The Maharashtra State Co-operative Bank Ltd TENDER DOCUMENT FOR INFORMATION SYSTEM AUDIT

The Maharashtra State Co-operative Bank Ltd (Incorporating The Vidarbha Co-op. Bank Ltd)

Head Office, Fort, Mumbai

TENDER DOCUMENT

FOR

INFORMATION SYSTEM BASIC (QUICK) AUDIT

OF

CORE BANKING SOLUTION, DATA CENTRE, NETWORKING INFRASTRUCTURE AND OTHER INTEGRATED SYSTEMS.

Reference Number: MSCB/ITD/ SYS-AUDIT/291/2015-16 (Short Name of the Tender / Project: “Systems Audit”)

Cost of the Tender Document: Rs.1000/- (Rupees One Thousand Only) per copy.


INDEX

No. Details

1. Tender Notice
2. About MSCB
3. Invitation of Offers
4. Bank’s Objective
5. The Scope of the Project
6. Deliverables Under Systems Audit
7. Eligibility/Evaluation criteria for the bidder
8. Compliance to Regulations of Reserve Bank of India / NABARD / other Regulatory bodies and agencies
9. Technical Bid
10. Format of C.V.
11. Commercial Bid
12. Contents of documents
13. Terms and Conditions
14. Annexure – A
15. Annexure – I
16. Annexure – II


The Maharashtra State Co-operative Bank Ltd (MSCB). (Incorporating the Vidarbha Co-op. Bank Ltd.)

Sir Vitthaldas Thackersey Memorial Building, 9, Maharashtra Chambers of Commerce Lane, Fort, Mumbai - 400 001.

TENDER NOTICE

Sealed offers are invited (two bid system) from reputed companies for Information System Audit of Core Banking, Data Centre, Networking Infrastructure and Other Integrated Systems of The Maharashtra State Co-Operative Bank Ltd. (MSCB) Head Office, Fort, Mumbai.

1. Tender Highlights:

Document Reference: MSCB/ITD/ SYS-AUDIT /291/2015-16
Price of Tender Document: 1000/- each by Cash or Demand Draft Only
Date of Commencement of Sale of Document: 11.01.2016, 11.00 a.m.
Last Date of Sale of Documents: 01.02.2016
Pre Bid Meeting: 18.01.2016 at 11.30 a.m.
Last Date and Time for receipt of offers from Vendors: 02.02.2016 up to 3.30 p.m.
Address for Communication: Manager, ITD, The Maharashtra State Co-operative Bank Ltd, 9, Maharashtra Chambers of Commerce Lane, Fort, Mumbai - 400 001.
Contact Telephone Numbers: 022-22800502 / 712
FAX Numbers: 022-2204 24 84 / 2204 34 21
Email ID: [email protected]

Terms and Conditions, eligibility criteria and procedure for submission of Bids are given in the tender document. The Tender document may be obtained by paying a non-refundable fee of Rs. 1000/- (Rupees One thousand only) in cash or in the form of demand draft in favor of “The Maharashtra State Cooperative Bank Ltd, Mumbai” payable at Mumbai, from the office of The Managing Director of the Bank during office hours between 11.00 am to 16.00 pm. The same can also be downloaded from the official website of MSCB (www.mscbank.com) and may be submitted along with non-refundable fee of Rs. 1000/- (Rupees One thousand only) in the form of demand draft in favor of “The Maharashtra State Cooperative Bank Ltd, Mumbai” payable at Mumbai.

Date: 11.01.2016
Mumbai

(P. R. Karnad)
Managing Director.


Tender Document for Information System Audit of Core Banking Solution, Data Centre, Networking Infrastructure and Other Integrated Systems

2. About MSCB:

2.1 Introduction

The Maharashtra State Cooperative Bank Ltd, Mumbai is a premier co-operative institute at State level established in 1911. It has been rendering more diversified and multifarious bank services and facilities to its increasing clientele over the last 10 decades and has established itself as a leader of the co-operative movement in the state of Maharashtra. It has been helping the economic development of rural Maharashtra through its six regional offices and 41 Branches in the State.

The main business of the MSCB can be classified as direct financing for the cooperative societies engaged in various fields like sugar production, marketing, spinning mills and various types of agriculture processing units; direct financing to some State level and National level co-operatives; and indirect financing through a three-tier system, i.e. MSCB at apex level, DCC Banks at middle level and primary agriculture societies at grass root level.

2.2 Organizational Set-up:

MSCB has its corporate office in Mumbai. The state-wide operations are managed through its 6 Regional Offices at Nagpur, Nasik, Pune, Aurangabad, Nanded and Kolhapur. All banking transactions and operations are being carried out in a Centralized Banking System (CBS) environment at Head office, all branches, Extension counters, Regional offices (6), and its International Banking Division in Mumbai.

2.3 Current Status of Computerizations:

The Bank has computerized the majority of its banking operations / functional areas at Head office and Branches. All Branches are working in the CBS environment. The Bank would like to extend its technology usage by introducing different delivery channels, integration with networks of other / District banks, sharing technology infrastructure with Co-op. banks, etc.


2.4 Background:

2.4.1 The MSCB initiated the process of computerization of its operations in a phased manner starting in 1998-99. During the First Phase (1998 to 2003), MSCB covered banking operations at HO – Branch (which accounted for the majority of the Transactions), Treasury and Human Resources Department. The Vendor (Next-Step, now known as Data-Vision, from Pune) developed the software as per the requirements of MSCB and implemented the same on a Client-Server architecture at the HO.

2.4.2 During the second Phase of computerization (2003 to 2008), the MSCB computerized its Branches, Regional Offices and Pay Offices Transactions. The Branches were computerized on distributed Total Branch Automation (“TBA”) systems with Application Software called “OMNI” provided and implemented by Infrasoft Technologies (India) Ltd (“ITL”). Although the ITL OMNI (TBA) was an industry standard TBA product, it required considerable customization in view of the peculiar nature of MSCB operations as an apex state level co-operative Bank. During this Phase, the Bank successfully implemented the RTGS application as per RBI requirement. The Bank also installed a readymade product, KASTLE from 3i Infotech, for Treasury, Risk Management / Asset Liability Management (“ALM”) operations. The Bank also introduced DMAT services for Share transactions and implemented a Software Application from CMC for back-office management in due course. The Bank also established in Jan 2007 a well-equipped in-house IT / Computer Training Centre at its premises at Vashi.

2.4.3 Implementation of Core Banking Solution (“CBS”)

In the third Phase of computerization (2008 to 2011), MSCB focused on implementation of the Core Banking Software and development of an effective and timely MIS. In addition, the Bank attempted to cover other corporate functions like International Banking Transactions, Bank Guarantees, Letters of Credit, etc.

Selection of CBS application software viz. “OMNI Enterprise”: By the time computerization of Branches was nearing completion, the Bank realized the need to implement the Core Banking System (“CBS”) with centralized architecture so as to cater to functional requirements of the Bank, client / customer expectations for new services, and technological advancements. Therefore, during 2009, the Bank decided to migrate its operations to CBS (from TBA).

In view of the large customization requirements, familiarity with the MSCB-specific functionality and to maintain continuity of operations including User Interface of the Application, it was decided to select and implement ITL’s “OMNI Enterprise” application software product to ensure smooth transition from TBA to CBS.

Implementation of CBS: During April 2009 to March 2011, the Bank completed the various activities towards implementation of CBS as mentioned below in brief:

• Establishment of Data Center (“DC”) at HO Mumbai
• Establishment of Disaster Recovery (“DR”) Site at RO, Pune
• Installation of Computer Hardware, Networking Equipment, System Software for Data-center for CBS.
• Provision of Connectivity / Bandwidth for DC, DR, Regional Office (“RO”), Pay Offices (“PO”) and Branches
• Migration of HO Branch - Application and Data to OMNI Enterprise CBS software
• Provision of Facility Management Services (“FMS”) at DC & DR to manage the DC and DR operations.
• Installation of Oracle Database Servers, Benchmarking, and installation of OMNI Enterprise Application Software Suite
• Selection of Core IT Staff and their training from C-DAC.
• Unification of Master Data (Customer Code / Account Number, GL Heads, Product Codes, etc.) across the Bank offices
• Migration of Data of HO, ROs, POs and Branch Offices and implementation of Connectivity in a phased manner for all 56 locations.
• Implementation of Integrated Personnel Management System
• Installation of other Hardware such as Servers, Desktops for HO Departments, RTGS, CCIL and Branch Offices etc.

As a result of the completion of the above activities, the Bank is in a position to generate the consolidated Balance Sheet / Trial Balance and other reports on a Centralized Database from March 31, 2011 onwards.

At present, all locations (HO, ROs, IBD, and Branch Offices totaling 50) are connected to DC and DR with Primary (MPLS / Leased Lines) and Secondary (ISDN) lines for CBS.

At present the remaining modules such as LOC, BG, Nabard Borrowings, Cash Credits Banking etc. of the CBS Application OMNI and the remaining part of the MIS are being developed / provided by Infrasoft Tech in a phased manner.

The details of the Hardware, the System Software, Networking Equipment and the CBS Application Software installed and implemented are as follows:

2.5 Hardware / System Software and Networking / Other Equipment installed currently at the MSCB are as under:

2.5.1 At DC site, Head Office, Fort, Mumbai:

Hardware - Database Servers (3 nos.) IBM Intel Xeon with adequate Storage, Redundant SAN Switches, Backup Devices, IBM Blade Servers for Applications (12 nos.), Intel Xeon Rack Servers for RTGS, CCIL, VARR, HR, etc., UPS, Precision AC System

NETWORKING EQUIPMENT (mainly from CISCO) - Core Routers, Switches (L2/L3), Firewalls (CISCO / Fortigate), etc.

2.5.2 At DR site, Pune:

Database Servers (1) IBM Intel Xeon, Backup Devices, IBM Rack Servers for Applications (2), Intel Xeon Rack Servers for RTGS, CCIL, VARR, HR, etc., UPS, and AC System

NETWORKING EQUIPMENT (mainly from CISCO) - Core Routers, Switches (L2/L3), Firewalls (CISCO / Fortigate), etc.

2.5.3 At each Branch / Other (Regional / Pay) Offices:

Tower-top Servers (1) IBM Intel Xeon, CISCO Router, Switch (L3), and Desktop PCs

2.5.4 System Software

REDHAT Linux for Database Servers, ORACLE 11g as RDBMS, Windows Server Editions (32 bit, 64 bit) and Windows Desktop for clients.

2.6 The Applications / Systems implemented are as follows:

2.6.1 Modules Implemented at MSCB BY INFRASOFT

Branches

• Checking Accounts (Savings / Current / Cash Credit / Overdraft)
• Term Deposit Module with Auto generated receipt Number
  o Receipt is classified according to purpose Code.
  o Friday Position Report (R041806) is generated
  o Rate wise and Period wise Report (R020238) is generated.
  o Purpose wise Term Deposit Balance Certificate (R020217)
  o Customer Level Term Deposit Interest Certificate (R020254)
  o Daily Position of Fixed Deposit (R020544)
  o Form 26QA program window based (R020366)
• Advances Module
• Outward Bills for Collection Module
  o Other Bills for Collection – Covering Letter (R060116)
• Inward Bills Collection Module
  o Customer Advice for Realization of Inward Bills (R054087)
• Inward and Outward Clearing Module
• Electronic Clearing System Module
• Cash Module
  o Monthly Cash position Statement (R011188)
• Dead Stock Module
• Safe Deposit Locker Module
• Sundry Creditors and Sundry Debtors Module
• Anti Money laundering (AML)

Regional Offices

• Drawal based disbursement Module for the Sugar factories, Spinning Mills, Spinning Co-operative Societies

Head Office

• Checking Accounts (Savings / Current / Cash Credit / Overdraft)
• Centralized Inward Clearing for Branches and Sub members of the Bank.
• Term Deposit Module with Auto generated receipt Number.
  o Receipt is linked to purpose Code.
  o Friday Position Report (R041806) is generated.
  o Rate wise and Period wise Report (R020238) is generated.
  o Purpose wise Term Deposit Balance Certificate (R020217)
  o Customer Level Term Deposit Interest Certificate (R020254)
  o Daily Position of Fixed Deposit (R020544)
  o Form 26QA program window based (R020366)
• Advances Module
• Outward Bills Collection Module
  o Outward Bills for Collection – Covering Letter (R060116)
• Inward Bills for Collection Module
  o Customer Advice for Realization of Inward Bills (R054087)
• Remittances
• AIMAS Module for Demand Draft / Mail Transfer / Telegraphic Transfer
• Various Advices are generated.
• ID based Signature View Program.
• Borrowing Module.
• Instruments with Special Series
• Electronic Clearing System Module
• Cash Module
• Dead Stock Module
• Sundry Creditors and Sundry Debtors Module
• Cheque Truncation System CTS 2010

2.6.2 P2B (Software for HRDM at Head Office)

• Payroll
• Provident Fund
• Leave
• Service Register
• Income Tax
• Pension

2.6.3 RTGS and CCIL Servers

Software installed as per RBI Guidelines:

• Real Time Gross Settlement
• PDO Negotiated Dealing System
• Structured Financial Messaging System – National Electronic Funds Transfer
• CROMS, GILTS, FOREX, NDS CALL


2.6.4 Treasury Departments

Kastle – Treasury, KastleVAR: - 3i Infotech Ltd.

DP Back Office – CMC Ltd.

2.6.5 CPID Department, Vashi :

Kastle ALM (Asset Liability Management)


3. Invitation of Offers:

3.1 The Maharashtra State Co-operative Bank Ltd (MSCB) invites sealed offers (in duplicate) from eligible, reputed companies / firms for Quick Information System Audit of Core Banking, Data Centre, Networking Infrastructure and Other Integrated Systems of The Maharashtra State Co-Operative Bank Ltd., Head Office, Fort, Mumbai as per the terms and conditions of this Tender.

3.2 The Tender document may be obtained by paying a non-refundable fee of Rs. 1000/- (Rupees One thousand only) in cash or in the form of demand draft in favor of “The Maharashtra State Cooperative Bank Ltd, Mumbai” payable at Mumbai, from the office of The Managing Director of the Bank during office hours between 11.00 am to 16.00 pm. The same may also be downloaded from the official website of MSCB and may be submitted along with non-refundable fee of Rs. 1000/- (Rupees One thousand only) in the form of demand draft as mentioned herein before. The details are given below:

Document Reference: MSCB/ITD/ SYS-AUDIT /291/2015-16
Price of Tender Document: 1000/- each by Cash or Demand Draft Only
Date of Commencement of Sale of Document: 11.01.2016, 11.00 a.m.
Last Date of Sale of Documents: 01.02.2016
Pre Bid Meeting: 18.01.2016 at 11.30 a.m.
Last Date and Time for receipt of offers from Vendors: 02.02.2016 up to 3.30 p.m.
Address for Communication: Manager, ITD, The Maharashtra State Co-operative Bank Ltd, 9, Maharashtra Chambers of Commerce Lane, Fort, Mumbai - 400 001.
Contact Telephone Numbers: 022-22800502 / 712
FAX Numbers: 022-2204 24 84 / 2204 34 21
Email ID: [email protected]


4. Bank’s Objective:

The Bank’s objective is to assess the present status of its IT systems as compared to the last system audit carried out. The purpose of conducting a Quick / Basic Systems audit of information systems and IT infrastructure is to get basic assurance from a third-party auditor that:

• BANK’S information systems and data are secure, integrated and accurate throughout processing.
• BANK’S information assets / resources (hardware / software) are secured against unauthorized access / usage / damage / changes
• BANK’S networks are protected
• BANK’S computer operations are carried out in a controlled environment.
• Effectiveness of controls exercised by out-sourced vendors for Facility Management Services
• BANK has appropriate controls for
  o systems development life cycle
  o project management
  o implementation
• BANK has complied with all required statutory requirements based on last audit report


5. The Scope of the Project:

5.1 System Audit of CBS Network, Data Centre, CBS-Back office, Head office and 3 Branches & 2 Regional Offices on ad hoc basis.

5.2 CBS Back Office and Data Centre functional audit covering User / Help Desk /Parameters / Access / Back end corrections /Change Management etc.

5.3 Systems audit of Core Banking Applications including OMNI Enterprise - CBS main Application etc. from Infrasoft Technology India Ltd. Mumbai. Broad areas to be covered are as per Annexure -I.

5.4 Network Audit, NMS (Network Monitoring system) & Administrative Process with report and recommendations. Broad areas to be covered are as per Annexure - II.

5.5 Process audit of minimum 5 CBS Regional offices/ branches with focus on basic operational control like password controls, control of user ids, operating system security, anti-malware controls, maker checker controls, segregation of duties, rotation of personnel, physical security, review of exception reports/audit trails.

5.6 Quick assessment & Systems Audit of the Information Systems of Standard applications and legacy applications (either integrated with Core Banking Solution or working as standalone) such as:

a. Depository participant - Controlling office Credit Card Centre
b. Treasury Branch - Treasury Domestic / Forex / Wealth Management System
c. Anti-Money Laundering / KYC / Customer verification
d. M I S
e. R T G S / NEFT
f. H R M S / Payroll / P F
g. Risk Management
h. Service Branch (in-house clearing software) Forex related software
i. Financial Inclusion application
j. Cheque Truncation System (CTS 2010)

5.7 Review of current Security measures provided and recommendations on its improvement.

5.8 Record Management / Record processes and controls

• Policies for media handling, disposal and transit
• Procedures of handling, storage and disposal of information and media
• Storage of media backups
• Protection of records from loss, destruction and falsification in accordance with statutory, regulatory, contractual and business requirements


6. Deliverables Under Systems Audit:

Systems Auditor will deliver detailed reports covering the following, adopting System Audit norms applicable in India:

• Data Centre Audit Report
• CBS Application System Audit
• Interface Application
• RO / Branch Wise Audit Report
• Network / Wide Area Network Audit Report

7. Eligibility/Evaluation criteria for the bidder:

7.1 The bidder should be a registered company/firm under the Indian Companies Act 1956, should be in existence for at least five years as on 31.03.2015 and should have three years’ experience in Information System Audit of Banks and Cooperative Banks as one of its major sources of revenue.

7.2 The bidder company should have a minimum yearly turnover of Rs. 10 Lakhs (Rs. Ten Lakhs in the last three financial years from the assignments carried out in the area of Systems Audit from operations in India). The bidder should have made net profits in succession for the last 2 years. The relevant documents to be submitted as part of the proposal are the last three financial years’ audited Balance Sheets and Profit & Loss Account reports, along with the technical Bid. Bidders are requested to give the information with proof / certificates of experience in accordance with the requirement so that the evaluation process can be expedited.

7.3 The company should have never been blacklisted / barred / disqualified by any regulator / statutory body and the bidder/firm is otherwise not involved in any such incident whatsoever, where the job undertaken / performed and conducted has been questioned by any authority, which may lead to legal action. Self-declaration to that effect should be submitted along with the technical Bid. On a later date if self-declaration is found to be void it may entail disqualification.

7.4 Should have prior experience in application functionality, security and controls review of the core banking solution for at least 2 scheduled banks /cooperative banks in India in the past 3 years.

7.5 Should have conducted penetration testing and vulnerability testing in at least 2 Scheduled banks / cooperative banks in India and should have sufficiently trained technical resources to conduct the tests.

7.6 Should have resources that are trained on the Core Banking solutions.

7.7 To ensure audit independence, the bidder should not be a vendor / consultant for supply / installation / maintenance of Hardware/Software components of the Bank or involved in implementing Security & Network infrastructure of the Bank, but excluding Systems Audit Services, either directly or indirectly through a consortium, in the past three years to MSCBank. However, the Bank reserves the right to decide if any of the activities mentioned above affects the auditor’s independence or not for the current audit assignment at its own discretion.

7.8 The Core Audit team assigned for Information Security Audit of the Auditee, should have at least three qualified professionals with qualifications such as CGEIT (Certified in the Governance of Enterprise IT) / CISA / CISSP /CCNA / CCNE /ISO 27001/ BS7799 Lead Auditor / OCM & OCP, out of which at least one person should be CISA certified. Bidder must warrant that these key project personnel to be deployed in this project have been sufficiently involved in similar projects in the past. Bidders should provide information about such key project personnel who are proposed to be part of the Systems Audit team along with the Bid Document. Bidder should ensure that the members of Core Audit team are actively involved in the conduct of the Audit throughout the period of the contract.

7.9 The bidder should have conducted minimum three Systems audits of Data Centre / DRS etc. connected with minimum 20 branches / Offices during last 3 years, out of which at least two audits should be for Scheduled banks in India. The proposal should include certificates stating successful completion of the mentioned audit engagements. The conduct of Systems Audit as mentioned above should include:

I. Security assessment of servers / security equipment / network equipment
III. Review of compliance of systems and procedures as per Organization’s IT Policy / guidelines.
IV. Systems Audit of Core Banking Application suite.

(Conduct of audit of any one activity will not be considered as complete Systems Audit of Core Banking / data center / DR Site)

7.10 Qualified professionals to be deployed for the job.

The entire Security Audit work has to be done by qualified CISA/CISSP Professionals having requisite expertise in Systems Audit. The Bank expects that the Systems Audit should be completed and the report submitted within four weeks. If a bidder does not agree and wishes to quote a different time period, he / she should mention so very clearly. Only persons having CISA/CISSP/GIAC (SANS)/BS7799 qualifications and with adequate experience will be utilized by the Systems Audit firm for auditing the Information Systems security architecture.


The Chart for Evaluation would be as follows:

Sr. No. | Particulars | Max Marks | Marks Obtained
1 | Company Turnover | |
  | i) Rs. 10 Lakhs to less than 50 Lakhs | 4 |
  | ii) Rs. 50 Lakhs to less than 1 Crore | 4 + 2 = 6 |
  | iii) Rs. 1 Crore to less than 4 Crores | 6 + 2 = 8 |
  | iv) Rs. 4 Crores and above | 8 + 2 = 10 |
2 | Experience of Conducting System Audit during last 3 years | |
  | i) 2 IS audit of Data Centre / DRS | 4 |
  | ii) More than 2 and less than 4 IS Audit | 4 + 2 = 6 |
  | iii) More than 4 and less than 8 IS Audit | 6 + 2 = 8 |
  | iv) More than 8 | 8 + 2 = 10 |
3 | Penetration testing and Vulnerability testing | 15 |
4 | Qualification (5 prof x 5 marks each = Total 25 Marks) (For 5 qualified professionals) | |
  | a) Educational Qualification | 2 |
  | b) Total Experience of System Audit | 1 |
  | c) Experience in handling Projects | 1 |
  | d) Knowledge of Marathi | 1 |
5 | Financial | 20 |
6 | Presentation | 20 |
  | Total | 100 |

Note: The vendors who secure minimum 50 marks in technical bid are qualified for opening of financial bids.

8. General compliance to Regulations of Reserve Bank of India / NABARD / other Regulatory bodies and agencies:

The Systems Auditor will also undertake to comply with all the requirements of the guidelines of Reserve Bank of India or other appropriate agencies as regards Information Systems Standards issued from time to time.

9. BIDDERS INFORMATION (along with Envelope-1 Technical Bid):

1. Name
2. Constitution and year of establishment
3. Registered Office / Corporate office / Mailing Address
4. Names & Addresses of the Partners if applicable
5. Contact Person(s)

6. Telephone, Fax, e-mail
7. Number of CISA Qualified persons working in your firm along with names and experience.
8. Number of CISSP Qualified Persons working in the firm along with the names and experience.
9. Number of BS7799 OR equivalent lead auditors working in the firm along with the names and experience.
10. Qualified network professional
11. Qualified ethical hackers
12. Number of years of experience in Information System Audit.
13. Describe Project Management methodology for the proposed Systems Audit assignment, clearly indicating about the composition of various teams.
14. Describe Audit Methodology and Standards to be used for Systems Audit.
15. Indicate Project Plan with milestones and the time frame of completion of different activities of the project.
16. List of Deliverables as per the ‘Scope of Work’.
17. Role and responsibility of MSC Bank and the Audit firm. Explain other requirements from MSCBank, if any.
18. Please give details of Information System Audit of Core Banking System carried out for Scheduled Commercial / Co-operative Banks in the past 3 years. Please give the details of services and the scope.
19. Please give brief financial particulars of your firm for the last 3 years along with the volume of business handled. (The information will be kept confidential)
    1. Net Profit/Loss
    2. Total Turnover
    3. Revenue earned from Systems Audit.
20. The team must have experience in SYSTEMS audit of Security Technologies with multiple certifications such as RSA, CISCO Pix, Check Point, ISS, and Trend etc.
21. Capabilities for offering automated penetrative checks.
22. Specify that technical consultants are certified on types of tools to be used for audit.
23. Details of Location and infrastructure of Security Operations Centre from where services such as external vulnerability analysis and penetration testing are conducted / managed.
24. Capability on security remote management for security checking and device management.
25. Details of Internal expertise in networking, application development, security integration with application.
26. Details of largest Information System Audit executed including the scope, service cost and details of services.
27. Any other related information, not mentioned above, which the audit firm wish to furnish.

DECLARATION

We hereby declare that the information submitted above is complete in all respects and true to the best of our knowledge. We understand that in case any discrepancy or inconsistency or incompleteness is found in the information submitted by us, our application is liable to be rejected.

Date:

Authorized Signatory.

Note:

The Technical Bid shall include the detailed project plan corresponding to the deliverables as required by MSCBank for the Project. The project plan should indicate the milestones and time frame of completion of the different activities of the project. The audit firm is required to give details of the project management methodology, Audit Standards and methodology along with the quantum of resources to be deployed for the project, in the technical bid. Resources and support required from the MSC Bank may also be clearly defined.

10. FORMAT OF CURRICULUM VITAE (CV):

For Key Personnel (team leader/s) likely to be associated with the SYSTEMS Audit of CBS (Separate sheets for each person)


Position:

Name of Firm:

Name of Personnel:

Profession:

Date of Birth:

Years with Firm:

Nationality:

Membership of Professional Societies:

Detailed Tasks Assigned: (past 5 years) (Giving an outline of person's experience and training most pertinent to tasks on assignment. Describe degree of responsibility held by the person on relevant previous assignments and give dates and locations)

Employment Record: (Starting with present position, list in reversed order)

Qualifications Technical and Academic with year of passing:


11. COMMERCIAL BID (Envelope-2 Commercial Bid)

The Commercial Bid should contain the Total project cost, on a fixed cost basis in Indian rupees. MSCBank will not provide any reimbursement for traveling, lodging/boarding, local conveyance or any other related expenses.

11.1 The format for the commercial bid is given below :

Serial No. | Name of the Task | Cost Rs. | Taxes Rs. | Total Cost Rs. | Time in number of Weeks
01 | System Audit of Core Banking Application Suite CBS All related Modules for Head Office and Branch operations | | | |
02 | System Audit of other applications used in the Bank | | | |
03 | System Audit of 3 Branches & 2 Regional offices of the Bank | | | |
04 | System Audit of Data Center including Network management and Network Security Audit | | | |
05 | All other items mentioned in the Scope. | | | |

TOTAL Cost in Rs. 00

Total time in number of weeks. 00 00 00

We are aware that only the total amount inclusive of taxes will be reckoned for lowest cost. TDS will be deducted from the amount at the rates prevailing as on the date of payment.

Date: Authorized Signatory.


12. Contents of document to be submitted:

The bidder shall submit the following:

Envelope-1 Technical Offer.

1) Bidder’s Information as per format
2) Acceptance of the terms and conditions as contained in this document.
3) Supporting documents in respect of proof of Systems Audit for Internet Banking / Core Banking Services issued by the Head of the I T Department of the Bank.
4) Total turnover with break-up towards SYSTEMS Audit.
5) Resume of the qualified professionals on the rolls of the company who will be involved in the audit of our bank.
6) Bid security for Rs. 10,000/- (Rupees Ten thousand only) in the form of Demand Draft in favor of the Maharashtra State Co-operative Bank Ltd. payable at Mumbai.
7) Power of Attorney of the person signing the document.
8) Articles of Association, Memorandum of Association of the company.
9) Audited balance sheets for the last three years

Envelope-2 Commercial Offer.

10) Commercial offer (as per format) in separate sealed cover


13. Other Terms and Conditions

13.1 Vendors should note that there will be no negotiations on their commercial offer hence final

offer should be quoted. 13.2 Two Bid System Tender

Offers (Technical & Commercial) in duplicate must be submitted, giving full particulars as required, in two separate sealed envelopes at the address given below, on or before -02.02.2016 up to 3.30 p.m.Both the envelopes should be securely sealed and stamped.

The envelopes must be super-scribed with the following information:

• Type of Offer (Technical or Commercial)
• Tender Reference Number
• Name and address of Vendor

ENVELOPE -1 (Technical Offer):

The Technical offer (T.O.) should be complete in all respects and contain all information asked for, except prices. The T.O. should cover all items asked for. It should not contain any price information. The T.O. should be complete to indicate that all the services asked for are quoted. If the Tender document is downloaded from the Website, then a DD of Rs. One Thousand only towards the cost of the Tender document should be enclosed, as mentioned herein before, along with the T.O.

ENVELOPE-II (Commercial Offer):

The sealed Commercial Envelope will contain Commercial offer for the MSC Bank requirements as per the format mentioned in the Tender document.

The Commercial Offer (C.O) should give all relevant price information and should not contradict the T.O. in any manner. These two envelopes containing the Technical and Commercial Offer should be separately submitted.

13.3 Pre Bid Meeting

Pre Bid meeting of the vendors collecting the tender document will be held on 18.01.2016 at 11.30 a.m. before the last date of submission of the offers at our Head Office, Mumbai. During the Pre-bid meeting only those queries communicated by the Vendors (who have collected the Tender) in writing (by email to the Manager, ITD, MSC Bank) at least two working days in advance will be discussed and clarified.

13.4 Non-transferable.

The Vendor, if selected, will not be allowed to subcontract the work under the Tender as it is non-transferable.

13.5 Offer validity Period

The offer should remain valid for a period of 90 days from the date of the Offer.

13.6 Address of Communication.

Offers should be addressed to the following Authority at the address given below:

The Managing Director,
The Maharashtra State Coop. Bank Ltd.
Head Office, Sir Vitthaldas Thackersey Memorial Building,
9, Maharashtra Chambers of Commerce Lane,
Fort, MUMBAI - 400 001.

Tel Nos: 022-22800502/ 2204 6331. Fax No. 2204 2484.

Offers should be submitted to:

The Manager, Information Technology Division 1st Floor, Head Office of the Bank at the above address. The Email Id for communication is [email protected], Tel. 022-22800600/712

13.7 Opening of Offers by MSCB

Technical Offers will be opened by MSC Bank and scrutinized for validity and eligibility, and clarifications might be sought from the Vendors, if required. Commercial offers of only those Vendors whose Technical Offers are found to be valid and eligible will be opened. Only the offers received within the prescribed date and time will be considered.

13.8 Preliminary Scrutiny

MSCB will scrutinize the Technical offers to determine whether they are complete, whether any errors have been made, whether required technical documentation has been furnished, whether the documents have been properly signed, and whether the offers fulfill the eligibility criteria.

13.9 Clarification of Offers

To assist in the scrutiny, evaluation and comparison of offers, MSCB may, at its discretion, ask some or all vendors for clarification of their offer. The request for such clarifications and the response shall be in writing only.

13.10 No Commitment to Accept Lowest or Any Offer.

MSCB shall be under no obligation to accept the lowest or any other offer received in response to this Tender and shall be entitled to reject any or all offers, in part or in full, without assigning any reason whatsoever.

13.11 Short-listing of Vendors.

MSCB will short list technically qualifying vendors and commercial offers of only these vendors will be opened.

13.12 Documentation.

All documents and information asked for in the Tender document should be furnished in the Bid, failing which the Bid is likely to be rejected.

13.13 Furnishing of Technical Details

It is mandatory to provide the technical details and other details asked for along with the offer. The offer may not be evaluated by MSCB in case of non-submission or partial submission of technical/important details.

13.14 Format for Technical Offer

The Technical Offer must be submitted in an organized and structured manner. No brochures / leaflets etc. should be submitted in loose form.

The required format for submission of technical offer is as follows:

1. Index
2. Covering letter
3. Technical Offer complete with all the details and the information asked for about the Vendor.
4. Details of Track Record/experience/expertise.
5. Terms and Condition Compliance Table. This table must cover vendor's response to all the terms and conditions specified in the Tender document
7. Cost of the Tender document as mentioned in the Tender, if downloaded from the Net.

13.15 Format of Commercial offer

a. Covering letter
b. Price Schedule along with the service delivery schedule in the format prescribed.

13.16 Erasures or Alterations

The offers containing erasures or alterations will not be considered. There should be no hand-written material, corrections or alterations in the offer. Technical details must be completely filled up. MSCB may treat offers not adhering to these guidelines as unacceptable.

13.17 Track Record of similar Projects executed.

The vendor should provide proof of the required relevant experience and expertise in delivering the services asked for in the Tender in the most satisfactory manner.

13.18 Location of the center from where the Services asked for are proposed to be delivered should be mentioned clearly.

13.19 Earnest Money Deposit

The Vendors are required to deposit Rs. 10,000/- (Rupees: Ten thousand only) as Earnest Money Deposit. Offers made without EMD will be rejected. The EMD should be in the form of Valid Bank Draft payable at Mumbai in favor of "The Maharashtra State Co-operative Bank Ltd." or a Bank Guarantee. Interest will not be paid on EMD amount. EMD money will be adjusted / refunded within one month from the date of financial bid opening based on allocation of project to concerned vendor.

13.20 Quality Standards.

The vendor is required to adopt highest Quality standards while working on the Project.

13.21 Costs & Currency

No cost Escalation will be allowed. All prices should be fixed prices and quoted in INR.

13.22 Fixed Price

The price in INR shall be exclusive of all taxes and levies applicable on actual basis.

13.23 Payment Terms.

The Systems Audit Service Provider’s fees will be paid in the following manner:

• 10% of the Systems Audit Service Provider’s fees after two weeks of commencement of the audit work and on submission of audit plan / procedures and methodology covering all the points as per Scope of Work for Systems Audit.
• 30% of the Systems Audit Service Provider’s fees on submission of Draft Report/s.
• 30% of the Systems Audit Service Provider’s fees on presentation of and discussions on the Draft report/s with the top management
• 30% of the Systems Audit Service Provider’s fees on submission of Final Audit Report/s covering all the points as per the Scope of Work.

13.24 Signing of Contract.

The successful bidder shall be required to enter into a contract with MSC Bank, within 30 days of the award of the tender or within such extended period as may be specified by MSC Bank, on the basis of the Tender Document, the offer of the successful bidder, Work Order and the letter of acceptance and such other terms and conditions as may be determined by the Bank to be necessary for the due performance of the work.

13.25 Delays in the Information System Audit.

The Information System Auditor (the Vendor) must strictly adhere to the audit schedule, as committed and specified in the work order.

13.26 Support from MSC Bank.

The vendor has to clearly mention what support is required to be given by the Bank to the Vendor for / while executing the project in terms of manpower, space, equipment, other facilities etc. It may be noted that MSC Bank will not make any payments towards reimbursement of any expenses for local travel, food and any other sundry expenses incurred by the vendor for the project.

13.27 Order Cancellation

MSCB reserves its right to cancel the order in the event of one or more of the following conditions:

Delay in delivery of services as committed.

Quality of deliverables

Resources availability

Skill Sets of Resources conducting Audit

Performance Issues

Incompetent personnel carrying out job at bank on behalf of vendor

13.28 Right to Alter Scope of work.

In case it is required, in the interest of the Bank, to make any changes in the scope of the work, the Bank reserves its right to do so with the mutual consent in writing of the bank and the vendor.

13.29 Indemnity

Vendor shall indemnify, protect and save MSCB against all claims, losses, costs, damages, expenses, actions, suits and other proceedings resulting from infringement of any patent, trademarks, copyrights etc. or such other statutory infringements in respect of all the Services etc. supplied by him.

13.30 Publicity

Any publicity by the vendor in which the name of MSCB is to be used should be done only with the explicit written permission of MSCB.

13.31 Resolution of Disputes

MSCB and the vendor shall make every effort to resolve amicably, by direct informal negotiation, any disagreement or dispute arising between them under or in connection with the contract. If after thirty days from the commencement of such informal negotiations, MSCB and the vendor have been unable to resolve amicably a contract dispute, either party may require that the dispute be referred for resolution by formal arbitration.

All questions, disputes or differences arising under and out of, or in connection with the contract, shall be referred to two Arbitrators: One Arbitrator to be nominated by MSCB and the other to be nominated by the Vendor. In the case of the said Arbitrators not agreeing, then the matter will be referred to an umpire to be appointed by the Arbitrators in writing before proceeding with the reference. The award of the Arbitrators, and in the event of their not agreeing, the award of the Umpire appointed by them shall be final and binding on the parties. The arbitration and reconciliation act 1996 shall apply to the arbitration proceedings and the venue of the arbitration shall be Mumbai.

Annexure – A

Tender Offer Cover Letter

Date:

Tender Reference No. MSCB/ITD/ SYS-AUDIT/291/2015-16 Date: 11.01.2016

To: (Name and address of Purchaser)

Gentlemen:

Having examined the Tender document including all Annexures, the receipt of which is hereby duly acknowledged, we, the undersigned, offer our Services and Expertise in conformity with the said Tender document for the sum mentioned in the Price Schedule or such other sums as may be ascertained in accordance with the Schedule of Prices attached herewith and made part of this Bid.

We undertake, if our Bid offer is accepted, to commence the assignment within two weeks and to complete delivery of all the services and the deliverables committed as stipulated in the offer.

We agree to abide by this Tender offer till 90 days from the date of Offer. If we are selected, this Tender, together with your temporary/Final Work Order and our acceptance thereof, shall constitute a binding contract between us until a formal contract is prepared and executed.

We have read the various terms and conditions of the Tender under reply and hereby agree to abide by the same. We hereby state that we satisfy all the terms and conditions of the Eligibility criteria mentioned in the Tender and therefore feel eligible to submit our proposal.

We hereby submit our Technical as well as Commercial Proposal together with EMD and other information as required in duplicate separately in sealed envelopes.

We have submitted herewith the following documents.

1. Offer cover letter (Annexure - A)
2. Details of the vendor / bidder as per the format.
3. All other information as required in the Tender.
4. Terms and conditions compliance Table
5. Pricing/delivery schedule Table in the format prescribed.

The required EMD and the cost of Tender document, Rs. One thousand only (if downloaded from the website), is/are also enclosed in the form of DD along with the Offer.

We understand that you are not bound to accept the lowest or any offer you may receive.

Dated this ______ day of _______.

Signature: ______________________

(In the capacity of): _______________

Duly authorized to sign the Tender offer for and on behalf of

Encl:

Authorized Signatory for _______________

Contact person.

Date:

Address & Seal:

Note: All pages of Annexure ‘A’ should be signed and sealed by authorized representative of bidder. The authority letter in favor of signatory should also be enclosed. The Request for Proposal document should also be signed and sealed and enclosed with Annexure ‘A’ in sealed envelope.

Annexure - I

Scope for Systems Audit of Core Banking Solution ("CBS") Software

1. Input controls
2. Processing controls
3. Output controls
4. Logical access control
5. Controls over automated processing / updation of records, review or check of critical calculations such as interest rates, repayment schedule, etc., review of the functioning of automated scheduled tasks, output reports design, reports distribution, etc.
6. Auditability both at client side and server side including sufficiency and accuracy of event logging, SQL prompt command usage, Database level logging all other interfaces with other applications etc.
7. Extent of parameterization.
8. Functionality.
9. Internal control built in at application software level, database level, server and client side
10. Backup/Fallback/Restoration procedures and contingency planning.
11. Suggestion with respect to application software to improve internal controls.
12. Manageability with respect to ease of configuration, transaction roll backs, time taken for end of day, day begin operations and recovery procedures
13. Software Audit Assessment on following items:
    • Hard coded user-id and password
    • EDI, Web Server and other interfaces at Network level, Application level
    • Recovery and restart procedures
    • Sufficiency and coverage of UAT test cases, review of UAT defects and tracking mechanism deployed by vendor and resolution.
14. Testing / re-testing and acceptance Review of customizations done to the software
15. Suggest any application specific Audit tools or programs
16. Review of Software benchmark results and load and stress testing of IT infrastructure performed by the Vendors
17. Adequacy of Audit trails and meaningful logs
18. Adherence to Legal and Statutory Requirements.
19. Adequacy of antivirus measures at CBS environment.
20. Adequacy of hardening of all Servers (data center and branches) and review of Application of latest patches supplied by various vendors for known vulnerabilities as published by CERT, SANS etc.
21. Apart from the Systems Audit of the application software, Systems Audit should be carried out at Data Center and at least ten branches.

Annexure - II

Scope for Systems Audit of Network Infrastructure Components, Networks and Application Security

1. Net Scanning – General threat and security Assessment: It is the process of measuring and prioritizing the risks associated with network- and host-based systems and devices to allow rational planning of technologies and activities that manage business risk.
   a. Password Cracking
   b. Intrusion Detection System / Intrusion prevention system Testing
   c. Firewall
   d. Router Testing
   e. Denial of Service (DOS) Testing
   f. Distributed DOS Testing
   g. Containment Measures Testing
   h. While doing the penetration test on Servers in live environment the ISA should ensure optimum performance of the systems.

2. Review of Network Monitoring Software (NMS) installed to monitor critical servers of the entire network including the branches for sizing etc., to monitor the network components of LAN & WAN, Fault Management, Performance Management of the network, Inventory Management, automatic discovery of network components etc.

3. NMS is also implemented for Proactive Monitoring, Reporting and to Generate Performance Reports of Core Banking Network. These functional capabilities need to be reviewed and audited.

4. Network Security Audit
   a. Physical and logical security measures, tools and processes implemented
   b. Configuration of Firewalls & Routers
   c. Effectiveness of Intrusion Detection system and / automated audit trail of all the users of network
   d. Check if adequate security is available in the various Network connectivity provided
   e. Check if remote logon is enabled and if so, whether it is identifiable by terminal IDs / IP addresses.
   f. Check if remote logon through services such as ftp, telnet, etc., is disabled. If not, ensure that the same has been implemented as instant guidelines.
   g. In case of WAN (Wide Area Networks), are the Routers maintained securely to ensure efficient Systems Administration.
   h. Focus should be on detecting the basic system security issues arising out of multiple access levels. Review the activities of Network Administrator/System Administrator and suggest Improvements and controls, if any, required.

5. Security Device Audit
   a. Configuration, policy/rule sets, signatures, Inspection, Logging, Location, redundancy, port restrictions, patches & updates, Administration & Management
   b. Firewalls (CISCO and FortiGATE)
   c. Network Intrusion Prevention Systems
   d. Host Intrusion Detection Systems

6. Big Fix: Patch Management

END of Document