bank of baroda bankingapplication

Upload: prateek

Post on 08-Jul-2018

  • 8/19/2019 bank of baroda BankingApplication

    1/45

    Bank of Baroda Baroda Corporate Centre, Mumbai  

    Confidential  Page 1 of 45 Project Office, BCC, Mumbai

    RFP Document for Comprehensive audit of Banking Applications

    Created on 3/11/2009

    Request for Proposal (RFP)

    for

    Selection of Service Provider for Conducting Comprehensive Audit of Banking Application System (India and Foreign Territories)

    Bank of Baroda
    Project Office
    Baroda Corporate Centre
    Mumbai

    Nov 03, 2009

    [A] Important Dates :

    1. Issuance of RFP Document by Bank from : 06/11/2009

    2. Last Date of Submission of Response by the Bidder : 30/11/2009

    [B] Important Clarifications :

    Following terms are used in the document interchangeably to mean:

    1. Bank of Baroda, BOB, BoB, and Bank means “Bank of Baroda”.

    2. Recipient, Respondent and Bidder means “Respondent to the RFP Document”.

    3. RFP means the “Current RFP Document”

    4. SP means the “Service Provider”

    5. VA & PT means Vulnerability Assessment and Penetration Testing

    Confidentiality

    This document is meant for the specific use by the Company / person/s interested to participate in the current tendering process. This document in its entirety is subject to Copyright laws. Bank of Baroda expects the bidders or any person acting on behalf of the bidders to strictly adhere to the instructions given in the document and maintain confidentiality of information. The bidders will be held responsible for any misuse of the information contained in the document and liable to be prosecuted by Bank of Baroda in the event that such a circumstance is brought to the notice of the Bank. By downloading the document, the interested party is subject to confidentiality clauses.

    Section – I

    1. Introduction and Disclaimer

    This Request for Proposal document (“RFP”) has been prepared solely to enable Bank of Baroda in the selection of suitable organisations to tender for the provision for conducting Comprehensive Audit of the Banking Application installed under the Technology Enabled Business Transformation Project.

    The RFP document is not a recommendation, offer or invitation to enter into a contract, agreement or other arrangement in respect of the services. The provision of the services is subject to observance of selection process and appropriate documentation being agreed between Bank of Baroda and any successful bidder as identified after completion of the selection process as detailed under Section – III, Para 25.

    2. Information Provided

    The RFP document contains statements derived from information that is believed to be reliable at the date obtained but does not purport to provide all of the information that may be necessary or desirable to enable an intending contracting party to determine whether or not to enter into a contract or arrangement with Bank of Baroda in relation to the provision of services. Neither Bank of Baroda nor any of its employees, agents, contractors, or advisers gives any representation or warranty, express or implied as to the accuracy or completeness of any information or statement given or made in this RFP document. Neither Bank of Baroda nor any of its employees, agents, contractors, or advisers has carried out or will carry out an independent audit or verification or due diligence exercise in relation to the contents of any part of the RFP document.

    3. For Respondent Only

    The RFP document is intended solely for the information of the party to whom it is issued and no other person or organisation.

    4. Service Provider Eligibility Criteria

    The SP company is required to meet the following eligibility criteria and provide adequate documentary evidence for each of the criteria stipulated below:

    1.  Must be a Government Organization/PSU/PSE/partnership firm/LLP or limited company.

    2.  Must be in existence for five years as on 31.03.2009 (in case of mergers/acquisition/restructuring or name change, the date of establishment of the earlier/original Partnership Firm/Limited Company can be taken in to account).

    3.  Must have a minimum turnover of at least Rs 2 Billion in the past two years out of which, at least, 25% of the revenue must have come from the testing & Consulting Services.

    4.  Must have made profits for the past 3 years in succession.

    5.  Should have never been blacklisted/barred/disqualified by any regulator/statutory body.

    6.  Must have the experience in reviewing of application and IT Systems.

    7.  Must not be application/implementers/Solution providers, assistance providers for implementation with an alliance with Hewlett Packard in Bank of Baroda.

    8.  Must not be a direct competitor providing solution/application being provided/implemented by Hewlett Packard to the Bank.

    9.  Must have on rolls at least one team leader (Project Manager) and one additional member who has similar experience as that of the Project Manager who would have been personally involved in at least one similar assignment. The Engagement Manager must have at least 3 years' experience of the Testing Services and Audit Services.

    10.  Must have existence in India.

    5. Confidentiality

    The RFP document is confidential and is not to be reproduced, transmitted, or made available by the Recipient to any other party. The RFP document is provided to the Recipient on the basis of the undertaking of confidentiality given by the Recipient to Bank of Baroda. Bank of Baroda may update or revise the RFP document or any part of it. The Recipient acknowledges that any such revised or amended document is received subject to the same terms and conditions as this original and subject to the same confidentiality undertaking.

    The Recipient will not disclose or discuss the contents of the RFP document with any officer, employee, consultant, director, agent, or other person associated or affiliated in any way with Bank of Baroda or any of its customers, suppliers, or agents without the prior written consent of Bank of Baroda.

    6. Disclaimer

    Subject to any law to the contrary, and to the maximum extent permitted by law, Bank of Baroda and its officers, employees, contractors, agents, and advisers disclaim all liability from any loss or damage (whether foreseeable or not) suffered by any person acting on or refraining from acting because of any information, including forecasts, statements, estimates, or projections contained in this RFP document or conduct ancillary to it whether or not the loss or damage arises in connection with any negligence, omission, default, lack of care or misrepresentation on the part of Bank of Baroda or any of its officers, employees, contractors, agents, or advisers.

    7. Costs Borne by Respondents

    All costs and expenses incurred by Recipients / Respondents in any way associated with the development, preparation, and submission of responses, including but not limited to attendance at meetings, discussions, demonstrations, etc. and providing any additional information required by Bank of Baroda, will be borne entirely and exclusively by the Recipient / Respondent.

    8. No Legal Relationship

    No binding legal relationship will exist between any of the Recipients / Respondents and Bank of Baroda until execution of a contractual agreement.

    9. Recipient’s Obligation to Inform Itself

    The Recipient must conduct its own investigation and analysis regarding any information contained in the RFP document and the meaning and impact of that information.

    10. Evaluation of Offers

    Each Recipient acknowledges and accepts that Bank of Baroda may, in its absolute discretion, apply whatever criteria it deems appropriate in the selection of Service Provider, not limited to the selection criteria set out in this RFP document.

    The RFP document will not be construed as any contract or arrangement, which may result from, the issue of this RFP document or any investigation or review carried out by a Recipient. The Recipient acknowledges by submitting its response to this RFP document that it has not relied on any information, representation, or warranty given in this RFP document.

    11.a Earnest Money Deposit (EMD)

    As part of compliance, intending bidders must pay along with RFP an Earnest Money Deposit of Rs 50,000/- (Rs fifty thousand only). The earnest money shall be paid by Demand Draft/Bankers Cheque/Pay Order drawn in favour of Bank of Baroda – payable at Mumbai. The earnest money will not carry any interest. The EMD will be refunded to non-Selected RFP Respondents along with the intimation of rejection of their bid. In case of selected respondents the deposit will be adjusted against the security deposit payable under the terms of contract.

    The EMD made by the bidder will be forfeited if:

    •  The Respondent withdraws his tender before processing the same.

    •  The Respondent withdraws his tender after processing but before acceptance of “Letter of Selection for Final RFP” issued by Bank.

    •  The Selected Respondent withdraws his tender before furnishing an unconditional and irrevocable Performance Bank Guarantee / security deposit.

    •  The Respondent violates any of the provisions of the term and conditions of this tender specification.

    11.b Security Deposit

    The EMD amount deposited by the successful bidder will be converted as security Deposit. Excess amount of EMD (i.e. EMD – 5% of the contract value) of successful bidder will be refunded by the bank within two weeks from the date of acceptance of contract, however if the EMD amount is less than the amount equivalent of contract value then the successful bidder has to deposit the difference amount (i.e. 5% of the contract value – EMD amount) by way of Demand Draft/Banker’s Cheque/Pay Order drawn in favor of the Bank of Baroda payable at Mumbai, within one week from the date of awarding the contract. The Security deposit will be refunded by the bank after successful completion of the project.

    Amount of Security Deposit will be rounded off to the nearest thousand. Bank Guarantee in lieu of Security Deposit is not acceptable.

    11.c Performance Bank Guarantee

    The Selected bidder has to provide an unconditional and irrevocable Performance Bank Guarantee of 10% of the contract value from the Public Sector Bank in India (Other than Bank of Baroda) towards due performance of the contract in accordance with the specifications, terms and conditions of RFP document, within 15 days from the date of letter of indent (LOI). The Bank Guarantee shall be kept valid for three months beyond the tentative completion period of project.

    11.d Application Money

    The intending bidders should pay along with bids an Application money of Rs 5000/- (rupees Five Thousand only). The application money shall be paid by Demand Draft/Banker’s Cheque/Pay Order drawn in favour of Bank of Baroda payable at Mumbai. The application money is non-refundable.

    11.e Execution of SLA/NDA:

    The SP company should execute (a) a Service Level Agreement, which would include all the services and terms and conditions of the services to be extended as detailed herein and as may be prescribed by the Bank and (b) Non-disclosure Agreement. The SP should execute the SLA and NDA within one month from the date of acceptance of Letter of Appointment.

    12. Errors and Omissions

    Each Recipient must notify Bank of Baroda of any error, omission, or discrepancy found in this RFP document.

    13. Acceptance of Terms

    A Recipient will, by responding to Bank of Baroda RFP, be deemed to have accepted the terms as stated above from Para 1 to Para 12.

    14. Lodgment of RFP Response (To be read in conjunction with Section – III, Para 4)

    14.1 RFP Closing Date for submission of Response

    RFP Response may be received by the officials indicated below not later than 4:00 pm (Indian Time – GMT +5:30) by 30th November 2009.

    Submission of Response to Bank of Baroda

    Two (2) paper copies and one (1) electronic copy (Microsoft XP Word and Excel, on CD ROM) of all submissions must be supplied to Bank of Baroda addressed to General Manager (Projects & IT Operations) at:

    General Manager (Projects & IT - Operations)
    Bank of Baroda, Baroda Corporate Centre
    C-26, Block – G, Bandra – Kurla Complex,
    Bandra (East)
    Mumbai – 400051, India

    For any further clarification you may contact

    Mr AK Singh

    Chief manager (Projects & IT Operations)

    LL 022-66985254/

    Mr S Salunke 66985234

    Submission will be valid if:

    •  Copies of the RFP are submitted before the aforementioned closing time.

    •  Submission is not by Fax transmission.

    •  Response is submitted in two separate sealed envelopes with separate marking “Technical Proposal” & “Commercial Proposal”

    •  All separate copies of RFP and attachments must be provided in a sealed envelope or sachet.

    Only One Submission Permitted

    Only one submission of response to RFP by each Vendor / Service Provider will be permitted. In case of partnerships / consortium, only one submission is permitted through the lead vendor / service provider.

    14.2 Registration of RFP

    Registration will be effected upon Bank of Baroda receiving the RFP response in the above manner (Para 14.1). The RFP must be accompanied with all documents, information, and details. If the submission to this RFP does not include all the information required or is incomplete or submission is through Fax mode, the RFP is liable to be rejected.

    All submissions, including any accompanying documents, will become the property of Bank of Baroda. Recipients shall be deemed to license, and grant all rights to, Bank of Baroda to reproduce the whole or any portion of their submission for the purpose of evaluation, to disclose the contents of the submission to other Recipients who have registered a submission and to disclose and/or use the contents of the submission as the basis for any resulting RFP process, notwithstanding any copyright or other intellectual property right that may subsist in the submission or accompanying documents.

    14.3 Late RFP Policy

    Respondents are to provide detailed evidence to substantiate the reasons for a late RFP submission.

    RFPs lodged after the closing date for lodgment of RFPs may be registered by Bank of Baroda and may be considered and evaluated by the evaluation team at the absolute discretion of Bank of Baroda. It should be clearly noted that Bank of Baroda has no obligation to accept or act on any reason for a late submitted response to RFP.

    Bank of Baroda has no liability to any person who lodges a late RFP for any reason whatsoever, including RFPs taken to be late only because of another condition of responding.

    14.4 RFP Validity Period

    RFPs will remain valid and open for evaluation according to the terms for a period of at least six (6) months from the time the RFP submission process .

    14.5. Requests for Information

    Recipients are required to direct all communications related to this RFP, including notification of late RFP submission, through the Nominated Point of Contact person i.e. General Manager (Projects & IT – Operations).

    All questions relating to the RFP, technical or otherwise, must be in writing only to the Nominated Point of Contact.

    Bank of Baroda will not answer any communication initiated by Respondents later than five business days prior to the due date for lodgment of RFPs. However, Bank of Baroda may in its absolute discretion seek, but is under no obligation to seek, additional information or material from any Respondents after the RFP closes and all such information and material provided must be taken to form part of that Respondent’s response.

    Respondents should invariably provide details of their email address(es) as responses to queries will only be provided to the Respondent via email.

    If Bank of Baroda in its absolute discretion deems that the enquiring Respondent will gain an advantage by a response to a question, then Bank of Baroda reserves the right to communicate such response to all Respondents.

    Bank of Baroda may in its absolute discretion engage in discussion or negotiation with any Respondent (or simultaneously with more than one Respondent) after the RFP closes to improve or clarify any response.

    15. Notification

    Bank of Baroda will notify the Respondents in writing as soon as practicable about the outcome of the RFP evaluation process, including whether the Respondent’s RFP response has been accepted or rejected. Bank of Baroda is not obliged to provide any reasons for any such acceptance or rejection.

    16. Disqualification

    Any form of canvassing/lobbying/influence/query regarding short listing, status etc. will be a disqualification.

    17. Timeframe

    The following is an indicative timeframe for the overall selection process. Bank of Baroda reserves the right to vary this timeframe at its absolute and sole discretion should the need arise. Changes to the timeframe will be relayed to the affected Respondents during the process.

    RFP Issuance Date      06 November, 2009
    RFP Response Due       30 November, 2009
    RFP Evaluation date    31 May 2010

    Section - II

    1. Bank of Baroda – the Company

    Bank of Baroda is one of the largest Public Sector Banks in India with over 33 million accounts with about 3 to 5 million transactions per day and a Branch network of over 3000 branches in India and in other 21 overseas countries. Bank has over 1500 branches in rural/semi urban areas and with 70 offices / branches in 21 countries overseas.

    The Bank has undertaken a massive project for modernization of its banking processes to become a national bank of international standard. To initiate this modernization process, the Bank has conducted a Business Driven IT strategy formulation exercise assisted by Gartners.

    2. Business & IT Strategy

    The aim of Bank of Baroda’s IT Strategy is to conduct a Technology Enabled Business Transformation of current business processes through three key endeavors:

    1.  The phased deployment of core applications and supporting IT infrastructure to enable the implementation of best-practice in :

        –  Banking and financial services

        –  Corporate operations

    2.  The development of a Governance of IT model and capability within Bank of Baroda.

    3.  The structured development of enhanced IT capability within Bank of Baroda based on :

        –  Outsourcing of daily IT operations

        –  Developing and retaining key skills in planning, programme and project management, and sourcing management

    It is projected that the implementation of the IT Strategy will occur over a three to five year period.

    3. Bank’s Vision for Business Transformation

    Bank’s vision in going for a technology-enabled transformation is :

    •  To become the most preferred Public Sector Bank within three years and to transform into a Universal Financial Services organization offering a full range of financial products to corporate and personal customers

    •  To become a customer-centric organization providing financial products and services based on customer needs in all markets it operates

    •  To provide products and services in an efficient, effective and responsive manner and on-demand through multiple channels

    The transformation should be rapid and visible in order to enable the Bank to reap early benefits. The strategic goals of Bank of Baroda are :

    •  The development of a customer centric business,

    •  The delivery of product through multi-channel distribution,

    •  The set up of new Lines of Business through re-organization of existing lines of business along customer requirements,

    •  The set up of global functions by way of establishment of a corporate center

    •  An improvement of operational effectiveness.

    4. System Integrator (SI) of the Project

    Towards realizing the above objectives under its current Technology Enabled Business Transformation Project (Project Shikhar), the Bank has selected Hewlett Packard India Sales Private Ltd. (HP) as the System Integrator for the Project. Broad scope of deliverables under the Project is as under :

    •  Procurement/supply and installation H/W, System S/W, Application S/W

    •  Core Banking System and associated modules

    •  Other applications (Support Services like General Ledger, HRNeS, Pay Roll, Integrated Risk Management, Data warehouse, CRM, MIS, ATM Switch, Mail Messaging, Intranet, Self-Service, E-Learning, Asset Management, Card Management, e-banking, Payment Gateway, Treasury)

    •  Customization & Parameterization

    •  Implementation and maintenance of application software (S/W)

    •  Designing of complete network architecture for the Bank

    •  Procurement/supply and installation of various networking equipments, implementing Branch LAN and enterprise-wide WAN & Network Management for the entire WAN

    •  Data Centre & Disaster Recovery Site – Build, Operate & Transfer

    •  Procurement, follow up and maintenance of network bandwidth/leased lines, ISDN and other networking needs

    •  Domestic and International Branch Roll-out

    •  Proposing and Implementing Information Security Management System

    •  Training & Transformation Management

    •  Programme Management

    •  Designing, developing and implementing System integration

    •  All supporting infrastructure & Services (e.g., Data Centre/DRC, Servers, Desktops, Laptops etc., Managed Services)

    •  Data communication networks (e.g., WAN, LAN, Voice)

    5. Products / Applications being implemented by HP

    The SI has proposed and has been implementing the following applications for the Bank.

    Support services:

    Functionality | Product
    Finance, General Ledger, Accounting, Consolidated GL, Finance Budgeting | Finacle Core, Oracle Financials, Oracle Financial Services applications
    Sourcing and Procurement | Oracle AP, Purchasing
    Human Resource Management | Oracle HR, Oracle training & administration, self Service, Fluous Payroll
    Risk Management and Decision support | Finacle Core, OFSA - Risk Manager, Kvar+, Kondor Global Limits, Kondor Credit Var
    Performance Management | Oracle OFSA – Performance Analyser, Transfer Pricing, Activity based Management, Balanced Scorecard Modules
    Marketing Decision Support; MCIF – Customer Segmentation, Campaign management | Finacle Core, Oracle Trading Community architecture, Oracle Customer online, Oracle marketing Online, Oracle Sales online
    Customer Relationship Manager; CRM Analytics | OFSA – And Oracle CRM Based on Oracle Logical Data Model - TCA + Oracle Financial data model
    Enterprise Information systems | OFSA - Performance Analyser, Risk manager, HP - Knowledge Management System

    Funds and regulatory

    Functionality | Product
    Treasury | Kondor +, KTP
    Investment and Brokerage | Opus Trade – front end trading system interfacing to depositories as well as brokers and clearing houses
    International Banking and Foreign Exchange | Finacle Core for Basic FX and MM deals processing; Browser support for K+ dealing at international treasury locations where warranted
    Interactions with Other banks | CBS - Clearing systems, RTGS, interface; Treasury to NDS interface
    Interactions with Reserve Bank of India | CBS – RTGS interface; Treasury – RTGS interface

    Core Processing

    Functionality | Product
    Core banking | Finacle Core including Trade finance and Remittances
    Deposits Savings and investment | Finacle core retail and corporate
    Loans Credit Lending | Finacle Core Retail and Corporate Lending
    Product Management | Finacle Core Parameter driven Product management
    Customer Information System | Finacle Core CIF, Oracle TCA
    Non Banking financial Products | Cards – (Interface to existing cards system in phase-I), Opus Cards
    Transaction Payment Systems | Finacle core, Electra Payment Gateway, Base24 Switch

    Delivery

    Functionality | Product
    Personal Productivity and Groupware | Microsoft Exchange
    Help Instruction and Training | Online help from all application; Training using existing Training center infrastructure; Set up of e-learning infrastructure; Oracle i-learning; Oracle Training and Administration
    Imaging and Printing | Scanners and printers – HP; Omni Capture – New Gen; Omni docs – New Gen
    Work flow and Document Management | Omni Flow for enterprise workflow; Omni docs for document Management
    Transaction Processing | Base24 ATM Switch; Electra payment Gateway
    Reporting | Finacle Reporting Tool; Oracle Discoverer

    Access

    Functionality | Product
    Staff Interface | Oracle Self Service; Fluous Self Service; HP Knowledge management; Oracle Portal
    Teller Functions/Service Center Interface | Finacle Core
    Self Service Telephone and Internet | Servion IVR Phone banking
    Payment Gateway | Electra Payment Gateway
    Internet Banking | Finacle eChannels, eCorporate
    Other Agents and Channels | Finacle SMS banking; Kiosk
    Security | Various including Trendmicro Anti Virus, Checkpoint Firewall, Cisco pix

    Section - III

    1. Current RFP Objectives :

    1.1 Project Objective

    The Bank wishes to appoint competent Service Provider (SP) for carrying out Comprehensive Audit of the IT Systems installed at the Data Centre, Mumbai and Disaster Recovery Centre, Hyderabad implemented by HP. The SP will be responsible as per the scope and timelines outlined below.

    Although the Bank has selected an SI for implementation of various systems and is in the process of implementing the complete suite of solutions for its branches and Administrative Offices including overseas offices, Subsidiaries etc., the Bank is looking for the Comprehensive Audit for all its Banking application systems (India & foreign territories) installed and systems which will subsequently be installed.

    The selected service provider is required to provide service of comprehensive audit including the following services: Performance Testing (PT), Optimisation Testing, High Availability Testing, Scalability Testing with reference to the four core architectural principles - Performance, Scalability, High Availability, Investment Protection.

    Bank may, at its full discretion, choose to avail of the services for all services or part thereof. Such decision may be advised in course of the project.

    1.2 Project Scope

    A description of the envisaged scope is enumerated as under. However, the Bank reserves its right to change the scope of the RFP considering the size and variety of the requirements and the changing business conditions.

    Based on the contents of the RFP, the selected SP shall be required to independently arrive at Approach and Methodology, based on globally acceptable standards and best practices, suitable for the Bank, after taking into consideration the effort estimate for completion of the same and the resource and the equipment requirements. The Selected Service Provider is required to conduct the detailed Risk assessment of IT Assets/Resources of the Bank at DC/DR and suggest the control measures for the risk identified.

    The Bank expressly stipulates that the SP’s selection under this RFP is on the understanding that this RFP contains only the principal provisions for the entire assignment and that delivery of the deliverables and the services in connection therewith are only a part of the assignment. The SP shall be required to undertake to perform all such tasks, render requisite services and make available such resources as may be required for the successful completion of the entire assignment at no additional cost to the Bank.

    The SP’s involvement is expected to be spread across a period of at least 24 months from the date of contract.

    The services as indicated in Para 1.2.1 will be covered under the scope of the Comprehensive Audit of the Banking Applications (Domestic & International territory). Indicative details of services may involve:

    1.2.1 Review/Audit of

    1. Periodic Audit of all Customer facing (VA&PT) Web based application at 6 month Interval up to 18 months.
    2. Business Application Software (CBS & Other Business application)
    3. Compliance Verification of this audit report within 6 Months.

    1.2.2.A) Threat & Vulnerability Analysis audit of customer facing Web based Application

    Testing tools have to be arranged by the bidder.

    Appropriate updated tools should be used for each phase of test.

    Application implemented in foreign territory is also a part of review/audit:

    • Review of security assessment of the technology platforms at the Data Center
    • Review the operations and management of Bank-wide Network Architecture
    • Review of security and parameter setting for all IT Infrastructure within the Data Centre including review of Placement of security equipments, network equipments for securing database, application, web servers of various applications housed at Data Centre
    • Review of Configuration and Monitoring of logs of Intrusion Prevention System, firewalls and response capabilities
    • Carry out Ethical hacking to expose security gaps and demonstrate the effectiveness of security measures.
    • Vulnerability & Penetration Test must be designed to simulate a real world attack keeping in view prevailing RBI guidelines, IT Act 2000 and other applicable regulations in India.
    • Vulnerabilities for defacement and unauthorized modification of corporate web sites
    • Search for back door traps in the programs
    • Check if commonly known holes in the software, especially the browser and the email software exist through ethical hacking
    • Review of policies for performing periodic monitoring of activity on the firewall server to check for malicious activity.
    • Review of Policies for performing periodic health check on all servers with the Data center

    • Review of Backup and restore policy
    • Review of periodic analysis of logs to bring in changes to the security posture to mitigate risks from newly identified threats
    • Check for existence of proper guidelines to retire any infrastructure. It is to be ensured that the data on such asset is backed up and is removed from the asset before it is retired. Data that becomes inconsequential or irrelevant due to various factors must be archived using a proper archival mechanism. Data, which needs to be destroyed, must be destroyed immediately and proper guidelines need to be defined as a process for the same.
    • Review of firewall configurations and associated policies and procedures covering Firewall design, operational security, auditing, logging, monitoring, alerting, IP forwarding etc.
    • Switch Diagnostic review
    • Router Diagnostic review
    • Pro-active virus prevention and detection procedures are in place and implemented. Virus definitions are updated regularly
    • Procedures for monitoring of Updation of virus definitions
    • Process for incident reporting Mechanism to respective data Owner (particularly to foreign territory)

    1.2.2.B) Security and controls review of the ATM, Internet Banking, On-line Trading, Cash Management, Depository services and Channel banking encompassing

    • To review the Transaction flow in Bank’s internet banking
    • Adequate internal controls are in place to minimize errors, discourage fraud
    • Interface with other organizations for utility payments
    • Process of creation of Internet Banking Ids
    • PIN management
    • Authentication controls
    • ATM card application, generation and Issue Process
    • ATM PIN generation and distribution procedures
    • Operating System, application and the Data on the ATM Switch
    • Interface system between the Host and the ATM switch
    • Procedures for off-line transactions
    • ATM switch center & ATM terminals
    • Review of Backup and recovery procedures for ATM related data and transactions
    • All applicable testing for various on-line channels facing customers
    • Check if the data between ATM and switch is flowing in encrypted form and not as plain text and evaluate sniffing risk if any
    • To review the Risk Management Process (Risk Identification, Assessment & Treatment)

    • Security & Control Objectives (Data Confidentiality, System Integrity, Availability, Customer & Transaction Authenticity, and Customer and its Data Protection)
    • Managing Outsourcing risks, Monitoring Outsourcing Arrangements.
    • Distributed Denial of Services attacks (DDOS)
    • Customer Education Mechanism.
    • Incident Response Planning and Reporting
    • Process for Internet based attack, reporting, response & Planning mechanism.

    1.2.3. Review/Audit of Business Application Software to be conducted for the following application vs Territory:

    √ Indicates Application has been in Live operation in respective territory
    X Indicates Application has not been made live in respective territory

    | Sr no | Application | India | UAE | OMAN | FIJI | Mauritius | Botswana | Tanzania | UK | T&T | Kenya | Uganda | Hong Kong | China | Ghana | Guyana | Bahamas | Bahrain | South Africa | Seychelles | Singapore |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 1 | CBS | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
    | 2 | AML | √ | √ | √ | √ | √ | √ | √ | √ | X | √ | √ | √ | X | X | √ | √ | X | √ | √ | X |
    | 3 | Financial Management System-Oracle Financials (EWGL) | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
    | 4 | Baroda Connect | √ | √ | √ | √ | √ | √ | √ | X | X | X | X | X | X | X | X | X | X | X | √ | X |
    | 5 | Straight Through Process (RTGS/NEFT) | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 6 | ATM Switch (Base24) | √ | √ | √ | √ | √ | √ | √ | X | √ | X | X | X | X | X | X | X | X | X | X | X |
    | 7 | Global Treasury & Enterprise wide Limit Management | √ | √ | X | X | X | X | X | √ | X | X | X | X | X | X | X | √ | √ | X | X | X |
    | 8 | Bank Wide Mail and Messaging System | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
    | 9 | Baroda Cash Management | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 10 | Telephone Banking | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 11 | HRNES | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 12 | Pay roll | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 13 | Retail Depository System | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 14 | Data Warehousing and Oracle Financial Services Application | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 15 | Crisil | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
    | 16 | Card Management System | √ | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |

    Review/Audit of application which will be implemented in next 24 months (Call Centre, E-trading (Online Trading), CRM, CBS (USA, Belgium))

    Other application which should also be reviewed are

    Internet Payment Gateway, Online trading System, Asset Management System, Hire Purchase & Leasing, Performance Management, Knowledge Management, Solution Architecture & Design Services, Enterprise Management System, Information Security Management System, Data Archival System, Cheque Truncation System, Document Management System – Workflow Automation, Centralized Antivirus, Credit/Debit Card Management (FSS) provided by HP, Centralized SWIFT Interface with CBS and its process.

    Tools used by service provider should be tested before implementation by the service provider.

    1.2.4 For the banking applications (Domestic & International territory) mentioned above the review should include and is not limited to:

    • Perform Application, Security & Controls Review
    • Study the applications for adequate input, processing and output controls
    • Development of suitable testing methodology / testing strategy document
    • Conduct various tests to verify existence and effectiveness of the controls for all functionalities, schemes and products supported by the applications under review
    • Perform a test of controls setup in all the applications
    • Identify ineffectiveness of the intended controls in the software and analyze the cause for its ineffectiveness
    • Controls over automated processing / updations of records, review or check of critical calculations, review of the functioning of automated scheduled tasks, output reports design, reports distribution, etc.
    • Extent of parameterization.
    • Backup/Fall back/Restoration procedures and contingency planning
    • Suggestion on segregation of roles and responsibilities with respect to application software to improve internal controls.
    • Adequacy, Accuracy, Data Integrity of the MIS Reports and Audit Reports

    • Manageability with respect to ease of configuration, transaction roll backs, time taken for end of day, day begin operations and recovery procedures
    • Hard coded & Virtual user-id and password
    • Interfaces with CBS Software of many other applications / services, both in house and 3rd party systems / solutions – security, confidentiality, integrity, accuracy and non-repudiation of the data between systems
    • Recovery and restart procedures
    • Adequacy of Audit trails and Logs
    • Adherence to Legal and Statutory Requirements.
    • Appropriate user maintenance and password policies being followed
    • Review user profiles created at the database level against job roles
    • Review of the outsourcing practices.
    • That the Bank’s Internet Banking Policy meets all the parameters / criteria laid down in the communications of RBI on internet banking in India.
    • Review of Controls in ATM Operations including ATM Card Management, ATM Switch Operations, Support to Branches/Users, Incident Response Capability.
    • Review of controls in RTGS/NEFT Operational environment Support to branches/Users/Department, Incident response capability, Robustness of server Administrative practices.
    • Review of identification, Authentications, Authorization Mechanism in RTGS/NEFT.
    • To review effectiveness and efficiency of the Application Software.
    • To review Setting of various parameters, updation thereof and actual working of them as intended and accurately.
    • To review the Patch Management of all software and Control over the Patch Management.
    • To review Programmed Change Management
    • To review Source Code Maintenance / Escrow arrangement
    • To understand and appreciate the Strengths, Flexibility and Weakness of the all System as implemented and constraints imposed by system on user.
    • To review the ‘application security parameters and setup’ to the Bank’s Security Policy and leading industry best practices.
    • To review whether Audit trails are adequate to monitor the application.
    • To review whether Day end controls are in place to ensure integrity of the transactions as per bank’s guidelines/system of authorizations like Maker-Checker are followed.
    • To review user manuals, operating manuals and systems manuals and to verify the version/updation controls are in place.
    • To review version control for all application software
    • To review issue log / Application call status and process with the application vendors
    • To review application response time from end user perspective in comparison with peer bank / industry best practice

    • To review the Proper MIS reporting in case where manual control during life cycle of product.
    • To Review application control of all data upload/download
    • To review whether Access level controls are appropriately built in and implemented into the application and to verify whether only authorized users are able to edit, input or update the data in the application or carry out activities as per their role.
    • To verify whether access is given on a ‘need-to-know’ and ‘need to-do’ basis.
    • To review all the services that are required to run the application Finacle are properly maintained and managed e.g. Finlist val, resin, CRV, RTGS, Apache web server etc.
    • To review the process of application controls including boundary controls, input controls, communication controls, database controls, and output controls.
    • To review Backups and recovery procedure / control.
    • To review whether any weaknesses in controls or in application are there which lead to leakage of income or to non compliance of regulatory requirements.

    1.2.5 Core Banking Solution - Finacle: Domestic & International

    In addition to all the above mentioned points, specific attention is to be given to the below mentioned points.

    Finacle application is to be reviewed for both domestic and International territories as per the requirements of respective regulatory and security requirements. The review should include and is not limited to:

    • To review whether Bank has proper control over software updates and to check if such updates/customizations have been maintained in chronological order.
    • To review the application security features built within Finacle and to identify gaps in the application security parameter setup in line with the bank’s security policies and leading best industry practices.
    • To review the Finacle Core Banking Solution in all the modules implemented in CBS (viz GBM, Trade finance, lockers etc) and all modules in totality with reference to the specifications given in the functional requirement of RFP floated and the procedures of the bank.
    • To review the process of controls over the proxy / parking transactions.
    • To review the control over the inter sol transactions and the collection of charges there on and to verify proper control is there to reconcile the transactions at End of Day Operations.
    • To review the controls over the periodical / mass run system generated transactions (viz interest/Charge application) and to verify proper control reports and proper procedures are in place to minimize the impact on Bank’s profit.

    • To review whether adequate controls over accounting and adjustments of sensitive accounts like sundry / suspense / Office accounts are in place.
    • To review interface with other systems such as Internet Banking, Govt. Business module, Treasury module, ATM Controller Software (BASE24), Payment Gateway, Payment Messaging Solutions, RTGS/NEFT, Enterprise General Ledger, Data ware House, CMS (Cash Management Solution) etc. for accuracy, completeness, timeliness and consistency of data.

    2. Compliance Verification

    SP should verify the compliance audit report of entire audit report and submit final report within six months of the audit report.

    3. Deliverables

    During the course of review, the SP will suggest the following in addition to other critical observation / methods / improvements as deemed fit from the point of view of the SP professional experience for each of the services mentioned above:

    o  All observations will be thoroughly discussed with process owners before finalization of report
    o  Reports will be submitted as soft copy in doc and pdf format as well as one signed hard copy.
    o  Reports will be submitted territory wise in compliance with respective regulators.
    o  All reports will be prepared with the following information:
       Gaps, deficiencies, vulnerabilities observed – specific observations should be given with details
    o  Risk associated with Gaps, deficiencies, vulnerabilities observed
       Category of Risk – High/Medium/Low
    o  Recommendations / Procedures for removing Gaps, deficiencies, vulnerabilities observed
    o  Preparation of Final Testing Report with areas of improvement
    o  On completion of the Comprehensive Review and audit of Banking application handover all reports, templates, and policies to the Bank

    4 Submission of Bids (Please refer to Section – I, Para 14)

    The bids shall be in two parts viz. Technical Proposal and Commercial Proposal.

    Both Technical and Commercial Proposals shall be submitted in separate sealed envelopes superscribing “TECHNICAL PROPOSAL FOR COMPREHENSIVE AUDIT OF BANKING APPLICATION SYSTEMS” on top of the envelope containing the technical bid and “COMMERCIAL PROPOSAL FOR COMPREHENSIVE AUDIT OF BANKING APPLICATION SYSTEMS” on top of the envelope containing commercial bid. These two separate sealed envelopes should be put together in the sealed master envelope superscribing “PROPOSAL for COMPREHENSIVE AUDIT OF BANKING APPLICATION SYSTEMS”.

    The Technical Proposal will be evaluated first for technical suitability. Commercial Proposal shall be opened only for the short-listed bidders who have qualified in the Technical Proposal evaluation.

    The Technical Proposal shall contain the technical proposal to the requirement of the Bank along with Annexure–A, C, D and E.

    A copy of the Commercial Proposal masking the prices is to be submitted along with the Technical Proposal.

    The Commercial Proposal shall be submitted as per Annexure B.

    The bidder shall submit the Proposals properly filed so that the papers are not loose. The Bidder shall submit the proposal in suitable capacity of the file such that the papers do not bulge out and tear during scrutiny.

    The technical proposal shall be organized and submitted as per the following sequence:

    a) Table of Contents (list of documents enclosed)
    b) Technical proposal with detailed activities broken down, effort estimate, manpower estimated to be deployed along with annexure D and annexure E
    c) Compliance certificate for all the terms and conditions as per Annexure-C
    d) All copies of certificates, documentary proofs etc.
    e) A CD containing soft copy of the proposal
    f) Annexure A
    g) Masked Annexure B

    All the relevant pages of the proposals (except literatures, datasheets and brochures) are to be numbered and be signed by authorized signatory on behalf of the Bidder. The number should be a unique running serial number across the entire document.

    The bidder has to submit a soft copy of the entire proposal in a CD. It should be noted that in case of any discrepancy in information submitted by the bidder in hard-copy and soft-copy, the hard-copy will be given precedence. However, in case of non-submission of any hard copy document, if the same is found submitted in the soft-copy, Bank reserves right to accept the same at its discretion.

    The Bids shall be addressed and submitted to :

    GENERAL MANAGER (PROJECTS & IT - Operations)
    BANK OF BARODA
    Baroda Corporate Centre
    Bandra Kurla Complex, Bandra (East)
    Mumbai 400 051

    The bids (arranged as mentioned above) are to be submitted at the Secretariat of the General Manager (Projects & IT – Operations), marked with the appropriate label, at the above address before the due date & time as specified. The bid submitted anywhere else is liable to be rejected.

    It may be noted that all queries, clarifications, questions etc., relating to this RFP, technical or otherwise, must be in writing only and should be to the nominated point of contact.

    Bidders should provide their E-mail address in their queries without fail.

    The bidder will submit an undertaking specifying that the bidder has obtained all necessary statutory and obligatory permission if any to carry out project works.

    The proposal should be prepared in English in MS Word format. The e-mail address and phone/fax numbers of the bidder should also be indicated on the sealed cover.

    FORMATS OF BIDS: The bidders should use the formats prescribed by the Bank in the RFP for submitting both technical and commercial bids.

    5 General Terms and Conditions (Please also refer to Section – I)

    5.1 Adherence to Terms and Conditions:

    The bidders who wish to submit responses to this RFP should note that they should abide by all the terms and conditions contained in the RFP. If the responses contain any extraneous conditions put in by the respondents, such responses may be disqualified and may not be considered for the selection process.

    5.2 Other terms and conditions :

    1.  Bank of Baroda reserves the right to :

    • Reject any and all responses received in response to the RFP
    • Waive or Change any formalities, irregularities, or inconsistencies in proposal format delivery
    • To negotiate any aspect of proposal with any bidder and negotiate with more than one bidder at a time
    • Extend the time for submission of all proposals
    • Select the most responsive bidder (in case no bidder satisfies the eligibility criteria in totality)
    • Select the next most responsive bidder if negotiations with the bidder of choice fail to result in an agreement within a specified time frame.
    • Share the information / clarifications provided in response to RFP by any bidder, with any other bidder(s) / others, in any form.
    • Cancel the RFP/Tender at any stage, without assigning any reason whatsoever.

    6. Substitution of Project Team Members: During the assignment, the substitution of key staff identified for the assignment will not be allowed unless such substitution becomes unavoidable to overcome the undue delay or that such changes are critical to meet the obligation. In such circumstances, the service provider can do so only with the concurrence of the Bank by providing other staff of same level of qualifications and expertise. If the Bank is not satisfied with the substitution, the Bank reserves the right to terminate the contract and recover whatever payments made by the Bank to the SP during the course of this assignment besides claiming an amount, equal to the contract value as liquidated damages. However, the Bank reserves the right to insist the SP to replace any team member with another (with the qualifications and expertise as required by the Bank) during the course of assignment.

    7. Professionalism : The SP must provide professional, objective and impartial advice at all times and hold the Bank’s interests paramount and must observe the highest standard of ethics while executing the assignment.

    8. Adherence to Standards : The SP must adhere to laws of land and rules, regulations and guidelines prescribed by various regulatory, statutory and Government authorities.

    9. The Bank reserves the right itself or through a consultant to conduct an audit / ongoing audit of the services provided by the SP. The cost of the audit / consultant shall be borne by the Bank.

    10. The Bank reserves the right to ascertain information from the banks and other institutions to which the bidders have rendered their services for execution of similar projects.

    11. EXPENSES : It may be noted that Bank will not pay any amount / expenses / charges / fees / traveling expenses / boarding expenses / lodging expenses / conveyance expenses / out of pocket expenses other than the “Agreed Professional Fee”. However, traveling, boarding and lodging expenses, if any, for site visit outside Mumbai for project related work will be discussed with the Bank as to the need, duration, number of personnel involved, etc., and will have to be cleared by the Bank in advance in writing. Settlement of bills in such cases will be at rates mutually agreed and reimbursable against production of tickets and bills. Mumbai will be considered as the base station for the purpose of travelling.

    12. The bidder cannot change the Project Manager during entire period of execution of the assignment unless consented in writing by the Bank.

    13. The bid must contain the resource planning proposed to be deployed for the project which includes, inter-alia, the number of personnel, skill profile of each personnel, duration etc.

    14. TERMS OF PAYMENT :

    The SP’s fees will be paid in the following manner for each item / activity which is described in the Commercial Proposal (Annexure B) on a project to project basis :

    • 10% of the professional fees on acceptance of testing methodology/strategy document for VA & PT, Customer facing all hardware/network etc, Core Banking Solution (Finacle) and other Banking applications.
    • 10% of the professional fees on completion of first test of VA & PT for all customer facing web applications.
    • 20% of the professional fees on completion of review of Periodic Audit of all Customer facing Web based application at 6 months interval up to 18 months (Threat & Vulnerability analysis) on the security and architecture at the Data Centre, Bank-wide Network Architecture, security and parameter setting for all IT Infrastructure within the Data Centre and Disaster Recovery Site, ATM, Internet Banking, On-line Trading, depository Services and Channel banking and submission of reports.
    • 20% of professional fees on Completion of Business Application Software (CBS)
    • 20% of professional fees on Completion of Business Application Software (Other Business application)
    • Balance 20% of the professional fees on rectification / correction / implementation of suggestions by the SP and submission of the Compliance Verification Final Report to the Bank.
    • All invoices will be paid by the Bank within a period of 45 days from the date of receipt of undisputed invoices. Any dispute regarding the invoice will be communicated to the selected bidder within 15 days from the date of receipt of the invoice. After the dispute is resolved, Bank shall make payment within 30 days from the date the dispute stands resolved.

    15. LIQUIDATED DAMAGES (LD) :

    The Bank will impose a penalty of Rs. 50,000/- (Rupees Fifty thousand only) per week or part thereof, for delay in not adhering to the time schedules.

    If the selected Bidder fails to complete the due performance of the contract in accordance to the specifications and conditions agreed during the final contract negotiation, the Bank reserves the right either to cancel the contract or to accept performance already made by the bidder. The Bank reserves the right to recover an amount equal to the value of contract by the Bank as Liquidated Damages for non-performance.

    Both the above are independent of each other and are applicable separately and concurrently. However the same would not be applicable for reasons attributable to the Bank and Force Majeure. However, it is the responsibility of the bidder to prove that the delay is attributed to the Bank and Force Majeure. The bidder shall submit the proof authenticated by the bidder and Bank’s official that the delay is attributed to the Bank and/or Force Majeure along with the bills requesting payment.

    16. Indemnity :

    The bidder shall indemnify Bank and keep indemnified against any loss or damage by executing an instrument to the effect on a Non-Judicial stamp paper that Bank may sustain on account of violation of patent, trademarks etc. by the bidder.

    17. Authorized Signatory :

    The selected bidder shall indicate the authorized signatories who can discuss and correspond with the bank, with regard to the obligations under the contract.

    The selected bidder shall submit at the time of signing the contract, a certified copy of the extract of the resolution of their Board, authenticated by Company Secretary, authorizing an official or officials of the company or a Power of Attorney copy to discuss, sign agreements/contracts with the Bank. The bidder shall furnish proof of signature identification for above purposes as required by the Bank.

    18. Applicable Law and Jurisdiction of court :

    The Contract with the selected bidder shall be governed in accordance with the Laws of India for the time being enforced and will be subject to the exclusive jurisdiction of Courts at Mumbai.

    19. CANCELLATION OF CONTRACT AND COMPENSATION :

    The Bank reserves the right to cancel the contract of the selected bidder and recover expenditure incurred by the Bank on the following circumstances. The Bank would provide 30 days notice to rectify any breach / unsatisfactory progress :

    • The selected bidder commits a breach of any of the terms and conditions of the bid/contract.
    • The bidder goes into liquidation voluntarily or otherwise.
    • An attachment is levied or continues to be levied for a period of 7 days upon effects of the bid.
    • The progress regarding execution of the contract, made by the selected bidder is found to be unsatisfactory.


    •  If deductions on account of penalty exceeds more than 10% of the total contract price.

    After the award of the contract, if the selected bidder does not perform satisfactorily or delays execution of the contract, the Bank reserves the right to get the balance contract executed by another party of its choice by giving one month's notice for the same. In this event, the selected bidder is bound to make good the additional expenditure, which the Bank may have to incur to carry out bidding process for the execution of the balance of the contract. This clause is applicable, if for any reason, the contract is cancelled.

    The Bank reserves the right to recover any dues payable by the selected bidder from the security deposit or any amount outstanding to the credit of the selected bidder, including the pending bills and/or invoking Bank Guarantee, if any, under this contract.

    20. NON PAYMENT OF PROFESSIONAL FEES :

    If any of the items/activities as mentioned in the price bid and as mentioned in annexure D are not taken up by the Bank during the course of this assignment, the Bank will not pay the professional fees quoted by the SP in the Price Bid against such activity/item.

    21. ASSIGNMENT :

    Neither the contract nor any rights granted under the contract may be sold, leased, assigned, or otherwise transferred, in whole or in part, by the Service Provider, without the advance written consent of the Bank and any such attempted sale, lease, assignment or otherwise transfer shall be void and of no effect.

    22. Subcontracting :

    The service provider shall not subcontract or permit anyone other than its personnel to perform any of the work, service or other performance required of the service provider under the contract without the prior written consent of the Bank.

    23. Force Majeure:

    Any failure or delay by SP or Bank in the performance of its obligations, to the extent due to any failure or delay caused by fire, flood, earthquake or similar elements of nature, or acts of God, war, terrorism, riots, civil disorders, rebellions or revolutions, acts of governmental authorities or other events beyond the reasonable control of non-performing Party, is not a default or a ground for termination. The affected Party shall notify the other party within reasonable time period of the occurrence of a Force Majeure Event.


    24. Dispute Resolution:

    If a dispute, controversy or claim arises out of or relates to the contract, or breach, termination or invalidity thereof, and if such dispute, controversy or claim cannot be settled and resolved by the parties through discussion and negotiation, then the parties shall refer such dispute to arbitration. Both parties may agree upon a single arbitrator or either party shall appoint one arbitrator and the two appointed arbitrators shall thereupon appoint a third arbitrator. The arbitration shall be conducted in English and a written order shall be prepared. The venue of the arbitration shall be Mumbai. The arbitration shall be held in accordance with the Arbitration and Conciliation Act, 1996. The decision of the arbitrator shall be final and binding upon the parties, provided that each party shall at all times be entitled to obtain equitable, injunctive or similar relief from any court having jurisdiction in order to protect its intellectual property and confidential information.

    25. SP Selection/Evaluation Process :

    25.1 Evaluation Criteria

    Technical Bid Evaluation Criteria

    Technical criteria are classified under 3 heads - Credentials, People and Approach & Methodology. The table below highlights the parameters under the technical criteria and scoring methodology.

    | Sr No | Evaluation Parameters | Weightage | Information Provided meets requirement (100%) | Information Provided partially meets requirement (50%) | Information Provided does not meet requirement (0%) |
    |---|---|---|---|---|---|
    | 1 | Must have conducted Threat & Vulnerability analysis of the security architecture, Bank-wide Network in Data Centre / Disaster Recovery for at least 2 Public Sector banks in the last 3 years | 15 | | | |
    | 2 | Must have conducted security and controls review of the ATM, Internet Banking, On-line Trading, Depository Services etc and review of service level agreement for managed services at least 2 public Sector banks in the last 3 years | 15 | | | |
    | 3 | Must have experience of auditing Banking business application Software ie CBS etc | 45 | | | |
    | | Sub-Total | 75 | | | |
    | 8 | Engagement Manager must have handled such projects in the firm for at least four years | 5 | | | |
    | 9 | Overall person responsible must have handled such projects in firm for at least 6 years | 5 | | | |
    | 10 | Proposed team must have experience in executing similar projects in banks out of which at least one should be a public sector bank | 5 | | | |
    | | Sub-Total | 15 | | | |
    | 11 | Demonstration of in-depth understanding of the Bank’s project requirements through the technical proposal | 5 | | | |
    | 12 | Technical Proposal with detailed broken-down activities to be performed, effort estimation, manpower to be deployed on a project-to-project basis. | 5 | | | |
    | | Sub-Total | 25 | | | |
    | | Total Marks | 100 | | | |


    Commercial Evaluation Criterion

    | Sl. No. | Major Activities | Total Cost |
    |---|---|---|
    | 1 | Threat & Vulnerability Analysis (Periodic audit at 6 month interval up to 18 months) | |
    | 2 | Security and Controls review of the ATM, Internet Banking, On-line Trading, Depository Services etc | |
    | 3 | Business Application Software (CBS & Other Business application) | |
    | 4 | Compliance of audit report | |
    | | NET TOTAL COST | |

    Computation Methodology for arriving at “Least Price/Least Quote”

    Bank will give 60% weightage to technical score while comparing the commercial quote. The Procedure is as under :

    A “Score(S)” will be calculated for all qualified bidders using the following formula:

    Where C stands for nominal price quoted, C_low stands for the price quote of the lowest nominal bid. T stands for technical evaluation score and T_high stands for the score of the technically highest bidder. X is equal to 0.4.


    In the above example, ABC, with the highest score becomes the successful bidder.

    Bank reserves the right to negotiate the price with the finally short listed bidder before awarding the contract. It may be noted that Bank will not entertain any price negotiations with any other bidder, till the Least Price bidder declines to accept the offer.

    Note :

    1.  Banks exclude RRBs and Cooperative Banks

    2.  The SP is required to provide documentary evidence for each of the above criteria and the same would be required on the client’s letter head in case of credentials

    26. Project Timelines:

    | Sl. No. | Major Activities | Major Milestones (Only indicative. Bidder should add more detailed steps / tasks so as strengthen the quality of the response) | Time Lines (Days) |
    |---|---|---|---|
    | 1 | Threat & Vulnerability Analysis (Periodic audit at 6 month interval up to 18 months) | Review the adequacy of the security architecture at the Data centre | XXX |
    | | | Review the Bank-wide Network architecture | XXX |
    | | | Review of security and parameter setting for all IT Infrastructure within the Data Centre and Disaster recovery Site | XXX |
    | | | Security and controls review of the ATM, Internet Banking, On-line Trading, depository Services and Channel banking | XXX |
    | 2 | Security & Control Review of ATM, Internet Banking, Online Trading etc. | Security and Controls review of the ATM, Internet Banking, On-line Trading, Depository Services etc | |
    | 3 | Business Application Software (CBS & Other Business application) | Audit of CBS for Domestic and international territory | XXX |
    | | | Audit of Other banking business application | XXX |
    | 4 | Compliance of Audit Report | Audit Compliance report | XXX |


    27. Proposal and other formats

    ANNEXURE A

    Technical Proposal format:

    Particulars to be provided by the bidder in the technical proposal –

    | No | Particulars | Details to be furnished by the bidder |
    |---|---|---|
    | 1 | Name of the bidder | |
    | 2 | Year of establishment and constitution. Certified copy of “Partnership Deed” or “Certificate of | |
    | 3 | Location of Registered office/ Corporate office and address | |
    | 4 | Mailing address of the bidder | |
    | 5 | Names and designations of the persons authorized to make commitments to the Bank | |
    | 6 | Telephone and fax numbers of contact persons | |
    | 7 | E-mail addresses of contact persons | |
    | 8 | Details of: Description of business and business background; Service Profile & client profile; Domestic & International presence; Alliance and joint ventures | |
    | 9 | Whether the consulting process conforms to ISO 9001(2000), BS7799, ISO17799 standards and if so, furnish details of compliance. | |
    | 10 | Details of experience/knowledge possessed in the areas of Project Planning and management review, Resource Planning, Role and Responsibility definition, Co-ordination across multiple | |
    | 11 | Gross revenue of the bidder (not of the group): Year 2007-08; Year 2008-09 | Total From Audit |
    | 12 | Net Profit of the bidder (not of the group): Year 2007-08; Year 2008-09 | |
    | 13 | Details of the similar assignments executed by the bidder during the last two years (Name of the Bank, time taken for execution of the assignment and documentary proofs from the Bank | |
    | 14 | Details of the similar assignments on hand as on date (Name of the Bank, time projected for execution of the assignment and | |
    | 15 | Name of the team leader identified for this assignment and his professional qualifications and experience/expertise. Details of similar assignments handled by the said team leader | As per annexure E |
    | 16 | Names of the other team members identified for this assignment and their professional qualifications and experience/expertise. Details of similar assignments handled by the said team members. Documentary proofs for all the assertions are to be enclosed | As per annexure E |
    | 17 | Estimated work plan and time schedules for providing services for this assignment | |
    | 18 | Effort estimate and elapsed time are to be furnished in annexure D | As per annexure D |
    | 19 | Details of inputs, infrastructure requirements required by the bidder to execute this assignment. | |
    | 20 | Details of the bidder’s proposed methodology/approach for providing services to the Bank with specific reference to the scope | |
    | 21 | Details of deliverables the bidder proposes with specific reference to the scope of work. | |

    Declaration:

    1. We confirm that we will abide by all the terms and conditions contained in the RFP.

    2. We hereby unconditionally accept that Bank of Baroda can at its absolute discretion apply whatever criteria it deems appropriate, not just limiting to those criteria set out in the RFP, in short listing of bidders.

    3. All the details mentioned by us are true and correct and if Bank of Baroda observes any misrepresentation of facts on any matter at any stage, Bank of Baroda has the absolute right to reject the proposal and disqualify us from the selection process.

    4. We confirm that this response, for the purpose of short-listing, is valid for a period of six months, from the date of expiry of the last date for submission of response to RFP.

    5. We confirm that we have noted the contents of the RFP and have ensured that there is no deviation in filing our response to the RFP and that the Bank will have the right to disqualify us in case of any such deviations.

    Place:
    Date :

    Seal & Signature of the bidder


    ANNEXURE B

    Commercial Bid Format

    | Sr. No. | Major Activities | Major Deliverables (Only indicative. Bidder may add more so as to strengthen the quality of the response) | Estimated Effort (In man days) | Quoted Price (In Rupees) |
    |---|---|---|---|---|
    | 1 | Threat & Vulnerability Analysis (Periodic Audit of all Customer facing web based application) | Review the adequacy of the security architecture at the Data Centre | | |
    | | | Review the Bank-wide Network architecture | | |
    | | | Review of security and parameter setting for all IT Infrastructure within the Data Centre and Disaster recovery Site | | |
    | 2 | Security & Control Review of ATM, Internet Banking, Online Trading etc. | Security and controls review of the ATM, Internet Banking, On-line Trading, depository Services and Channel banking | | |
    | 3 | Business Application Software | Audit of CBS at Domestic & International Territory | | |
    | | | Audit of other business application at Domestic and International territory. | | |

    Please also furnish the following:

    1.  Average cost per man-day (in Rupees) :
    2.  Rate per man-day for Senior Resource (in Rupees) :
    3.  Rate per man-day for other Resources (in Rupees) :
    4.  Rate per man-day external site duty (Composite Rate) :


    ANNEXURE C

    Compliance Certificate

    To, Date :

    The General Manager
    (Projects & IT – Operations)
    Bank of Baroda
    3rd floor
    Baroda Corporate Centre
    Bandra Kurla Complex, Bandra (East)
    Mumbai 400 051

    Dear Sir,

    Ref: -

    1. Having examined the Request for Proposal (RFP) including all annexures, the receipt of which is hereby duly acknowledged, we, the undersigned offer to provide the desired services for Comprehensive Audit of Banking application Systems in conformity with the said RFP and in accordance with our proposal and the schedule of Prices indicated in the Price Bid and made part of this bid.

    2. If our Bid is accepted, we undertake to complete the project within the scheduled time lines.

    3. We confirm that this offer is valid for six months from the last date for submission of RFP to the Bank.

    4. This Bid, together with your written acceptance thereof and your notification of award, shall constitute a binding Contract between us.

    5. We undertake that in competing for and if the award is made to us, in executing the subject Contract, we will strictly observe the laws against fraud and corruption in force in India namely “Prevention of Corruption Act 1988”.

    6. We agree that the Bank is not bound to accept the lowest or any Bid that the Bank may receive.

    7. We have not been barred/black-listed by any regulatory / statutory authority and hold the necessary approvals/licenses/permission of statutory/regulatory authorities.

    8. We shall observe confidentiality of all the information passed on to us in course of the tendering process and shall not use the information for any other purpose than the current tender.

    Signed
    Dated
    Seal & Signature of the bidder

    Phone No.:
    Fax:
    E-mail:


    ANNEXURE D

    Estimated Effort and Elapsed Time

    | Sl No | Activities | Elapsed Time | Effort in Man days | Number of team members who will be deployed | Remarks |
    |---|---|---|---|---|---|
    | 1 | Threat & Vulnerability Analysis | | | | |
    | 2 | Security & Control Review of ATM & Other Applications | | | | |
    | 3 | Business Application Software (CBS & Other Business application) | | | | |

    Place:
    Date:
    Seal and Signature of Bidder:


    ANNEXURE F

    Comments on the Terms & Conditions, Services and Facilities provided:

    Please provide your comments on the Terms & conditions in this section. You are requested to categorize your comments under appropriate headings such as those pertaining to the Scope of work, Approach, Work plan, Personnel schedule, Terms & Conditions etc. You are also requested to provide a reference of the page number, state the clarification point and the comment/ suggestion/ deviation that you propose as shown below.

    | Sr. No. | Page # | Point / Section # | Clarification point as stated in the tender document | Comment/ Suggestion/ Deviation |
    |---|---|---|---|---|
    | 1 | | | | |
    | 2 | | | | |
    | 3 | | | | |
    | 4 | | | | |
    | 5 | | | | |
    | 6 | | | | |
    | 7 | | | | |
    | 8 | | | | |
    | 9 | | | | |

    Project Office
    Bank of Baroda
    Baroda Corporate Centre

    Dated : 03/11/2009

    End of Document