would be payable to the Bank for delay in the execution of this

assignment order beyond specified schedule, subject to a maximum of 5% of the value of

the said phase.

4.13.2 The Bank reserves its right to recover these amounts by any mode, such as adjusting from any payments to be made by the Bank to the bidder.

4.13.3 The Bank however may review and consider waiving imposition of liquidated

damages for delays beyond the control of the Bidder.

4.14. RFP Ownership: The RFP and all supporting documentation are the sole property of Punjab & Sind Bank

and shall not be redistributed without prior written consent of Punjab & Sind Bank.

Violation of this would be a breach of trust and may, inter-alia, cause the bidders to be

irrevocably disqualified. The aforementioned material must be returned to Punjab & Sind

Bank while submitting the bid, or upon request. However, bidders can retain one copy

for reference.

4.15. Bid Ownership: The bid and all supporting documentation submitted by the

bidders shall become the property of the Bank. The bid and documentation may be

retained, returned or destroyed as the Bank decides.

4.16. Confidentiality:

This document contains information confidential and proprietary to the Bank.

Additionally, the bidders will be exposed by virtue of the contracted activities to the

internal business information of the Bank. Disclosures of receipt of this RFP or any part

of the aforementioned information to parties not directly involved in providing the

services requested could result in the disqualification of the bidders, premature

termination of the contract, or legal action against the bidders for breach of trust.

4.17. Non Transferable Tender:

This tender document is not transferable. Only the bidder, who has been empanelled by

the Bank will be eligible for participation in the evaluation process.

4.18. Language of BID:

The bid prepared by the Bidder, all correspondence and documents relating to the

bid exchanged by the Bidder & the Bank shall be written in English.

5. RESOLUTION OF DISPUTES:

5.1 The Bank and the bidder shall make every effort to resolve amicably by direct

informal negotiation any disagreement or dispute arising out of or in connection with the

Contract.

5.2 If, after thirty (30) days from the commencement of such informal negotiations, the

Bank and the bidder have been unable to resolve amicably a Contract dispute, either party

may require that the dispute be referred for resolution to the formal mechanisms.

Such disputes or differences shall be settled in accordance with the Arbitration and

Conciliation Act, 1996. Where the value of contract is above Rs.1 crore, the arbitral

tribunal shall consist of 3 arbitrators, one each to be appointed by the Bank and the Bidder.

The third arbitrator shall be chosen by mutual discussion between the Bank and the

Bidder.

5.3 The arbitration proceedings shall be held at New Delhi, India, and the language of the

arbitration proceedings shall be English. The arbitrators shall hold their sittings at New

Delhi. The arbitration proceedings shall be conducted in English language. Subject to the

above, the courts of law at New Delhi alone shall have the jurisdiction in respect of all

matters connected with the Contract/Agreement.

5.4 The decision of majority of arbitrators shall be final and binding upon both parties.

The cost and expenses of Arbitration Proceedings will be paid as determined by arbitral

tribunal. However, expenses incurred by each party in connection with the preparation,

presentation, etc., of its proceedings as also the fees and expenses paid to the arbitrator

appointed by such party or on its behalf shall be borne by each party; and

5.5 Where the value of the contract is Rs.1 crore and below, the disputes or differences arising shall be referred to the sole arbitrator. The sole Arbitrator shall be appointed by agreement between the parties. If the parties do not agree upon the selection of the Arbitrator, then the Bank will appoint any ex-staff not below the rank of DGM as Arbitrator.

5.6 All disputes are subject to the exclusive jurisdiction of the Court at New Delhi.

5.7 To ensure transparency, equity, and competitiveness and in compliance with the

CVC guidelines, this tender shall be covered under the Integrity Pact (IP) policy of the

Bank.

Sh. Ratan Kishore Bajaj has been appointed as IEM (Independent External Monitor)

for the Bank.

IEM can be contacted at:-

Sh. Ratan Kishore Bajaj,

Email: [email protected]

Mob: 9818156262

6. CORRUPT OR FRAUDULENT PRACTICES:

6.1 As per CVC directives, it is required that Bidders/Suppliers/Contractors observe

the highest standard of ethics during the procurement and execution of such contracts.

In pursuance of this policy;

i) “Corrupt practice” means the offering, giving, receiving or soliciting of anything

of value to influence the action of a public official in the procurement process or

in contract execution; And

ii) “Fraudulent practice” means a misrepresentation of facts in order to influence a

procurement process or the execution of contract to the detriment of the Bank and

includes collusive practice among Bidders (prior to or after bid submission) designed

to establish bid prices at artificial non-competitive levels and to deprive the Bank of the

benefits of free and open competition;

6.2 The Bank will reject a bid for award if it determines that the Bidder

recommended for award has engaged in corrupt or fraudulent practices in competing

for the contract in question;

6.3 The Bank will declare a firm ineligible, either indefinitely or for a stated period

of time, to be awarded a contract if at any time it determines that the firm has

engaged in corrupt or fraudulent practices in competing for, or in executing a contract.

7. INDEMNITY:

7.1 The bidder (Contractor) will indemnify the Bank against all actions,

proceedings, claims, suits, damages and any other expenses for causes attributable

to the bidder.

7.2 The total liability of the selected bidder under the contract will not exceed the total

cost of the project.

8. BIDDER’S OBLIGATIONS:

8.1 The bidder is obliged to work closely with the Bank's staff, act within its own authority and abide by directives issued by the Bank during the IS AUDIT activities.

8.2 The bidder is responsible for managing the activities of its personnel and will hold

itself responsible for any misdemeanors.

8.3 The bidder is under obligation to provide IS AUDIT services as per the contract

to various Offices of the Bank.

8.4 The bidder will treat as confidential all data and information about the Bank, obtained

in the execution of his responsibilities, in strict confidence and will not reveal such

information to any other party without the prior written approval of the Bank.

9. INTELLECTUAL PROPERTY RIGHTS:

9.1. The Bidders shall indemnify the Bank against all third party claims of

infringement of copyright, patent, trademark, industrial design or any other intellectual

property rights arising from use of the Software package or any part thereof in India

and abroad.

9.2. In the event of any claim asserted by the third party of infringement of copyright,

patent, trademark or industrial design rights arising from the use of the solution or any

part thereof in India and abroad, the Bidder shall act expeditiously to extinguish

such claims. If the Bidder fails to comply and the Bank is required to pay compensation

to a third party resulting from such infringement, the Bidder shall be responsible for the

compensation including all expenses, court costs and lawyer fees. The Bank will give

notice to the Bidder of such claims, if it is made, without delay.

9.3 Performance Bank Guarantee

The successful bidder has to submit the Performance Bank Guarantee for Rs.1,00,000.00/- (Rupees One Lakh only) for the due performance of the contract, valid for 15 months.

In case Auditor fails to perform the contract or fails to pay the due penalty, if any, as

demanded by bank, Bank shall invoke the Bank Performance Guarantee to recover

penalty/damages.

10. SIGNING OF CONTRACT:

10.1 At the time when the Bank notifies the Bidder that its bid has been accepted,

the Bank will send the Bidder the Contract Form (Annexure-VI) provided in the

RFP, incorporating all agreements between the parties.

10.2 Within 10 (Ten) days of receiving the Contract Form, the successful bidder shall sign the contract and return it to the Bank along with the required Performance Bank Guarantee.

10.3 The Bank reserves the right to select the next ranked bidder if the selected bidder withdraws his bid after selection or at the time of finalization of the contract, or is disqualified on detection of wrong or misleading information in the bid.

10.4 In case the bidder fails to comply with the terms & conditions mentioned in the RFP and/or in case the bidder withdraws his bid after selection, the empanelment as IS Auditor will be cancelled and such bidder’s name will be included in the list of ineligible persons / firms not to be considered for any future assignment.

10.5 Contract Amendment: No variation in or modification of the terms of the

Contract shall be made except by written amendment signed by the parties.

10.6 The bidder shall not assign, in whole or in part, its obligations to perform under the Contract, except with the Bank's prior written consent.

11. PUBLICITY:

Any publicity by the bidder in which the name of the Bank is to be used shall be done

only with the explicit written permission of the Bank.

Disclaimer

Subject to any law to the contrary, and to the maximum extent permitted by law, Punjab

& Sind Bank and its officers, employees, contractors, agents, and advisers disclaim all

liability from any loss or damage (whether foreseeable or not) suffered by any person

acting on or refraining from acting because of any information including forecasts,

statements, estimates, or projections contained in this RFP document or conduct ancillary

to it whether or not the loss or damage arises in connection with any negligence, omission,

default, lack of care or misrepresentation on the part of Punjab & Sind Bank or any of its

officers, employees, contractors, agents, or advisers.

Annexure A

OTHER IMPORTANT TERMS & CONDITIONS

The bidder has to undertake IS audit in a phased manner as described below:-

PHASE I – CONDUCT OF IS AUDIT AS PER SCOPE, EVALUATION, DISCUSSION

ON THE FINDINGS AND SUBMISSION OF FINAL REPORTS

PHASE II – COMPLIANCE AUDIT, REVIEW & CERTIFICATION

The activities covered under each Phase are appended below:

1. PHASE I

1.1 Conduct of Information Systems Audit as per the SCOPE OF WORK as defined in

Clause 2.

1.2 The Bank will call upon the bidder, on placement of the order, to carry out demonstration and/or walkthrough, and/or presentation and demonstration of all or specific aspects of the IS AUDIT at the Bank's desired location or, for a walkthrough, at a mutually agreed location. All the expenses for the above will be borne by the concerned bidder.

1.3 Audit schedule to be provided 7 working days prior to the start of audit along with the names of the auditors who will be conducting the audit. Resumes of the auditors as assigned above for the project are to be provided to the Bank beforehand, and they should be deputed to the assignment only after the Bank's consent.

1.4 Commencement of IS Audit of IT Setups / branches as per the scope of Work.

1.5 Execute Vulnerability Assessment/Penetration testing of the entire network including Internet Banking, Mobile Banking, Tele Banking and Corporate Website as per the scope of work and Annexure- C & D, with the written permission of the Bank and in the presence of the Bank's officials, followed by analysis of the findings and guidance for resolution of the same.

1.6 Detailing the Security Gaps

1.7 Document the security gaps i.e. vulnerability, security flaws, loopholes, etc. observed

during the course of the review of the CBS & other IT infrastructure of the Bank as per the

scope of Audit.

1.8 Document recommendations for addressing these security gaps and categorize

the identified security gaps based on their criticality, resource/effort requirement to

address them.

1.9 Chart a roadmap for the Bank to ensure compliance and address these Security gaps.

1.10 Addressing the Security Gaps

1.11 Help in fixing/addressing the security flaws, gaps, loopholes, shortfalls and vulnerabilities in deployment of applications / systems which can be fixed immediately. If recommendations for Risk Mitigation / Removal cannot be implemented as suggested, alternate solutions are to be provided.

1.12 Recommend fixes for systems vulnerabilities in design or otherwise for application

systems and network infrastructure.

1.13 Suggest changes/modifications in the Security Policies and Security Architecture

including Network and Applications of PUNJAB & SIND BANK to address the same.

1.14 Final Reports of ISA Findings: Bidder has to discuss the preliminary report findings / observations / recommendations / suggestions with the Bank and, subject to the acceptance of the preliminary report by the Bank, the bidder has to submit the Final report.

1.15 The final reports of the ISA findings will be submitted in parts as detailed under Deliverables Section:

- ISA Report: Executive summary

- ISA Report: Core findings along with Risk Analysis

- ISA Report: Detailed findings / Checklists

- ISA Report: Analysis of reports / Corrective Measures & Suggestions along with Risk Analysis

1.16 Acceptance of the Final Report.

2. PHASE II.

2.1 Compliance Review

An exercise to review the compliance with the findings and recommendations of ISA has to be undertaken by the bidder. This exercise would be undertaken preferably within 30 days from the date of completion of Phase I. However, the final date for the start of Compliance Audit will be intimated by the Bank suitably. This exercise would encompass evaluation of the general/overall level of compliance undertaken by the Bank against the shortcomings reported in the ISA Reports.

2.2 Certification for compliance with the findings of the ISA & Final Sign Off: On completion of the compliance review and before final sign off, the bidder has to provide the Bank an ISA compliance certificate including certificate as per RBI guidelines for Internet Banking.

2.3 Documentation Format: All documents will be handed over in three copies, signed, legible, neatly and robustly bound on A-4 size, good-quality paper. Soft copies of all the documents, properly encrypted in MS Word / MS Excel / PDF format, also to be submitted in CDs/DVDs along with the hard copies. All documents will be in plain English.

3. DELIVERY SCHEDULE:

3.1 The delivery of the Reports of Phase I should be effected within 8 weeks of

placement of purchase order.

4. TERMS OF PAYMENT:

4.1 The Bidder's request(s) for payment shall be made to the Bank in writing, accompanied by an invoice describing, as appropriate, the services performed, and by documents submitted, and upon fulfillment of other obligations stipulated in the Contract.

4.2 Payments shall be made promptly by the Bank on submission of an invoice/claim

supported by all required documents by the Bidder.

4.3 Payment will be made to the Bidder in Indian Rupees only.

4.4 Payment Schedule: -

Payment will be made on completion of following milestones:

70% after completion of PHASE-I

30% after completion of PHASE-II

** TDS would be deducted at source for any payment made by the BANK as per the

prevailing Rules of Government of India.

4.5 Price Composition: The price quoted should be inclusive of following:

a) Professional Charges

b) Travel and Halting expenses, including local conveyance

c) Out of pocket expenses

d) Excluding GST

4.6 Work Contract tax or any other tax, if any, applicable shall be borne by the Bidder.

4.7 The commercial bid shall be on a fixed price basis and in Indian Rupees. No price

variation should be asked for relating to increases in customs duty, any taxes, foreign

currency price variation etc.

4.8 All costs and expenses incurred by bidder in any way associated with the development,

preparation, and submission of responses, including the attendance at meetings,

discussions, demonstrations, reference site visits etc. and providing any additional

information required by Punjab & Sind Bank, will be borne entirely and exclusively by the

bidder.

5. TAXES & DUTIES:

5.1 The bidder will be entirely responsible to pay all taxes including corporate tax,

income tax, license fees, duties etc. except GST in connection with delivery of the services

at site.

5.2 Wherever the laws and regulations require deduction of such taxes at the source of

payment, the Bank shall effect such deductions from the payment due to the bidder. The

remittance of amount so deducted and issue of certificate for such deductions shall

be made by the Bank as per the laws and regulations in force.

5.3 GST if any, which will be applicable, will be paid by the Bank on actual basis on

production of proof.

5.4 Nothing in the contract shall relieve the bidder from his responsibility to pay any

tax that may be levied in India on income and profits made by the bidder in respect

of this contract.

5.5 Payment of Other Expenses:

a. The selected bidder will have to visit various offices of the Bank, at various locations

like Mumbai, Chennai, Delhi, Noida etc. during the course of IS Audit. The Bank will not

pay any expenses towards travelling, lodging and boarding of the members of IS Audit

team of the selected bidder. They will have to make their own travel and stay arrangements.

b. The bidder may perform a site inspection at its own cost to verify the appropriateness of

the sites/facilities before start of the Audit.

6. PROJECT SCHEDULE:

The selected bidder has to depute its officials at Information Systems Audit Cell, HO

Inspection Department, Gurugram within 10 days from the date of signing of the

contract, for holding a formal meeting. During the said meeting, the bidder has to

give a brief technical overview / presentation regarding the technical methodology being

adopted by them to conduct the said audit.

The bidder has to maintain the schedule time frame as mentioned below:-

The timeframe for completion for Phase I of the project would be maximum 6 weeks.

The time frame for completion for Phase II would be maximum 2 weeks.

An exercise to review the compliance with the findings and recommendations of IS Audit has to be undertaken by the bidder (Phase-II). This exercise would be undertaken preferably within 180 days from the date of completion of Phase I. However, the final date for the start of compliance Audit will be informed by the Bank in due course of time.

The Final ISA certificate is to be issued within a week of Audit Compliance Review.

7. DELIVERABLES:-

The major deliverables in this project are noted below:-

7.1 Information Systems Audit as per the Scope of Work.

7.2 Vulnerability Assessment/Penetration testing of the entire network including Internet

Banking as per the scope of work and Annexure C & D, Analysis of the findings and

Guidance for Resolution of the same.

7.3 ISA Report (Type - Documentation)

7.3.1 Audit Report:-

Broadly the Audit Report shall contain and keep the undernoted points in view:-

- Gaps, Deficiencies, Vulnerabilities observed in audit. Specific observations will be given indicating name and important address of equipment.

- Risk associated with Gaps, deficiencies, vulnerabilities observed.

- Analysis of vulnerabilities and issues of concern.

- Recommendations for corrective action.

- Category of Risk (High/Medium/Low).

- Summary of audit findings including identification tests, tools used and results of test performed during IS Audit.

- Report on audit covering compliance status of the IS Audit.

- All observations will be thoroughly discussed with process owners before finalization of report.

Audit report should be submitted in the following order:

- Location, Domain/Module, Hardware, Operating Systems.

- Detailed report of network audit including VAPT with recommendations and suggestions.

- Detailed report of VAPT.

- Audit report shall incorporate a certificate that the report covers every area specified in the scope of the BID.

The IS Audit Reports have to be submitted at the end of Phase I and the sets of reports would comprise the following sub reports:

7.3.2 ISA Report: - Executive Summary:-

-An executive summary should form a part of the FINAL REPORT.

7.3.3 ISA Report: Core Findings along with Risk Analysis:

- The bidder will submit a report bringing out the core findings of the IS Audit exercise in the existing practices along with Risk Analysis of individual items, with reference to the best practices & standards.

7.3.4 ISA Report: Detailed Findings/Checklists:

- The detailed findings of the ISA would be brought out in this report, which will cover in detail all aspects, viz. identification of flaws / gaps / vulnerabilities in the systems (specific to equipments/resources, indicating name and IP address of the equipment with Office and Department name), identification of threat sources, identification of Risk, identification of inherent weaknesses, Servers/Resources affected with IP Addresses etc. Report should classify the observations into Critical / Non Critical category and assess the category of Risk Implication as HIGH/MEDIUM/LOW RISK based on the impact. The various checklist formats, designed and used for conducting the IS Audit as per the scope, should also be included in the report separately for Servers (different for different OS), RDBMS, Network equipments, security equipments etc., so that they provide minimum domain wise baseline security standard / practices to achieve a reasonably secure IT environment for technologies deployed by Punjab & Sind Bank. The Reports should be substantiated with the help of snap shots / evidences / documents etc. from where the observations were made.

7.3.5 ISA Report: In Depth Analysis of findings / Corrective Measures & Suggestions along with Risk Analysis: The findings of the entire IS Audit Process should be critically analyzed and controls should be suggested as corrective / preventive measures for strengthening / safeguarding the IT assets of the Bank against existing and future threats in the short / long term. Report should contain suggestions / recommendations for improvement in the systems wherever required. If recommendations for Risk Mitigation / Removal could not be implemented as suggested, alternate solutions to be provided. Also, if the formal procedures are not in place for any activity, evaluate the process & the associated risks and give recommendations for improvement as per the best practices.

7.3.6 Provide Certification for the ISA (Type - Documentation & Service): At the end of IS Audit process, the bidder has to provide the Bank certification for IS Audit including a certificate as per RBI guidelines for Internet Banking.

7.3.7 Documentation Format: All documents will be handed over in three copies, signed, legible, neatly and robustly bound on A-4 size, good-quality paper. Soft copies of all the documents, properly encrypted in MS Word / MS Excel / PDF format, also to be submitted in CDs/DVDs along with the hard copies. All documents will be in plain English.

7.3.8 LIST OF COUNT OF SERVERS/DEVICES IN DIFFERENT AUDITEE

LOCATIONS (It may vary in actual scenario) is enclosed as Annexure ‘D’.

Note: The list may vary in actual scenario. Any new addition / upgradation in hardware, software, new deliverables, change in architecture during the contract period at Data Center, DRS etc. will also be covered in the audit. Exact details of the devices / equipments at the various auditee locations will be provided to the final shortlisted bidder at the time of placing of order.

ANNEXURE B: SCHEDULE OF REQUIREMENTS

I N D E X

Sr. No. | ANNEXURE No. | SUBJECT | PAGE No.
1 | ANNEXURE – I | PROFILE OF THE BIDDER | 36
2 | ANNEXURE – II | PROFILE OF THE PROPOSED CORE AUDIT TEAM | 37
3 | ANNEXURE – III | FORMAT FOR COMMERCIAL BID | 38
4 | ANNEXURE – IV | BID FORM | 39
5 | ANNEXURE – V | PERFORMANCE SECURITY FORM | 40
6 | ANNEXURE – VI | CONTRACT FORM | 44
7 | ANNEXURE – VII | TECHNICAL DEVIATION | 46
8 | ANNEXURE – VIII | COMMERCIAL DEVIATION | 47
9 | ANNEXURE – IX | LETTER OF CONFIRMATION | 48
10 | ANNEXURE – X | COMPLIANCE FOR REVERSE AUCTION | 49
11 | ANNEXURE – XI | LETTER OF AUTHORITY FOR PARTICIPATING IN REVERSE AUCTION | 50

ANNEXURE –I (TECHNICAL BID):- PROFILE OF THE BIDDER

RFP REF No:- PSB/HOIT/RFP/145/2020 Dt. 26.02.2020

DESCRIPTION DETAILS

Registered address of the Bidder

Address:

Address for Correspondence of the Bidder

STD- Phone:

e-mail Id:

FAX No:

Contact name of the official who can commit on the contractual terms and the name of an alternate official who may be contacted in the absence of the former

Primary Contact:

Name:

Designation:

STD- Phone No:

Mobile Phone :

e-mail ID :

Name :

Designation:

STD- Phone No:

Mobile Phone :

e-mail ID :

Contact addresses if different from above

Official Website Web Site URL :

Authorized Signatory with Seal

Date:

Place:

Annexure II :- (Technical Bid) PROFILE OF THE PROPOSED CORE AUDIT

TEAM TO BE ASSIGNED FOR THE PROJECT

S.N. | NAME | DESIG. | PART TIME / FULL TIME | ROLE IN IS AUDIT (TASK/MODULE) | PROFESSIONAL QUALIFICATION | YEARS OF IS AUDIT EXP.

1

2

3

4

5

6

7

8

9

10

Authorized Signatory with Seal

Date:

Place:

Annexure III:- (Indicative Commercial bid)

FORMAT FOR INDICATIVE COMMERCIAL BID

PARTICULARS | AMOUNT (IN RS) INCLUDING ALL TAXES OTHER THAN GST
Cost of IS Audit as per the scope of work defined in the RFP (Inclusive of all fees & expenses) |
TOTAL COST OF IS AUDIT |

(Total Amount in Words: - Rupees )

Authorized Signatory with Seal

Date:

Place:

Note:-

➢ The Commercial Bid should contain the Total Cost of Audit, on a fixed cost

Basis. Punjab & Sind will neither provide nor reimburse any expenditure towards any

type of Accommodation, Travel Ticket, Airfares, Train fares, Halting expenses, Transport,

Lodging, Boarding etc.

➢ The prices quoted above should be inclusive of all taxes & Duties as applicable

except GST. The commercial bid will be evaluated based on TOTAL COST OF IS AUDIT

i.e. Amount including all taxes but excluding GST.

➢ GST shall be payable extra on actual basis.

➢ Providing Indicative Commercial bid other than this format may lead to rejection of the

bid.

Annexure IV :- (Technical Bid)

BID FORM

To Date:

PUNJAB & SIND BANK,

H.O. IT Department,

2nd floor, Bank House,

21, Rajendra Place,

New Delhi – 110008

Having examined the RFP including all Annexures, the receipt of which is hereby

duly acknowledged, we the undersigned, offer to provide IS Audit services in

conformity with the said RFP in accordance with the Price Composition indicated in

the Commercial Bid and made part of the Bid.

We undertake, if our bid is accepted, to deliver the services in accordance with the delivery

schedule specified in Annexure A.

We agree to abide by this bid for the period of 180 days from the last date of submission of

the bid and it shall remain binding upon us and may be extended at any time before the

expiration of that period.

We undertake that, in competing for (and, if the award is made to us, in executing)

the above contract, we will strictly observe the laws against fraud and corruption in

force in India namely “Prevention of Corruption Act 1988”.

We understand that the Bank is not bound to accept the lowest of any bid the Bank

may receive.

Dated this ________________ day of _____________ 20 .

(Signature) (In the Capacity of)

Duly authorized to sign bid for and on behalf of

(Name & Address of Bidder) ________________________________

Business_________________________ Address________________

Annexure V: - PERFORMANCE BANK GUARANTEE

(Issued by a nationalized /scheduled commercial Bank)

(ON A NON-JUDICIAL STAMP PAPER OF RS. 100.00)

Tender Reference No: ______________________Date _________________

TO:

PUNJAB & SIND BANK,

H.O. IT Department,

2nd floor, Plot No. 151,

Sector 44,

Gurugram – 122003

Bank Guarantee No.

Bank Guarantee Amount

Expiry Date

Claim Period

Dear Sir,

GUARANTEE FOR PERFORMANCE OF CONTRACT/AGREEMENT

THIS GUARANTEE AGREEMENT executed at ________ day of_____________

Two Thousand ___________

BY: ______________________ Bank, a body corporate constituted under

_______________, having its Registered Office/ Head Office at ______________, and

a Branch Office at_____________________________________________________

(Hereinafter referred to as “the Guarantor”, which expression shall, unless it be

repugnant to the subject, meaning or context thereof, be deemed to mean and include

its successors and assigns)

IN FAVOUR OF:

Punjab & Sind Bank, a body corporate, established under the Banking Companies

(Acquisition and Transfer of Undertakings) Act 1980 and having its Registered Office

at 21, Rajendra Place, New Delhi 110008 (hereinafter referred to as “Bank” which

expression shall unless it be repugnant to the subject, meaning or context thereof, be

deemed to mean and include its successors and assigns),

WHEREAS Bank had called for the bids for Information System Audit of Data Centre,

Critical Applications, IT Processes etc. of the Bank and for the purposes

M/s……………………… have been appointed as the Vendor (hereinafter referred to

as "Vendor") and accordingly has entered into Contract / Agreement on ………..

(Agreement) with Bank subject to the terms and conditions contained in the said

documents and the Vendor has duly confirmed the same.

AND WHEREAS pursuant to the Bid Documents, the Agreement, and the other related documents (hereinafter collectively referred to as “the said documents”), the Bank has agreed to avail the service from M/s……………………., which has agreed to provide to the Bank the Services Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank, more particularly described in the Schedule/Annexure to the said documents, subject to payment of the contract price as stated in the said documents and also subject to the terms, conditions, covenants, provisions and stipulations contained in the said documents.

AND WHEREAS the Vendor has duly signed the said documents.

AND WHEREAS in terms of the said documents, inter alia, the Vendor is required to

procure an unconditional and irrevocable performance Bank guarantee, in favour of the

Bank, from a Bank acceptable to the Bank for a sum of Rs…………………

(Rupees…………………………………………………….. Only) for the faithful

observance and performance by the Vendor of the terms, conditions, covenants,

stipulations, provisions of the Agreement /the said documents.

AND WHEREAS at the request of the Vendor, the Guarantor has agreed to issue the

Guarantee in favour of the Bank for a sum of Rs. …………

(Rupees………………………………………………..Only).

AND WHEREAS at the request of the Vendor, the Guarantor has agreed to guarantee the Bank that the Vendor shall faithfully observe and perform the terms of the said documents.

NOW THEREFORE THIS AGREEMENT WITNESSETH AS FOLLOWS:

In consideration of the above premises, the Guarantor hereby unconditionally,

absolutely and irrevocably guarantees to the Bank as follows:

(1) The Guarantor hereby agrees and guarantees that the Vendor shall faithfully observe and perform all the terms and conditions stipulated in the Contract/Agreement and the said documents.

(2) The Guarantor hereby guarantees and undertakes to pay, on demand and without

demur, reservation, contest, recourse or protest or without any reference to the Vendor,

to the Bank at its office at New Delhi forthwith, and all monies payable by the Vendor

to the extent of Rs.………………………………………. against any loss, costs,

damages, etc. suffered by the Bank on account of default of the Vendor in the faithful

observance and performance of the terms, conditions, covenants, stipulations,

provisions of the Agreement / said documents, without any demur, reservation, contest,

recourse or protest or without any reference to the Vendor. Any such demand or claim

made by the Bank, on the Guarantor shall be final, conclusive and binding

notwithstanding any difference or any dispute between the Bank and the Vendor or any

dispute between the Bank and the Vendor pending before any Court, Tribunal,

Arbitrator, or any other authority.

(3) The Guarantor agrees and undertakes not to revoke this Guarantee during the

currency of these presents, without the previous written consent of the Bank and further

agrees that the Guarantee herein contained shall continue to be enforceable until and

unless it is discharged earlier by the Bank, in writing.

(4) The Bank shall be the sole judge to decide whether the Vendor has failed to perform

the terms of the Agreement / said documents for providing the Services by the Vendor

to the Bank, and on account of the said failure what amount has become payable by the

Vendor to the Bank under this Guarantee. The decision of the Bank in this behalf shall

be final, conclusive and binding on the Guarantor and the Guarantor shall not be entitled

to demand the Bank to establish its claim under this Guarantee but shall pay the sums

demanded without any objection, whatsoever.

(5) To give effect to this guarantee, the Guarantor will be deemed to be the Principal

Debtor to the Bank.

(6) The liability of the Guarantor, under this Guarantee shall not be affected by:

(a) any change in the constitution or winding up of the Vendor or any absorption, merger

or

(b) amalgamation of the Vendor with any other company, corporation or concern; or

(c) any change in the management of the Vendor or takeover of the management of the

Vendor by the Government or by any other authority; or

(d) acquisition or rationalization of the Vendor and/or of any of its undertaking(s)

pursuant to any law; or

(e) any change in the constitution of Bank / Vendor; or

(f) any change in the setup of the Guarantor which may be by way of change in the

constitution,

(g) winding up, voluntary or otherwise, absorption, merger or amalgamation or

otherwise; or the absence or deficiency of powers on the part of the Guarantor to give

Guarantees and/or Indemnities or any irregularity in the exercise of such powers.

(7) This guarantee will remain in force up to 15 months from the date of signing of the

contract.

(8) Notwithstanding anything contained in this Guarantee, the Guarantor hereby agrees

and undertakes to extend the validity period of this guarantee for a further period as

may be requested by the Bank, from time to time.

(9) This guarantee shall be binding upon us and successors-in-interest and shall be irrevocable.

(10) For all purposes connected with this Guarantee and in respect of all disputes and

differences under or in respect of these presents or arising there from the courts of New

Delhi where the Bank has its Head Office shall alone have jurisdiction to the exclusion

of all other courts.

(11) Notwithstanding anything contained herein above:

I. Our liability under this Bank Guarantee shall not exceed Rs ……………. (Rupees

……………………….. only)

II. This Bank Guarantee shall be valid up to…………….

III. We are liable to pay the guaranteed amount or any part thereof under this Bank

Guarantee only and only if you serve on us a written claim or demand on or before

………………… (mention validity period + claim period)

IN WITNESS WHEREOF the Guarantor has caused these presents to be executed on

the day, month and year first herein above written as hereinafter appearing.

SIGNED SEALED AND

DELIVERED BY the within

named Guarantor (Vendor Bank),

______________________,

by the hand of Shri. __________, its authorised official.

Annexure VI: - CONTRACT FORM (SAMPLE)

(Non-Judicial Stamp Paper of appropriate value)

RFP REF. NO.

CONTRACT NUMBER:

THIS AGREEMENT made the _________ day of ______, 20___ Between PUNJAB

& SIND BANK (hereinafter “the Purchaser”) of one part and __________ (Name of

Selected Bidder) of ____________ (City and Country of Bidder) (hereinafter “the Bidder”)

of the other part:

WHEREAS the Purchaser is desirous that certain services should be provided by the

Bidder, viz. ________________ ________________ (Brief description of Services) and

has accepted a bid by the Bidder for Information System Audit of Data Centre, Critical

Applications, IT Processes etc. of the Bank.

NOW THIS AGREEMENT WITNESSETH AS FOLLOWS:

1. In this Agreement words and expressions shall have the same meanings as are

respectively assigned to them in the Conditions of Contract referred to.

2. The following documents shall be deemed to form and be read and construed as part

of this Agreement, viz. :

(a) RFP No. PSB/HOIT/RFP/145/2020 dated 26.02.2020 and all its

addendums/modifications.

(b) The Bid form and price schedule submitted by the bidder and subsequent amendments

made into it as accepted by the bank.

(c) the Scope of works, deliverables

(d) all terms & conditions as per RFP and Annexures.

3. In consideration of the payments to be made by the Purchaser to the Bidder in terms of

Purchase Order for IS AUDIT services placed by Head Office of the Purchaser, the

bidder hereby covenants with the Purchaser to provide the services therein in conformity

in all respects with the provisions of the contract.

4. The Purchaser hereby covenants to pay the bidder in consideration of the provision of services, the Purchase order Price or such other sum as may become payable under the provisions of the Contract at the times and in the manner prescribed by the Contract.

IN WITNESS whereof the parties hereto have caused this Agreement to be executed

in accordance with their respective laws the day and year first above written.

Signed, sealed and Delivered by the Said ________________________ (For the Bidder) in

presence of _______________________

Signed, sealed and Delivered by the Said ________________________ (For the Purchaser)

in presence of ______________________

Annexure VII :- (Technical Bid)

TECHNICAL DEVIATION STATEMENT

The following are the particulars of deviations from the requirements of the tender/ bid:-

CLAUSE | DEVIATION | REMARKS (Including justification) | Whether it has any commercial implications (Reply in yes*/ no)

The eligibility criterion & offered IS AUDIT services furnished in the bidding document

shall prevail over those of any other documents forming a part of our bid except only to the

extent of deviations furnished in this statement.

Dated ________________ Signature and seal of the Bidder

Note: Where there is no deviation, the statement should be returned duly signed with

an endorsement indicating “No Deviations”.

* If reply is yes, it must be specified in Annexure- XVI (Commercial Deviation

Statement Form), else the commercial implication will be treated as NIL.


Annexure VIII :- (Commercial Bid)

COMMERCIAL DEVIATION STATEMENT FORM

The following are the particulars of deviations from the requirements of the tender/ bid:

| CLAUSE | DEVIATION | REMARKS (Including justification) |
|---|---|---|
| | | |

The cost of offered IS AUDIT services furnished in the bidding document (Annexure- III) shall prevail over those of any other document forming a part of our bid except only to the extent of deviations furnished in this statement.

Dated ________________ Signature and seal of the Bidder

NOTE: Where there is no deviation, the statement should be returned duly signed with an endorsement indicating “No Deviations”.


Annexure IX (Technical Bid)

LETTER OF CONFIRMATION

The Asstt. General Manager,

PUNJAB & SIND BANK,

H.O. IT Department,

2nd floor, plot No. 151,

Sector 44,

Gurugram – 122003

Dear Sir,

We confirm that we will abide by the conditions mentioned in the Tender Document (RFP and annexure) in full and without any deviation subject to Annexure- VII & VIII. We shall observe confidentiality of all the information passed on to us in course of the IS Audit process and shall not use the information for any other purpose than the current tender.

We confirm that we have not been blacklisted by any Govt. Department /PSU / PSE or Banks or otherwise not involved in any such incident with any concern whatsoever, where the job undertaken / performed and conduct has been questioned by any authority, which may lead to legal action.

We also confirm that we are not a bidder /consultant to the bank involved in either supply/installation of Hardware/Software, implementation of Security/Network Infrastructure of the Bank or providing services excluding IS Audit services, in the past three years directly or indirectly through a consortium.

Place:

Date:

(Authorized Signatory)

SEAL


Annexure X

Compliance for Reverse Auction

RFP No: PSB/HOIT/RFP/xxx/2019-20 Date:

Punjab & Sind Bank,

2nd floor, Information Technology Department,

Plot No. 151, Sector 44,

Gurugram – PIN 122003

Dear Sir,

We ______________________ (name of the company) hereby confirm having submitted our bid for participating in Bank’s RFP dated _________ for procurement of ____________.

1. We also confirm having read the terms of RFP as well as the Business Rules relating to the Reverse Auction for this RFP process.

2. We hereby undertake and agree to abide by all the terms and conditions stipulated by Punjab & Sind Bank in the RFP document including all annexures and the Business Rules for Reverse Auction.

3. We shall participate in the on-line auction conducted by ……………….. (Auctioneer Company) and submit our commercial bid. We shall also abide by the procedures prescribed for online auction by the auctioneer company.

4. We hereby confirm that we will honour the Bids placed by us during the auction process, failing which we shall forfeit the Earnest Money Deposit. We also understand that the bank may debar us from participating in future tenders.

5. We confirm having nominated Mr. ________________, designated as ______________ of our company to participate in the Reverse Auction on behalf of the company. We undertake that the company shall be bound by the bids made by him in Reverse Auction.

6. We accordingly authorize Bank and/ or the reverse auction company to issue user ID and password to the above named official of the company.

7. Both Bank and the auction company shall contact the above named official for any and all matters relating to the Reverse Auction.

8. We hereby confirm that we will honour the Bids placed by Mr. __________ on behalf of the company in the auction process, failing which we will forfeit the EMD. We agree and understand that the bank may debar us from participating in future tenders for any such failure on our part.

9. We undertake to submit the confirmation of last bid price by us to the auction company/Bank within 48 working hours of the completion of event. We also undertake to submit the Bill of Materials for the TCO (Total Cost of Ownership) in terms of RFP.

Name of Authorized Representative: _______________________

Signature of Authorized Representative: ____________________

Verified above signature

Date: Seal and signature of the bidder


ANNEXURE – XI

Letter of Authority for Participating in Reverse Auction

Punjab & Sind Bank

Second Floor

IT Department

Plot Number 151, Sector 44,

Gurugram, 122003

Dear Sir,

We _____________________ (name of the Company) have submitted our bid for participating in Bank’s RFP dated _________________ for procurement of _______________.

We also confirm having read and understood the terms of the RFP as well as the business rules relating to the Reverse Auction for this RFP process.

As per the terms of RFP and Business Rules, we nominate Mr. __________________, designated as ______________________ of our company to participate in the Reverse Auction.

We accordingly authorize Bank and/ or the Auction Company to issue user ID and password to the above named official of the company.

Both Bank and the auction company shall contact the above named official for any and all matters relating to the Reverse Auction.

We hereby confirm that we will honor the Bids placed by Mr. __________________ on behalf of the company in the auction process, failing which Bank shall have the right to forfeit the EMD. We agree and understand that the Bank may debar us from participating in future tenders for any such failure on our part.

(Signature)

(Name of Authorized Signatory)

(Designation)

(Date)

Place:

(Name and address of the bidder)

(Company Seal)


ANNEXURE “C”

A. Systems/ Applications and its Locations (tentative)

1.1 Information Systems Audit should cover entire Information Systems Infrastructure which includes Servers & other hardware items, Operating Systems, Databases, Application Systems, Technologies, Networks, Facilities, Process & People of the undernoted locations:

| Sr. No. | Particulars | DC | DR | NLDC |
|---|---|---|---|---|
| 1. | CBS Servers, Interfaces, Network & Other Devices, Finacle Application | Navi Mumbai | Greater Noida | Navi Mumbai |
| 2. | ATM Switch & Back Office, ATM Card (Debit & Prepaid Cards) | Chennai | Mumbai | N.A. |
| 3. | Financial Inclusion, Centralized FI gateway Application solution | Navi Mumbai | Greater Noida | N.A. |
| 4. | E-KYC (Biometrics) | Navi Mumbai | Greater Noida | N.A. |
| 5. | Internet Banking Application | Navi Mumbai | Greater Noida | Navi Mumbai |
| 6. | Mobile Banking Application | Navi Mumbai | Greater Noida | Navi Mumbai |
| 7. | Mail Messaging Solution | Navi Mumbai | Greater Noida | Navi Mumbai |
| 8. | Intranet of the bank | Navi Mumbai | Greater Noida | Navi Mumbai |
| 9. | SMS Alert System | Mumbai | Pune | |
| 10. | RTGS/NEFT etc. | HO.IT Deptt. Rajendra Place | Greater Noida | |
| 11. | Cheque Truncation System (CTS) - Northern Grid | Ranjit Nagar, New Delhi | Greater Noida | |
| 12. | Cheque Truncation System (CTS) - Southern Grid | RCC, Chennai (Opex Model) | | |
| 13. | Cheque Truncation System (CTS) - Western Grid | RCC, Mumbai (Opex Model) | | |
| 14. | Treasury Solution | Navi Mumbai | Greater Noida | N.A. |
| 15. | UPI | Mumbai | New Delhi | N.A. |
| 16. | BBPS | Mumbai | Chennai | -- |
| 17. | POS, Cash@POS | Mumbai | Bangalore | -- |
| 18. | Bharat QR Code | Mumbai | Bangalore | -- |
| 19. | Aadhar Enable Payment System (AEPS) | Navi Mumbai | Greater Noida | |
| 20. | Merchant Aadhar Payment System | Hyderabad | Navi Mumbai | |
| 21. | Accumen Pro Connect (Liquidity Management System) | HO.IT Deptt. Rajendra Place | Greater Noida | |
| 22. | Call Centre | Noida | Noida | |
| 23. | GST | Navi Mumbai | Greater Noida | |
| 24. | SWIFT | Navi Mumbai | HO.Fex Deptt. N.D. (To be soon shifted to Greater Noida) | -- |
| 25. | Card Management | Chennai | Mumbai | -- |
| 26. | CCIL Server | HO.IT Deptt. Rajendra Place | Greater Noida | -- |
| 27. | ALM | Vashi Mumbai | Greater Noida | -- |
| 28. | AML | Navi Mumbai | Greater Noida | -- |
| 29. | Data Archival Retrieval (DAR) | Navi Mumbai | Greater Noida | -- |
| 30. | Security Operation Center (SOC) | Navi Mumbai | Greater Noida | Navi Mumbai |
| 31. | Third Party Applications: 1. PKI; 2. C-KYC; 3. E-TDS; 4. LOS-Loan Origination System; 5. RTTS - Real Time Transaction System (RTTS); 6. EIRMS- Risk Management Systems for Standardized & Advanced Approaches; 7. GST Suvidha Provider; 8. Internal Credit Rating Solution; 9. Settlement, Reconciliation & Dispute Management; 10. e-Procurement & e-Auction Services; 11. PFMS | Navi Mumbai | Greater Noida | Navi Mumbai |

B. IS AUDIT OF INTERNET BANKING (WWW.PSBONLINE.CO.IN), MOBILE BANKING (HTTPS://WWW.PSBMOBILE.COM/MPAYPSBWAP/PSB), INTRANET.PSB.CO.IN, WEBMAIL.PSB.CO.IN, UPI, BHIM, FI AND CORPORATE WEBSITE (WWW.PSBINDIA.COM) OF THE BANK

While conducting the IS Audit, the guidelines/ recommendations issued by CERT-In and Reserve Bank of India should be strictly complied with.

C. Vulnerability Assessment & Penetration Testing (Internal and External)

The Bidder is expected to conduct a VA/PT of the deployed solution at the Data Centre and the Disaster Recovery Site and ensure compliance of the security gaps. The minimum set of activities to be performed is detailed in the scope of work.

D. Application Review and Testing

The bidder is to carry out an application review covering the functionality, security, and controls within the applications. The minimum set of activities to be performed is detailed in the scope of work. The auditor has to conduct VA, PT & white box (with credentials) testing for security assurance of the applications.


E. Scope of Assessment of UPI:

The IS Auditors have to conduct the system and app audit to ensure data integrity, encryption and the app security in compliance with NPCI circular no. NPCI/2019-20/IS/003 dated 10.12.2019 and the risk and compliance framework for the UPI ecosystem. At a minimum, the following reports are expected from the IS Auditor:

• Vulnerability Assessment of the IT Servers (web, App, DB, OS), networking and security devices that participated in the UPI ecosystem including that of TPAP.

• Black box penetration testing of the IT Servers, networking and security devices that participated in the UPI ecosystem including that of TPAP.

• Configuration Audit as per CIS Benchmark for IT Servers, networking and security devices that participated in the UPI ecosystem including that of TPAP.

• Application security testing report (both SAST & DAST) performed on the UPI PSP Application/ SDK/ Merchant/ TPAP application.

• Source Code review report performed on the UPI PSP Application/ SDK/ Merchant/ TPAP application.

F. ATM Switch- Cyber Security Controls for ATM Switch Application Service Providers (ASPs)

The IS Auditors have to review the compliance of RBI circular no. DoS.CO/CSITE/BC.4084/31.01.015/2019-20 dated 31.12.2019. The list of prescribed controls is indicative but not exhaustive.

• Preventing access of unauthorised software

• Environmental Controls

• Network Management and Security

• Secure Configuration

• Application Security Life Cycle (ASLC)

• Patch/Vulnerability and Change Management

• User Access Control / Management

• Data Leak prevention strategy

• Audit Logs

• Incident Response and Management

• Advanced Real-time Threat Defence and Management

• Vulnerability assessment and Penetration Test

• Forensics

• Arrangement for continuous surveillance - Setting up of Cyber Security Operation Center (C-SOC)

• Compliance with various standards


ANNEXURE ‘D’

LIST OF SERVERS/DEVICES IN DIFFERENT AUDITEE LOCATIONS

(It may vary in actual scenario)

Servers, Storage & Tape Library

| Sr. no. | Purpose | Model | Quantity (DC) | Quantity (DR) | Quantity (NLDC) |
|---|---|---|---|---|---|
| 1 | CBS Servers (Database + Application) | Oracle T4-4 | 2 | 2 | NA |
| 2 | CBS Servers (Database + Application) | Oracle T4-1 | 6 | 6 | NA |
| 3 | SASCL Server | Oracle T3-1 | 1 | NA | NA |
| 4 | Storage | EMC VNX 5500 in DC & DR and EMC VNX 5300 in near site | 1 | 1 | 1 |
| 5 | Storage | EMC VNXe 3100 | 1 | NA | NA |
| 6 | SAN Switch | Cisco SAN Switch | 2 | 2 | 2 |
| 7 | Tape Drive | Tandberg T40+ Tape library | 1 | 1 | NA |
| 8 | Blade Chassis | Cisco UCS chassis | 6 | 4 | NA |
| 9 | Windows Servers | Cisco UCS Blade server | 42 | 28 | NA |

Networks equipment

| Sr. no. | Purpose | Model | Quantity (DC) | Quantity (DR) | Quantity (NLDC) |
|---|---|---|---|---|---|
| 1 | MPLS Routers | ASR1002-10G-SEC/K9 | 2 | 2 | 2 |
| 2 | IPSec Routers | ASR1002-10G-VPN/K9 | 2 | 2 | NA |
| 3 | Routers | CISCO2921-SEC/K9 | 4 | 2 | NA |
| 4 | Routers | CISCO2921-SEC/K9 | 2 | 1 | NA |
| 5 | Core Switches | N7K-C7009-BUN2-R | 2 | 2 | NA |
| 6 | Server Farm | WS-C3750X-24T-S | 3 | 2 | 2 |
| 7 | Uplink Switches | WS-C3750X-24T-S | 4 | 4 | NA |
| 8 | DMZ Switches | WS-C2960G-24TC-L | 2 | 2 | NA |
| 9 | Web Zone | ACE-4710-04-K9 | 4 | 4 | NA |
| 10 | ISE SLB | ACE-4710-04-K9 | 4 | 4 | NA |
| 11 | Internet Section | APV 2600 | 2 | 2 | NA |
| 12 | Replication | APV 2600 | 2 | 2 | NA |

Security Equipments

| Sr. no. | Purpose | Model | Quantity (DC) | Quantity (DR) | Quantity (NLDC) |
|---|---|---|---|---|---|
| 1 | Intranet Firewall | ASA5585-S20P20XK9 | 2 | 2 | NA |
| 2 | RA VPN Firewall | ASA5545-K9 | 2 | 2 | NA |
| 3 | Internet Firewall | CP4200 | 2 | 2 | NA |
| 4 | CP Security Mgmt | Smart-1 | 1 | NA | NA |
| 5 | CP Smart Event | SM503-EVNT | 1 | NA | NA |
| 6 | Access Control | CSACS-1121-K9 | 1 | 1 | NA |
| 7 | Admission Control | ISE-3395-K9 | 8 | 8 | NA |
| 8 | Web Gateway | MFE Web Gateway 5500 Appl-B | 2 | 1 | NA |
| 9 | Email Gateway | MFE Email Gateway 5500 Appl-C | 2 | 1 | NA |

Other

| Sr. no. | Purpose | Model | Quantity (DC) | Quantity (DR) | Quantity (NLDC) |
|---|---|---|---|---|---|
| 1 | Network Monitoring | LMS-4.1-2.5K-K9 | 1 | 1 | NA |
| 2 | Security Monitoring | L-CSMPR250-4.2-K9 | 1 | 1 | NA |
| 3 | NAC | Cisco L-ISE-ADV5Y-5K= | 4 | 3 | NA |

LIST OF SERVERS/DEVICES IN SOC

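Hardware (Switch, Servers, Storage & Appliances)

| Sr. no. | Device | Model/Version | Purpose | Quantity (DC) | Quantity (DR) |
|---|---|---|---|---|---|
| 1 | Barracuda WAF | 660A | Web Application Monitoring | 2 | 2 |
| 2 | DDI | 510 | ANTI-APT | 2 | 2 |
| 3 | DDAN | 1100 | ANTI-APT | 2 | 2 |
| 4 | SAN Switch | Brocade SAN Switch | NA | 2 | 2 |
| 5 | Netapp SAN Storage | 212 C | Storage | 1 | 1 |
| 6 | Netapp NL Storage | 224 C | Storage | 1 | 1 |
| 7 | CISCO UCS Server | C220 M5 | Server for Virtual implementation | 5 | 2 |
| 8 | CISCO Catalyst N/W Switch | 2960L | Network equipment for N/w connectivity | 4 | 4 |

Security Technology (ANTI-APT) Virtual

| Sr. no. | Device | Model/Version | Purpose | Quantity (DC) | Quantity (DR) |
|---|---|---|---|---|---|
| 1 | IMSVA | 9.1.0.1960 | E-mail Solution | 2 | 2 |
| 2 | TMCM | 7 | Controlling manager | 1 | NA |

Security Technology (SIEM) Virtual

| Sr. no. | Device | Model/Version | Purpose | Quantity (DC) | Quantity (DR) |
|---|---|---|---|---|---|
| 1 | VLC | 11.3.2.0 | Log Solution | 1 | 1 |
| 2 | Decoder | 11.3.2.0 | Log Solution | 1 | NA |
| 3 | Concentrator | 11.3.2.0 | Log Solution | 1 | NA |
| 4 | ESA | 11.3.2.0 | Log Solution | 1 | NA |
| 5 | Archiver | 11.3.2.0 | Log Solution | 1 | NA |
| 6 | SA Server | 11.3.2.0 | Log Solution | 1 | NA |

Security Technology (PIM) Virtual

| Sr. no. | Device | Model/Version | Purpose | Quantity (DC) | Quantity (DR) |
|---|---|---|---|---|---|
| 1 | Application | 4.8.5.0 | Privilege Access Management | 1 | 1 |
| 2 | DB | NA | Privilege Access Management | 1 | 1 |
| 3 | Gateway | Centos 7 | Privilege Access Management | 1 | 1 |

Security Technology (SEC-OPS) Virtual

| Sr. no. | Device | Model/Version | Purpose | Quantity (DC) | Quantity (DR) |
|---|---|---|---|---|---|
| 1 | Application | 6.5 | Archer Ticketing Tool | 1 | 1 |
| 2 | DB | NA | Archer Ticketing Tool | 1 | 1 |
| 3 | Gateway | NA | Archer Ticketing Tool | 1 | 1 |

Other

| Sr. no. | Device | Model/Version | Purpose | Quantity (DC) | Quantity (DR) |
|---|---|---|---|---|---|
| 1 | VMWare Vsphere Client | 6.5 | OS for ESXI Hosting | 1 | 1 |
| 2 | ESXI | 6.5 | OS for UCS Server | 5 | 2 |
| 3 | Windows Server | Microsoft 2012 | To establish different applications and technology (SECOPS, PIM, VCSA) | 8 | 6 |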