INFORMATION SYSTEM AUDIT OF DATA CENTRE, CRITICAL APPLICATIONS, IT
PROCESSES ETC. OF PUNJAB & SIND BANK
RFP REF. NO.: HO/HO IT/RFP/145 /2020 DATED: 26.02.2020 Page 1 of 57
LIMITED TENDER
Request for Proposal from the Empanelled Auditors of the Punjab and Sind
Bank, for Information System Audit of Data Centre, Critical Applications, IT
Processes etc. of the Bank
Tender No: PSB/HOIT/RFP/145/2020 Dated: 26.02.2020
PUNJAB & SIND BANK
Head office Information Technology Department
2nd Floor, Plot No. 151, Sector 44, Institutional Area,
Gurugram-122003
Contents
1. INTRODUCTION
2. SCOPE OF WORK
3. OTHER IMPORTANT TERMS & CONDITIONS
4. TERMS & CONDITION
5. RESOLUTION OF DISPUTE
6. CORRUPT or FRAUDULENT PRACTICES
7. INDEMNITY
8. BIDDER'S OBLIGATION
9. INTELLECTUAL PROPERTY RIGHT
10. SIGNING OF CONTRACT
11. PUBLICITY
12. ANNEXURE A
13. ANNEXURE B
14. ANNEXURE C
15. ANNEXURE D
KEY INFORMATION
Particulars | Details
Tender Number | PSB/HOIT/RFP/145/2020 Dated: 26.02.2020
Tender Title | Request for Proposal from the Empanelled Auditors of the Punjab and Sind Bank, for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank
Eligibility | The Empanelled IS Auditors of Punjab and Sind Bank for three years as per the Expression of Interest PSB/HOIT/EoI/133/2018-19 Dated: 22.03.2019.
Performance Bank Guarantee | Rs.1,00,000.00 (Rs. One lakh only) in the form of Bank guarantee valid for 12 months
Date of Publishing the tender | 26.02.2020
Last Date for submission of Pre-Bid Query | 02.03.2020 by 3:00 pm (queries must be mailed to [email protected] only in MS-Excel format quoting tender reference number in the subject)
Last Date and time for submission of Bids | 11.03.2020 by 03:00 pm
Date and Time of Opening of Technical Bids | 11.03.2020 at 03:30 pm
Date and Time of opening of Indicative Commercial Bids | 11.03.2020 at 5.00 pm
Place of submission and Opening of Bids | Punjab & Sind Bank, Head Office, 2nd Floor, Information Technology Department, Plot No. 151, Institutional Area, Sector 44, Gurugram- 122003
Contact Persons for any clarifications/ Submission of Bids | Gaurav Kumar Yadav (AGM IT)/ Arun Ahlawat (Officer- Inspection)
Contact Numbers | Gaurav Kumar Yadav (AGM IT) - 9555813220; Arun Ahlawat (Officer) - 8396049100
* If any of the dates given above happens to be a holiday in Gurugram, the related activity shall be undertaken on the next working day at
the same time.
Information for Online Participation
This Tender will follow e-Tendering process which will be conducted by Bank’s
authorized e-Tendering Service Provider M/s C1 India Pvt. Ltd. through website:
https://psb.eproc.in
Following activities will be conducted online through the above website:
1. Procurement of RFP document including all Annexures
2. Addendums to the RFP
3. Submission of Technical Bid & Indicative Commercial Bid by the Bidder
4. Opening of Technical Bid & Indicative Commercial Bid by the Bank
5. Reverse Auction
6. Announcement of results, if any
Instructions:
1. Bidders who wish to participate will have to register with the website
(https://psb.eproc.in). Bidders will be required to create login id & password on
their own in registration process.
2. Bidders who wish to participate in this tender need to procure a Class III Digital
Signature Certificate (with both DSC components, i.e. Signing & Encryption)
from any of the licensed Certifying Agencies. Bidders can view the list of licensed
CAs at www.cca.gov.in.
3. In case of any clarification/ queries regarding online registration/ participation,
Bidders may reach out to: Email: [email protected] Ph: 0124-
4302033/36/37
1. INTRODUCTION
1.1 About the Bank
PUNJAB & SIND BANK, a leading Public Sector Bank having its Head Office at New
Delhi, is implementing many key technology solutions like Core Banking (CBS),
Internet Banking (e-banking), Tele Banking, Mobile Banking, onsite / offsite ATMs,
Integrated Treasury Systems, RTGS, SFMS, NEFT etc. The Bank has chosen FINACLE
Software of M/s. INFOSYS Ltd. as the Core Banking Solution and implemented CBS
in 100% branches and offices.
1.2 Present Status of the Bank
The Bank is using the financial software Finacle (7.0.25) for carrying out the Banking
operations. The bank has a widespread network of 1500 plus branches, 25 Zonal Offices,
more than 30 Departments in Head Office, 9 Regional Clearing Centers, 2 Training
Centers and 9 Currency Chests all networked under Centralized Banking Solution. It also
has a network of more than 1250 ATMs spread across the country including onsite and
offsite ATMs. The Bank’s CBS Project Office and HO Information Technology
Department are located in New Delhi & Gurugram, respectively. The Bank’s Data Center
(DC) is located in Vashi Mumbai and Disaster Recovery Center at Greater Noida and both
are managed by Bank’s CBS System Integrator M/s Wipro. The DC is connected to the
branches, Zonal Office and Head Office through Bank-wide Wide Area Network. The
entire network uses Leased Lines, RF, VSAT and Backup connectivity through ISDN lines
& RF etc. The ATMs, Mail Messaging System and other applications also use the WAN.
The Disaster Recovery Center of the Bank has a setup similar to that of the Data Centre
for the financial software.
1.3 Purpose of RFP:
This RFP seeks to engage a Service Provider who has the capability and experience for
conducting Information Systems (IS) Audit, including Application audit of Core Banking
Solution and other applications, and to make appropriate recommendations, as covered under
the Scope of Work. The engagement also covers carrying out risk analysis of all IT assets
of the Bank and preparation of a Risk Matrix based on Guidelines issued by RBI and Govt. of India.
The aim of the RFP is to solicit proposals from empanelled IS Auditors for undertaking
above detailed assignments.
2. SCOPE OF WORK:
2.1 Scope of Work Related to IS (Information Systems) Audit:
a. The Scope of work mainly relates to conducting of Information System and Security
Audit including Cyber Security Audit of different Information systems/applications/
Databases / Operating Systems / Security devices, appliances and Solutions / Network
Equipments/ Information Technology (IT) Process like sharing information through web
services, host to host etc. in use by the Bank, as listed in Annexure-C, including those
systems used by other agencies for providing services in respect of activities which are
outsourced. The scope also includes the VAPT of all systems as listed in Annexure-C and
Annexure- D.
2.2 The IS Audit shall be performed:
a. Bidder is expected to carry out IS Audit activities including but not limited to the points
mentioned in the scope of this RFP. Further the Bidder has to evaluate and comment on
compliance by Bank as per RBI Circular on Cyber Security Framework,
Information/Cyber Security Policy/ Procedures/Processes of the Bank, ISO 27001:2013
standards, other RBI guidelines and Industry best practices etc.
b. The guidelines issued by RBI, Govt. of India, NPCI, UIDAI, Cert-In etc.
c. Punjab & Sind Bank IS Audit Policy, Punjab & Sind Bank’s IT security Policies &
Procedures and Punjab & Sind Bank Cyber Security Policy.
d. IT Act, 2000 as amended from time to time.
2.3 IS Audit of each of the systems shall broadly cover the following aspects:
− Physical and Environmental controls
− Logical access Controls
− Operating System/database review including Vulnerability Assessment
− Application Review
− Business process Review
− Vulnerability Assessment
− Penetration Testing
− Network and Security Review including VA and Penetration test
− Backup procedure Review
− Business Continuity/Disaster Recovery plans/practices
− Review of Outsourced Activities
− Virus protection and Patch management.
− Capacity utilization of servers and applications
− Review of Basic minimum Configuration applicable for each system as per
best practice i.e. Baseline Secure Configuration review.
− Application Security Life Cycle (ASLC) review.
− Database Configuration Audit.
− Secure Code Practice Review.
− IT General Controls Review.
− General Process Controls Review.
2.4 Vulnerability Assessment (VA)
The scope also includes conducting Vulnerability Assessment and Penetration Tests
(VAPT) covering operating systems, database, networking and Security Infrastructure
and various on-line applications facing customers as listed in Annexure-C and all other
assets listed in Annexure-D.
The purpose of the vulnerability assessment is to discover all systems on the perimeter
network or facing the internet and to assess these systems for security vulnerabilities.
The vulnerability assessment shall attempt to determine vulnerabilities that may enable
unauthorized logical access to protected systems via the external network interfaces of the
Bank's network. The vendor will conduct the vulnerability assessment against network and
security infrastructure components to identify services in use and potential vulnerabilities
present.
IS auditors are expected to conduct the audit against the standard configuration document
that Bank has created, as also the latest global standards and industry best practices.
2.5 Penetration Tests (PT)
The objective of the Penetration Testing is to determine the effectiveness of the security
of the organization's infrastructure and its ability to withstand an intrusion attempt. The
security assessment should use industry standard penetration test methodologies and
scanning techniques, and will focus on applications. The application tests should cover,
but not be limited to, the OWASP Top 10 attacks. The IS Auditor shall perform application security
testing to identify security vulnerabilities in the Bank's applications that may be exploited
by a user to obtain unauthorized access.
The IS Auditors shall use automated and manual testing techniques to exploit the
weaknesses identified in the application logic, in areas like authentication, authorization,
information leakage, field variable control, session timeout & logout, cache control, server
side logic, client side logic, error handling, application administration and encryption.
The scope for penetration testing should include, but not be limited to, the list of internet facing
websites/ applications. The penetration tester shall conduct the vulnerability
assessment in consultation with the concerned personnel and with proper permission of the Bank.
The bidder is to carry out an application review covering the functionality, security, and
controls within the applications. A minimum set of activities to be performed is
detailed in the scope of work. The auditor has to conduct VA, PT & white box testing (with
credentials) for security assurance of the applications.
2.6 IT General Controls Review
The IS Auditors shall assess whether the data processing that takes place in systems and
IT occurs in a controlled environment, supporting data integrity and security and the need
to comply with local laws and their requirements relating to information security. The
scope of work for IT General Controls Review is:
i) Change Management Review
ii) Logical Access
iii) Backup Management
iv) Incident Response Management
v) Observing DR Drill Activities
vi) Integration of system servers, devices with PIM
vii) Others (Audit logging and review mechanism, Patch Management, Antivirus
Management etc.)
2.7 General Process Audit Review
The IS Auditors shall assess whether the data processing that takes place in systems and
IT occurs in a controlled environment, supporting data integrity and security. The scope
of work for General Process Audit review is:
i) Assess the controls implemented in the system.
ii) Logical Access Controls - Review all types of Application Level Access Controls
including proper controls for access logs and audit trails for ensuring Sufficiency &
Security of Creation, Maintenance and Backup of the same. Only authorized users should
be able to edit, input or update data in the applications or carry out activities as per their
role and/or functional requirements
iii) Assess sufficiency & accuracy of event logging, adequacy of Audit trails, SQL
command prompt usage, database level logging etc.
iv) Review and analysis of database procedures to check various calculations in the
system
v) Assess interface controls - Application interfaces with other applications and security
in their data communication.
vi) Assess authorization controls such as Maker Checker, Exceptions, Overriding
exception & Error condition.
vii) Assess Data integrity & File Continuity Controls
viii) Assess controls for user maintenance and whether the password policies being followed
are as per the Bank's IT & IS security policy.
ix) Assess controls for segregation of duties and accesses of production staff and
development staff with access control over development, test and production regions.
x) Review of all types of Parameter maintenance and controls implemented.
xi) Assess controls for change management procedures including testing &
documentation of change.
xii) Identify gaps in the application security parameter setup in line with the Bank's
security policies and leading best practices
xiii) Audit of management controls including systems configuration/ parameterization &
systems development.
xiv) Audit of controls over operations including communication network, data
preparation and entry, production, file library, documentation and program library, Help
Desk and technical support, capacity planning and performance, Monitoring of
outsourced operations.
xv) Review of customizations done to the Software & the SDLC Policy followed for such
customization.
xvi) Verify adherence to Legal & Statutory Requirements.
xvii) Review segregations of Roles/Responsibilities with respect to Application software
to improve internal controls
xviii) Review of documentation for formal naming standards, design process of job roles,
activity, groups, profiles, assignment, approval & periodic review of user profiles,
assignment & use of Super user access.
xix) Check the sufficiency and coverage of UAT test cases, review of defects & tracking
mechanism deployed by vendor & resolution including re-testing & acceptance.
xx) Backup/Fallback/Restoration /Recovery & Restart procedures
2.8 Policy, Process and Procedure review
a. Information Security Policy
b. Cyber Security Policy
c. Data Privacy Policy
d. Integrated Risk Management Policy
e. Fraud Risk Management Policy
f. Operational Risk Management Policy
g. Cyber Crisis Management Plan
h. IT Policy
i. Business Continuity Plan & Disaster Recovery Policy
j. Information/Cyber Security Processes, Procedures & Guidelines.
k. IT Processes, Procedures & Guidelines
2.8.1 Review of Information Security/Cyber Security vis-à-vis RBI Circular on
Cyber Security Framework
• Review of preparedness of the Bank vis-à-vis RBI Circular on Cyber Security
Framework in Banks.
• Vetting of Self-assessment of gaps vis-à-vis Baseline Security & Resilience
Requirements.
2.8.2 Review of IT infrastructure from the point of view of Information/Cyber
Security
• Review of the Current Security Architecture and Security Technology of the
organization.
• Review Vulnerability Assessment [VA] and Penetration Testing [PT] for Servers
and Network/Security devices, Application Security Testing [Web and Mobile App
Sec] being done for the bank.
• Incident Management review in which IS auditor should review whether
Incidents are managed, monitored and reported as per the RBI guidelines or other
regulators like Cert-in, NCIIPC etc.
• Review Secure Configuration Documents adopting best practices for Servers OS,
Web application, Database, Security Devices, Network Devices, Desktops, Laptops,
Mobile devices etc.
• Review of Network Security including various wireless technologies, Security
Design, Access Control, etc.
• Review of the existing network topology/ Network Security Architecture and
deployment of the security controls within the organization like Firewalls, IDS/IPS,
network segmentation, WAF, Mail Gateway, Patch Management, Active Directory
(AD), AV, SIEM, PIM, DAM, Anti APT etc.
• Review of access rules (ACLs) of network & security devices.
2.9 Network Management
• Review of overall network management as per RBI guidelines or other
regulators and industry best practices.
• Review of network design – scalability and redundancy
• Review Network cabling and IP Sec implementation
• Evaluate processes adopted for:
• Transmission of data
• Bandwidth management
• Uptime against the SLAs
• Fault Management
• Capacity planning
• Audit log review and maintenance
• Performance management
• Audit log review and maintenance
• Review of Network performance management
• Analyze the logs maintained for Network Incident
• Review of security architecture implementation
• Review of password management.
• Review of Network Information security administration.
• Review of Cryptography.
• Review of Policies and rule sets including ACLs (Access Control Lists).
• Review of Violation logging management.
• Review of Information storage & retrieval.
• Audit of PKI management.
• Audit of PIN management.
• Review access control documentation and configuration
• Network and Security Equipment
• Ensure Router, Firewall, Proxy, Intrusion Prevention System, ATM Switch,
Network Switch, Modems etc. procured and installed are in line with business
strategy/IT Policy/Information/Cyber Security policy of BANK/ Industry best
practice/Regulatory guidelines
• Evaluate the installation, deployment/ placement, configuration, security,
policies defined in respective equipment for meeting the security requirement of
the LAN & WAN as per IT Policy/Information/Cyber Security policy of BANK
and industry best practices.
2.10 Database Management System and Data Security
• Review of Database Access & Data Security as per RBI guidelines or other
regulators and industry best practices.
• Review of procedures to ensure that all data are classified in terms of sensitivity
and necessary safeguards for its confidentiality, integrity and authenticity are
taken as per Information/Cyber Security Policy
• Ensure logical access controls which ensure the access to data is restricted to
authorized users
• Review to ensure that confidentiality and privacy requirements are met
• Review of authorization, authentication and access control
• Ensure that segregation of duties is in place for accessing data
• Review of protection of sensitive Information during transmission and transport.
• Ensure separation and rotation of duties are in place
• Review of controls procedures for sensitive DB passwords.
• Review to ensure that patches and new versions are updated as and when
released by Bidder/ Research and Development team. If not done then comment
upon vulnerabilities and availability of services of existing version being used.
• Review of physical access and protection.
• Ensure confidentiality requirements are met.
• Review of Database Backup Management.
• Ensure patches and new versions are updated as and when released by vendor/
Research and Development team.
2.11 Wide Area Network
• Review of Integration between BANK and NPCI/IDRBT/RBI/UIDAI/e-sign
Vendor/Card Vendor/Bill Desk/ Mastercard/ VISA/ SWIFT/Market Feeds etc.
• Bidder should check configuration of Network and security devices at
DC/DR/NLDC and other locations.
2.12 Security Operations Centre
• Review of SOC infrastructure and implementation
• Review of SOC processes, SLA Management process for SOC
• Review the configuration parameters and adequacy of staff working at SOC
• Review of reporting responsibility and periodicity of report
• Review of work authorization system between outsource service provider and
Bank's team
• Review of access control, customer data privacy & confidentiality maintained at
SOC
• Review of SOC implementation as per RBI guidelines or other regulators and
industry best practices.
2.13 Network Operations Centre
• Review of NOC infrastructure and implementation
• Review of NOC processes, SLA Management process for NOC and check for
the adherence of these SLAs
• Review the configuration parameters and adequacy of staff working at NOC
• Review of reporting responsibility and periodicity of report generated
• Review of NOC implementation as per RBI guidelines or other regulators and
industry best practices.
2.14 Access Control and Change Management
• Review of access control process for Bank's employee/SI/Vendor/Contractor to
any BANK assets including DC/DR/NLDC and other locations as per
Information Security Policy of BANK, RBI/other regulatory guidelines &
industry best practice.
• Review of Change management process for IT assets including applications, H/w,
Network & security solutions etc.
2.17. Execution of work:
2.17.1 The successful bidder shall submit a detailed plan clearly indicating the tentative
dates and estimated time for IS Audit of all the systems.
2.17.2 During the course of audit, if the bidder/ service provider observes any major
deficiencies, they shall immediately bring such observations, deficiencies, areas of
improvement and suggestions for improvement to the notice of the concerned persons.
The service provider shall also discuss with, guide/help the Bank staff in implementation
of the critical and important suggestions.
2.17.3 At the end of IS Audit, the service provider shall submit a detailed report
containing all the observations, deficiencies, areas of improvement and suggestions for
improvement, for each system separately. An executive summary should also form a part
of the Final Report.
2.17.4 Since it will take some time setting right the deficiencies, on the Bank intimating
them to do so, the service provider shall conduct a compliance audit, to confirm setting
right of the deficiencies and implementation of the suggestions. The service provider shall
submit a detailed report after compliance audit.
2.17.5 The assignment will be for conducting IS Audit for one time only. Bank, at its
option, will review and entrust the assignment either in full or in part subsequently.
3. OTHER IMPORTANT TERMS & CONDITIONS:
1. Phase-I
Objectives: Conduct of IS Audit as per scope, evaluation, discussion on the findings and submission of final reports
Timeline: 6 weeks
Deliverables: ISA Report:
1. Executive summary
2. ISA Report: Core findings along with Risk Analysis
3. ISA Report: Detailed findings / Checklists
4. ISA Report: Analysis of reports / Corrective Measures & Suggestions along with Risk Analysis.
Payment Schedule: 70% after completion of PHASE-I.

2. Phase-II
Objectives: Compliance Audit, Review & Certification
Timeline: 2 weeks
Deliverables: Compliance Report:
1. Compliance Audit report.
2. To provide the BANK an ISA compliance certificate including certificate as per RBI guidelines for Internet Banking.
Payment Schedule: 30% after completion of PHASE-II.
Note: The detail of Phase, deliverables, payment schedule is described in Annexure-A.
4. TERMS AND CONDITIONS:
a. The empanelment will be cancelled if the empanelled IS Auditor refuses to accept
purchase order or having accepted the purchase order, fails to carry out his obligations
mentioned therein.
4.1. Clarifications on the RFP
a. Queries/clarifications shall not be entertained over phone.
b. All the queries and clarifications must be sought in writing to the email id:
c. Bidders are also requested to collate queries and submit them together seeking
clarifications/responses from the Bank. It shall be ensured that all the queries and
clarifications are communicated in writing on or before pre-bid query date. Queries
received thereafter will not be entertained.
d. Bank will email the clarifications/amendment (if any) to the empanelled IS Auditors.
4.2. Two Part Bid:
The bidder shall submit his response to the present tender separately in two parts – “The
Technical Bid” and ‘Indicative Commercial bid’. Technical Bid will contain Eligibility and
product specifications whereas Commercial bid will contain the pricing information.
a. All the envelopes must be super-scribed with the following information –
Type of Bid – Conducting IS Audit of Data Centre, Critical Applications, IT Processes
etc. (Technical Bid)
Type of Bid - Conducting IS Audit of Data Centre, Critical Applications, IT Processes
etc. (Indicative Commercial Bid)
Due Date :, Name of Bidder :, Name of the Authorized Person :, Contact Number :
b. All schedules, Formats and Annexure shall be stamped and signed by an authorized
official of the bidder's company.
c. Submission of bids
The Bank expects the bidders to carefully examine all instructions, terms and conditions
mentioned in this RFP document before submitting its unconditional compliance as part
of the RFP. Failure to furnish all information required or submission of an RFP not
substantially responsive to the RFP in every respect will be at the bidder’s risk and may
result in the rejection of its response.
d. Bids duly sealed shall be submitted, in person, on or before the last Date and Time
for bid submission at the address mentioned below. Bids are also required to be submitted
electronically as mentioned in KEY INFORMATION of this document.
Punjab & Sind Bank,
Second Floor
Information Technology Department
Plot No 151, Institutional Area,
Sector 44, Gurugram, Pin 122003
Any other mode of submission, e.g. by courier, fax, e-mail etc. will not be accepted.
Bids will be opened in the presence of the bidder representatives who choose to attend the
opening of tender on the specified date, time and place of bid opening. All bidders are
advised to be present at the time of bid opening. No separate intimation will be given in
this regard.
4.3. No Erasures or Alterations:
a. The original bid (Technical Bid and Commercial Bid) shall be prepared in indelible ink.
b. Technical details must be completely filled up. All the hand-written details in the bid
must be initialed by the persons or person who sign(s) the bids.
c. All the pages of the bid must be initialed by an authorized representative with a round
stamp of the bidding firm.
4.4. Validity:
a. The bid shall remain valid for a period of 180 days from the last date of submission of
the bid.
b. At the option of the Bank, the bidder shall extend the validity of bid for such required
period (s), as the Bank may require during the evaluation process.
4.5. Technical Bid:
a. The Technical Bid shall be complete in all respects and contain all the information asked
for in this RFP document in an organized and structured manner. All the details sought
must be submitted in the prescribed pro-forma only (as per the attached formats).
Additional/ supporting documents, write-ups, etc., if any, should be furnished separately.
b. The Technical Bid shall be submitted in separate sealed envelope, super scribed as
“Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Technical
Bid)”.
c. The Technical Bid shall not contain any price information.
d. The Bank, at its discretion, may not evaluate a bid in case of non-submission or partial
submission of details sought.
e. The Technical Bid shall comprise of the following (as per the formats):
Sr. No | ANNEXURE No. | SUBJECT | PAGE No.
1 | ANNEXURE – I | PROFILE OF THE BIDDER | 36
2 | ANNEXURE – II | PROFILE OF THE PROPOSED CORE AUDIT TEAM | 37
3 | ANNEXURE – IV | BID FORM | 39
4 | ANNEXURE – VII | TECHNICAL DEVIATION | 46
5 | ANNEXURE – VIII | COMMERCIAL DEVIATION | 47
6 | ANNEXURE – IX | LETTER OF CONFIRMATION | 48
7 | ANNEXURE – X | COMPLIANCE FOR REVERSE AUCTION | 49
8 | ANNEXURE – XI | LETTER OF AUTHORITY FOR PARTICIPATING IN REVERSE AUCTION | 50
4.6. Indicative Commercial Bid:
The commercial bid evaluation will be carried out by opening sealed indicative
commercial bids. (Indicative Commercial Bids of only the technically qualified bidders
will be opened.) After that, based on the indicative commercial bids, reverse auction will be
conducted. Post reverse auction, the bidder with the lowest commercial proposal will be
designated as the L1 Bidder.
4.6.A Reverse Auction
The Bank shall conduct the reverse auction on TOTAL COST OF IS AUDIT and the
price so obtained after closure of Reverse Auction shall be taken into account for
Commercial Evaluation. Bidders have to submit final price to the Bank within 48 hours
of closure of Reverse Auction process.
In case any technically qualified bidder does not take part in reverse auction, then he
will not be considered for commercial evaluation. The procedure of reverse auction will
be notified to the shortlisted bidders separately. The Reverse Auction process will be
conducted online through Bank’s authorized e-Tendering Service Provider M/s C1
India Pvt. Ltd through website: https://psb.eproc.in.
In case of any clarification/ queries regarding Reverse Auction Process, Bidders may
reach out to: Email: [email protected] Ph: 0124-4302033/36/37.
4.6.B Business Rules for Reverse Auctions:
Applicability
Reverse auctions are carried out under the framework of rules that are called Business
Rules.
1. All bidders participating in reverse auction shall understand/accept and give an
undertaking for compliance with the same to the Bank in the prescribed format
“Annexure X: Compliance for Reverse Auction”.
2. Any bidder not willing to submit such an undertaking shall be disqualified for further
participation in the e-procurement process in question.
4.6. C. Compliance/Confirmation from Bidder
The bidders participating in reverse auction shall submit the following documents duly
signed by the same Competent Authority who signs the offer document in response to
the RFP:
Acceptance of Business Rules for Reverse Auction and undertaking as per format in
Annexure X: Compliance for Reverse Auction.
4.6. D. Training to bidders:
1. The Bank may facilitate training for participation in reverse auction either on its own
or through the service provider for the reverse auction.
2. On request where necessary, the Bank/service provider may also conduct a ‘mock
reverse auction’ to familiarize the bidders with reverse auction process.
3. Any bidder not participating in training and/or ‘mock reverse auction’ shall do so at
his own risk and it shall not be open for him to make any request / complaint / grievance
later.
4. Each bidder shall participate in the training at his / their own cost.
5. The venue, date, time etc. for training in reverse auction shall be advised at the
appropriate time.
6. No request for postponement/fixing of training date/time shall be entertained which,
in the sole view and discretion of the Bank, might result in any avoidable delay to either
the Reverse Auction or the whole process of selection of bidder.
4.6. E. Date/time of reverse auction
1. The date and time of commencement of reverse auction as also duration of ‘Reverse
Auction Time’ shall be communicated at least 4 working Days prior to such auction
date.
2. Any force majeure or other condition leading to postponement of auction shall entitle
the Bank to postponement of auction even after communication, but the Bank shall be
obliged to communicate to all participating bidders the ‘postponement’ prior to
commencement of such ‘Reverse Auction’.
4.6.F. Conduct of Reverse Auction
1. The reverse auction shall be conducted on a specific web portal meant for this
purpose.
2. The reverse auction may be conducted by the Bank itself or through a service provider
specifically identified/appointed/empanelled by the Bank.
4.6.G. Transparency in Bids
All bidders will be able to view during the auction time the current lowest price in portal.
Bidder shall be able to view not only the lowest bid but also the last bid made by him
at any point of time during the auction time.
4.6.H. Masking of Names
1. Names of bidders shall be masked in the Reverse Auction process and bidders will
be given suitable dummy names.
2. After completion of Reverse Auction, the service provider / auctioneer shall submit
a report to the Bank with all details of bid and the original names of the bidders as also
the L1 bidder with his original name.
4.6.I. Start Price
Reverse Auction process shall commence at and after electronically loading the “START-
UP PRICE” on the basis of lowest Audit Cost arrived at after evaluation of commercial
bids or lesser than the lowest Audit Cost arrived at as evaluated by the Bank.
4.6.J. Decremented Bid Value
1. The bidders shall be able to bid only at a specified decrement value or multiple thereof
and not at any other fractions. The Bid decrement value shall be decided by the
Competent Authority of the Bank.
2. For the sake of convenience of bidders, the web portal shall display the next possible
decremented value of bid. It is not, however, obligatory on the part of bidders to bid at
the next immediate lower level only. (That is, bids can be even at 2 or 3 lower levels
than the immediate lower level.)
4.6.K. Reverse Auction Process
1. The Bank shall, however, be entitled to cancel the Reverse Auction process, if in its
view procurement or Reverse Auction process cannot be conducted in a fair manner and
/ or in the interest of the Bank.
2. The successful bidder shall be obliged to provide a commercial bid (ANNEXURE-
III) as the last bid price at the close of auction.
4.6.L. Changes in Business Rules
1. Any change in Business Rules as may become emergent and based on the experience
gained may be made by the Bank.
2. Any/all changes made in Business Rules shall be uploaded on the Website of the
Bank https://www.psbindia.com/ immediately.
3. If any reverse auction process has commenced and a change is made in Business
Rules, it shall be informed immediately to each bidder participating in the Reverse
Auction and his concurrence to/ acceptance of the change shall be obtained in writing
by the Bank.
4.6.M. Don’ts applicable to the Bidders
1. No bidder or any of its representatives shall involve itself in any price manipulation
directly or indirectly with other bidders. If any such practice comes to the notice, Bank
shall disqualify the bidders concerned from the process.
2. Bidder shall not disclose details of bids or any other details concerning Reverse
Auction process of the Bank to any other third party without specific permission in
writing from the Bank.
3. Neither Bank nor service provider/ auctioneer can be held responsible for
consequential damages such as no power supply, system problem, inability to use the
system, Loss of electronic information, power interruptions, UPS failure, etc. at bidders’
place. (Bank shall, however, entertain any such issues of interruptions, problems with
open mind and fair degree of transparency in the process before deciding to stop or
extend the auction.)
4.6.N. Errors and omissions:
On any issue, not specifically dealt with in these Business Rules, the decision of the bank
shall be final and binding on all concerned.
4.6.O. The indicative Commercial Bid shall be submitted in separate sealed envelope,
super scribed as “Conducting IS Audit of Data Centre, Critical Applications, IT Processes
etc. (Indicative Commercial Bid)”.
1. The Commercial Bid should provide all relevant price information in Indian Rupees
only.
2. The responses shall be strictly as per the terms and conditions of this RFP. Bidders are
advised not to attach or specify any terms and conditions. The Bank reserves its right to
reject the bids received with any additional terms and conditions specified by the Bidder.
3. The Commercial Bid shall comprise of Annexure-III (Format for Commercial BID) &
Annexure-VIII (Commercial Deviation).
4. The prices mentioned in the commercial bid shall strictly be in conformity with the
price composition specified in Annexure-A clause 4.5 (Price Composition).
5. The Commercial Bid shall include all taxes, duties, fees, and other charges as may be
levied under the applicable law as on the date of submission of the bid. However, the
GST component of the prices shall be payable extra on actual basis.
6. The total cost must be quoted in WORDS AND FIGURES. In case of discrepancy
between the words and figures, lower of the two would be considered as the price quoted
and the same will be binding on the bidder.
7. Indicative Commercial Bid of only those bidders, who qualify in Technical Bid
evaluation, will be opened.
4.7 Evaluation Procedure:
The Evaluation will be a Two-stage process:
1. Technical Evaluation
2. Commercial Evaluation- (through Reverse Auction)
a. The evaluation of technical bids will be done by a team of officials, which may include:
i. Scrutiny of eligibility criteria to determine the eligibility of bidders;
ii. Scrutiny of the bids to verify whether the same is in accordance with the RFP terms.
b. In the process of scrutiny of the bids, Bank may seek additional inputs and
clarifications as may be needed. The request for such clarifications and the response will
necessarily be in writing.
c. Only bids found to meet the Bank's requirements in the technical evaluation
will be considered for further commercial evaluation.
d. The evaluation by the Bank will be undertaken by a Committee of internal Bank
officials and may include a Consultant. The decision of the Bank's Committee shall be
considered final.
4.8. Right to Alter Quantities
a. The Bank reserves the right to alter quantities, revise/modify all or any of the
specifications, delete some items specified in this bid, when finalizing its requirements or
declare the RFP void, without assigning any reason, before or after receiving the
responses. That is, the Bank reserves its right to add or remove the Information systems
in respect of which the IS Audit is to be conducted.
4.9. No Commitment to Accept Lowest or Any Tender
The Bank shall be under no obligation to accept the lowest or any other bid received in
response to this tender notice and shall be entitled to reject any or all tenders without
assigning any reason whatsoever.
4.10. Rotation of Audit Team
If the selected Bidder has already carried out IS Audit of our bank, the Bidder shall change
the entire team and depute a fresh team.
4.11. Price freezing and Contract Period
a. The final prices stated above shall remain frozen for a minimum period of up to two
years from the date of the purchase order.
b. The Contract would be valid for one time IS Audit exercise only.
4.12. Cancellation of the assignment:
The Bank reserves its right to cancel the assignment in the event of one or more of the
following conditions:
a. Delay in commencement of the IS Audit beyond four weeks after the assignment order
or beyond the date given by the bank in the purchase order.
b. Delay in completion of all the phases of the IS Audits beyond the time specified in the
assignment letter.
4.13. Liquidated Damages:
4.13.1 Notwithstanding the Bank's right to cancel the assignment, 0.5% of the order value
per week or part thereof would be payable to the Bank for delay in the execution of this
assignment order beyond specified schedule, subject to a maximum of 5% of the value of
the said phase.
4.13.2 Bank reserves its right to recover these amounts by any mode such as adjusting
from any payments to be made by the Bank to the bidder.
4.13.3 The Bank however may review and consider waiving imposition of liquidated
damages for delays beyond the control of the Bidder.
4.14. RFP Ownership: The RFP and all supporting documentation are the sole property of Punjab & Sind Bank
and shall not be redistributed without prior written consent of Punjab & Sind Bank.
Violation of this would be a breach of trust and may, inter-alia, cause the bidders to be
irrevocably disqualified. The aforementioned material must be returned to Punjab & Sind
Bank while submitting the bid, or upon request. However, bidders can retain one copy
for reference.
4.15. Bid Ownership: The bid and all supporting documentation submitted by the
bidders shall become the property of the Bank. The bid and documentation may be
retained, returned or destroyed as the Bank decides.
4.16. Confidentiality:
This document contains information confidential and proprietary to the Bank.
Additionally, the bidders will be exposed by virtue of the contracted activities to the
internal business information of the Bank. Disclosures of receipt of this RFP or any part
of the aforementioned information to parties not directly involved in providing the
services requested could result in the disqualification of the bidders, premature
termination of the contract, or legal action against the bidders for breach of trust.
4.17. Non Transferable Tender:
This tender document is not transferable. Only the bidder, who has been empanelled by
the Bank will be eligible for participation in the evaluation process.
4.18. Language of BID:
The bid prepared by the Bidder, all correspondence and documents relating to the
bid exchanged by the Bidder & the Bank shall be written in English.
5. RESOLUTION OF DISPUTES:
5.1 The Bank and the bidder shall make every effort to resolve amicably by direct
informal negotiation any disagreement or dispute arising out of or in connection with the
Contract.
5.2 If, after thirty (30) days from the commencement of such informal negotiations, the
Bank and the bidder have been unable to resolve amicably a Contract dispute, either party
may require that the dispute be referred for resolution to the formal mechanisms.
Such disputes or differences shall be settled in accordance with the Arbitration and
Conciliation Act, 1996. Where the value of contract is above Rs.1 crore, the arbitral
tribunal shall consist of 3 arbitrators, one each to be appointed by the Bank and the Bidder.
The third arbitrator shall be chosen by mutual discussion between the Bank and the
Bidder.
5.3 The arbitration proceedings shall be held at New Delhi, India, and the language of the
arbitration proceedings shall be English. The arbitrators shall hold their sittings at New
Delhi. The arbitration proceedings shall be conducted in English language. Subject to the
above, the courts of law at New Delhi alone shall have the jurisdiction in respect of all
matters connected with the Contract/Agreement.
5.4 The decision of majority of arbitrators shall be final and binding upon both parties.
The cost and expenses of Arbitration Proceedings will be paid as determined by arbitral
tribunal. However, expenses incurred by each party in connection with the preparation,
presentation, etc., of its proceedings as also the fees and expenses paid to the arbitrator
appointed by such party or on its behalf shall be borne by each party; and
5.5 Where the value of the contract is Rs.1 crore and below, the disputes or
differences arising shall be referred to the sole arbitrator. The sole Arbitrator shall
be appointed by agreement between the parties. If the parties do not agree upon the
selection of the Arbitrator, then the Bank will appoint any ex-staff not below the rank
of DGM as Arbitrator.
5.6 All disputes are subject to the exclusive jurisdiction of the Court at New Delhi.
5.7 To ensure transparency, equity, and competitiveness and in compliance with the
CVC guidelines, this tender shall be covered under the Integrity Pact (IP) policy of the
Bank.
Sh. Ratan Kishore Bajaj has been appointed as IEM (Independent External Monitor)
for the Bank.
IEM can be contacted at:-
Sh. Ratan Kishore Bajaj,
Email: [email protected]
Mob: 9818156262
6. CORRUPT OR FRAUDULENT PRACTICES:
6.1 As per CVC directives, it is required that Bidders/Suppliers/Contractors observe
the highest standard of ethics during the procurement and execution of such contracts.
In pursuance of this policy;
i) “Corrupt practice” means the offering, giving, receiving or soliciting of anything
of value to influence the action of a public official in the procurement process or
in contract execution; And
ii) “Fraudulent practice” means a misrepresentation of facts in order to influence a
procurement process or the execution of contract to the detriment of the Bank and
includes collusive practice among Bidders (prior to or after bid submission) designed
to establish bid prices at artificial non-competitive levels and to deprive the Bank of the
benefits of free and open competition;
6.2 The Bank will reject a bid for award if it determines that the Bidder
recommended for award has engaged in corrupt or fraudulent practices in competing
for the contract in question;
6.3 The Bank will declare a firm ineligible, either indefinitely or for a stated period
of time, to be awarded a contract if at any time it determines that the firm has
engaged in corrupt or fraudulent practices in competing for, or in executing a contract.
7. INDEMNITY:
7.1 The bidder (Contractor) will indemnify the Bank against all actions,
proceedings, claims, suits, damages and any other expenses for causes attributable
to the bidder.
7.2 The total liability of the selected bidder under the contract will not exceed the total
cost of the project.
8. BIDDER’S OBLIGATIONS:
8.1 The bidder is obliged to work closely with the Bank's staff, act within its own
authority and abide by directives issued by the Bank during the IS AUDIT
activities.
8.2 The bidder is responsible for managing the activities of its personnel and will hold
itself responsible for any misdemeanors.
8.3 The bidder is under obligation to provide IS AUDIT services as per the contract
to various Offices of the Bank.
8.4 The bidder will treat as confidential all data and information about the Bank, obtained
in the execution of his responsibilities, in strict confidence and will not reveal such
information to any other party without the prior written approval of the Bank.
9. INTELLECTUAL PROPERTY RIGHTS:
9.1. The Bidders shall indemnify the Bank against all third party claims of
infringement of copyright, patent, trademark, industrial design or any other intellectual
property rights arising from use of the Software package or any part thereof in India
and abroad.
9.2. In the event of any claim asserted by the third party of infringement of copyright,
patent, trademark or industrial design rights arising from the use of the solution or any
part thereof in India and abroad, the Bidder shall act expeditiously to extinguish
such claims. If the Bidder fails to comply and the Bank is required to pay compensation
to a third party resulting from such infringement, the Bidder shall be responsible for the
compensation including all expenses, court costs and lawyer fees. The Bank will give
notice to the Bidder of such claims, if it is made, without delay.
9.3 Performance Bank Guarantee
The successful bidder has to submit the Performance Bank Guarantee for
Rs.1,00,000.00 (Rupees One Lakh only) for the due performance of the contract, valid
for 15 months.
In case Auditor fails to perform the contract or fails to pay the due penalty, if any, as
demanded by bank, Bank shall invoke the Bank Performance Guarantee to recover
penalty/damages.
10. SIGNING OF CONTRACT:
10.1 At the time when the Bank notifies the Bidder that its bid has been accepted,
the Bank will send the Bidder the Contract Form (Annexure-VI) provided in the
RFP, incorporating all agreements between the parties.
10.2 Within 10 (Ten) days of receiving the Contract Form, the successful bidder shall
sign the contract and return it to the Bank along with the required Performance
Bank Guarantee.
10.3 Bank reserves the right to select the next ranked bidder if the selected bidder
withdraws his bid after selection or at the time of finalization of the contract or
is disqualified on detection of wrong or misleading information in the bid.
10.4 In case the bidder fails to comply with the terms & conditions mentioned in
RFP and/ or in case the bidder withdraws his bid after selection, the empanelment as
IS Auditor will be cancelled and such bidder’s name will be included in the list of
ineligible persons / firms for not considering for any future assignment.
10.5 Contract Amendment: No variation in or modification of the terms of the
Contract shall be made except by written amendment signed by the parties.
10.6 The bidder shall not assign, in whole or in part, its obligations to perform
under the Contract, except with the Bank's prior written consent.
11. PUBLICITY:
Any publicity by the bidder in which the name of the Bank is to be used shall be done
only with the explicit written permission of the Bank.
Disclaimer
Subject to any law to the contrary, and to the maximum extent permitted by law, Punjab
& Sind Bank and its officers, employees, contractors, agents, and advisers disclaim all
liability from any loss or damage (whether foreseeable or not) suffered by any person
acting on or refraining from acting because of any information including forecasts,
statements, estimates, or projections contained in this RFP document or conduct ancillary
to it whether or not the loss or damage arises in connection with any negligence, omission,
default, lack of care or misrepresentation on the part of Punjab & Sind Bank or any of its
officers, employees, contractors, agents, or advisers.
Annexure A
OTHER IMPORTANT TERMS & CONDITIONS
The bidder has to undertake IS audit in a phased manner as described below:-
PHASE I – CONDUCT OF IS AUDIT AS PER SCOPE, EVALUATION, DISCUSSION
ON THE FINDINGS AND SUBMISSION OF FINAL REPORTS
PHASE II – COMPLIANCE AUDIT, REVIEW & CERTIFICATION
The activities covered under each Phase are appended below:
1. PHASE I
1.1 Conduct of Information Systems Audit as per the SCOPE OF WORK as defined in
Clause 2.
1.2 The Bank will call upon the bidder, on placement of the order, to carry out
demonstration and/or walkthrough, and/or presentation and demonstration of all or
specific aspects of the IS AUDIT at the Bank's desired location or, for a
walkthrough, at a mutually agreed location. All the expenses for the above will be borne
by the concerned bidder.
1.3 Audit schedule to be provided 7 working days prior to the start of audit along with the
name of the auditors who will be conducting the audit. Resumes of the auditors as assigned
above for the project to be provided to the Bank beforehand and they should be deputed to
the assignment only after Bank's consent.
1.4 Commencement of IS Audit of IT Setups / branches as per the scope of Work.
1.5 Execute Vulnerability Assessment/Penetration testing of the entire network including
Internet Banking, Mobile Banking, Tele Banking and Corporate Website as per the scope
of work and Annexure C & D on the written permission of the Bank and in the presence
of Bank's Officials, Analysis of the findings and Guidance for Resolution of the same.
1.6 Detailing the Security Gaps
1.7 Document the security gaps i.e. vulnerability, security flaws, loopholes, etc. observed
during the course of the review of the CBS & other IT infrastructure of the Bank as per the
scope of Audit.
1.8 Document recommendations for addressing these security gaps and categorize
the identified security gaps based on their criticality, resource/effort requirement to
address them.
1.9 Chart a roadmap for the Bank to ensure compliance and address these Security gaps.
1.10 Addressing the Security Gaps
1.11 Help in fixing/addressing the security flaws, gaps, loopholes, shortfalls,
vulnerabilities in deployment of applications / systems which can be fixed immediately.
If recommendations for Risk Mitigation / Removal could not be implemented as suggested,
alternate solutions to be provided.
1.12 Recommend fixes for systems vulnerabilities in design or otherwise for application
systems and network infrastructure.
1.13 Suggest changes/modifications in the Security Policies and Security Architecture
including Network and Applications of PUNJAB & SIND BANK to address the same.
1.14 Final Reports of ISA Findings: Bidder has to discuss the preliminary report
findings / observations / recommendations / suggestions with the Bank and subject to the
acceptance of the preliminary report by the bank, the bidder has to submit the Final
report.
1.15 The final reports of the ISA findings will be submitted in parts as detailed under
Deliverables Section:
ISA Report: Executive Summary
ISA Report: Core Findings along with Risk Analysis
ISA Report: Detailed Findings / Checklists
ISA Report: Analysis of Reports / Corrective Measures & Suggestions along with Risk
Analysis
1.16 Acceptance of the Final Report.
2. PHASE II.
2.1 Compliance Review
An exercise to review the compliance with the findings and recommendations of ISA has
to be undertaken by the bidder. This exercise would be undertaken preferably within 30
days from the date of completion of Phase I. However, the final date for the start
of Compliance Audit will be intimated by the bank suitably. This exercise would
encompass evaluation of the general/overall level of compliance undertaken by the Bank
against the shortcomings reported in the ISA Reports.
2.2 Certification for compliance with the findings of the ISA & Final Sign Off: On
completion of the compliance review and before final sign off, the bidder has to provide
the BANK an ISA compliance certificate including certificate as per RBI guidelines
for Internet Banking.
2.3 Documentation Format: All documents will be handed over in three copies, signed,
legible, neatly and robustly bound on A-4 size, good-quality paper. Soft copies of all the
documents, properly encrypted in MS Word / MS Excel / PDF format, are also to be submitted
in CDs/DVDs along with the hard copies. All documents will be in plain English.
3. DELIVERY SCHEDULE:
3.1 The delivery of the Reports of Phase I should be effected within 8 weeks of
placement of purchase order.
4. TERMS OF PAYMENT:
4.1 The Bidder's request(s) for payment shall be made to the Bank in writing,
accompanied by an invoice describing, as appropriate, the services performed, and by
documents submitted, and upon fulfillment of other obligations stipulated in the Contract.
4.2 Payments shall be made promptly by the Bank on submission of an invoice/claim
supported by all required documents by the Bidder.
4.3 Payment will be made to the Bidder in Indian Rupees only.
4.4 Payment Schedule: -
Payment will be made on completion of following milestones:
70% after completion of PHASE-I
30% after completion of PHASE-II
** TDS would be deducted at source for any payment made by the BANK as per the
prevailing Rules of Government of India.
4.5 Price Composition: The price quoted should be inclusive of following:
a) Professional Charges
b) Travel and Halting expenses, including local conveyance
c) Out of pocket expenses
d) Excluding GST
4.6 Work Contract tax or any other tax, if any, applicable shall be borne by the Bidder.
4.7 The commercial bid shall be on a fixed price basis and in Indian Rupees. No price
variation should be asked for relating to increases in customs duty, any taxes, foreign
currency price variation etc.
4.8 All costs and expenses incurred by bidder in any way associated with the development,
preparation, and submission of responses, including the attendance at meetings,
discussions, demonstrations, reference site visits etc. and providing any additional
information required by Punjab & Sind Bank, will be borne entirely and exclusively by the
bidder.
5. TAXES & DUTIES:
5.1 The bidder will be entirely responsible to pay all taxes including corporate tax,
income tax, license fees, duties etc. except GST in connection with delivery of the services
at site.
5.2 Wherever the laws and regulations require deduction of such taxes at the source of
payment, the Bank shall effect such deductions from the payment due to the bidder. The
remittance of amount so deducted and issue of certificate for such deductions shall
be made by the Bank as per the laws and regulations in force.
5.3 GST if any, which will be applicable, will be paid by the Bank on actual basis on
production of proof.
5.4 Nothing in the contract shall relieve the bidder from his responsibility to pay any
tax that may be levied in India on income and profits made by the bidder in respect
of this contract.
5.5 Payment of Other Expenses:
a. The selected bidder will have to visit various offices of the Bank, at various locations
like Mumbai, Chennai, Delhi, Noida etc. during the course of IS Audit. The Bank will not
pay any expenses towards travelling, lodging and boarding of the members of IS Audit
team of the selected bidder. They will have to make their own travel and stay arrangements.
b. The bidder may perform a site inspection at its own cost to verify the appropriateness of
the sites/facilities before start of the Audit.
6. PROJECT SCHEDULE:
The selected bidder has to depute its officials at Information Systems Audit Cell, HO
Inspection Department, Gurugram within 10 days from the date of signing of the
contract, for holding a formal meeting. During the said meeting, the bidder has to
give a brief technical overview / presentation regarding the technical methodology being
adopted by them to conduct the said audit.
The bidder has to maintain the schedule time frame as mentioned below:-
The timeframe for completion for Phase I of the project would be maximum 6 weeks.
The time frame for completion for Phase II would be maximum 2 weeks.
An exercise to review the compliance with the findings and recommendations of IS Audit
has to be undertaken by the bidder (Phase-II). This exercise would be undertaken
preferably within 180 days from the date of completion of Phase I. However, the final date
for the start of compliance Audit will be informed by the Bank in due course of time.
The Final ISA certificate is to be issued within a week of Audit Compliance Review.
7. DELIVERABLES:-
The major deliverables in this project are noted below:-
7.1 Information Systems Audit as per the Scope of Work.
7.2 Vulnerability Assessment/Penetration testing of the entire network including Internet
Banking as per the scope of work and Annexure C & D, Analysis of the findings and
Guidance for Resolution of the same.
7.3 ISA Report (Type - Documentation)
7.3.1 Audit Report:-
Broadly the Audit Report shall contain and keep the undernoted points in view:-
-Gaps, Deficiencies, Vulnerabilities observed in audit. Specific observations will be given
indicating name and important address of equipment.
-Risk associated with Gaps, deficiencies, vulnerabilities observed.
-Analysis of vulnerabilities and issues of concern.
-Recommendations for corrective action.
-Category of Risk. (High/Medium/ Low)
-Summary of audit findings including identification tests, tools used and results of test
performed during IS Audit. Report on audit covering compliance status of the IS Audit. All
observations will be thoroughly discussed with process owners before finalization of
report. Audit report should be submitted in the following order:
-Location, Domain/Module, Hardware, Operating Systems.
-Detailed report of network audit including VAPT with recommendations and suggestions.
-Detailed report of VAPT.
-Audit report shall incorporate a certificate that the report covers every area specified in
the scope of the BID.
The IS Audit Reports have to be submitted at the end of Phase I and the sets of reports
would comprise of the following sub reports:-
7.3.2 ISA Report: - Executive Summary:-
-An executive summary should form a part of the FINAL REPORT.
7.3.3 ISA Report: Core Findings along with Risk Analysis:
-The bidder will submit a report bringing out the core findings of the IS Audit exercise
in the existing practices along with Risk Analysis of individual items, with reference
to the best practices & standards.
7.3.4 ISA Report: Detailed Findings/Checklists:
-The detailed findings of the ISA would be brought out in this report, which will cover in
detail all aspects, viz. identification of flaws / gaps / vulnerabilities in the systems
(specific to equipment/resources, indicating name and IP address of the equipment with
Office and Department name), identification of threat sources, identification of risk,
identification of inherent weaknesses, Servers/Resources affected with IP addresses, etc.
The report should classify the observations into Critical / Non-Critical category and assess
the category of Risk Implication as HIGH/MEDIUM/LOW RISK based on the impact.
The various checklist formats, designed and used for conducting the IS Audit as per
the scope, should also be included in the report separately for Servers (different
for different OS), RDBMS, network equipment, security equipment etc., so that
they provide a minimum domain-wise baseline security standard/practice to achieve
a reasonably secure IT environment for technologies deployed by Punjab & Sind
Bank. The reports should be substantiated with the help of snapshots / evidence
/ documents etc. from where the observations were made.
7.3.5 ISA Report: In-Depth Analysis of Findings / Corrective Measures & Suggestions
along with Risk Analysis: The findings of the entire IS Audit Process should be
critically analyzed and controls should be suggested as corrective /preventive
measures for strengthening / safeguarding the IT assets of the Bank against existing
and future threats in the short /long term. Report should contain
suggestions/recommendations for improvement in the systems wherever required. If
recommendations for Risk Mitigation / Removal could not be implemented as suggested,
alternate solutions to be provided. Also, if the formal procedures are not in place for any
activity, evaluate the process & the associated risks and give recommendations for
improvement as per the best practices.
7.3.6 Provide Certification for the ISA (Type - Documentation & Service): At the end of the IS
Audit process, the bidder has to provide the Bank certification for IS Audit, including a
certificate as per RBI guidelines for Internet Banking.
7.3.7 Documentation Format: All documents will be handed over in three copies, signed,
legible, neatly and robustly bound on A-4 size, good-quality paper. Soft copies of all the
documents, properly encrypted in MS Word / MS Excel / PDF format, are also to be submitted
in CDs/DVDs along with the hard copies. All documents will be in plain English.
7.3.8 LIST OF COUNT OF SERVERS/DEVICES IN DIFFERENT AUDITEE
LOCATIONS (It may vary in actual scenario) is enclosed as Annexure ‘D’.
Note:- The list may vary in actual scenario. Any new addition / upgradation in hardware,
software, new deliverables, or change in architecture during the contract period at the Data
Centre, DRS etc. will also be covered in the audit. Exact details of the devices
/ equipment at the various auditee locations will be provided to the final shortlisted
bidder at the time of placing of order.
ANNEXURE B: SCHEDULE OF REQUIREMENTS
INDEX
Sr. No. | ANNEXURE No. | SUBJECT
1 | ANNEXURE – I | PROFILE OF THE BIDDER
2 | ANNEXURE – II | PROFILE OF THE PROPOSED CORE AUDIT TEAM
3 | ANNEXURE – III | FORMAT FOR COMMERCIAL BID
4 | ANNEXURE – IV | BID FORM
5 | ANNEXURE – V | PERFORMANCE SECURITY FORM
6 | ANNEXURE – VI | CONTRACT FORM
7 | ANNEXURE – VII | TECHNICAL DEVIATION
8 | ANNEXURE – VIII | COMMERCIAL DEVIATION
9 | ANNEXURE – IX | LETTER OF CONFIRMATION
10 | ANNEXURE – X | COMPLIANCE FOR REVERSE AUCTION
11 | ANNEXURE – XI | LETTER OF AUTHORITY FOR PARTICIPATING IN REVERSE AUCTION
ANNEXURE –I (TECHNICAL BID):- PROFILE OF THE BIDDER
RFP REF No:- PSB/HOIT/RFP/145/2020 Dt. 26.02.2020
DESCRIPTION DETAILS
Registered address of the Bidder
Address:
Address for Correspondence of the Bidder
STD- Phone:
e-mail Id:
FAX No:
Contact name of the official who can
commit on the contractual terms and
the name of an alternate official who
may be contacted in the absence of the
former
Primary Contact:
Name:
Designation:
STD- Phone No:
Mobile Phone :
e-mail ID :
Name :
Designation:
STD- Phone No:
Mobile Phone :
e-mail ID :
Contact addresses if different from
above
Official Website Web Site URL :
Authorized Signatory with Seal
Date:
Place:
Annexure II :- (Technical Bid) PROFILE OF THE PROPOSED CORE AUDIT
TEAM TO BE ASSIGNED FOR THE PROJECT
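S.N. | NAME | DESIG. | PART TIME/FULL TIME | ROLE IN IS AUDIT (TASK/MODULE) | PROFESSIONAL QUALIFICATION | YEARS OF IS AUDIT EXP.
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
7 | | | | | |
8 | | | | | |
9 | | | | | |
10 | | | | | |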
Authorized Signatory with Seal
Date:
Place:
Annexure III:- (Indicative Commercial bid)
FORMAT FOR INDICATIVE COMMERCIAL BID
PARTICULARS | AMOUNT (IN RS) INCLUDING ALL TAXES OTHER THAN GST
Cost of IS Audit as per the scope of work defined in the RFP (Inclusive of all fees & expenses) |
TOTAL COST OF IS AUDIT |
(Total Amount in Words: - Rupees )
Authorized Signatory with Seal
Date:
Place:
Note:-
➢ The Commercial Bid should contain the Total Cost of Audit, on a fixed cost
Basis. Punjab & Sind will neither provide nor reimburse any expenditure towards any
type of Accommodation, Travel Ticket, Airfares, Train fares, Halting expenses, Transport,
Lodging , Boarding etc.
➢ The prices quoted above should be inclusive of all taxes & Duties as applicable
except GST. The commercial bid will be evaluated based on TOTAL COST OF IS AUDIT
i.e. Amount including all taxes but excluding GST.
➢ GST shall be payable extra on actual basis.
➢ Providing Indicative Commercial bid other than this format may lead to rejection of the
bid.
Annexure IV :- (Technical Bid)
BID FORM
To Date:
PUNJAB & SIND BANK,
H.O. IT Department,
2nd floor, Bank House,
21, Rajendra Place,
New Delhi – 110008
Having examined the RFP including all Annexures, the receipt of which is hereby
duly acknowledged, we the undersigned, offer to provide IS Audit services in
conformity with the said RFP in accordance with the Price Composition indicated in
the Commercial Bid and made part of the Bid.
We undertake, if our bid is accepted, to deliver the services in accordance with the delivery
schedule specified in Annexure A.
We agree to abide by this bid for the period of 180 days from the last date of submission of
the bid and it shall remain binding upon us and may be extended at any time before the
expiration of that period.
We undertake that, in competing for (and, if the award is made to us, in executing)
the above contract, we will strictly observe the laws against fraud and corruption in
force in India namely “Prevention of Corruption Act 1988”.
We understand that the Bank is not bound to accept the lowest or any bid the Bank
may receive.
Dated this ________________ day of _____________ 20 .
(Signature) (In the Capacity of)
Duly authorized to sign bid for and on behalf of
(Name & Address of Bidder) ________________________________
Business_________________________ Address________________
Annexure V: - PERFORMANCE BANK GUARANTEE
(Issued by a nationalized /scheduled commercial Bank)
(ON A NON-JUDICIAL STAMP PAPER OF RS. 100.00)
Tender Reference No: ______________________Date _________________
TO:
PUNJAB & SIND BANK,
H.O. IT Department,
2nd floor, Plot No. 151,
Sector 44,
Gurugram – 122003
Bank Guarantee No.
Bank Guarantee Amount
Expiry Date
Claim Period
Dear Sir,
GUARANTEE FOR PERFORMANCE OF CONTRACT/AGREEMENT
THIS GUARANTEE AGREEMENT executed at ________ day of_____________
Two Thousand ___________
BY: ______________________ Bank, a body corporate constituted under
_______________, having its Registered Office/ Head Office at ______________, and
a Branch Office at_____________________________________________________
(Hereinafter referred to as “the Guarantor”, which expression shall, unless it be
repugnant to the subject, meaning or context thereof, be deemed to mean and include
its successors and assigns)
IN FAVOUR OF:
Punjab & Sind Bank, a body corporate, established under the Banking Companies
(Acquisition and Transfer of Undertakings) Act 1980 and having its Registered Office
at 21, Rajendra Place, New Delhi 110008 (hereinafter referred to as “Bank” which
expression shall unless it be repugnant to the subject, meaning or context thereof, be
deemed to mean and include its successors and assigns),
WHEREAS Bank had called for the bids for Information System Audit of Data Centre,
Critical Applications, IT Processes etc. of the Bank and for the purposes
M/s……………………… have been appointed as the Vendor (hereinafter referred to
as "Vendor") and accordingly has entered into Contract / Agreement on ………..
(Agreement) with Bank subject to the terms and conditions contained in the said
documents and the Vendor has duly confirmed the same.
AND WHEREAS pursuant to the Bid Documents, the Agreement, and the other related
documents (hereinafter collectively referred to as “the said documents”), the Bank has
agreed to avail the service from M/s……………………., which has agreed to provide to the
Bank the Services of Information System Audit of Data Centre, Critical Applications, IT
Processes etc. of the Bank, more particularly described in the Schedule/Annexure to the
said documents, subject to payment of the contract price as stated in the said documents
and also subject to the terms, conditions, covenants, provisions and stipulations
contained in the said documents.
AND WHEREAS the Vendor has duly signed the said documents.
AND WHEREAS in terms of the said documents, inter alia, the Vendor is required to
procure an unconditional and irrevocable performance Bank guarantee, in favour of the
Bank, from a Bank acceptable to the Bank for a sum of Rs…………………
(Rupees…………………………………………………….. Only) for the faithful
observance and performance by the Vendor of the terms, conditions, covenants,
stipulations, provisions of the Agreement /the said documents.
AND WHEREAS at the request of the Vendor, the Guarantor has agreed to issue the
Guarantee in favour of the Bank for a sum of Rs. …………
(Rupees………………………………………………..Only).
AND WHEREAS at the request of the Vendor, the Guarantor has agreed to guarantee
the Bank that the Vendor shall faithfully observe and perform the terms of the
said documents.
NOW THEREFORE THIS AGREEMENT WITNESSETH AS FOLLOWS:
In consideration of the above premises, the Guarantor hereby unconditionally,
absolutely and irrevocably guarantees to the Bank as follows:
(1) The Guarantor hereby agrees and guarantees that the Vendor shall faithfully observe
and perform all the terms and conditions stipulated in the Contract/Agreement and
the said documents.
(2) The Guarantor hereby guarantees and undertakes to pay, on demand and without
demur, reservation, contest, recourse or protest or without any reference to the Vendor,
to the Bank at its office at New Delhi forthwith, and all monies payable by the Vendor
to the extent of Rs.………………………………………. against any loss, costs,
damages, etc. suffered by the Bank on account of default of the Vendor in the faithful
observance and performance of the terms, conditions, covenants, stipulations,
provisions of the Agreement / said documents, without any demur, reservation, contest,
recourse or protest or without any reference to the Vendor. Any such demand or claim
made by the Bank, on the Guarantor shall be final, conclusive and binding
notwithstanding any difference or any dispute between the Bank and the Vendor or any
dispute between the Bank and the Vendor pending before any Court, Tribunal,
Arbitrator, or any other authority.
(3) The Guarantor agrees and undertakes not to revoke this Guarantee during the
currency of these presents, without the previous written consent of the Bank and further
agrees that the Guarantee herein contained shall continue to be enforceable until and
unless it is discharged earlier by the Bank, in writing.
(4) The Bank shall be the sole judge to decide whether the Vendor has failed to perform
the terms of the Agreement / said documents for providing the Services by the Vendor
to the Bank, and on account of the said failure what amount has become payable by the
Vendor to the Bank under this Guarantee. The decision of the Bank in this behalf shall
be final, conclusive and binding on the Guarantor and the Guarantor shall not be entitled
to demand the Bank to establish its claim under this Guarantee but shall pay the sums
demanded without any objection, whatsoever.
(5) To give effect to this guarantee, the Guarantor will be deemed to be the Principal
Debtor to the Bank.
(6) The liability of the Guarantor, under this Guarantee shall not be affected by:
(a) any change in the constitution or winding up of the Vendor or any absorption, merger
or
(b) amalgamation of the Vendor with any other company, corporation or concern; or
(c) any change in the management of the Vendor or takeover of the management of the
Vendor by the Government or by any other authority; or
(d) acquisition or rationalization of the Vendor and/or of any of its undertaking(s)
pursuant to any law; or
(e) any change in the constitution of Bank / Vendor; or
(f) any change in the setup of the Guarantor which may be by way of change in the
constitution,
(g) winding up, voluntary or otherwise, absorption, merger or amalgamation or
otherwise; or the absence or deficiency of powers on the part of the Guarantor to give
Guarantees and/or Indemnities or any irregularity in the exercise of such powers.
(7) This guarantee will remain in force up to 15 months from the date of signing of the
contract.
(8) Notwithstanding anything contained in this Guarantee, the Guarantor hereby agrees
and undertakes to extend the validity period of this guarantee for a further period as
may be requested by the Bank, from time to time.
(9) This guarantee shall be binding upon us and successors -in -interest and shall be
irrevocable.
(10) For all purposes connected with this Guarantee and in respect of all disputes and
differences under or in respect of these presents or arising there from the courts of New
Delhi where the Bank has its Head Office shall alone have jurisdiction to the exclusion
of all other courts.
(11) Notwithstanding anything contained herein above:
I. Our liability under this Bank Guarantee shall not exceed Rs ……………. (Rupees
……………………….. only)
II. This Bank Guarantee shall be valid up to…………….
III. We are liable to pay the guaranteed amount or any part thereof under this Bank
Guarantee only and only if you serve on us a written claim or demand on or before
………………… (mention validity period + claim period)
IN WITNESS WHEREOF the Guarantor has caused these presents to be executed on
the day, month and year first herein above written as hereinafter appearing.
SIGNED SEALED AND
DELIVERED BY the within
named Guarantor (Vendor Bank),
______________________,
by the hand of Shri. __________, its authorised official.
Annexure VI: - CONTRACT FORM (SAMPLE)
(Non-Judicial Stamp Paper of appropriate value)
RFP REF. NO.
CONTRACT NUMBER:
THIS AGREEMENT made the _________ day of ______, 20___ Between PUNJAB
& SIND BANK (hereinafter “the Purchaser”) of one part and __________ (Name of
Selected Bidder) of ____________ (City and Country of Bidder) (hereinafter “the Bidder”)
of the other part:
WHEREAS the Purchaser is desirous that certain services should be provided by the
Bidder, viz. ________________ ________________ (Brief description of Services) and
has accepted a bid by the Bidder for Information System Audit of Data Centre, Critical
Applications, IT Processes etc. of the Bank.
NOW THIS AGREEMENT WITNESSETH AS FOLLOWS:
1. In this Agreement words and expressions shall have the same meanings as are
respectively assigned to them in the Conditions of Contract referred to.
2. The following documents shall be deemed to form and be read and construed as part
of this Agreement, viz. :
(a) RFP No. PSB/HOIT/RFP/145/2020 dated 26.02.2020 and all its
addendums/modifications.
(b) The Bid form and price schedule submitted by the bidder and subsequent amendments
made into it as accepted by the bank.
(c) the Scope of works, deliverables
(d) all terms & conditions as per RFP and Annexures.
3. In consideration of the payments to be made by the Purchaser to the Bidder in terms of
Purchase Order for IS AUDIT services placed by Head Office of the Purchaser, the
bidder hereby covenants with the Purchaser to provide the services therein in conformity
in all respects with the provisions of the contract.
4. The Purchaser hereby covenants to pay the bidder in consideration of the provision
of services , the Purchase order Price or such other sum as may become payable under the
provisions of the Contract at the times and in the manner prescribed by the Contract.
IN WITNESS whereof the parties hereto have caused this Agreement to be executed
in accordance with their respective laws the day and year first above written.
Signed, sealed and Delivered by the Said ________________________ (For the Bidder) in
presence of _______________________
Signed, sealed and Delivered by the Said ________________________ (For the Purchaser)
in presence of ______________________
Annexure VII :- (Technical Bid)
TECHNICAL DEVIATION STATEMENT
The following are the particulars of deviations from the requirements of the tender/ bid:-
CLAUSE | DEVIATION | REMARKS (Including justification) | Whether it has any commercial implications (Reply in yes*/no)
The eligibility criterion & offered IS AUDIT services furnished in the bidding document
shall prevail over those of any other documents forming a part of our bid except only to the
extent of deviations furnished in this statement.
Dated ________________ Signature and seal of the Bidder
Note: Where there is no deviation, the statement should be returned duly signed with
an endorsement indicating “No Deviations”.
* If reply is yes, it must be specified in Annexure- XVI (Commercial Deviation
Statement Form), else the commercial implication will be treated as NIL.
Annexure VIII :- (Commercial Bid)
COMMERCIAL DEVIATION STATEMENT FORM
The following are the particulars of deviations from the requirements of the tender/ bid:
CLAUSE | DEVIATION | REMARKS (Including justification)
The cost of offered IS AUDIT services furnished in the bidding document (Annexure- III)
shall prevail over those of any other document forming a part of our bid except only to the
extent of deviations furnished in this statement.
Dated ________________ Signature and seal of the Bidder
NOTE: Where there is no deviation, the statement should be returned duly signed with
an endorsement indicating “No Deviations”.
Annexure IX (Technical Bid)
LETTER OF CONFIRMATION
The Asstt. General Manager,
PUNJAB & SIND BANK,
H.O. IT Department,
2nd floor, plot No. 151,
Sector 44,
Gurugram – 122003
Dear Sir,
We confirm that we will abide by the conditions mentioned in the Tender Document
(RFP and annexure) in full and without any deviation subject to Annexure- VII
& VIII. We shall observe confidentiality of all the information passed on to us in course
of the IS Audit process and shall not use the information for any other purpose than the
current tender.
We confirm that we have not been blacklisted by any Govt. Department /PSU / PSE or
Banks or otherwise not involved in any such incident with any concern whatsoever,
where the job undertaken / performed and conduct has been questioned by any
authority, which may lead to legal action.
We also confirm that we are not a bidder /consultant to the bank involved in
either supply/installation of Hardware/Software, implementation of Security/Network
Infrastructure of the Bank or providing services excluding IS Audit services, in
the past three years directly or indirectly through a consortium.
Place:
Date:
(Authorized Signatory)
SEAL
Annexure X
Compliance for Reverse Auction
RFP No: PSB/HOIT/RFP/xxx/2019-20 Date:
Punjab & Sind Bank,
2nd floor, Information Technology Department,
Plot No. 151, Sector 44,
Gurugram – PIN 122003
Dear Sir,
We ______________________ (name of the company) hereby confirm having submitted
our bid for participating in Bank’s RFP dated _________ for procurement of
____________.
1 We also confirm having read the terms of RFP as well as the Business Rules relating to
the Reverse Auction for this RFP process.
2 We hereby undertake and agree to abide by all the terms and conditions stipulated by
Punjab & Sind Bank in the RFP document including all annexures and the Business Rules
for Reverse Auction.
3 We shall participate in the on-line auction conducted by ……………….. (Auctioneer
Company) and submit our commercial bid. We shall also abide by the procedures
prescribed for online auction by the auctioneer company.
4 We, hereby confirm that we will honour the Bids placed by us during the auction
process, failing which we shall forfeit the Earnest Money Deposit. We also understand
that the bank may debar us from participating in future tenders.
5 We confirm having nominated Mr. ________________, designated as ______________
of our company to participate in the Reverse Auction on behalf of the company. We
undertake that the company shall be bound by the bids made by him in Reverse Auction.
6 We accordingly authorize Bank and/ or the reverse auction company to issue user ID
and password to the above named official of the company.
7 Both Bank and the auction company shall contact the above named official for any and
all matters relating to the Reverse Auction.
8 We, hereby confirm that we will honour the Bids placed by Mr. __________ on behalf
of the company in the auction process, failing which we will forfeit the EMD. We agree
and understand that the bank may debar us from participating in future tenders for any
such failure on our part.
9 We undertake to submit the confirmation of last bid price by us to the auction
company/Bank within 48 working hours of the completion of event. We also undertake to
submit the Bill of Materials for the TCO (Total Cost of Ownership) in terms of RFP.
Name of Authorized Representative: _______________________
Signature of Authorized Representative: ____________________
Verified above signature
Date: Seal and signature of the bidder
ANNEXURE – XI
Letter of Authority for Participating in Reverse Auction
Punjab & Sind Bank
Second Floor
IT Department
Plot Number 151, Sector 44,
Gurugram, 122003
Dear Sir,
We _____________________ (name of the Company) have submitted our bid for
participating in Bank’s RFP dated _________________ for procurement of
_______________.
We also confirm having read and understood the terms of the RFP as well as the business
rules relating to the Reverse Auction for this RFP process.
As per the terms of RFP and Business Rules, we nominate Mr. __________________,
designated as ______________________ of our company to participate in the Reverse
Auction.
We accordingly authorize Bank and/ or the Auction Company to issue user ID and
password to the above named official of the company.
Both Bank and the auction company shall contact the above named official for any and
all matters relating to the Reverse Auction.
We, hereby confirm that we will honor the Bids placed by Mr. __________________ on
behalf of the company in the auction process, failing which Bank shall have the right to
forfeit the EMD. We agree and understand that the Bank may debar us from participating
in future tenders for any such failure on our part.
(Signature)
(Name of Authorized Signatory)
(Designation)
(Date)
Place:
(Name and address of the bidder)
(Company Seal)
ANNEXURE “C”
A. Systems/ Applications and its Locations (tentative)
1.1 Information Systems Audit should cover entire Information Systems
Infrastructure which includes Servers & other hardware items, Operating Systems,
Databases, Application Systems, Technologies, Networks, Facilities, Process & People
of the under noted locations :
Sr. No. | Particulars | DC | DR | NLDC
1. | CBS Servers, Interfaces, Network & Other Devices, Finacle Application | Navi Mumbai | Greater Noida | Navi Mumbai
2. | ATM Switch & Back Office, ATM Card (Debit & Prepaid Cards) | Chennai | Mumbai | N.A.
3. | Financial Inclusion, Centralized FI gateway Application solution | Navi Mumbai | Greater Noida | N.A.
4. | E-KYC (Biometrics) | Navi Mumbai | Greater Noida | N.A.
5. | Internet Banking Application | Navi Mumbai | Greater Noida | Navi Mumbai
6. | Mobile Banking Application | Navi Mumbai | Greater Noida | Navi Mumbai
7. | Mail Messaging Solution | Navi Mumbai | Greater Noida | Navi Mumbai
8. | Intranet of the bank | Navi Mumbai | Greater Noida | Navi Mumbai
9. | SMS Alert System | Mumbai | Pune |
10. | RTGS/NEFT etc. | HO.IT Deptt. Rajendra Place | Greater Noida |
11. | Cheque Truncation System (CTS) - Northern Grid | Ranjit Nagar, New Delhi | Greater Noida |
12. | Cheque Truncation System (CTS) - Southern Grid | RCC, Chennai (Opex Model) | |
13. | Cheque Truncation System (CTS) - Western Grid | RCC, Mumbai (Opex Model) | |
14. | Treasury Solution | Navi Mumbai | Greater Noida | N.A.
15. | UPI | Mumbai | New Delhi | N.A.
16. | BBPS | Mumbai | Chennai | --
17. | POS, Cash@POS | Mumbai | Bangalore | --
18. | Bharat QR Code | Mumbai | Bangalore | --
19. | Aadhar Enable Payment System (AEPS) | Navi Mumbai | Greater Noida |
20. | Merchant Aadhar Payment System | Hyderabad | Navi Mumbai |
21. | Accumen Pro Connect (Liquidity Management System) | HO.IT Deptt. Rajendra Place | Greater Noida |
22. | Call Centre | Noida | Noida |
23. | GST | Navi Mumbai | Greater Noida |
24. | SWIFT | Navi Mumbai | HO.Fex Deptt. N.D. (To be soon shifted to Greater Noida) | --
25. | Card Management | Chennai | Mumbai | --
26. | CCIL Server | HO.IT Deptt. Rajendra Place | Greater Noida | --
27. | ALM | Vashi Mumbai | Greater Noida | --
28. | AML | Navi Mumbai | Greater Noida | --
29. | Data Archival Retrieval (DAR) | Navi Mumbai | Greater Noida | --
30. | Security Operation Center (SOC) | Navi Mumbai | Greater Noida | Navi Mumbai
31. | Third Party Applications: 1. PKI; 2. C-KYC; 3. E-TDS; 4. LOS - Loan Origination System; 5. RTTS - Real Time Transaction System (RTTS); 6. EIRMS - Risk Management Systems for Standardized & Advanced Approaches; 7. GST Suvidha Provider; 8. Internal Credit Rating Solution; 9. Settlement, Reconciliation & Dispute Management; 10. e-Procurement & e-Auction Services; 11. PFMS | Navi Mumbai | Greater Noida | Navi Mumbai
B. IS AUDIT OF INTERNET BANKING (WWW.PSBONLINE.CO.IN),
MOBILE BANKING
(HTTPS://WWW.PSBMOBILE.COM/MPAYPSBWAP/PSB),
INTRANET.PSB.CO.IN, WEBMAIL.PSB.CO.IN, UPI, BHIM, FI AND
CORPORATE WEBSITE (WWW.PSBINDIA.COM) OF THE BANK
While conducting the IS Audit, the guidelines/ recommendations issued by CERT-In
and Reserve Bank of India should be strictly complied with.
C. Vulnerability Assessment & Penetration Testing (Internal and External)
The Bidder is expected to conduct a VA/PT of the deployed solution at the Data Centre
and the Disaster Recovery Site and ensure compliance of the security gaps. The
minimum set of activities to be performed is detailed in the scope of work.
D. Application Review and Testing
The bidder is to carry out an application review covering the functionality, security,
and controls within the applications. The minimum set of activities to be
performed is detailed in the scope of work. The auditor has to conduct VA, PT & white
box (with credentials) testing for security assurance of the applications.
E. Scope of Assessment of UPI:
The IS Auditors have to conduct the system and app audit to ensure data
integrity, encryption and app security in compliance with NPCI circular
no. NPCI/2019-20/IS/003 dated 10.12.2019 and the risk and compliance
framework for the UPI ecosystem. At a minimum, the following reports are expected
from the IS Auditor:
• Vulnerability Assessment of the IT Servers (web, App, DB, OS),
networking and security devices that participated in the UPI ecosystem
including that of TPAP.
• Black box penetration testing of the IT Servers, networking and security
devices that participated in the UPI ecosystem including that of TPAP.
• Configuration Audit as per CIS Benchmark for IT Servers, networking and
security devices that participated in the UPI ecosystem including that of
TPAP.
• Application security testing report (both SAST & DAST) performed on the
UPI PSP Application/ SDK/ Merchant/ TPAP application.
• Source Code review report performed on the UPI PSP Application/ SDK/
Merchant/ TPAP application.
F. ATM Switch- Cyber Security Controls for ATM Switch Application
Service Providers (ASPs)
The IS Auditors have to review compliance with RBI circular no.
DoS.CO/CSITE/BC.4084/31.01.015/2019-20 dated 31.12.2019. The list of prescribed
controls is indicative but not exhaustive.
• Preventing access of unauthorised software
• Environmental Controls
• Network Management and Security
• Secure Configuration
• Application Security Life Cycle (ASLC)
• Patch/Vulnerability and Change Management
• User Access Control / Management
• Data Leak prevention strategy
• Audit Logs
• Incident Response and Management
• Advanced Real-time Threat Defence and Management
• Vulnerability assessment and Penetration Test
• Forensics
• Arrangement for continuous surveillance - Setting up of Cyber Security
Operation Center (C-SOC)
• Compliance with various standards
ANNEXURE ‘D’
LIST OF SERVERS/DEVICES IN DIFFERENT AUDITEE LOCATIONS
(It may vary in actual scenario)
Sr. no. | Purpose | Model | Quantity DC | Quantity DR | Quantity NLDC
Servers, Storage & Tape Library
1 | CBS Servers (Database + Application) | Oracle T4-4 | 2 | 2 | NA
2 | CBS Servers (Database + Application) | Oracle T4-1 | 6 | 6 | NA
3 | SASCL Server | Oracle T3-1 | 1 | NA | NA
4 | Storage | EMC VNX 5500 in DC & DR and EMC VNX 5300 in near site | 1 | 1 | 1
5 | Storage | EMC VNXe 3100 | 1 | NA | NA
6 | SAN Switch | Cisco SAN Switch | 2 | 2 | 2
7 | Tape Drive | Tandberg T40+ Tape library | 1 | 1 | NA
8 | Blade Chassis | Cisco UCS chassis | 6 | 4 | NA
9 | Windows Servers | Cisco UCS Blade server | 42 | 28 | NA
Networks equipment
1 | MPLS Routers | ASR1002-10G-SEC/K9 | 2 | 2 | 2
2 | IPSec Routers | ASR1002-10G-VPN/K9 | 2 | 2 | NA
3 | Routers | CISCO2921-SEC/K9 | 4 | 2 | NA
4 | Routers | CISCO2921-SEC/K9 | 2 | 1 | NA
5 | Core Switches | N7K-C7009-BUN2-R | 2 | 2 | NA
6 | Server Farm | WS-C3750X-24T-S | 3 | 2 | 2
7 | Uplink Switches | WS-C3750X-24T-S | 4 | 4 | NA
8 | DMZ Switches | WS-C2960G-24TC-L | 2 | 2 | NA
9 | Web Zone | ACE-4710-04-K9 | 4 | 4 | NA
10 | ISE SLB | ACE-4710-04-K9 | 4 | 4 | NA
11 | Internet Section | APV 2600 | 2 | 2 | NA
12 | Replication | APV 2600 | 2 | 2 | NA
Sr. no. | Purpose | Model | Quantity DC | Quantity DR | Quantity NLDC
Security Equipments
1 | Intranet Firewall | ASA5585-S20P20XK9 | 2 | 2 | NA
2 | RA VPN Firewall | ASA5545-K9 | 2 | 2 | NA
3 | Internet Firewall | CP4200 | 2 | 2 | NA
4 | CP Security Mgmt | Smart-1 | 1 | NA | NA
5 | CP Smart Event | SM503-EVNT | 1 | NA | NA
6 | Access Control | CSACS-1121-K9 | 1 | 1 | NA
7 | Admission Control | ISE-3395-K9 | 8 | 8 | NA
8 | Web Gateway | MFE Web Gateway 5500 Appl-B | 2 | 1 | NA
9 | Email Gateway | MFE Email Gateway 5500 Appl-C | 2 | 1 | NA
Other
1 | Network Monitoring | LMS-4.1-2.5K-K9 | 1 | 1 | NA
2 | Security Monitoring | L-CSMPR250-4.2-K9 | 1 | 1 | NA
3 | NAC | Cisco L-ISE-ADV5Y-5K= | 4 | 3 | NA
LIST OF SERVERS/DEVICES IN SOC
Sr. no. | Device | Model/Version | Purpose | Quantity DC | Quantity DR
Hardware (Switch, Servers, Storage & Appliances)
1 | Barracuda WAF | 660A | Web Application Monitoring | 2 | 2
2 | DDI | 510 | ANTI-APT | 2 | 2
3 | DDAN | 1100 | | 2 | 2
4 | SAN Switch | Brocade SAN Switch | NA | 2 | 2
5 | Netapp SAN Storage | 212 C | Storage | 1 | 1
6 | Netapp NL Storage | 224 C | Storage | 1 | 1
7 | CISCO UCS Server | C220 M5 | Server for Virtual implementation | 5 | 2
8 | CISCO Catalyst N/W Switch | 2960L | Network equipment for N/w connectivity | 4 | 4
Security Technology (ANTI-APT) Virtual
1 | IMSVA | 9.1.0.1960 | E-mail Solution | 2 | 2
2 | TMCM | 7 | Controlling manager | 1 | NA
Security Technology (SIEM) Virtual
1 | VLC | 11.3.2.0 | Log Solution | 1 | 1
2 | Decoder | | | 1 | NA
3 | Concentrator | | | 1 | NA
4 | ESA | | | 1 | NA
5 | Archiver | | | 1 | NA
6 | SA Server | | | 1 | NA
Security Technology (PIM) Virtual
1 | Application | 4.8.5.0 | Privilege Access Management | 1 | 1
2 | DB | NA | | 1 | 1
3 | Gateway | Centos 7 | | 1 | 1
Security Technology (SEC-OPS) Virtual
1 | Application | 6.5 | Archer Ticketing Tool | 1 | 1
2 | DB | NA | | 1 | 1
3 | Gateway | NA | | 1 | 1
Other
1 | VMWare Vsphere Client | 6.5 | OS for ESXI Hosting | 1 | 1
2 | ESXI | 6.5 | OS for UCS Server | 5 | 2
3 | Windows Server | Microsoft 2012 | To establish different applications and technology (SECOPS, PIM, VCSA) | 8 | 6