RFP for VAPT of Internet facing applications and related infrastructure
RFP Ref No. BCC:CISO:RFP:107/17 dated 05/05/2015
Pre-Bid Query Replies, Date: 22/05/2015
Table columns: S.No. | Page # | Point / Section # | Clarification point as stated in the tender document | Category of Comment/ Suggestion/ Deviation/ Query | Comment/ Suggestion/ Deviation/ Query | Bank's Response
S.No. 1 | Page 6 | Section 1.13.1
Clarification point: Application Money & Earnest Money
Category: Clarification/Deviation Request
Comment/Query: XXXXXXXX is registered under Micro, Small and Medium Enterprise (MSME) with Government of India. We are registered as 'Medium' enterprise under the MSME Certificate. There are various benefits extended by Govt to MSME sector. Some of the benefits are highlighted below:
1. Preference in procuring Govt tenders
2. Waiver in earnest money in Govt tenders
3. Free of cost Govt tenders
Would the Bank also extend the above benefits to us as an MSME registered organization-bidder?
Bank's Response: Bank's RFP terms are uniform for all the Bidders.
S.No. 2 | Page 14 | Section 2.3
Clarification point: ...websites maintained at Bank's premises in Mumbai & Hyderabad including Bank's website hosted at the Service Provider's Data Centre.
Category: Query
Comment/Query: Whether all the websites are available on the internet? Which is the location of the Service Provider where the websites are hosted?
Bank's Response: Please refer to section 2.3 Project Scope under Section II of RFP.
S.No. 3 | Page 15 | Section 2.3
Clarification point: In addition to the remote Assessment, selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP.
Category: Query
Comment/Query: Please let us know the locations for onsite assessment.
Bank's Response: Mumbai and Hyderabad

S.No. 4 | Page 15 | Section 2.3
Clarification point: In addition to the remote Assessment, selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP.
Category: Query
Comment/Query: Please let us know for which in-scope activities assessment will be required to be performed onsite.
Bank's Response: Vulnerability Assessment

S.No. 5 | Page 15 | Section 2.3
Clarification point: In addition to the remote Assessment, selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP.
Category: Query
Comment/Query: Would the team be required to travel to the DR location of Hyderabad, or will the connectivity be provided remotely?
Bank's Response: Onsite assessment is to be carried out in Mumbai and Hyderabad
S.No. 6 | Page 15 | Section 2.3
Clarification point: Period of Assignment will be Two years. The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Query
Comment/Query: Please confirm if OPEN issues identified in one cycle will be rechecked in the next six month cycle.
Bank's Response: Yes

S.No. 7 | Page 15 | Section 2.3
Clarification point: Period of Assignment will be Two years. The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Query
Comment/Query: Efforts will be calculated considering half yearly frequency for all in-scope activities. Are we expected to provide quotes considering different frequencies?
Bank's Response: No

S.No. 8 | Page 15 | Section 2.3
Clarification point: Period of Assignment will be Two years. The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Query
Comment/Query: (Yearly/Six months/Monthly)
Bank's Response: Query replied above.

S.No. 9 | Page 15 | Section 2.3
Clarification point: The frequency for conducting VAPT should be at half yearly. However, the Bank at its own discretion can change the frequency.
Category: Suggestion
Comment/Query: Kindly remove this clause as it will be difficult to estimate the cost if the frequency of Audit is uncertain, and Vendors will have to keep a higher margin to cover this.
Bank's Response: Not Agreeable. Query replied above.

S.No. 10 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: Please confirm if Penetration Testing is also required to be done, including exploitation?
Bank's Response: Yes, from the internet.

S.No. 11 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: Please confirm if the below mentioned activities are to be considered as a part of VAPT:
S.No. 12 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: - DDOS attacks
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 13 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: - War Dialing
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 14 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: - Containment Measurement Testing
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 15 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: - IPS/IDS Fine tuning of signatures
Bank's Response: Please refer to RFP clause 2.3.1 VAPT Activities

S.No. 16 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: Please confirm if Code Review is required to be carried out as a part of VAPT activities. If yes, please provide the Lines of Code for each application/instance.
Bank's Response: No Source code review is expected; however client side code review is included in the scope.

S.No. 17 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: Please confirm if Network Security Review is part of scope? If yes, then at what level, e.g. paper based design review?
Bank's Response: Yes, including design review

S.No. 18 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: Please confirm if OS security configuration review is to be performed for all in-scope devices/servers.
Bank's Response: Yes as per clause 2.3.1

S.No. 19 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: Please confirm if rulebase review is to be performed for all firewalls. If yes, let us know the approximate number of rules per firewall.
Bank's Response: Yes as per clause 2.3.1

S.No. 20 | Page 15 | Section 2.3.1
Clarification point: VAPT activities: VAPT should be comprehensive but not limited to following activities:
Category: Query
Comment/Query: Please let us know what activities need to be conducted under Website Assessment (Process). Will this be a part of VAPT?
Bank's Response: Please refer clause 2.3.2

S.No. 21 | Page 15 | Section 2.3.1
Clarification point: Application Security Testing & Code Review
Category: Information Request
Comment/Query: What applications are under the scope of code review? Can the Bank provide an approx size of each application in terms of LoC (Lines of Code)? This will help in accurate estimation of commercials.
Bank's Response: No Source code review is expected; however client side code review is included in the scope.

S.No. 22 | Page 15 | Section 2.3.1
Clarification point: VAPT activities
Category: Information Request
Comment/Query: Do all the activities need to be done onsite or can the activities be done remotely as well? If onsite, can the Hyderabad DC and other locations, if any, be audited from the Bank's Mumbai DC/Office premises instead of physically travelling?
Bank's Response: Vulnerability Assessment is to be done onsite at both Mumbai and Hyderabad in addition to the offsite assessment/PT.

S.No. 23 | Page 15 | Section 2.3.1
Clarification point: VAPT activities
Category: Information Request
Comment/Query: From the 11 IPs mentioned for external PT, does this require Application PT on those IPs as well? If so, are these applications distinct from the 11 mentioned in the RFP? In such a case, kindly provide details of such applications.
Bank's Response: Applications are hosted at these -11- public IPs.

S.No. 24 | Page 15 | Section 2.3.1
Clarification point: Application Security Testing & Code Review
Category: Information Request
Comment/Query: How many rounds of revalidation testing are required for this activity by the Bank?
Bank's Response: Query replied above.

S.No. 25 | Page 15 | Section 2.3.1
Clarification point: VAPT activities
Category: Information Request
Comment/Query: How many rounds of revalidation testing are required for this activity by the Bank?
Bank's Response: Query replied above.

S.No. 26 | Page 15 | Section 2.3.1
Clarification point: Website Assessment (Process)
Category: Information Request
Comment/Query: We request the Bank to describe the process review expected: functional review, or from the pure perspective of information security only.
Bank's Response: Please refer to activities indicated in clause 2.3.1 and 2.3.2

S.No. 27 | Page 15 | Section 2.3.1
Clarification point: Application Security Testing & Code Review
Category: Information Request
Comment/Query: Will the Bank provide the banking accounts, debit and credit cards needed for the testing, or will the Bidder need to open accounts and obtain the same as would be needed for testing? In such case will the Bank facilitate the opening of the same to ensure minimum time and cost to the Bidder?
Bank's Response: Bank will provide access to facilitate testing.
S.No. 28 | Page 15 | Section 2.3.1
Clarification point: Application Security Testing & Code Review
Category: Query
Comment/Query: Application Security Testing includes tool based code review. Is Manual Code review required? If yes, kindly provide the technology used and no. of lines of code to be examined.
Bank's Response: Query replied above.

S.No. 29 | Page 15 | Section 2.3.1
Clarification point: IDS/IPS review & Fine tuning of Signatures
Category: Query
Comment/Query: Which IDS/IPS is in use?
Bank's Response: Details will be shared with the successful Bidder

S.No. 30 | Page 15 | Section 2.3.1
Clarification point: Code Review
Category: Query
Comment/Query: Is Code review in scope?
Bank's Response: Query replied above.

S.No. 31 | Page 15 | Section 2.3.1
Clarification point: Code Review
Category: Suggestion
Comment/Query: Which apps are in scope for code review from the following list:
1. Internet Payment Gateway
1.1 Moto & SSL interfaces
2. International Retail E-banking (14 different instances) (User & Admin module)
3. International Corporate E-banking (14 different instances) (User & Admin module)
4. Domestic Retail E-banking (User & Admin module)
5. Domestic Corporate E-banking (User & Admin module)
6. Online Trading
6.1 Depositary Application
7. Mobile Banking App (Transaction/ Top up/ ticketing/ m-commerce)
8. Corporate Email App
1. CMS
2. BOB KM (Intranet)
3. Mobile OTP generation App
4. NEFT / RTGS App
1. 2 Web sites
Bank's Response: Query replied above. List of applications for VAPT is given in clause 2.3.4.

S.No. 32 | Page 15 | Section 2.3.1
Clarification point: Code Review
Category: Query
Comment/Query: Please provide approx LOC for the apps which are in scope for this assessment.
Bank's Response: Query replied above.

S.No. 33 | Page 15 | Section 2.3.1
Clarification point: Application Security Testing
Category: Suggestion
Comment/Query: We understand all the apps listed are in scope for grey box:
1. Internet Payment Gateway
1.1 Moto & SSL interfaces
2. International Retail E-banking (14 different instances) (User & Admin module)
3. International Corporate E-banking (14 different instances) (User & Admin module)
4. Domestic Retail E-banking (User & Admin module)
5. Domestic Corporate E-banking (User & Admin module)
6. Online Trading
6.1 Depositary Application
7. Mobile Banking App (Transaction/ Top up/ ticketing/ m-commerce)
8. Corporate Email App
1. CMS
2. BOB KM (Intranet)
3. Mobile OTP generation App
4. NEFT / RTGS App
1. 2 Web sites
Are there any additional applications (modules) in scope?
Bank's Response: Query replied above. List of applications for VAPT is given in clause 2.3.4.

S.No. 34 | Page 15 | Section 2.3.1
Clarification point: E-banking (14 different instances)
Category: Query
Comment/Query: Vulnerability scanning needs to be done for full infrastructure (server + devices), approx 200+ Internal IPs.
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 35 | Page 15 | Section 2.3.1
Clarification point: Vulnerability scanning
Category: Query
Comment/Query: Does the scope include scanning network segments and finding live IPs?
Bank's Response: No
S.No. 36 | Page 15 | Section 2.3.1
Clarification point: Network Scanning
Category: Query
Comment/Query: Please provide the count of Modems in scope for this activity.
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 37 | Page 15 | Section 2.3.1
Clarification point: Firewall Rule base audit
Category: Query
Comment/Query: How many firewalls in scope?
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 38 | Page 15 | Section 2.3.1
Clarification point: Firewall Rule base audit
Category: Query
Comment/Query: How many rules per firewall (approx count)?
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 39 | Page 15 | Section 2.3.1
Clarification point: IDS/ IPS review
Category: Query
Comment/Query: How many IPS / IDS are in scope?
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 40 | Page 15 | Section 2.3.1
Clarification point: Containment Measure Testing
Category: Query
Comment/Query: What kind of security Assessment is expected here, please mention.
Bank's Response: Details will be shared with the successful Bidder

S.No. 41 | Page 15 | Section 2.3.1
Clarification point: Functional validations
Category: Query
Comment/Query: XXXXXX will perform business rule security validation for this; is this as per expectation?
Bank's Response: From Security angle only

S.No. 42 | Page 15 | Section 2.3.1
Clarification point: Website Assessment (Process)
Category: Query
Comment/Query: What kind of security Assessment is expected here, please mention.
Bank's Response: Please refer to RFP clause 2.3.2

S.No. 43 | Page 15 | Section 2.3.2
Clarification point: Website/Web Application Assessment
Category: Information Request
Comment/Query: Do all the activities need to be done onsite or can the activities be done remotely as well? If onsite, can the Hyderabad DC and other locations, if any, be audited from the Bank's Mumbai DC/Office premises instead of physically travelling?
Bank's Response: Query replied above.

S.No. 44 | Page 15 | Section 2.3.4
Clarification point: International Retail; 3. International Corporate E-banking
Category: Query
Comment/Query: Are there 14 different apps for each country? Or a single common app for them?
Bank's Response: Different instances for each country

S.No. 45 | Page 16 | Section 2.3.3
Category: Scope Clarification
Comment/Query: As per the section, there are 89 Internal IP addresses and 11 External Internet facing IP addresses in Scope of Infrastructure Penetration Testing?
Bank's Response: Indicative numbers are provided in clause 2.3.3. Details will be shared with the successful Bidder

S.No. 46 | Page 16 | Section 2.3.3
Clarification point: VAPT External Internet IPs : 11
Category: Query
Comment/Query: Whether the VAPT External Internet IPs : 11 are all Application IPs?
Bank's Response: Yes

S.No. 47 | Page 16 | Section 2.3.3
Clarification point: Quantity (DC), Quantity (DR)
Category: Query
Comment/Query: How many out of the 89 Devices (81 servers, 4 Network Devices, 4 Security Devices) in DC and DR are Intranet/Internet IPs?
Bank's Response: External -11- IPs

S.No. 48 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: Need following details for each application
Bank's Response: Details will be shared with the successful Bidder

S.No. 49 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: - Number of dynamic pages
Bank's Response: Details will be shared with the successful Bidder

S.No. 50 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: - Number of roles and privileges
Bank's Response: Details will be shared with the successful Bidder

S.No. 51 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: - Please confirm if all application testing is to be performed as Grey-Box Security Testing (test credentials would be required to be shared)
Bank's Response: Query replied above.

S.No. 52 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: - Number of Modules available in each application
Bank's Response: Details will be shared with the successful Bidder
S.No. 53 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: - Are we allowed to do intrusive testing on live applications wherein live data modification might take place for successful security testing?
Bank's Response: Yes, from the internet.

S.No. 54 | Page 16 | Section 2.3.4
Clarification point: List of applications
Category: Query
Comment/Query: Does the application have a separate instance for each country?
Bank's Response: Query replied above

S.No. 55 | Page 16 | Section 2.3.4
Clarification point: List of applications: ...E-Banking International (Australia, Botswana, Fiji, Ghana, Kenya, Mauritius, New Zealand, Oman, Seychelles, Tanzania, UAE, Uganda, UK, USA)
Category: Query
Comment/Query: Does the scope include application testing for the modules/instances for all countries?
Bank's Response: Yes

S.No. 56 | Page 16 | Section 2.3.4
Clarification point: List of applications: ...Mobile Banking
Category: Query
Comment/Query: Is mobile application testing in scope? If yes, please let us know the type of platforms.
Bank's Response: Mobile Banking application is hosted in Service provider's environment at Mumbai and Chennai. Details will be shared with the successful Bidder. Mobile Banking is supported on Java based, Android, Windows, iOS and Blackberry based mobile devices.

S.No. 57 | Page 16 | Section 2.3.4
Clarification point: List of applications: Application Virtualization, E-mail system
Category: Query
Comment/Query: Please confirm web application security testing is in scope for these two applications.
Bank's Response: Yes

S.No. 58 | Page 16 | Section 2.3.4
Category: Scope Clarification
Comment/Query: As per the section, there are 11 applications in scope of Application penetration testing? Is Application virtualization and Email System to be considered as a single application or a set of applications? Please provide the details.
Bank's Response: Single application

S.No. 59 | Page 16 | Section 2.3.4
Category: Detailed Scope understanding
Comment/Query: Kindly provide the application landscape of all applications mentioned in this section with the number of web pages per application to be tested?
Bank's Response: Details will be shared with the successful Bidder

S.No. 60 | Page 16 | Section 2.3.4
Category: To understand whether there are any web services in scope?
Comment/Query: Do any of the in-scope Web applications use any web services? If yes, please let us know the total number of web services, the methods employed (e.g. SOAP/HTTP, Restful API) and the average number of operations and parameters per web service to be tested?
Bank's Response: Details will be shared with the successful Bidder

S.No. 61 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: List the number of static and Dynamic pages for each Application
Bank's Response: Details will be shared with the successful Bidder

S.No. 62 | Page 16 | Section 2.3.4
Clarification point: List of Applications
Category: Query
Comment/Query: Are all applications available on the internet? BOB KM (Intranet): if this application will also be made available on the internet.
Bank's Response: Yes. BOB KM is also accessible from the Internet

S.No. 63 | Page 16 | Section 2.3.4
Clarification point: Arcot App
Category: Query
Comment/Query: Only 2FA feature needs to be assessed
Bank's Response: Yes, from Security angle

S.No. 64 | Page 17 | Section 2.3.4
Clarification point: Application Virtualization - App & infra
Category: Query
Comment/Query: What kind of security Assessment is expected here, please mention.
Bank's Response: Query replied above

S.No. 65 | Page 17 | Section 2.3.5.1
Comment/Query: Is it only Non Intrusive Penetration testing to be done for all Applications? It is mentioned that "Conduct VAPT as per the scope defined in RFP with Disturbing operations"?
Bank's Response: Query replied above. Please refer to clause 2.3.5.1.a
S.No. 66 | Page 17 | Section 2.3.5.1 Phase I point c
Clarification point: Remediation
Comment/Query: What type of support is expected from XXXXX during the remediation phase?
Bank's Response: Please refer to RFP clause 2.3.5.1

S.No. 67 | Page 18 | Section 2.3.5.2
Clarification point: The final report has to be submitted within -2- months of submission of the initial draft report.
Category: Query
Comment/Query: Will the Final Report include the Post Implementation Review of findings reported in the Draft Report?
Bank's Response: Post implementation review will take place in the next assessment cycle.

S.No. 68 | Page 20 | Section 2.4
Clarification point: DETAILS OF INFRASTRUCTURE AT BANK'S DC/DR: .... Irrespective of the present status of applications, systems, processes, interfaces, hardware, networking equipments, security devices etc implemented at DC/DR site, all future changes including new initiatives will be covered as part of the scope of work during the term of the engagement.
Category: Query
Comment/Query: It was mentioned that all future changes including new initiatives will be part of scope during the term of the engagement.
Bank's Response: Yes

S.No. 69 | Page 20 | Section 2.4
Clarification point: DETAILS OF INFRASTRUCTURE AT BANK'S DC/DR: .... Irrespective of the present status of applications, systems, processes, interfaces, hardware, networking equipments, security devices etc implemented at DC/DR site, all future changes including new initiatives will be covered as part of the scope of work during the term of the engagement.
Category: Query
Comment/Query: If the future requirement increases more than 10% of the original scope, please let us know how the additional fee will be calculated.
Bank's Response: No

S.No. 70 | Page 20 | Section 2.3.6
Clarification point: Separate reports should be provided for international territories.
Category: Query
Comment/Query: Which reports would be required separately for International Territories?
Bank's Response: All reports pertaining to Infra and Applications

S.No. 71 | Page 21 | Section 2.4
Clarification point: Details of IT Security Policy: Bank has IT Security Policy approved by the Board of Directors. Bank also has 21 Standard and Guideline documents which are approved by the Top Management Steering committee (TMSC) on IT Security and 14 Procedure documents in place. Bank also has Purging and Archival policy and Business continuity plan approved by the Board of Directors.
Category: Query
Comment/Query: What kind of security Assessment is expected here, please mention. Or was it just an informational text?
Bank's Response: Clause is for information of the Bidders.

S.No. 72 | Page 23 | Section 3.1.6
Clarification point: Auditor should disclose the details of automated tools used for accomplishing the audit process. The auditor must have the valid license of the said automated tool(s).
Category: Tools to be used
Comment/Query: Please confirm if the VA tool has to be deployed in the premises of the bank for conducting the audit. Also, need a confirmation whether this tool has to be integrated with other technologies which the bank might be having in their environment as of now.
Bank's Response: Vendor has to bring in their own assessment tools. There will not be any integration of Vendor's tool with the Bank's own tools.
S.No. 73 | Page 23 | Section 3.1.6
Clarification point: Auditor should disclose the details of automated tools used for accomplishing the audit process. The auditor must have the valid license of the said automated tool(s).
Category: Tools to be used
Comment/Query: Kindly confirm if penetration testing is also to be done through a licensed tool. We have this concern because ethical hacking/ black box testing/ penetration testing is ideally done through a combination of multiple tools which might include freeware/ open source tools.
Bank's Response: Disclosure of tools used for EH/PT/Black Box testing/VA etc is required.

S.No. 74 | Page 23 | Section 3.1.6
Category: Tools Clarification
Comment/Query: Are there any Application Security Penetration Testing Tools such as IBM Appscan, HP Web inspect etc. available with BOB? If yes, can XXXXXX leverage these tools for penetration Testing?
Bank's Response: Query replied above

S.No. 75 | Page 23 | Section 3.1.6
Category: Tools Clarification
Comment/Query: Are there any Network Penetration Testing Tools such as Nexpose, Nessus, Qualys etc. available with BOB? If yes, can XXXXXX leverage these tools for penetration Testing?
Bank's Response: Query replied above

S.No. 76 | Page 24 | Section 3.1.11
Clarification point: 3.1.11 Payment Terms
Category: Suggestion
Comment/Query: This is to request to modify the payment terms as "50 % Payment to be released along with the purchase order. 25 % payment to be released on submission of initial report and remaining 25 % payment to be released on submission of the final report".
Bank's Response: No change from RFP terms

S.No. 77 | Page 29 | Section 3
Clarification point: Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services
Category: Eligibility Criteria
Comment/Query: We are in the business of system integration and have got a dedicated arm for security services offerings like VA, PT, app sec, compliance and consulting. However, our P&L or balance sheet doesn't have explicit details of the revenue contributed from infra and service. With this respect, request you to dilute the clause to "Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14".
Bank's Response: Clarification: Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least Rs. 6.25 Cr revenue must have come from testing & Consulting services. Certificate from Chartered Accountant clearly mentioning revenue from Testing & Consulting services would suffice.
S.No. 78 | Page 29 | Section 3
Clarification point: Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services. Copy of audited Balance Sheet and P&L statement for the financial years 2011-12, 2012-13 and 2013-14.
Category: Modification/ Deviation Request for MSME bidders
Comment/Query: We are an Indian OEM in the business of pure home-grown Indian Application Security Products and Services only, but we find ourselves hard pressed to meet the turnover and profitability criteria.
In spite of being a high growth and high volume business that we currently do with over 700 customers, several of which are among the peer Banks of Bank of Baroda such as ICICI Bank, IndusInd Bank, Bank of India, Central Bank of India, HDFC Bank, Federal Bank, Syndicate Bank, and two of our own products on offer, i.e. web application firewall & application security scanner, we will need another year to reach the figure of 25 Cr and then further sustain that for the next three years.
Since the Bank has asked for CERT-In empanelled information security companies to participate, it may be noted that except for the few large organizations in the list most will not be able to qualify with this criteria.
Considering that our business (and that of most of the smaller Cert-In empanelled vendors) is purely related to information security services, and nowhere contains any infrastructure sales of hardware products of any nature, or any other kind of services not related to information security, it is our request to further consider amending the clause to reflect only the business done by the bidder(s) from a pure Information Security Services perspective if it would suit the Bank. With this change, the Bank may well ask for clearly demarcated Information Security Services revenue from Testing & Consulting of 7.5 Cr over three years (as an example, or 6.25 Cr considering 25% of 25 Cr) to understand the capability, spread and real genuine market acceptance of the Information Security Services business of the bidder(s), providing the Bank a good selection of competent and serious bidders.
Bank's Response: No change from RFP terms

S.No. 79 | Page 29 | Section 3
Clarification point: ANNEXURE-A : ELIGIBILITY CRITERIA : Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services.
Category: Suggestion
Comment/Query: Our company's major focus is IS Audit & we have very good experience in VAPT & have completed similar projects successfully in PSUs also. So we request you to amend this criteria as: "Should have a minimum annual turnover of Rs.10.00 crores (Rupees Ten Crores) during last three financial years viz. 2011-12, 2012-13, 2013-14"
Bank's Response: No change from RFP terms

S.No. 80 | Page 29 | Section 3
Clarification point: Should have a minimum average annual turnover of Rs.25.00 crores (Rupees Twenty Five Crores) during last three financial years viz. 2011-12, 2012-13 and 2013-14 and at least 25% revenue must have come from the testing & Consulting services.
Category: Deviation
Comment/Query: Please consider CA certificate for the same.
Bank's Response: Query replied above
S.No. 81 | Page 29 | Section 4
Clarification point: Should have made net profits for the last 3 financial years viz. 2011-12, 2012-13 and 2013-14.
Category: Deviation
Comment/Query: Please consider the last 3 years as 2012-13, 2013-14 and 2014-15.
OR
Must be a net profit making entity continuously for the last three years, that is financial years 2011-12, 2012-13 and 2013-14
OR
Must be a cash profit making entity (Net profit + depreciation) continuously for the last three years, that is financial years 2011-12, 2012-13 and 2013-14 AND must have a networth* of Rs. 75 crores in the last two financial years.
Bank's Response: No change from RFP terms

S.No. 82 | Page 29 | Section 5
Clarification point: The Bidder should be empanelled by CERT-In as Information Security Audit Organization and should remain in panel up to 31st March, 2017 during the currency of contract.
Category: Eligibility Criteria
Comment/Query: We are empanelled with Cert-IN in the latest list till 31st August, 2015. However, the process for re-empanelment has not been initiated by Cert-In. In such a case, we request Bank of Baroda to confirm whether the current empanelment till Aug, 2015 will hold good for letting us participate in the engagement and what should be the documentary evidence required to be submitted against this clause.
Bank's Response: Bidder must be empanelled with Cert-In for the current year as on date of RFP response submission, which must be maintained upto 31/03/2017.

S.No. 83 | Page 29 | Section 5
Clarification point: The Bidder should be empanelled by CERT-In as Information Security Audit Organization and should remain in panel up to 31st March, 2017 during the currency of contract.
Comment/Query: The CERT-In Empanelment is renewed every 3 years; it may be possible that the vendors participating in the Bid would have got the empanelment in the last 2 years, the renewal for which may be due this year. Our suggestion to this point is that for the submissions all the vendors should have a valid empanelment certificate irrespective of the date of expiry. It will be the responsibility of the shortlisted bidder to maintain a valid empanelment certificate throughout the duration of the assignment and the bank reserves the right to terminate the contract if the bidder fails to do so.
Bank's Response: Query replied above

S.No. 84 | Page 29 | Section 6
Clarification point: Should have conducted VAPT for at least two Banks in last 3 years
Category: Eligibility Criteria
Comment/Query: As a part of ISO 27001 engagements gap analysis, we have conducted VA PT exercises in a number of engagements. However, the purchase order/ work order of such engagements doesn't explicitly highlight VA PT as a separate exercise. Please confirm if such work orders/ purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VA PT exercise in the past.
Bank's Response: Can be considered if the same is mentioned in the client certificate

S.No. 85 | Page 29 | Section 6
Clarification point: Copy of purchase order and Client certificate
Category: Documents required
Comment/Query: Request the bank to change the clause to "Copy of purchase order or Client certificates"
Bank's Response: Noted

S.No. 86 | Page 29 | Section 6
Clarification point: Should have conducted VAPT for at least two Banks in last 3 years. (Copy of purchase order and Client certificate to be submitted)
Category: Deviation
Comment/Query: Please consider "Should have conducted VAPT for at least One Bank in last 3 years. (Copy of purchase order to be submitted)". Signoff/Feedback will be considered as Client Certificate.
Bank's Response: No change from RFP terms. (Query replied above)
S.No. 87 | Page 29 | SECTION-IV ANNEXURE-A : ELIGIBILITY CRITERIA
Clarification point: Should have conducted VAPT for at least two Banks in last 3 years.
Category: Query
Comment/Query: Please confirm if Purchase Order would suffice as a supporting document for relevant project experience.
Bank's Response: Query replied above

S.No. 88 | Page 30 | Section 7
Clarification point: Bidder should have at least 5 years experience in offering Information Security Services such as Security assessment, defining security policies procedures & baselines, Risk Assessment, security consulting assignments to clients in India
Category: Eligibility Criteria
Comment/Query: Please confirm if a single work order which is equal to or more than 5 years will suffice against this eligibility clause or is there a minimum number of such references to be shared with Bank of Baroda.
Bank's Response: No change from RFP terms

S.No. 89 | Page 30 | Section 7
Clarification point: Copy of purchase order and Client certificate
Category: Documents required
Comment/Query: Request the bank to change the clause to "Copy of purchase order or Client certificates"
Bank's Response: Query replied above

S.No. 90 | Page 30
Clarification point: The fulfillment of above eligibility criteria except items 3 & 4 above, would be ascertained as of 31.12.2014.
Category: Deviation
Comment/Query: Please consider this as of 30.04.2015
Bank's Response: No change from RFP terms

S.No. 91 | Page 32 | Technical Evaluation Criteria
Clarification point: Must possess experience in conducting VA & PT of IT Infrastructure (Servers, Network devices, Security Devices, Databases) of Data Centre / Disaster recovery for at least 1 Bank in India in each of the last 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment/Query:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VA PT exercises in a number of engagements. However, the purchase order/ work order of such engagements doesn't explicitly highlight VA PT as a separate exercise. Please confirm if such work orders/ purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VA PT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VA PT on infrastructure and banking applications.
Bank's Response: Query replied above. No change from RFP terms
S.No. 92 (Page 32, Technical Evaluation Criteria)
Clarification point: Must possess experience in conducting VA & PT of IT Infrastructure (Servers, Network devices, Security Devices, Databases) of Data Centre / Disaster recovery for at least 2 Banks in India in 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment/Query:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VA PT exercises in a number of engagements. However, the purchase order/ work order of such engagements doesn't explicitly highlight VA PT as a separate exercise. Please confirm if such work orders/ purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VA PT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VA PT on infrastructure and banking applications.
Bank's response: Query replied above. No change from RFP terms

S.No. 93 (Page 32, Technical Evaluation Criteria)
Clarification point: Must have extensive experience in VA & PT of any one of the Internet facing applications e.g. internet banking, cash management system, online trading, Payment Gateway for at least 1 Bank in India in each of the last 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment/Query:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VA PT exercises in a number of engagements. However, the purchase order/ work order of such engagements doesn't explicitly highlight VA PT as a separate exercise. Please confirm if such work orders/ purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VA PT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VA PT on infrastructure and banking applications.
Bank's response: Query replied above. No change from RFP terms

S.No. 94 (Page 32, Technical Evaluation Criteria)
Clarification point: Must have extensive experience in VA & PT of Internet facing applications e.g. Internet banking, Cash management system, Online trading, Internet Payment Gateway for at least 2 Banks in India in the last 4 years e.g. 2011, 2012, 2013, 2014
Category: Evaluation Parameters
Comment/Query:
a. As a part of ISO 27001 engagements gap analysis, we have conducted VA PT exercises in a number of engagements. However, the purchase order/ work order of such engagements doesn't explicitly highlight VA PT as a separate exercise. Please confirm if such work orders/ purchase orders will be entertained by Bank of Baroda as a valid proof for having conducted VA PT exercise in the past.
b. We request Bank of Baroda to kindly include BFSI sector experience as acceptable references of having conducted VA PT on infrastructure and banking applications.
Bank's response: Query replied above. No change from RFP terms
S.No. 95 (Page 41, Annexure F)
Clarification point: 1. Vulnerability Assessment & Penetration Testing for Internet facing infrastructure hosted in Bank's environment at DC & DR
Category: Query
Comment/Query: Does this include only Config Review, Vul scan, Firewall Rule base review, IPS review, Internal PT, War dialing and SNA of DMZ segment? Please confirm
Bank's response: Query replied above

S.No. 96 (Page 41, Annexure F)
Clarification point: 2. Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank's environment (For a set of 11 IPs)
Category: Query
Comment/Query: Does this include only External PT of 11 IP, Grey Box Assessment & Code review of above mentioned number of apps (Q2 & Q3)? Please confirm
Bank's response: Query replied above

S.No. 97 (Page 41, Annexure F)
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment/Query: Does this include only Black Box Assessment (Pre Login Pages) of 2 websites? Pls confirm
Bank's response: Query replied above. Website is hosted in Mumbai and Bangalore at the service provider's environment
S.No. 98 (Page 41, Annexure F)
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment/Query: Does this include only Grey Box Assessment (Pre + Post Login Pages) of 2 websites? Pls confirm
Bank's response: Query replied above

S.No. 99 (Page 41, Annexure F)
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment/Query: Does this include only Code Review Assessment of 2 websites? Pls provide Approx LOC.
Bank's response: Query replied above

S.No. 100 (Page 41, Annexure J)
Clarification point: 1. Vulnerability Assessment & Penetration Testing for Internet facing infrastructure hosted in Bank's environment at DC & DR
Category: Query
Comment/Query: Are there any activities to be excluded in this pricing slot?
Bank's response: Query replied above

S.No. 101 (Page 41, Annexure J)
Clarification point: 1. Vulnerability Assessment & Penetration Testing for Internet facing infrastructure hosted in Bank's environment at DC & DR
Category: Query
Comment/Query: Are there any additional activities to be included in this pricing slot?
Bank's response: Query replied above

S.No. 102 (Page 41, Annexure J)
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment/Query: Are there any activities to be excluded in this pricing slot?
Bank's response: Query replied above

S.No. 103 (Page 41, Annexure J)
Clarification point: 3. Vulnerability Assessment & Penetration Testing of Bank's Website www.bankofbaaroda.com hosted at outsourced environment
Category: Query
Comment/Query: Are there any additional activities to be included in this pricing slot?
Bank's response: Query replied above

S.No. 104 (Page 42, Annexure J)
Clarification point: 2. Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank's environment (For a set of 11 IPs)
Category: Query
Comment/Query: Are there any activities/ Apps to be excluded in this pricing slot?
Bank's response: Query replied above

S.No. 105 (Page 43, Annexure J)
Clarification point: 2. Vulnerability Assessment & Penetration Testing for Internet facing Applications hosted in Bank's environment (For a set of 11 IPs)
Category: Query
Comment/Query: Are there any additional activities / Apps to be included in this pricing slot?
Bank's response: Query replied above

S.No. 106 (Page 45, Annexure J)
Clarification point: Commercial Bid Format
Category: Information Request
Comment/Query: We request a discussion on the Commercial format to understand it better to avoid any possible ambiguity. (E.g. Line item for code review, VA Firewall review Etc. Unitized prices will help the Bank and bidder in case of scope creep over the 10% mentioned in the RFP)
Bank's response: No change in Commercial Bid Format Annexure J

S.No. 107 (Section 2.3.3)
Clarification point: DR in HYD
Category: Query
Comment/Query: Can the infra located in HYD be remotely accessed from BOB Mumbai Premise during assessment?
Bank's response: No