
RFP for VAPT of Internet facing applications and related infrastructure

RFP Ref No. BCC:CISO:RFP:107/17 dated 05/05/2015

Pre Bid Query Replies Date : 22/05/2015

Columns: S.No. | Page # | Point / Section # | Clarification point as stated in the tender document | Category of Comment/ Suggestion/ Deviation/ Query | Comment/ Suggestion/ Deviation/ Query | Bank's Response

S.No. 1 | Page 6 | Section 1.13.1
Tender clause: Application Money & Earnest Money
Category: Clarification/ Deviation Request
Comment/ Query: XXXXXXXX is registered under Micro, Small and Medium Enterprise (MSME) with Government of India. We are registered as 'Medium' enterprise under the MSME Certificate. There are various benefits extended by Govt to MSME sector. Some of the benefits are highlighted below:
1. Preference in procuring Govt tenders
2. Waiver in earnest money in Govt tenders
3. Free of cost Govt tenders
Would the Bank also extend the above benefits to us as an MSME registered organization-bidder?
Bank's Response: Bank's RFP terms are uniform for all the Bidders.

S.No. 2 | Page 14 | Section 2.3
Tender clause: ...websites maintained at Bank's premises in Mumbai & Hyderabad including Bank's website hosted at the Service Provider's Data Centre.
Category: Query
Comment/ Query: Whether all the websites are available on the internet? Which is the location of the Service Provider where the websites are hosted?
Bank's Response: Please refer to section 2.3 Project Scope under Section II of RFP.

S.No. 3 | Page 15 | Section 2.3
Tender clause: In addition to the remote Assessment, selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP.
Category: Query
Comment/ Query: Please let us know the locations for onsite assessment.
Bank's Response: Mumbai and Hyderabad

S.No. 4 | Page 15 | Section 2.3
Tender clause: In addition to the remote Assessment, selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP.
Category: Query
Comment/ Query: Please let us know for which in-scope activities the assessment will be required to be performed onsite.
Bank's Response: Vulnerability Assessment

S.No. 5 | Page 15 | Section 2.3
Tender clause: In addition to the remote Assessment, selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP.
Category: Query
Comment/ Query: Would the team be required to travel to the DR location of Hyderabad, or will the connectivity be provided remotely?
Bank's Response: Onsite assessment is to be carried out in Mumbai and Hyderabad

S.No. 6 | Page 15 | Section 2.3
Tender clause: Period of Assignment will be Two years. The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Query
Comment/ Query: Please confirm if OPEN issues identified in one cycle will be rechecked in the next six month cycle.
Bank's Response: Yes

S.No. 7 | Page 15 | Section 2.3
Tender clause: Period of Assignment will be Two years. The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Query
Comment/ Query: Efforts will be calculated considering half yearly frequency for all in-scope activities. Are we expected to provide quotes considering different frequencies
Bank's Response: No

S.No. 8 | Page 15 | Section 2.3
Tender clause: Period of Assignment will be Two years. The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Query
Comment/ Query: (Yearly/Six months/Monthly)
Bank's Response: Query replied above.

S.No. 9 | Page 15 | Section 2.3
Tender clause: The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Suggestion
Comment/ Query: Kindly remove this clause as it will be difficult to estimate the cost if the frequency of Audit is uncertain, and Vendors will have to keep a higher margin to cover this.
Bank's Response: Not Agreeable. Query replied above.

S.No. 10 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Please confirm if Penetration Testing is also required to be done, including exploitation?
Bank's Response: Yes, from the internet.

S.No. 11 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Please confirm if the below mentioned activities are to be considered as a part of VAPT:
Bank's Response: (see items 12 to 15 below)


S.No. 12 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: DDOS attacks
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 13 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: War Dialing
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 14 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Containment Measurement Testing
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 15 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: IPS/IDS Fine tuning of signatures
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 16 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Please confirm if Code Review is required to be carried out as a part of VAPT activities. If yes, please provide the Lines of Code for each application/instance.
Bank's Response: No Source code review is expected; however, client side code review is included in the scope.

S.No. 17 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Please confirm if Network Security Review is part of scope? If yes, then at what level, e.g. paper based design review?
Bank's Response: Yes, including design review

S.No. 18 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Please confirm if OS security configuration review is to be performed for all in-scope devices/servers
Bank's Response: Yes as per clause 2.3.1

S.No. 19 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Please confirm if rulebase review is to be performed for all firewalls. If yes, let us know the approximate number of rules per firewall.
Bank's Response: Yes as per clause 2.3.1

S.No. 20 | Page 15 | Section 2.3.1
Tender clause: VAPT activities : VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/ Query: Please let us know what activities need to be conducted under Website Assessment (Process). Will this be a part of VAPT?
Bank's Response: Please refer clause 2.3.2

S.No. 21 | Page 15 | Section 2.3.1
Tender clause: Application Security Testing & Code Review
Category: Information Request
Comment/ Query: What applications are under the scope of code review? Can the Bank provide an approx size of each application in terms of LoC (Lines of Code)? This will help in accurate estimation of commercials.
Bank's Response: No Source code review is expected; however, client side code review is included in the scope.

S.No. 22 | Page 15 | Section 2.3.1
Tender clause: VAPT activities
Category: Information Request
Comment/ Query: Do all the activities need to be done onsite or can the activities be done remotely as well? If onsite, can the Hyderabad DC and other locations, if any, be audited from the Bank's Mumbai DC/ Office premises, instead of physically travelling?
Bank's Response: Vulnerability Assessment is to be done onsite at both Mumbai and Hyderabad in addition to the offsite assessment/PT.

S.No. 23 | Page 15 | Section 2.3.1
Tender clause: VAPT activities
Category: Information Request
Comment/ Query: From the 11 IPs mentioned for external PT, does this require Application PT on those IPs as well? If so, are these applications distinct from the 11 mentioned in the RFP? In such a case, kindly provide details of such applications.
Bank's Response: Applications are hosted at these -11- public IPs.

S.No. 24 | Page 15 | Section 2.3.1
Tender clause: Application Security Testing & Code Review
Category: Information Request
Comment/ Query: How many rounds of revalidation testing are required for this activity by the Bank?
Bank's Response: Query replied above.

S.No. 25 | Page 15 | Section 2.3.1
Tender clause: VAPT activities
Category: Information Request
Comment/ Query: How many rounds of revalidation testing are required for this activity by the Bank?
Bank's Response: Query replied above.

S.No. 26 | Page 15 | Section 2.3.1
Tender clause: Website Assessment (Process)
Category: Information Request
Comment/ Query: We request the Bank to describe the process review expected: functional review, or from the pure perspective of information security only.
Bank's Response: Please refer to activities indicated in clause 2.3.1 and 2.3.2

S.No. 27 | Page 15 | Section 2.3.1
Tender clause: Application Security Testing & Code Review
Category: Information Request
Comment/ Query: Will the Bank provide the banking accounts, debit and credit cards needed for the testing, or will the Bidder need to open accounts and obtain the same as would be needed for testing? In such case, will the Bank facilitate the opening of the same to ensure minimum time and cost to the Bidder?
Bank's Response: Bank will provide access to facilitate testing.


S.No. 28 | Page 15 | Section 2.3.1
Tender clause: Application Security Testing & Code Review
Category: Query
Comment/ Query: Application Security Testing includes tool based code review. Is Manual Code review required? If yes, kindly provide the technology used and no. of lines of code to be examined.
Bank's Response: Query replied above.

S.No. 29 | Page 15 | Section 2.3.1
Tender clause: IDS/IPS review & Fine tuning of Signatures
Category: Query
Comment/ Query: Which IDS/IPS is in use?
Bank's Response: Details will be shared with the successful Bidder

S.No. 30 | Page 15 | Section 2.3.1
Tender clause: Code Review
Category: Query
Comment/ Query: Is Code review in scope?
Bank's Response: Query replied above.

S.No. 31 | Page 15 | Section 2.3.1
Tender clause: Code Review
Category: Suggestion
Comment/ Query: Which apps are in scope for code review from the following list:
1. Internet Payment Gateway
1.1 Moto & SSL interfaces
2. International Retail E-banking (14 different instances) (User & Admin module)
3. International Corporate E-banking (14 different instances) (User & Admin module)
4. Domestic Retail E-banking (User & Admin module)
5. Domestic Corporate E-banking (User & Admin module)
6. Online Trading
6.1 Depositary Application
7. Mobile Banking App (Transaction/ Top up/ ticketing/ m-commerce)
8. Corporate Email App
1. CMS
2. BOB KM (Intranet)
3. Mobile OTP generation App
4. NEFT / RTGS App
1. 2 Web sites
Bank's Response: Query replied above. List of applications for VAPT is given in clause 2.3.4.

S.No. 32 | Page 15 | Section 2.3.1
Tender clause: Code Review
Category: Query
Comment/ Query: Please provide approx LOC for the apps which are in scope for this assessment.
Bank's Response: Query replied above.

S.No. 33 | Page 15 | Section 2.3.1
Tender clause: Application Security Testing
Category: Suggestion
Comment/ Query: We understand all the apps listed are in scope for grey Box:
1. Internet Payment Gateway
1.1 Moto & SSL interfaces
2. International Retail E-banking (14 different instances) (User & Admin module)
3. International Corporate E-banking (14 different instances) (User & Admin module)
4. Domestic Retail E-banking (User & Admin module)
5. Domestic Corporate E-banking (User & Admin module)
6. Online Trading
6.1 Depositary Application
7. Mobile Banking App (Transaction/ Top up/ ticketing/ m-commerce)
8. Corporate Email App
1. CMS
2. BOB KM (Intranet)
3. Mobile OTP generation App
4. NEFT / RTGS App
1. 2 Web sites
Are there any Additional applications (modules) in scope?
Bank's Response: Query replied above. List of applications for VAPT is given in clause 2.3.4.

S.No. 34 | Page 15 | Section 2.3.1
Tender clause: E-banking (14 different instances)
Category: Query
Comment/ Query: Vulnerability scanning needs to be done for full infrastructure (server + devices), approx 200+ Internal IPs
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 35 | Page 15 | Section 2.3.1
Tender clause: Vulnerability scanning
Category: Query
Comment/ Query: Does the scope include scanning network segments and finding live IPs?
Bank's Response: No


S.No. 36 | Page 15 | Section 2.3.1
Tender clause: Network Scanning
Category: Query
Comment/ Query: Please provide the count of Modems in scope for this activity
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 37 | Page 15 | Section 2.3.1
Tender clause: Firewall Rule base audit
Category: Query
Comment/ Query: How many firewalls in scope?
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 38 | Page 15 | Section 2.3.1
Tender clause: Firewall Rule base audit
Category: Query
Comment/ Query: How many rules per firewall (approx count)
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 39 | Page 15 | Section 2.3.1
Tender clause: IDS/ IPS review
Category: Query
Comment/ Query: How many IPS / IDS are in scope?
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 40 | Page 15 | Section 2.3.1
Tender clause: Containment Measure Testing
Category: Query
Comment/ Query: What kind of security Assessment is expected here, please mention.
Bank's Response: Details will be shared with the successful Bidder

S.No. 41 | Page 15 | Section 2.3.1
Tender clause: Functional validations
Category: Query
Comment/ Query: XXXXXX will perform business rule security validation for this; is this as per expectation?
Bank's Response: From Security angle only

S.No. 42 | Page 15 | Section 2.3.1
Tender clause: Website Assessment (Process)
Category: Query
Comment/ Query: What kind of security Assessment is expected here, please mention.
Bank's Response: Please refer to RFP clause 2.3.2

S.No. 43 | Page 15 | Section 2.3.2
Tender clause: Website/Web – Application Assessment
Category: Information Request
Comment/ Query: Do all the activities need to be done onsite or can the activities be done remotely as well? If onsite, can the Hyderabad DC and other locations, if any, be audited from the Bank's Mumbai DC/ Office premises, instead of physically travelling?
Bank's Response: Query replied above.

S.No. 44 | Page 15 | Section 2.3.4
Tender clause: International Retail; 3. International Corporate E-banking
Category: Query
Comment/ Query: Are there 14 different apps for each country? Or a single common app for them?
Bank's Response: Different instances for each country

S.No. 45 | Page 16 | Section 2.3.3
Tender clause: Scope
Category: Clarification
Comment/ Query: As per the section, there are 89 Internal IP addresses and 11 External Internet facing IP addresses in Scope of Infrastructure Penetration Testing?
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 46 | Page 16 | Section 2.3.3
Tender clause: VAPT External Internet IPs : 11
Category: Query
Comment/ Query: Whether the VAPT External Internet IPs : 11 are all Application IPs
Bank's Response: Yes

S.No. 47 | Page 16 | Section 2.3.3
Tender clause: Quantity(DC), Quantity (DR)
Category: Query
Comment/ Query: How many out of the 89 Devices (81 servers, 4 Network Devices, 4 Security Devices) in DC and DR are Intranet/Internet IPs
Bank's Response: External -11- IPs

S.No. 48 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: Need following details for each application
Bank's Response: Details will be shared with the successful Bidder

S.No. 49 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: Number of dynamic pages
Bank's Response: Details will be shared with the successful Bidder

S.No. 50 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: Number of roles and privileges
Bank's Response: Details will be shared with the successful Bidder

S.No. 51 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: Please confirm if all application testing is to be performed as Grey-Box Security Testing (test credentials would be required to be shared)
Bank's Response: Query replied above.

S.No. 52 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: Number of Modules available in each application
Bank's Response: Details will be shared with the successful Bidder


S.No. 53 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: Are we allowed to do intrusive testing on live applications wherein live data modification might take place for successful security testing?
Bank's Response: Yes, from the internet.

S.No. 54 | Page 16 | Section 2.3.4
Tender clause: List of applications
Category: Query
Comment/ Query: Does the application have a separate instance for each country?
Bank's Response: Query replied above

S.No. 55 | Page 16 | Section 2.3.4
Tender clause: List of applications : ...E-Banking International (Australia, Botswana, Fiji, Ghana, Kenya, Mauritius, New Zealand, Oman, Seychelles, Tanzania, UAE, Uganda, UK, USA)
Category: Query
Comment/ Query: Does the scope include application testing for the modules/instances for all countries?
Bank's Response: Yes

S.No. 56 | Page 16 | Section 2.3.4
Tender clause: List of applications : ...Mobile Banking
Category: Query
Comment/ Query: Is mobile application testing in scope? If yes, please let us know the type of platforms.
Bank's Response: Mobile Banking application is hosted in Service provider's environment at Mumbai and Chennai. Details will be shared with the successful Bidder. Mobile Banking is supported on Java based, Android, Windows, iOS and Blackberry based mobile devices.

S.No. 57 | Page 16 | Section 2.3.4
Tender clause: List of applications : Application Virtualization, E-mail system
Category: Query
Comment/ Query: Please confirm web application security testing is in scope for these two applications.
Bank's Response: Yes

S.No. 58 | Page 16 | Section 2.3.4
Tender clause: Scope
Category: Clarification
Comment/ Query: As per the section, there are 11 applications in scope of Application penetration testing? Are Application virtualization and Email System to be considered as a single application or a set of applications? Please provide the details.
Bank's Response: Single application

S.No. 59 | Page 16 | Section 2.3.4
Category: Detailed Scope understanding
Comment/ Query: Kindly provide the application landscape of all applications mentioned in this section with the number of web pages per application to be tested?
Bank's Response: Details will be shared with the successful Bidder

S.No. 60 | Page 16 | Section 2.3.4
Category: To understand whether there are any web services in scope?
Comment/ Query: Do any of the in-scope Web applications use any web services? If yes, please let us know the total number of web services, the methods employed (e.g. SOAP/HTTP, Restful API) and the average number of operations and parameters per web service to be tested?
Bank's Response: Details will be shared with the successful Bidder

S.No. 61 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: List the number of static and Dynamic pages for each Application
Bank's Response: Details will be shared with the successful Bidder

S.No. 62 | Page 16 | Section 2.3.4
Tender clause: List of Applications
Category: Query
Comment/ Query: Are all applications available on the internet? BOB KM (Intranet): will this application also be made available on the internet?
Bank's Response: Yes. BOB KM IS also accessible from the Internet

S.No. 63 | Page 16 | Section 2.3.4
Tender clause: Arcot App
Category: Query
Comment/ Query: Only 2FA feature needs to be assessed
Bank's Response: Yes from Security angle

S.No. 64 | Page 17 | Section 2.3.4
Tender clause: Application Virtualization - App & infra
Category: Query
Comment/ Query: What kind of security Assessment is expected here, please mention.
Bank's Response: Query replied above

S.No. 65 | Page 17 | Section 2.3.5.1
Comment/ Query: Is it only Non Intrusive Penetration testing to be done for all Applications? It is mentioned that "Conduct VAPT as per the scope defined in RFP with Disturbing operations"?
Bank's Response: Query replied above. Please refer to clause 2.3.5.1.a


S.No. 66 | Page 17 | Section 2.3.5.1 Phase I point c
Category: Remediation
Comment/ Query: What type of support is expected from XXXXX during the remediation phase?
Bank's Response: Please refer to RFP clause 2.3.5.1

S.No. 67 | Page 18 | Section 2.3.5.2
Tender clause: The final report has to be submitted within -2- months of submission of the initial draft report.
Category: Query
Comment/ Query: Will the Final Report include the Post Implementation Review of findings reported in the Draft Report?
Bank's Response: Post implementation review will take place in the next assessment cycle.

S.No. 68 | Page 20 | Section 2.4
Tender clause: DETAILS OF INFRASTRUCTURE AT BANK'S DC/DR:.... Irrespective of the present status of applications, systems, processes, interfaces, hardware, networking equipments, security devices etc implemented at DC/DR site, all future changes including new initiatives will be covered as part of the scope of work during the term of the engagement.
Category: Query
Comment/ Query: It was mentioned that all future changes including new initiatives will be part of scope during the term of the engagement.
Bank's Response: Yes

S.No. 69 | Page 20 | Section 2.4
Tender clause: DETAILS OF INFRASTRUCTURE AT BANK'S DC/DR:.... Irrespective of the present status of applications, systems, processes, interfaces, hardware, networking equipments, security devices etc implemented at DC/DR site, all future changes including new initiatives will be covered as part of the scope of work during the term of the engagement.
Category: Query
Comment/ Query: If the future requirement increases by more than 10% of the original scope, please let us know whether an additional fee will be calculated.
Bank's Response: No

S.No. 70 | Page 20 | Section 2.3.6
Tender clause: Separate reports should be provided for international territories.
Category: Query
Comment/ Query: Which reports would be required separately for International Territories?
Bank's Response: All reports pertaining to Infra and Applications

S.No. 71 | Page 21 | Section 2.4
Tender clause: Details of IT Security Policy: Bank has IT Security Policy approved by the Board of Directors. Bank also has 21 Standard and Guideline documents which are approved by the Top Management Steering Committee (TMSC) on IT Security and 14 Procedure documents in place. Bank also has Purging and Archival policy and Business continuity plan approved by the Board of Directors.
Category: Query
Comment/ Query: What kind of security Assessment is expected here, please mention. Or was it just an informational text?
Bank's Response: Clause is for information of the Bidders.

S.No. 72 | Page 23 | Section 3.1.6
Tender clause: Auditor should disclose the details of automated tools used for accomplishing the audit process. The auditor must have the valid license of the said automated tool(s).
Category: Tools to be used
Comment/ Query: Please confirm if the VA tool has to be deployed in the premises of the bank for conducting the audit. Also, need a confirmation whether this tool has to be integrated with other technologies which the bank might be having in their environment as of now.
Bank's Response: Vendor has to bring in their own assessment tools. There will not be any integration of Vendor's tool with the Bank's own tools.


S.No. 73 | Page 23 | Section 3.1.6
Tender clause: Auditor should disclose the details of automated tools used for accomplishing the audit process. The auditor must have the valid license of the said automated tool(s).
Category: Tools to be used
Comment/ Query: Kindly confirm if penetration testing is also to be done through a licensed tool. We have this concern because ethical hacking/ black box testing/ penetration testing is ideally done through a combination of multiple tools which might include freeware/ open source tools.
Bank's Response: Disclosure of tools used for EH/PT/Black Box testing/VA etc is required.

S.No. 74 | Page 23 | Section 3.1.6
Tender clause: Tools
Category: Clarification
Comment/ Query: Are there any Application Security Penetration Testing Tools such as IBM Appscan, HP Web inspect etc. available with BOB? If yes, can XXXXXX leverage these tools for penetration Testing?
Bank's Response: Query replied above

S.No. 75 | Page 23 | Section 3.1.6
Tender clause: Tools
Category: Clarification
Comment/ Query: Are there any Network Penetration Testing Tools such as Nexpose, Nessus, Qualys etc. available with BOB? If yes, can XXXXXX leverage these tools for penetration Testing?
Bank's Response: Query replied above

S.No. 76 | Page 24 | Section 3.1.11
Tender clause: 3.1.11 Payment Terms
Category: Suggestion
Comment/ Query: This is to request to modify the payment terms as "50 % Payment to be released along with the purchase order. 25 % payment to be released on submission of initial report and remaining 25 % payment to be released on submission of the final report".
Bank's Response: No change from RFP terms

S.No. 77 | Page 29 | Section 3
Tender clause: Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services
Category: Eligibility Criteria
Comment/ Query: We are in the business of system integration and have got a dedicated arm for security services offerings like VA, PT, app sec, compliance and consulting. However, our P&L or balance sheet doesn't have explicit details of the revenue contributed from infra and service. With this respect, request you to dilute the clause to "Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14"
Bank's Response: Clarification : Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least Rs. 6.25 Cr revenue must have come from testing & Consulting services. Certificate from Chartered Accountant clearly mentioning revenue from Testing & Consulting services would suffice.


S.No. 78 | Page 29 | Section 3
Tender clause: Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services. Copy of audited Balance Sheet and P&L statement for the financial years 2011-12, 2012-13 and 2013-14.
Category: Modification/ Deviation Request for MSME bidders
Comment/ Query: We are an Indian OEM in the business of pure home-grown Indian Application Security Products and Services only, but we find ourselves hard pressed to meet the turnover and profitability criteria.
In spite of being a high growth and high volume business that we currently do with over 700 customers, several of which are among the peer Banks of Bank of Baroda such as ICICI Bank, IndusInd Bank, Bank of India, Central Bank of India, HDFC Bank, Federal Bank, Syndicate Bank, and two of our own products on offer, i.e. web application firewall & application security scanner, we will need another year to reach the figure of 25 Cr and then further sustain that for the next three years.
Since the Bank has asked for CERT-In empanelled information security companies to participate, it may be noted that except for the few large organizations in the list most will not be able to qualify with this criteria.
Considering that our business (and that of most of the smaller Cert-In empanelled vendors) is purely related to information security services, and nowhere contains any infrastructure sales of hardware products of any nature, or any other kind of services not related to information security, it is our request to further consider amending the clause to reflect only the business done by the bidder(s) from a pure Information Security Services perspective if it would suit the Bank. With this change, the Bank may well ask for clearly demarcated Information Security Services revenue from Testing & Consulting of 7.5 Cr over three years (as an example, or 6.25 Cr considering 25% of 25 Cr) to understand the capability, spread and real genuine market acceptance of the Information Security Services business of the bidder(s), providing the Bank a good selection of competent and serious bidders.
Bank's Response: No change from RFP terms

S.No. 79 | Page 29 | Section 3
Tender clause: ANNEXURE-A : ELIGIBILITY CRITERIA : Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services.
Category: Suggestion
Comment/ Query: Our company's major focus is IS Audit & we have very good experience in VAPT & have completed similar projects successfully in PSUs also. So we request you to amend this criteria as: "Should have a minimum annual turnover of Rs.10.00 crores (Rupees Ten Crores) during last three financial years viz. 2011-12, 2012-13, 2013-14"
Bank's Response: No change from RFP terms

S.No. 80 | Page 29 | Section 3
Tender clause: Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services.
Category: Deviation
Comment/ Query: Please consider CA certificate for the same.
Bank's Response: Query replied above


81 29 4 Should have made net profits for the last

3 financial years viz.2011-12, 2012-13

and 2013-14.

Deviation Please consider the last 3 year as 2012-13, 2013-14 and 2014-15.

OR

Must be net profit making entity continuously for the last

threeyears, that is financial years - 2011-12, 2012-13 and 2013-14

OR

Must be a cash profit making entity (Net profit +

depreciation)continuously for the last three years, that is financial

years - 201112,

2012-13 and 2013-14 AND must have a networth* of Rs. 75crores in

the last two financial years.

No change from RFP terms

82 | Page 29 | Point/Section 5
Clarification point: The Bidder should be empanelled by CERT-In as Information Security Audit Organization and should remain in panel up to 31st March, 2017 during the currency of contract.
Category: Eligibility Criteria
Comment: We are empanelled with CERT-In in the latest list till 31st August, 2015. However, the process for re-empanelment has not been initiated by CERT-In. In such a case, we request Bank of Baroda to confirm whether the current empanelment till Aug, 2015 will hold good for letting us participate in the engagement and what should be the documentary evidence required to be submitted against this clause.
Bank's Response: Bidder must be empanelled with CERT-In for the current year as on date of RFP response submission, which must be maintained up to 31/03/2017.

83 | Page 29 | Point/Section 5
Clarification point: The Bidder should be empanelled by CERT-In as Information Security Audit Organization and should remain in panel up to 31st March, 2017 during the currency of contract.
Comment: The CERT-In Empanelment is renewed every 3 years; it may be possible that the vendors participating in the Bid would have got the empanelment in the last 2 years, the renewal for which may be due this year. Our suggestion to this point is that for the submissions all the vendors should have a valid empanelment certificate irrespective of the date of expiry. It will be the responsibility of the shortlisted bidder to maintain a valid empanelment certificate throughout the duration of the assignment and the bank reserves the right to terminate the contract if the bidder fails to do so.
Bank's Response: Query replied above

84 | Page 29 | Point/Section 6
Clarification point: Should have conducted VAPT for at least two Banks in last 3 years
Category: Eligibility Criteria
Comment: As a part of ISO 27001 engagements gap analysis, we have conducted VAPT exercises in a number of engagements. However, the purchase order/work order of such engagements doesn't explicitly highlight VAPT as a separate exercise. Please confirm if such work orders/purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VAPT exercise in the past.
Bank's Response: Can be considered if the same is mentioned in the client certificate

85 | Page 29 | Point/Section 6
Clarification point: Copy of purchase order and Client certificate
Category: Documents required
Comment: Request the bank to change the clause to "Copy of purchase order or Client certificates"
Bank's Response: Noted

86 | Page 29 | Point/Section 6
Clarification point: Should have conducted VAPT for at least two Banks in last 3 years. (Copy of purchase order and Client certificate to be submitted)
Category: Deviation
Comment: Please consider "Should have conducted VAPT for at least one Bank in last 3 years. (Copy of purchase order to be submitted)". Signoff/Feedback will be considered as Client Certificate.
Bank's Response: No change from RFP terms. (Query replied above)


87 | Page 29 | SECTION-IV ANNEXURE-A: ELIGIBILITY CRITERIA
Clarification point: Should have conducted VAPT for at least two Banks in last 3 years.
Category: Query
Comment: Please confirm if Purchase Order would suffice as a supporting document for relevant project experience.
Bank's Response: Query replied above

88 | Page 30 | Point/Section 7
Clarification point: Bidder should have at least 5 years experience in offering Information Security Services such as Security assessment, defining security policies, procedures & baselines, Risk Assessment, security consulting assignments to clients in India
Category: Eligibility Criteria
Comment: Please confirm if a single work order which is equal to more than 5 years will suffice against this eligibility clause or is there a minimum number of such references to be shared with Bank of Baroda.
Bank's Response: No change from RFP terms

89 | Page 30 | Point/Section 7
Clarification point: Copy of purchase order and Client certificate
Category: Documents required
Comment: Request the bank to change the clause to "Copy of purchase order or Client certificates"
Bank's Response: Query replied above

90 | Page 30
Clarification point: The fulfillment of above eligibility criteria except items 3 & 4 above, would be ascertained as of 31.12.2014.
Category: Deviation
Comment: Please consider this as of 30.04.2015
Bank's Response: No change from RFP terms

91 | Page 32 | Technical Evaluation Criteria
Clarification point: Must possess experience in conducting VA & PT of IT Infrastructure (Servers, Network devices, Security Devices, Databases) of Data Centre / Disaster Recovery for at least 1 Bank in India in each of the last 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VAPT exercises in a number of engagements. However, the purchase order/work order of such engagements doesn't explicitly highlight VAPT as a separate exercise. Please confirm if such work orders/purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VAPT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VAPT on infrastructure and banking applications.
Bank's Response: Query replied above. No change from RFP terms


92 | Page 32 | Technical Evaluation Criteria
Clarification point: Must possess experience in conducting VA & PT of IT Infrastructure (Servers, Network devices, Security Devices, Databases) of Data Centre / Disaster Recovery for at least 2 Banks in India in 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VAPT exercises in a number of engagements. However, the purchase order/work order of such engagements doesn't explicitly highlight VAPT as a separate exercise. Please confirm if such work orders/purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VAPT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VAPT on infrastructure and banking applications.
Bank's Response: Query replied above. No change from RFP terms

93 | Page 32 | Technical Evaluation Criteria
Clarification point: Must have extensive experience in VA & PT of any one of the Internet facing applications e.g. internet banking, cash management system, online trading, Payment Gateway for at least 1 Bank in India in each of the last 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VAPT exercises in a number of engagements. However, the purchase order/work order of such engagements doesn't explicitly highlight VAPT as a separate exercise. Please confirm if such work orders/purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VAPT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VAPT on infrastructure and banking applications.
Bank's Response: Query replied above. No change from RFP terms

94 | Page 32 | Technical Evaluation Criteria
Clarification point: Must have extensive experience in VA & PT of Internet facing applications e.g. Internet banking, Cash management system, Online trading, Internet Payment Gateway for at least 2 Banks in India in the last 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VAPT exercises in a number of engagements. However, the purchase order/work order of such engagements doesn't explicitly highlight VAPT as a separate exercise. Please confirm if such work orders/purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VAPT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VAPT on infrastructure and banking applications.
Bank's Response: Query replied above. No change from RFP terms

95 | Page 41 | Annexure F
Clarification point: 1. Vulnerability Assessment & Penetration Testing for Internet facing infrastructure hosted in Bank's environment at DC & DR
Category: Query
Comment: Does this include only Config Review, Vulnerability scan, Firewall Rule base review, IPS review, Internal PT, War dialing and SNA of DMZ segment? Please confirm.
Bank's Response: Query replied above

96 | Page 41 | Annexure F
Clarification point: 2. Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank's environment (For a set of 11 IPs)
Category: Query
Comment: Does this include only External PT of 11 IPs, Grey Box Assessment & Code review of the above mentioned number of apps (Q2 & Q3)? Please confirm.
Bank's Response: Query replied above

97 | Page 41 | Annexure F
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment: Does this include only Black Box Assessment (Pre Login Pages) of 2 websites? Please confirm.
Bank's Response: Query replied above. Website is hosted in Mumbai and Bangalore at the service provider's environment


98 | Page 41 | Annexure F
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment: Does this include only Grey Box Assessment (Pre + Post Login Pages) of 2 websites? Please confirm.
Bank's Response: Query replied above

99 | Page 41 | Annexure F
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment: Does this include only Code Review Assessment of 2 websites? Please provide approx. LOC.
Bank's Response: Query replied above

100 | Page 41 | Annexure J
Clarification point: 1. Vulnerability Assessment & Penetration Testing for Internet facing infrastructure hosted in Bank's environment at DC & DR
Category: Query
Comment: Are there any activities to be excluded in this pricing slot?
Bank's Response: Query replied above

101 | Page 41 | Annexure J
Clarification point: 1. Vulnerability Assessment & Penetration Testing for Internet facing infrastructure hosted in Bank's environment at DC & DR
Category: Query
Comment: Are there any additional activities to be included in this pricing slot?
Bank's Response: Query replied above

102 | Page 41 | Annexure J
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment: Are there any activities to be excluded in this pricing slot?
Bank's Response: Query replied above

103 | Page 41 | Annexure J
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment: Are there any additional activities to be included in this pricing slot?
Bank's Response: Query replied above

104 | Page 42 | Annexure J
Clarification point: 2. Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank's environment (For a set of 11 IPs)
Category: Query
Comment: Are there any activities/Apps to be excluded in this pricing slot?
Bank's Response: Query replied above

105 | Page 43 | Annexure J
Clarification point: 2. Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank's environment (For a set of 11 IPs)
Category: Query
Comment: Are there any additional activities/Apps to be included in this pricing slot?
Bank's Response: Query replied above

106 | Page 45 | Annexure J
Clarification point: Commercial Bid Format
Category: Information Request
Comment: We request a discussion on the Commercial format to understand it better and to avoid any possible ambiguity. (E.g. line items for code review, VA, Firewall review etc. Unitized prices will help the Bank and bidder in case of scope creep over the 10% mentioned in the RFP.)
Bank's Response: No change in Commercial Bid Format Annexure J

107 | Point/Section 2.3.3
Clarification point: DR in HYD
Category: Query
Comment: Can the infra located in HYD be remotely accessed from BOB Mumbai Premise during assessment?
Bank's Response: No