retender final_1_2_3_4.pdf

Page 1

Tender through E-Procurement for Security Assessment

Document Title: Tender Specifications for Security Assessment
Document Type: RFP
Bid Type: Two part bids – Technical & commercial
CRFQ No: 1000246208
Date of RFQ: 03.12.2015
Pre-Bid Meeting: N.A.
Last Date for Submission of Bid: 17.12.2015 (15:00 hrs IST)
RFQ issued by: I S Dept., P & C Section, Bharat Petroleum Corporation Ltd., 1st Floor, CPO Building, “A” Installation, Sewree Fort Road, Sewree (East), Mumbai 400 015.



Page 2

Subject: Invitation of Tender for Security Assessment

Dear Sir / Madam,

1. You are invited to submit your offer in a two part bid for the subject job as per the technical specifications and on the terms & conditions contained in this tender document.

2. Please visit the website https://bpcleproc.in for participating in the tender and submitting your bid online.

3. Bidders are required to submit their bids in two parts consisting of the following, through this E-Tender.

i) Techno-Commercial Bid: This should contain all technical details, literature, leaflets etc., and confirmation of the commercial terms and conditions of the tender.

ii) Price bid: This should contain prices/taxes against the Bill of Materials.

4. On opening bids in the system on the tender due date and time, the technical bids will be opened first.

5. Commercial bids of only those bidders who qualify on the techno-commercial criteria will be opened and evaluated further.

6. The tenderers shall submit an interest-free Earnest Money Deposit of Rs. 1.00 lakh (Rupees one lakh only) by crossed account payee Demand Draft drawn on any nationalized/scheduled bank in favour of "Bharat Petroleum Corporation Ltd.", payable at Mumbai (applicable only to vendors not registered with BPCL). EMD is exempted for MSME and NSIC vendors subject to submission, along with the technical bid, of the details of MSME registration with the Directorate of Industries or any other competent authority and of NSIC registration, as applicable. The EMD of unsuccessful bidders will be returned in due course after evaluation of the price bids. The EMD of the successful bidder will be returned only after successful execution of the job against the Outline Agreement/Purchase Order and submission of the PBG (if applicable).

7. You should submit your techno-commercial & price bids through online mode on the BPCL e-tendering site.

8. BPCL does not take any responsibility for any delay in submission of the online bid due to connectivity problems or non-availability of the site, and/or non-receipt of the instrument (i.e. DD) due to postal delay. The EMD and NDA are to be submitted in physical form.

9. Incomplete tenders shall be liable for rejection without seeking any further clarification. We also reserve the right to reject any or all tenders without assigning any reasons whatsoever.

Yours faithfully,
For Bharat Petroleum Corporation Ltd.
Milind Mangalgiri
Sr. Manager IS (Procurement & Contracts)


Page 3

General Instructions to Tenderers for E-Tendering

1. Interested parties may download the tender from the BPCL website (http://www.bharatpetroleum.in), the CPP portal (http://eprocure.gov.in) or the e-tendering website (https://bpcleproc.in) and participate in the tender as per the instructions given therein, on or before the due date of the tender. The tender available on the BPCL website and the CPP portal can be downloaded for reading purposes only. For participation in the tender, please fill up the tender online on the e-tender system available at https://bpcleproc.in.

2. For registration on the e-tender site https://bpcleproc.in, you can be guided by the "Instructions to Vendors" available under the download section of the homepage of the website. As the first step, the bidder shall click the "Register" link and fill in the requisite information in the "Bidder Registration Form". Kindly remember the e-mail id (which will also act as the login ID) and the password entered therein. Once you complete this process correctly, you shall get a system-generated mail. Log in to the portal using your credentials. When you log in for the first time, the system will ask you to add your Digital Signature. Once you have added the Digital Signature, please inform us by mail to the vendor administrator [email protected], with a copy to [email protected], for approval. Once approved, bidders can log in to the system as and when required.

3. As a pre-requisite for participation in the tender, vendors are required to obtain a valid Digital Certificate of Class IIB and above (having both signing and encryption certificates) as per the Indian IT Act from the licensed Certifying Authorities operating under the Root Certifying Authority of India (RCIA), Controller of Certifying Authorities (CCA). The cost of obtaining the digital certificate shall be borne by the vendor.

In case any vendor so desires, they may contact our e-procurement service provider M/s. E-Procurement Technologies Ltd., Ahmedabad (Tel: +91 79 4001 6816 | 6848 | 6844 | 6868 and Tel: +91 22 65354113 | 65595111) for obtaining the digital signature certificate.

4. Corrigenda/amendments, if any, shall be notified on the site https://bpcleproc.in. In case any corrigendum/amendment is issued after the submission of bids, the vendors who have already submitted their bids shall be intimated about it by a system-generated e-mail. It shall be assumed that the information contained therein has been taken into account by the vendor. Vendors have the choice of making changes in their bid before the due date and time.

5. Price bids of only those vendors shall be opened whose techno-commercial bid is found acceptable to us. The schedule for opening the price bids shall be advised separately.

6. The tenderer is required to complete the following process online on or before the due date/time of closing of the tender:
- Technical bid
- Price bid

7. Directions for submitting online offers, electronically, against e-procurement tenders directly through the internet:

(i) Vendors are advised to log on to the website (https://bpcleproc.in) and arrange to register themselves at the earliest, if not done earlier.

(ii) The system time (IST) displayed on the e-Procurement web page shall be the time considered for determining the expiry of the due date and time of the tender, and no other time shall be taken into cognizance.


Page 4

(iii) Vendors are advised in their own interest to ensure that their bids are submitted in the e-Procurement system well before the closing date and time of the bid. If a vendor intends to change/revise a bid already submitted, they shall have to withdraw the bid already submitted, change/revise it and submit it once again. In case the vendor is not able to complete the submission of the changed/revised bid within the due date & time, the system will consider that no bid has been received from the vendor against the tender and consequently the vendor will be out of contention. A bid may be changed/revised in this way any number of times till the due date and time of the submission deadline. However, no bid can be modified after the deadline for submission of bids.

(iv) Once the entire process of submission of the online bid is complete, the vendor will get an automatic mail from the system stating that the bid has been successfully submitted in the tender, along with the tender details.

(v) Bids/offers shall not be permitted in the e-procurement system after the due date/time of the tender. Hence, no bid can be submitted after the due date and time of submission has elapsed.

(vi) No manual bids/offers along with electronic bids/offers shall be permitted.

8. For tenders whose estimated procurement value is more than Rs. 10 lakhs, vendors can see the rates quoted by all the participating bidders once the price bids are opened. For this purpose, vendors shall have to log in to the portal under their user ID and password, click on the "dash board" link against that tender and choose the "Results" tab.

9. No responsibility will be taken by BPCL and/or the e-procurement service provider for any delay due to connectivity and availability of the website. They shall not have any liability to vendors for any interruption or delay in access to the site, irrespective of the cause. It is advisable that vendors who are not well conversant with e-tendering procedures start filling up the tender well before the due date/time, so that there is sufficient time available to acquaint themselves with all the steps and seek help if they so require. Even for those who are conversant with this type of e-tendering, it is suggested to complete all the activities ahead of time. It should be noted that an individual bid becomes viewable only after the opening of the bid on/after the due date and time. Please be reassured that your bid will be viewable only to you and nobody else till the due date/time of the tender opening. The non-availability of viewing before the due date and time applies to the e-tendering service provider as well as BPCL officials.

10. BPCL and/or the e-procurement service provider shall not be responsible for any direct or indirect loss or damages and/or consequential damages arising out of the bidding process, including but not limited to system problems, inability to use the system, loss of electronic information etc.

In case of any clarification pertaining to the e-procurement process, the vendor may contact the following agencies / personnel:

For system related issues:
M/s. E-Procurement Technologies Ltd. at Tel: +91 22 65354113 | 65595111 and Tel: +91 79 4001 6816 | 6848 | 6844 | 6868, followed with an e-mail to [email protected].

For tender related queries:
a. Mr. Anil Satpute of BPCL at contact no. 022-2417 6210, followed with an e-mail to [email protected] (Commercial queries)
b. Mr. Asit Kumar Sethi of BPCL at contact no. 022-2417 6263, followed with an e-mail to [email protected] (Technical queries)

The responsible person for the tender is Mr. Milind Mangalgiri of BPCL at contact no. 022-2417 6123 / 2415 2723.


Page 5

1. INTRODUCTION

BPCL has always been at the forefront of implementing new technologies among PSU Oil & Gas sector companies in India. The fast pace of technology evolution in BPCL is introducing increased risks to its operating environment. BPCL has implemented SAP R/3. All the SAP solutions have been implemented in a three-system landscape, viz. Development, Quality Assurance and Production. SAP Portal has been deployed as an internal portal for customers, vendors, retired staff and partners to access over the internet. Besides standard SAP applications, we have developed and implemented many in-house web based applications using ABAP Dynpro, Java Dynpro, IBM Java and Microsoft .Net as development platforms. These applications are accessible from both the BPCL corporate network and the Internet. To provide secure access to internal and external users, we have a countrywide private network & security infrastructure as follows:

1. Network Switches and Routers
2. Internal Firewall, External Firewall, Virtual Private Network Device
3. Intrusion Prevention System
4. Secure Web Gateway
5. Security Information and Event Management System

BPCL requires services for assessment of vulnerabilities and penetration testing for its servers, network & security devices. BPCL is aiming for the following services:

1. Security Audits for Vulnerability Assessment (VA) and Penetration Testing (PT)
2. Application Security Audit
3. Cyber Security Mock Drill
4. Incident Lifecycle Review
5. Forensic Investigation
6. Security Workshops / Knowledge Sharing
7. Email Spear Phishing

The contract would be valid for 3 years. The tender is non-transferable.

2. Queries on technical and commercial aspects, if any, shall be addressed to Mr. Asit Kumar Sethi (e-mail ID [email protected]) / Mr. Anil Satpute (e-mail ID [email protected]).

3. EVALUATION METHODOLOGY

A. Technical Evaluation Criteria

Technical bids will be accepted only if they are in the prescribed format in the e-tender on/before the due date, with complete information as per the Annexure and the necessary documents or documentary proof in support of compliance. Only technically qualified bidders' bids will be evaluated further.

Technical Bids would be evaluated for following technical criteria:


Page 6

Criteria 1: The bidder should be in the CERT-In empanelled list, valid up to December 2015, published on the CERT-In website (www.cert-in.org.in).

Criteria 2: The bidder should have conducted at least three application security, forensic and VA-PT projects each in India within the last three years, of which at least one VAPT project should have had more than 200 devices in scope.

Criteria 3: The bidder must have a minimum of ten staff with CISA/CISSP/CISM/CEH certifications.

Criteria 4: The bidder must have the capability to execute VAPT, forensics and workshops at BPCL premises in Mumbai.

Criteria 5: The bidder should have executed a minimum of two SAP application security assessments on platforms like SCM, PS, PM, RE, FI&CO, PP, BI etc. in India and provide references.

Criteria 6: The tools used for scanning non-SAP systems should be tools mentioned in the Leaders or Challengers quadrant of the latest “Gartner Magic Quadrant for Application Security” report.

Criteria 7: The tools used for scanning SAP systems should be SAP certified.

B. Techno-Commercial Bid Evaluation

Price bids of technically qualified bidders will be evaluated using the criterion of ‘Overall Lowest Quote’ of Total Cost of Ownership (TCO). No charges other than those mentioned in the price bid shall be payable to the successful bidder.

4. SCOPE OF WORK (SOW)

4.1 BPCL shall not provide any tools that may be required by the successful bidder for conducting the VA-PT.

4.2 BPCL will not make any additional payment for usage of tools proposed by the successful bidder.

4.3 The successful bidder’s laptop will not be connected to the BPCL network. Hence, the VA/PT tools should be installed on BPCL’s hardware for scanning the infrastructure, servers and applications, if required to be done from BPCL premises.

4.4 Successful bidder is expected to clearly stipulate activities that will be conducted onsite (at Datacenter / Disaster Recovery Site) and those that will be carried out from the bidder’s premises.

4.5 The core team assigned for the services requested in this tender should have professionals in the following categories, with the valid certification mentioned against each:

4.5.1. Information Security (CISA/CISM/CISSP)
4.5.2. Network (CCNA/CCNP or equivalent)
4.5.3. Operating Systems (certification from Microsoft/Linux/Solaris/AIX)
4.5.4. Database (Oracle/MS SQL/DB2 etc.)
4.5.5. Ethical Hacking (CEH)

The successful bidder shall share the qualification details of the auditors prior to every assessment at BPCL.

4.6 After carrying out the VA-PT, application security audit, cyber security mock drill, forensic analysis & incident lifecycle review, the successful bidder is to deliver the following:

4.6.1. The assessment report of the findings (after filtering the vulnerabilities for false positives) for VAPT, application security assessment & incident lifecycle review. The report should contain:


Page 7

i. Identification of auditee
ii. Date, time and location of the audit
iii. Standard followed
iv. Summary of audit findings including identification tests, tools used and results of tests performed (like vulnerability assessment, penetration testing, application security audit etc.):
• Tools used and methodology employed
• Positive security aspects identified
• List of vulnerabilities identified
• Description of each vulnerability
• Risk rating or severity of vulnerability
• Category of risk: Very High / High / Medium / Low
• Test cases used for assessing the vulnerabilities
• Illustration of the test cases
• Proof/evidence (screenshot) of the vulnerabilities identified
v. Analysis of vulnerabilities and issues of concern
vi. Recommendations for corrective action as per industry standards and best practices.

4.6.2. All the summary reports submitted should be signed by technically qualified persons, and he/she should take ownership of the document submitted to BPCL.

4.6.3. Conduct a post-VAPT review / audit compliance check after implementation of the recommendations.

4.6.4. Share a final detailed review report with recommendations along with solutions.

4.7 The successful bidder shall submit the schedules and pre-requisites for the half-yearly VA-PT, security mock drill, spear phishing & incident lifecycle review audits 15 days prior to the activities.

4.8 The successful bidder shall furnish evidence (like copy of the license / PO & invoice etc.) of acquiring the SAP certified tools as per the tender criteria, valid for the contract period of three years, before the start of the scanning activity for the first time.

4.9 Workshop/ Session materials prepared by the bidder for BPCL purpose will be BPCL’s intellectual property.

4.10 Vulnerability assessment and penetration testing should cover BPCL’s information systems infrastructure, which includes network devices, security devices, servers, operating systems, databases, applications, systems configured with external IPs, websites, etc. of the locations mentioned below:

SL No | Location | Offices
01 | Mumbai | Corporate Datacenter (CDC)
02 | Greater Noida | Integrated Datacenter (IDC)

4.11 Vulnerability Assessment and Penetration Testing (VA – PT):

4.10.1 Vulnerability assessment and penetration testing should cover the Operating System layer, Application layer, Database layer, Network layer and Security layer.
4.10.2 A risk analysis for identifying and assessing risks associated with the VAPT should be submitted prior to the activity.
4.10.3 Tool based vulnerability scan.
4.10.4 The following testing activities need to be completed in the VAPT:

i. Information Gathering Scanning:
a. Network Scanning


Page 8

b. Port Scanning
c. Service Identification Scanning
d. Vulnerability Scanning
e. Malware Scanning

ii. Vulnerability Assessment:

Indicative list of checks carried out for servers: Operating Systems / Databases / Web servers / Exchange server / Active Directory

a. Number of administrative user accounts
b. Users with weak passwords and dormant accounts
c. Insecure registry settings / configuration files
d. Patches not applied / inadequate security configurations etc.
e. Server assessment (OS, security configuration etc.)
f. Security device assessment (IOS, security configuration etc.)
g. Website assessment (security configuration, security certificates, services etc.)
h. Vulnerability research and verification
i. Submit report as per point no. 4.6.

Indicative list of checks carried out for network & security devices: Routers / Switches / Firewalls / IPS etc.

a. Service configurations
b. Password security etc.
c. Firewall / ACLs (Access Control Lists)
d. Access mechanisms
e. SNMP configuration
f. Network device assessment (security configuration etc.)
g. Submit report as per point no. 4.6.
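One way to turn the network-device checklist above (service configuration, password security, SNMP configuration, access mechanisms) into repeatable audit logic, as an added example that is not part of the tender or of any bidder's tooling: a small Python checker run over an IOS-style configuration excerpt. Both configurations below are constructed for the example (host name, community strings, addresses and the placeholder secret are all made up); the severity labels follow the Very High / High / Medium / Low categories the report format in 4.6.1 asks for.

```python
import re
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ["Very High", "High", "Medium", "Low"]
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample running-config excerpt with the kinds of weak settings the
# checklist targets (not a real BPCL device, credentials are placeholders).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable password cisco123
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
 login
line vty 5 15
 transport input ssh
 login local
"""

# The same device after remediation (constructed as well).
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$placeholder$xxxxxxxxxxxxxxxxxxxxxx
snmp-server community Z7q-constructed RO 10
access-list 10 permit 10.10.0.0 0.0.0.255
no ip http server
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""


@dataclass
class Finding:
    check: str      # which checklist item the finding belongs to
    severity: str   # one of SEVERITY_ORDER
    detail: str


def _vty_blocks(lines):
    """Yield (header, stripped body lines) for every 'line ...' block in the config."""
    header, body = None, []
    for ln in lines + ["line END"]:        # sentinel flushes the last block
        if ln.startswith("line "):
            if header is not None:
                yield header, body
            header, body = ln, []
        elif header is not None:
            body.append(ln.strip())


def audit_config(text):
    """Return findings for a config text, ordered from most to least severe."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    findings = []

    # password security
    if "no service password-encryption" in lines:
        findings.append(Finding("password security", "Medium",
                                "service password-encryption disabled; line passwords stored in clear text"))
    has_secret = any(ln.startswith("enable secret") for ln in lines)
    if any(ln.startswith("enable password") for ln in lines) and not has_secret:
        findings.append(Finding("password security", "High",
                                "enable password used without enable secret (reversible encoding)"))

    # SNMP configuration
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", ln)
        if not m:
            continue
        community, mode = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            sev = "Very High" if mode == "RW" else "High"
            findings.append(Finding("SNMP configuration", sev,
                                    f"default community string '{community}' with {mode} access"))
        elif mode == "RW":
            findings.append(Finding("SNMP configuration", "High",
                                    f"read-write community '{community}' configured"))

    # service configuration
    if "ip http server" in lines:
        findings.append(Finding("service configuration", "Medium",
                                "clear-text HTTP management server enabled"))

    # access mechanisms: per vty block, check transport and source restriction
    for header, body in _vty_blocks(lines):
        if not header.startswith("line vty"):
            continue
        for b in body:
            if b.startswith("transport input") and "telnet" in b.split():
                findings.append(Finding("access mechanisms", "High",
                                        f"{header}: telnet permitted for remote management"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(Finding("access mechanisms", "Medium",
                                    f"{header}: no access-class restricts management sources"))

    findings.sort(key=lambda f: SEVERITY_ORDER.index(f.severity))
    return findings


def summarize(findings):
    """Count findings per report severity category."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}
```

Running audit_config on SAMPLE_CONFIG yields one Very High, three High and four Medium findings; on HARDENED_CONFIG it yields none, which is the before/after evidence the post-VAPT compliance review in 4.6.3 needs. The checks are deliberately string-based so they can be reviewed line by line against the device vendor's documentation before being trusted on real exports.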

iii. Penetration Testing:

This approach should be based on best practices refined over time and experience, adopting proven methodologies such as the Open Web Application Security Project (OWASP) and the Open Source Security Testing Methodology Manual (OSSTMM). For externally assessed IT components, the type of tests would differ based upon the level of privileges agreed and granted during the engagement.

Indicative list of checks to be carried out during penetration testing:

Step 1: Gather information about target
a. Check name server responses
b. Examine network perimeter
c. Conclude on architecture of the remote infrastructure

Step 2: System Fingerprinting
a. Normal port scanning
b. Port scanning with IDS evasion techniques
c. System fingerprinting (OS, services, etc.)


Page 9

Step 3: Vulnerability Assessment
a. Tool based vulnerability scan
b. Validation of the vulnerabilities and filtering of false positives

Step 4: Vulnerability Research & Exploitation
a. Exploitation of identified vulnerabilities
b. Gain privileged account from successful exploits
c. Scenario build-up for Denial of Service attacks
d. Submit report as per point no. 4.6.

4.10.5 Approximately 40 SIDs or 60 IPs of SAP systems would be involved during the VAPT. Since the VAPT would be on a half-yearly basis, approx. 20 SIDs / 30 IPs of SAP systems would be taken up for each half-yearly VAPT exercise.

4.12 Application Security Audit

The application security review of hosted applications (internal & external) should be performed using tools with considerable manual intervention. During the grey box testing, the bidder is expected to test the functionality of the application using more than one role and identify issues that cannot be found using automated scanners. The number of roles will be shared during the testing phase (average of 3 roles). Application security testing shall include testing for the common vulnerabilities mentioned in forums such as OWASP, but is not limited to those listed. The successful bidder will carry out the following grey box, black box, code review, mobile app review and vulnerability assessment tests as per the requests received from BPCL.

4.11.1. Tests to be conducted during Grey Box Testing are:
a. Injection flaws such as SQL, OS etc.
b. Cross site scripting test
c. Broken access control test
d. Session management & cookie management test
e. Buffer overflow, invalid inputs, insecure storage etc.
f. Improper error handling test
g. Denial of service attack test
h. Insecure configuration management test inclusive of all layers, i.e. Network, Operating System, Database and Application
i. Password strength on authentication pages
j. Exploitable hacking vulnerabilities
k. Any other attacks to which the website and web application are vulnerable

4.11.2. Tests to be conducted during Black Box Testing are:
a. Check name server responses
b. Examine network perimeter
c. Conclude on architecture of the remote infrastructure
d. Normal port scanning
e. Port scanning with IDS evasion techniques
f. System fingerprinting (OS, services, etc.)
g. Improper error handling test
h. Tool based vulnerability scan
i. Password cracking, brute force attack
j. Validation of the vulnerabilities and filtering of false positives


Page 10

k. Exploitation of identified vulnerabilities
l. Gain privileged account from successful exploits
m. Scenario build-up for Denial of Service attacks

4.11.3. Tests to be conducted during Source Code Review are:
a. Format string issues
b. Buffer overflow
c. Memory leaks
d. Security concerns in the APIs used
e. Tests of black-box testing

4.11.4. Tests to be conducted during Mobile Application Review are:
a. Comprehensive security testing of customized mobile applications built on the Android, Windows Mobile, Apple iOS, Blackberry & Java application platforms

4.11.5. Submit report as per point no 4.6.

4.13 Cyber Security Mock Drill

4.12.1. The cyber security mock drill objectives:
a. Evaluate the effectiveness of the security incident management process.
b. Measure attack, detection, response, mitigation and recovery capabilities.

4.12.2. Cyber security mock drills are to be conducted to assess preparedness to withstand cyber-attacks. The requisite number of (vulnerable) web-based applications will be provided by the vendor on a DVD or on a downloadable basis, after which the applications will be installed on a server in a separate network environment, different from the production environment. The successful bidder is expected to simulate the attack on this server.

4.12.3. Output of the cyber security drill by the successful bidder, in the form of a Mock Drill Report to measure BPCL’s security posture:
a. Action taken for securing the application
b. Attack detection: ability for timely detection of attacks
c. Response action: reporting and coordination
d. Mitigation actions: list of actions along with time stamps
e. Recovery action: time taken to restore normal operations

4.14 Incident Life cycle Review

The incident life cycle review would involve a review of the incident response process of our existing SIEM solution by simulating an attack and verifying the effectiveness of the alerts configured on the SIEM, as well as a review of the existing SIEM rules and suggestions for new reports, if any are required.

4.13.1. The successful bidder can simulate an attack and verify the SIEM for the effectiveness of the alerting configured on it. Additionally, review the following:
a. Reviewing the integration of the different technologies with the SIEM.
b. Reviewing the effectiveness of the integration of the various technologies with the SIEM.
c. Reviewing the user roles and responsibilities around the SIEM.


Page 11

d. Reviewing the correlation rules on the SIEM.
e. Reviewing the reports generated from the SIEM.
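The "simulate an attack and verify the alert" part of the incident lifecycle review can be expressed as a rule test: feed the correlation logic a known-bad event sequence and a known-benign one and check that exactly the first alerts. The added Python example below, not taken from the tender or from BPCL's SIEM, does this for a generic failed-login correlation rule over auth log lines constructed for the example; the log line layout, host name, user names and addresses are assumptions, and the thresholds are the rule parameters a reviewer would compare against the ones actually configured.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line layout for the constructed events below (not BPCL's SIEM format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed: a password-guessing run from one source followed by a successful login.
SIMULATED_ATTACK = """\
2015-12-17 09:00:01 web01 auth: FAILED user=admin src=10.9.8.7
2015-12-17 09:00:15 web01 auth: FAILED user=admin src=10.9.8.7
2015-12-17 09:00:31 web01 auth: FAILED user=admin src=10.9.8.7
2015-12-17 09:00:48 web01 auth: FAILED user=admin src=10.9.8.7
2015-12-17 09:01:02 web01 auth: FAILED user=admin src=10.9.8.7
2015-12-17 09:01:19 web01 auth: FAILED user=admin src=10.9.8.7
2015-12-17 09:03:40 web01 auth: SUCCESS user=admin src=10.9.8.7
"""

# Constructed: two mistyped passwords, one line the parser does not understand, and
# slow failures from a service account spread over an hour; none of this should alert.
BENIGN_ACTIVITY = """\
2015-12-17 09:10:00 web01 auth: FAILED user=rsharma src=10.1.2.3
2015-12-17 09:10:09 web01 auth: FAILED user=rsharma src=10.1.2.3
2015-12-17 09:10:20 web01 auth: SUCCESS user=rsharma src=10.1.2.3
2015-12-17 09:15:00 web01 sshd: connection closed
2015-12-17 09:20:00 web01 auth: FAILED user=svc-backup src=10.1.5.5
2015-12-17 09:30:00 web01 auth: FAILED user=svc-backup src=10.1.5.5
2015-12-17 09:40:00 web01 auth: FAILED user=svc-backup src=10.1.5.5
2015-12-17 09:50:00 web01 auth: FAILED user=svc-backup src=10.1.5.5
2015-12-17 10:00:00 web01 auth: FAILED user=svc-backup src=10.1.5.5
2015-12-17 10:10:00 web01 auth: FAILED user=svc-backup src=10.1.5.5
"""


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Apply two correlation rules to time-ordered auth lines.

    brute_force:            `threshold` failures from one source inside `window`
    success_after_failures: a successful login from a source that still has
                            `threshold` or more failures inside `window`
    Returns the alerts and the number of lines the parser could not read; an
    integration review should treat that count as a visibility gap, not ignore it."""
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in window
    alerts, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent_failures[m["src"]]
        while q and ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if m["result"] == "FAILED":
            q.append(ts)
            if len(q) == threshold:        # fires once per crossing of the threshold
                alerts.append({"rule": "brute_force", "src": m["src"],
                               "user": m["user"], "at": m["ts"]})
        else:
            if len(q) >= threshold:
                alerts.append({"rule": "success_after_failures", "src": m["src"],
                               "user": m["user"], "at": m["ts"]})
            q.clear()                      # a success ends the failure streak
    return {"alerts": alerts, "unparsed": unparsed}


def rule_effectiveness():
    """The check a reviewer runs: the known-bad sequence must alert, the benign one must not."""
    attack = correlate(SIMULATED_ATTACK.splitlines())
    benign = correlate(BENIGN_ACTIVITY.splitlines())
    return {
        "attack_detected": [a["rule"] for a in attack["alerts"]],
        "benign_false_positives": len(benign["alerts"]),
        "benign_unparsed_lines": benign["unparsed"],
    }
```

For the attack sequence the rule fires twice (brute_force at the fifth failure, success_after_failures at the login); the benign sequence produces no alert but one unparsed line, which is exactly the kind of parsing gap item (a) and (b) above are meant to surface. Re-running the same two fixtures after every rule change turns the half-yearly review into a regression test.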

Forensics / Incident Investigation

Forensics would be used for advanced analysis during incident management of cyber incidents or virus outbreaks. In addition, it would be used for finding evidential data, collecting it, preserving it and presenting it in a manner acceptable in a court of law. BPCL shall approach the successful bidder for the activities below:

4.14.1. Obtain an understanding of the incident.
4.14.2. Determine the scope of the forensic technology procedures required to be carried out, based on the nature of the incident.
4.14.3. Carry out any of the forensic procedures below, but not limited to those listed:
a. Determine the cause of compromise of the system; hard disk drive imaging, authentication / verification: create a bit-stream copy of the original source HDD of the said user and ensure the integrity of the disk image as well as of the original source HDD.
b. Event log analysis: find instances of remote system access / instances of system compromise.
c. Internet history analysis: find historical data concerning the hacked account.
d. Seek evidence in cached instances of RAM data.
e. Firewall logs for analysing inbound connections to the identified computer.
f. Gateway log analysis to map inbound traffic with respect to outbound traffic.
g. Antivirus / system firewall log analysis: check for system compromise through Trojan attacks.
h. HDD normal data analysis.
i. Discover the source of the botnet in case of a DoS/DDoS, virus or spam outbreak.

4.14.4. Prepare a detailed analysis report and present findings to management.
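Item (a) of 4.14.3, bit-stream imaging with integrity verification of both the image and the original source, is illustrated by the following added Python example, which is not from the tender or from any forensic product. The "drive" is a constructed in-memory byte stream standing in for a source device behind a write blocker; SHA-256 digests are taken of the source while it is copied, of the source again afterwards, and of the image, and the image digest is recorded so the image can be re-verified later in the chain of custody.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read/write block size; imaging tools also work block-wise


def _sha256_of(stream):
    """SHA-256 of a seekable stream, read from the start in fixed-size blocks."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def image_source(source, image):
    """Bit-stream copy of `source` into `image`, hashing the source as it is read.

    Returns (source_hash_during_copy, bytes_copied). The source is only ever read;
    write protection of a real device is assumed to come from a hardware write blocker."""
    source.seek(0)
    image.seek(0)
    image.truncate()
    h = hashlib.sha256()
    copied = 0
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        image.write(block)
        copied += len(block)
    image.flush()
    return h.hexdigest(), copied


def acquire_and_verify(source, image):
    """Image the source, then hash the source again (showing the acquisition did not
    alter it) and hash the image; all three digests must agree for verification."""
    during_copy, copied = image_source(source, image)
    source_after = _sha256_of(source)
    image_hash = _sha256_of(image)
    return {
        "source_hash_during_copy": during_copy,
        "source_hash_after_copy": source_after,
        "image_hash": image_hash,
        "bytes_copied": copied,
        "verified": during_copy == source_after == image_hash,
    }


def reverify_image(image, recorded_hash):
    """Later chain-of-custody check: the stored image must still match the recorded digest."""
    return _sha256_of(image) == recorded_hash


def demo():
    """Acquire a constructed 1 MiB 'disk', then show that a single altered byte in
    the stored image is caught by re-verification. Returns (record, intact_ok, tampered_ok)."""
    # Constructed source: a repeating byte pattern, not data from any real system.
    source = io.BytesIO(bytes(range(256)) * 4096)
    image = io.BytesIO()
    record = acquire_and_verify(source, image)
    # Simulate corruption of the stored image: byte 512 of the pattern is 0x00, overwrite it.
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(512)
    tampered.write(b"\xff")
    return (record,
            reverify_image(image, record["image_hash"]),
            reverify_image(tampered, record["image_hash"]))
```

The three-digest comparison is what makes the evidence defensible: the "during copy" hash proves what was read, the "after copy" hash proves the source was left unchanged, and the image hash ties the working copy to both. Only the recorded image digest needs to travel with the evidence for later re-verification.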

4.15 Security workshop & Knowledge sharing sessions

Security training & workshops would be used to increase awareness of the latest security threats and the best practices followed globally to enhance corporate IT security. BPCL shall approach the successful bidder to conduct learning sessions and workshops on the latest security threats as per BPCL demand at CDC, Mumbai & IDC, Greater Noida. Prices quoted for security workshops & knowledge sharing sessions shall include incidental expenses, if any. No additional / extra claim other than the price quoted shall be entertained during the contract period.

4.16 Email Spear Phishing

Spear phishing would be performed by sending spoofed e-mails to employees in a fraud attempt to glean confidential data and gain unauthorized access to the organization’s confidential data or internal network. This would assess the vulnerability within the organization and help in user awareness.

BPCL shall approach the successful bidder for below activities:

4.16.1. Successful bidder to design a look-alike website and host the website on the Internet.


Page 12

4.16.2. Send out e-mails with instructions to access the portal.
4.16.3. Harvest the user & client-side details in a database / trigger client-side exploits.
4.16.4. Submit a report on the results of the spear-phishing exercise and show various trends, as well as an analysis of success percentage by user category, location, department etc.

4.17 Frequency of services to be performed during the year

SL No | Activity | Frequency | Scope Items
1 | Vulnerability Assessment and Penetration Testing | Twice a year | 250 IPs
2 | Application security audit (Grey Box testing or Black Box testing or Mobile application or Source Code review) | In a period of three years | Dynamic and static pages: 0-5 pages: 60 applications; 5-10 pages: 10 applications; 10-50 pages: 10 applications; 50-100 pages: 10 applications; 100-150 pages: 5 applications; 150-500 pages: 5 applications
3 | Cyber security Mock Drill | Twice in a year | (not specified)
4 | Incident life cycle Review | Twice in a year | Existing BPCL SIEM solution
5 | Forensics / Incident Investigation | In a period of three years | On demand
6 | Security workshop & Knowledge sharing sessions | In a period of three years | On demand
7 | Email Spear Phishing | Twice a year | 200 email ids

Assumptions for grey box testing:
- A minimum of 12 dynamic pages can be tested per day
- A minimum of 60 pages can be tested per day

Assumptions for black box testing:
- A minimum of 20 dynamic pages can be tested per day
- A minimum of 80 pages can be tested per day

Assumptions for mobile application testing:
- A minimum of 1 mobile application can be tested per day

Assumptions for source code review:
- A minimum of 12 dynamic pages can be tested per day
- A minimum of 60 pages can be tested per day

5. TERMS OF DELIVERY

5.1. The services are required for a period of 3 years from the date of Letter of Intent (LOI) / Out Line Agreement (OLA). The services are to commence within 10 days from the date of LOI/OLA.

5.2. Successful bidder should arrange resources to carry out VAPT, Application Security Audit, SIEM review, Security Mock Drill, Security Workshops and Mail Spear Phishing activities within 15 days from the receipt of the request from BPCL.

5.3. Successful bidder shall arrange competent resource for forensic investigation within 2 days from the receipt of the request from BPCL.


Page 13

6. OTHER

6.1 The contract would be valid for a period of three years from the date of release of LOI/contract.

6.2 The price quoted in the price bid should cover all charges for the deliverables mentioned in the SOW.

6.3 All prices quoted should be in Indian Rupees (INR).

7. PAYMENT TERMS

7.1 Payment shall be made on the actual usage of services.

7.2 100% payment will be made for item no. 10, 20, 40, 50 & 80 post completion of each activity and on submission of invoice duly authorized by concerned BPCL officials.

7.3 For item no. 30, 60 & 70: Payment on application security, Forensic & training shall be made for each application on man-day / hourly basis after submitting the report as requested in this tender and on submission of invoice duly authorized by concerned BPCL official.

8. PENALTY

8.1 If the successful bidder fails to complete the delivery of services as per clause 4, BPCL shall impose LD, a sum of Rs. 1,000/- for each day of delay or part thereof from the due date. The maximum LD shall not be more than 5% of the total contract value.

8.2 All the LDs are independent of each other and are applicable separately and concurrently for each activity as mentioned in the Scope of work.

8.3 LD is not applicable for reasons attributable to BPCL or force majeure. The bidder shall submit proof, authenticated by the bidder and BPCL officials, that the delay is attributable to BPCL or force majeure at the time of submission of invoice.

9. BILL OF MATERIAL

Item No | Description of Scope | Quantity | Frequency
10 | Vulnerability Assessment & Penetration Testing of critical servers and infrastructure covering Network and Security devices | 250 IP | Twice a year
20 | Confirmation of VA-PT findings | 250 IP | Twice a year
30 | Application Security Audit for internal and external applications (Greybox testing, Blackbox, Application Code review, Mobile app review) | 200 man days over 3 years | as and when on demand
40 | Cyber Security Mock Drill | (not specified) | Twice a year
50 | Incident life cycle Review | (not specified) | Twice a year
60 | Forensics / Incident Investigation | 400 hours over 3 years | as and when on demand
70 | Security workshop & Knowledge sharing sessions | 150 man days over 3 years | as and when on demand
80 | Email Spear Phishing | 200 users | Twice a year


Page 14

10. UN-PRICED BID

Sr. No. | Item Description | Quantity | UOM | Unit Rate | Amt (Excl. Taxes) | Ser Tax (%age) | Ser Tax Amt | Grand Total
10 | Vulnerability Assessment & Penetration Testing of critical servers and infrastructure covering Network and Security devices (250 IP - TWICE IN A YEAR - 6 EVENTS IN 3 YEARS) | 6 | EACH | | | | |
20 | Confirmation of VA-PT findings (250 IP - TWICE IN A YEAR - 6 EVENTS IN 3 YEARS) | 6 | EACH | | | | |
30 | Application Security Audit for internal and external applications - Blackbox - Greybox testing - Application Code review - Mobile App Review | 200 | MANDAYS | | | | |
40 | Cyber Security Mock Drill (TWICE IN A YEAR - 6 EVENTS IN 3 YEARS) | 6 | EACH | | | | |
50 | Incident life cycle Review (TWICE IN A YEAR - 6 EVENTS IN 3 YEARS) | 6 | EACH | | | | |
60 | Forensics / Incident Investigation on demand | 400 | Hours | | | | |
70 | Security workshop & Knowledge sharing sessions at Mumbai / Greater Noida | 150 | MANDAYS | | | | |
80 | Email Spear Phishing (200 Users) – TWICE IN A YEAR | 6 | EACH | | | | |
Total | | | | | | | |

** Please quote unit rate for each event, per man-day and per man-hour, which shall be multiplied by quantity & applicable taxes for arriving at the total cost of contract.

11. Other Contractual Stipulations

a. We reserve the right to reject the tender without assigning any reason whatsoever.

b. Right to Audit: BPCL reserves the right to audit or inspect work performed by the vendor. BPCL may participate directly or through an appointed representative, e.g., a mutually agreeable external auditor, in order to verify that the tasks related to this project have been performed in accordance with the procedures indicated.


Page 15

c. NDA Clause: The successful bidder has to sign the 'Non Disclosure Agreement (NDA)' on Rs. 100/- stamp paper (Non Judicial) from their competent authority as a compliance for the 'Non Disclosure Agreement' in line with BPCL's IS Security Policy (soft copy of the NDA will be provided to you once the tender is finalized). Purchase orders will not be placed without entering into the above NDA. If the NDA has already been submitted, please ignore this clause.

d. IP (Intellectual Property)

• Organization retains all rights to its pre-existing intellectual property and any intellectual property it creates in connection with the agreement; and

• The vendor assigns to organization all rights in any work product developed pursuant to the agreement and acknowledges that all materials created by the vendor pursuant to the agreement shall be deemed to be owned by the organization. If the vendor will not agree to an assignment, then the vendor should, at a minimum, grant organization a perpetual, irrevocable, worldwide, royalty-free license to use the work product developed pursuant to the agreement.

e. Force Majeure Clause: The parties to this agreement cannot be held responsible for any failure of performance or delay in performance of their obligations thereunder if such failure or delay is the result of any Government Directive relevant to this agreement or due to war, hostilities, act of public enemy, riots or civil commotions, strikes, lock out, fire, floods, epidemics or act of God, arrests and restraints of rulers and people, political or administrative acts of recognized or de facto Government, Import or Export restrictions, compliance with any Government or local authority, or any other cause or causes beyond the control of the parties hereto.

f. Arbitration clause:

• Any dispute or differences arising under and out of, or in connection with, the contract shall be referred to the sole arbitration of an arbitrator appointed under the provisions of the Indian Arbitration and Conciliation Act, 1996, and subject to the jurisdiction of courts in Mumbai only.

• In case of any dispute in the interpretation of the terms and conditions of the tender, the decision of the Corporation shall be final and binding.

g. Third Party and Outsourcing Services Policy (BPCL-TPOSP): The successful bidder has to sign the 'Third Party and Outsourcing Services Policy' from their competent authority as a compliance in line with BPCL's IS Security Policy (soft copy of BPCL-TPOSP will be provided to you once the tender is finalized). Purchase orders will not be placed without entering into the above BPCL-TPOSP.

h. Limitation of liability will be restricted to Total Contract Value.

i. BPCL reserves the right to terminate the contract by giving 30 days’ notice without assigning any reason.

j. This contract can be extended by another 3 months at the same rate, terms and conditions if the contract is awarded to you.

ALL ABOVE TERMS & CONDITIONS ARE ACCEPTABLE TO US.

SIGNATURE & NAME OF THE PERSON

COMPANY SEAL


Page 16

ANNEXURE-A

COMPLIANCE SHEET

Please provide the following information as part of your RFP bid. All information required herein must be provided. Please upload this Compliance sheet along with the evidence during submission of your technical bid.

S. No | Description | Compliance (YES/NO) | Evidence / Remark
1 | The bidder should be in the CERT-In empanelled list, valid up to December 2015, published on the CERT-In website (www.cert-in.org.in). Evidence: Bidder to submit the copy of CERT-In empanelment issued by CERT-In. | |
2 | The bidder should have conducted at least three application security, Forensic and VA-PT projects each in India within the last three years, of which at least one VAPT project should have had more than 200 devices in scope. Evidence: Bidder should share past POs on application security, Forensic and VAPT of 200 devices in the last three years. | |
3 | The bidder must have a minimum of ten staff with CISA/CISSP/CISM/CEH certifications. Evidence: Bidder should share the resumes of the skilled staff with CISA/CISSP/CISM/CEH certifications. | |
4 | The tools used for scanning NON-SAP systems should be tools mentioned in the leader or challenger quadrant of the latest “Gartner Magic Quadrant for Application Security” report. Evidence: Bidder to share the list of tools used for scanning NON-SAP systems, which are mentioned in the leader or challenger quadrant of the latest “Gartner Magic Quadrant for Application Security” report. | |
5 | The bidder should have executed a minimum of two SAP application security assessments on platforms like (SCM, PS, PM, RE, FI&CO, SCM, PP, BI etc.) in India and provide references. Evidence: Bidder should submit the PO of SAP application security assessment. | |
6 | The tools used for scanning SAP systems should be SAP certified. Evidence: Bidder should share the proposed SAP tool name and its certification to be used for SAP systems. | |
7 | The tools used for scanning (VA-PT and application security) should be SAP Certified. Evidence: Bidder should share the list of tools used for scanning, which must appear in the leader or challenger quadrant of the Gartner Magic Quadrant for Application Security. | |


Page 17

8 | Bidder should have the capability to execute VAPT, Forensic and workshops at BPCL premises at Mumbai. Evidence: Submit an undertaking on bidder letterhead duly signed by the Company Secretary / authorized signatory that the bidder has the capability to execute VAPT, Forensic and workshops at BPCL premises at Mumbai as and when required. | |
9 | Submit an undertaking on bidder letterhead duly signed by the Company Secretary / authorized signatory that the bidder will furnish evidence (like copy of the license / PO & Invoice etc.) of acquiring the SAP certified tools as per the tender criteria before start of the scanning activity. | |
10 | BPCL’s RFP duly stamped & signed by the authorized signatory in token of acceptance of all terms & conditions mentioned in this document. | |
11 | Non-Disclosure Agreement (NDA) form (Specimen enclosed) duly signed by the Authorized signatory. | |
12 | Third Party and Outsourcing Services Policy (Specimen enclosed) duly signed by the Authorized signatory. | |
13 | List of Deviations, if any; else submit a NIL deviation statement (as per format enclosed herewith). | |


Page 18

FORMAT

NON DISCLOSURE AGREEMENT

This Agreement is made as of the ------------- 2015 between BHARAT PETROLEUM CORPORATION LTD. (BPCL), a Government of India Enterprise, having its registered office and Corporate office at Bharat Bhavan, 4&6, Currimbhoy Road, Ballard Estate, Mumbai - 400001, hereinafter referred to as First Part, which expression shall unless repugnant to the subject or the context mean and include its successors, nominees or assigns, and M/s ------------------ -------- ---------------------------------------------------------, a company incorporated under the Indian Companies Act, 1956, and having its registered office at ------------------------------------ ------------------------------------------------------, hereinafter called “Second Part”, which expression shall unless repugnant to the subject or the context mean and include its successors, nominees or assigns.

Whereas in order to pursue the business purpose of this particular project as specified in Annexure A (the “Business Purpose”), M/s---------------------------------------------------------------------------------------------- recognizes that there is a need to disclose certain information, as defined in para 1 below, to be used only for the Business Purpose and to protect such confidential information from unauthorized use and disclosure. In consideration of First Part’s disclosure of such information, Second Part agrees as follows:

1. This Agreement will apply to all confidential and proprietary information disclosed by First part to Second part, including information which the disclosing party identifies in writing or otherwise as Confidential before or within thirty days after disclosure to the receiving party (“Confidential Information”).

Confidential Information consists of certain specifications, designs, plans, drawings, software, processes, prototypes and/or technical information, and all copies and derivatives containing such Information, that may be disclosed to other part by first part for and during the Purpose, which disclosing party considers proprietary or confidential (“Information”). Confidential Information may be in any form or medium, tangible or intangible, and may be communicated/disclosed in writing, orally, or through visual observation or by any other means by other part (hereinafter referred to as the receiving party) by the First Part (hereinafter referred to as one disclosing party). Information shall be subject to this Agreement, if it is in tangible form, only if clearly marked as proprietary or confidential as the case may be, when disclosed to the receiving party or, if not in tangible form, its proprietary nature must first be announced, and it must be reduced to writing and furnished to the receiving party within thirty (30) days of the initial disclosure.


Page 19

2. M/s --------------------------- i.e. Second Part ---------------------------------- hereby agrees that during the Confidentiality Period:

a) The receiving party shall use Information only for the Purpose, shall hold Information in confidence using the same degree of care as it normally exercises to protect its own proprietary information, but not less than reasonable care, taking into account the nature of the Information, and shall grant access to Information only to its employees who have a need to know, but only to the extent necessary to carry out the business purpose of this project as defined in exhibit A, shall cause its employees to comply with the provisions of this Agreement applicable to the receiving party, shall reproduce Information only to the extent essential to fulfilling the Purpose, and shall prevent disclosure of Information to third parties. The receiving party may, however, disclose the Information to its consultants and contractors with a need to know; provided that by doing so, the receiving party agrees to bind those consultants and contractors to terms at least as restrictive as those stated herein, advise them of their obligations, and indemnify the disclosing party for any breach of those obligations.

b) Upon the disclosing party's request, the receiving party shall either return to the disclosing party all Information or shall certify to the disclosing party that all media containing Information have been destroyed.

3. The foregoing restrictions on each party's use or disclosure of Information shall not apply to Information that the receiving party can demonstrate:

a) Was independently developed by or for the receiving party without reference to the Information, or was received without restrictions; or

b) Has become generally available to the public without breach of confidentiality obligations of the receiving party. The information shall not be deemed to be available to the general public merely because it is embraced by more general information in the prior possession of Recipient or of others, or merely because it is expressed in public literature in general terms not specifically in accordance with the Confidential Information; or

c) Was in the receiving party's possession without restriction or was known by the receiving party without restriction at the time of disclosure, and the receiving party declares possession of such confidential information within a day of such disclosure by the disclosing party; or

d) Is disclosed pursuant to a court order or is otherwise required by law to be disclosed, provided that Recipient has notified the disclosing party immediately upon learning of the possibility of any such court order or legal requirement and has given the disclosing party a reasonable opportunity, and co-operates with the disclosing party, to contest or limit the scope of such required disclosure, including application for a protective order; or

e) Is disclosed with the prior consent of the disclosing party; or


Page 20

f) The receiving party obtains or has available from a source other than the disclosing party without breach by the receiving party or such source of any obligation of confidentiality or non-use towards the disclosing party.

4. Receiving party agrees not to remove any of the other party’s Confidential Information from the premises of the disclosing party without the disclosing party’s prior written approval and to exercise extreme care in protecting the confidentiality of any Confidential Information which is removed, only with the disclosing party’s prior written approval, from the disclosing party’s premises. Receiving party agrees to comply with any and all terms and conditions the disclosing party may impose upon any such approved removal, such as conditions that the removed Confidential Information and all copies must be returned by a certain date, and that no copies are to be made off of the premises.

5. Upon the disclosing party’s request, the receiving party will promptly return to the disclosing party all tangible items containing or consisting of the disclosing party’s Confidential Information and all copies thereof.

6. Receiving party recognizes and agrees that all of the disclosing party’s Confidential Information is owned solely by the disclosing party (or its licensors) and that the unauthorized disclosure or use of such Confidential Information would cause irreparable harm and significant injury, the degree of which may be difficult to ascertain. Accordingly, receiving party agrees that the disclosing party will have the right to obtain an immediate injunction enjoining any breach of this Agreement, as well as the right to pursue any and all other rights and remedies available at law or in equity for such a breach.

7. As between the parties, all Information shall remain the property of the disclosing party. By disclosing Information or executing this Agreement, the disclosing party does not grant any license, explicitly or implicitly, under any trademark, patent, copyright, mask work protection right, trade secret or any other intellectual property right. The disclosing party disclaims all warranties regarding the information, including all warranties with respect to infringement of intellectual property rights and all warranties as to the accuracy or utility of such information. Execution of this Agreement and the disclosure of Information pursuant to this agreement does not constitute or imply any commitment, promise, or inducement by disclosing party to make any purchase or sale, or to enter into any additional agreement of any kind.

8. Disclosing party’s failure to enforce any provision, right or remedy under this agreement shall not constitute a waiver of such provision, right or remedy. This Agreement will be construed, interpreted and applied in accordance with the laws of India.

9. This Agreement and Exhibit A attached hereto constitutes the entire agreement of the parties with respect to the parties' respective obligations in connection with Information disclosed hereunder and supersedes all prior oral and written agreements and discussions with respect thereto. The parties can amend or modify this Agreement only by a writing duly executed by their respective authorized representatives. Neither party shall assign this Agreement without first securing the other party's written consent.


Page 21

10. This Agreement will remain in effect for three years from the date of the last disclosure of Confidential Information, at which time it will terminate, unless extended by the disclosing party in writing.

11. With regard to the confidential information of M/s disclosed to BPCL, BPCL agrees to comply with all the obligations of receiving party mentioned in this Agreement.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement by their duly authorized officers or representatives.

M/S -----------------------                BHARAT PETROLEUM CORPORATION LIMITED
Signature: _____________                  Signature: ____________
Printed Name: _________                   Printed Name: ___________
Designation: ________________             Designation: ________________________

Exhibit A

1. Business Purpose: ……………………………………………………………
…………………………………………………………………………………….

2. Confidential Information of M/s ------------------------------------------------

All communication/ information submitted to the BPCL relating to the proposal of M/s _______________ for the purpose of procurement and subsequent integration with existing infrastructure of BPCL, marked as confidential.

3. Confidential Information of BPCL:

a) All details relating to architecture and other Network infrastructure details of BPCL etc.

b) All information shared in oral or in written form by BPCL with M/s---------------------------------------------- --------------------------------.

c) Any information desired by M/s ----------------------------- shall be justified for.

d) Information downloaded or taken in physical form shall be returned / destroyed after use and not copied.

e) Draft Technical specifications for the various projects and Tender documents for the same.

BPCL: ___________________ M/s------------------------------------------- Signed Signed


Page 22

FORMAT

NIL DEVIATION STATEMENT

This is to certify that the specifications of the services which I/we have mentioned in the Technical Bid, and which I/we shall supply if I/we am/are awarded the work, are in conformity with the specifications of the bidding document and that there are no deviations of any kind from the requirement specifications. Also, I/we have thoroughly read the bidding document and subsequent corrigendum. By signing this certificate, we hereby submit our token of unconditional acceptance of all the terms & conditions of the bidding document without any deviations. I/we also certify that the price I/we have quoted is inclusive of all the cost factors involved in the end-to-end execution of the project, to meet the desired Standards set out in the bidding document.

Thank You,

Name of the Bidder:-
Authorised Signatory / Company Secretary
Designation:-
Seal of the organization:-
Date:-
Place:-


Third Party and Outsourcing Services Policy Bharat Petroleum Corporation Ltd

Version 1.0 Page 1 of 8

Bharat Petroleum Corporation Limited

Third Party and Outsourcing Services Policy

(BPCL – TPOSP)



Version 1.0 Page 2 of 8

Document Control

S. No. | Type of Information | Document Data
1. | Document Title | Third Party and Outsourcing Services Policy (BPCL – TPOSP)
2. | Document Code | BPCL/TPOSP
3. | Date of Release | <10/JUL/2014>
4. | Document Revision No | Version 1.0
5. | Document Owner | A K Gidwani, CISO
6. | Document Author(s) | V Natarajan, Asit K Sethi
7. | BPCL Policy Reference |
8. | Policy Section Reference |

Document Approvers

S. No. | Approver | Approved Through / Nominee(s) | Nominee(s) Contact
1. | | |
2. | | |
3. | | |

Document Change Approvals

Version No. | Revision Date | Nature of Change | Date Approved



Version 1.0 Page 3 of 8

Contents

1.1 Introduction ... 4
1.2 Responsibility ... 4
1.3 Policy Statement and Objectives ... 4
1.4 Risk Assessment Requirements for third party services ... 5
1.5 Access Control for third party service provider ... 5
1.6 Security conditions in third party contracts ... 5
1.7 Security conditions in Outsourcing Contracts ... 6
1.8 Service level Agreements ... 6
1.9 Third party service delivery management ... 7
1.9.1 Service Delivery ... 7
1.9.2 Monitoring and Reviewing of third party services ... 7
1.9.3 Managing changes to Third party services ... 7



Version 1.0 Page 4 of 8

1.1 Introduction

The security of BPCL might be put at risk by access from users of third party or outsourcing agencies. A risk assessment should be carried out to determine the specific security requirements in such cases. A formal contract (SLA / NDA) with third parties or outsourcing agencies should also be established stating the necessary security conditions and service levels. All security requirements resulting from the risk assessment should form part of the contract.

1.2 Responsibility

Business Units / Functional Heads are responsible for enforcing the implementation of BPCL TPOSP within their Business Units/Functions.

It is the responsibility of every third party and their employees, who handle, process, manage and/or store information of BPCL, to read, understand and adhere to the BPCL TPOSP.

1.3 Policy Statement and Objectives:

Security of BPCL’s information assets used by the third party for providing services to BPCL is of paramount importance, and Confidentiality, Integrity and Availability of these shall be maintained at all times by the third party concerned through controls commensurate with the classification of the information asset.

The objectives of the BPCL Third Party and Outsourcing Services Policy are to ensure that

a. A risk assessment is carried out to determine the security implications and control requirements where there is a requirement for third party access to critical or sensitive information systems.

b. Vendors, consultants, contractors and customers are subjected to the same access restrictions to which an internal user is subjected.

c. A formal contract is established prior to a third party being granted access to BPCL information and data.

d. The risks posed to BPCL by outsourcing all or part of its operations will be addressed in a contract agreed between the parties.

e. Service level agreements, clearly defining service level criteria, will be entered into with third parties and outsourcing agencies, where applicable.

f. An appropriate level of information security and service delivery is implemented and maintained in line with the third party service delivery agreements.

g. The BPCL TPOSP is reviewed at regular intervals and appropriate amendments are made to the policy, as required, ensuring



Version 1.0 Page 5 of 8

1.4 Risk Assessment Requirements for third party services

A risk assessment will be carried out to identify any requirements for specific controls in case of any third party access to sensitive or critical information systems of BPCL.

The risk assessment will take into account the type of access required and the value of information, controls employed by the third party and the implications of this access to the security of BPCL.

All security requirements identified from the risk assessment will be reflected as security conditions in the third party contract.

1.5 Access Control for third party service provider

BPCL will subject vendors, consultants, contractors and customers to at least the same access restrictions to which an internal user would be subject. Further, the third party users will be restricted to the minimum information required to complete the contracted work.

The vendors, consultants, contractors and customers will only be provided access to BPCL Information resources after authorization.

All third party users accessing BPCL information and data, from within the premises or from external sites, will be provided with a unique login-id and password, to maintain accountability.

The third party users will not connect to the local area network from their laptops or computers unless authorized.

Third party laptops authorized to connect to BPCL's network will be segregated from BPCL's local area network through the use of VLANs.

Periodic and random reviews will be conducted to ensure that appropriate access restrictions are in place.

Security Breaches - Any employee who identifies a security violation by a third party will immediately report the same to the Information Security Manager and Department Head.

1.6 Security conditions in third party contracts

Arrangements involving third party access will be based on a formal contract. The contract will have

all the necessary security conditions and service levels to ensure compliance with the BPCL security

policies and procedures. The following terms will be considered for inclusion in the contract:

Controls to ensure the return or destruction of information and data at the end of, or at

an agreed point in time during the contract.

Restrictions on copying and disclosing information.

The respective liabilities of the parties to the agreement.

Intellectual property rights (IPRs) and copyright assignment and protection of any

collaborative work like development of software / application


- Access control agreements covering permitted access methods, and the control and use of unique identifiers such as user accounts and passwords.

- Scanning of the network and unauthorized login / access attempts to the BPCL network and / or network devices.

- The right to audit contractual responsibilities.

- Involvement of the third party with subcontractors.

The contract will be established before access to BPCL’s information and data is granted.

All third party users will read and sign a non-disclosure agreement before access is granted to the user.

All contractual agreements will be reviewed by the Legal department of BPCL.

In case of Annual Maintenance Contracts (AMC) of computer hardware / UPS / ACs with third parties, preventive maintenance along with its frequency will form part of the contract. The Premises / IT department will ensure that the preventive maintenance is carried out by the third party as agreed in the Annual Maintenance Contract.

The contract will include the agreement with vendors on escrow for software code.

1.7 Security conditions in Outsourcing Contracts

The risks posed by outsourcing the management of all or part of the facilities, information systems, networks and/or desktop environments will be addressed in a contract agreed between the parties.

The contract will include the following, at a minimum:

- Physical and logical access controls to limit access to BPCL’s business information.

- Availability of services in the event of disaster.

- Arrangements to ensure that all parties involved in outsourcing are aware of the security responsibilities and requirements.

- The responsibilities and liabilities in the event of an information security incident such as loss of data.

All Outsourced Service Agreements involving information owned by BPCL will need to be approved.

1.8 Service level Agreements

When building a relationship with a new vendor, the respective department shall define the SLA requirements, which will be embedded in the contract to be signed.

With respect to BPCL’s objectives and requirements, the SLA team will collect, analyze, and draw conclusions about issues that comprise the BPCL Infrastructure / Environment and BPCL’s desired level of system availability and performance - both from an IT perspective and from a functional standpoint.


Systems problem and downtime

The IT personnel will maintain a register for all hardware and software problems. This register will also state the manner in which the problems were resolved.

IT will ensure that a system downtime log is maintained.

1.9 Third party service delivery management

1.9.1 Service Delivery

Third parties shall ensure that the security controls, service definitions and delivery levels included in the service delivery agreements are implemented, operated and maintained by them.

Respective business units shall ensure that the service definitions, service delivery levels and security controls included in the third party service delivery agreements are implemented, operated and maintained by the third parties.

1.9.2 Monitoring and Reviewing of third party services

The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out by the business units.

The review shall include:

- Monitoring service performance levels to check adherence to the agreements.

- Reviewing service reports produced by the third party and arranging the regular progress meetings required by the agreements.

- Resolving and managing any identified problems.

1.9.3 Managing changes to Third party services

Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business systems and processes involved and re-assessment of risks.

The changes to be considered include:

- Changes requested by BPCL, such as enhancements to the current services offered, development of any new applications and systems, etc.

- Changes in third party services, such as change of vendors, use of new technologies, etc.

Declaration

I _____________ on behalf of M/s _____________ have read, understood and undertake to adhere to the BPCL TPOSP.


The following members have been appointed from M/s _____________ for the project

__________________

Mr. _________________

Mr.___________________

Mr.__________________

Mr.___________________

Mr.__________________

3rd Party: M/s_________________

BPCL Witness:

Authorized Signatory:

Signature:

Name: Designation: Date:

Name: Designation: Date:

Company Seal: