
INFORMATION SYSTEM AUDIT OF DATA CENTRE, CRITICAL APPLICATIONS, IT PROCESSES ETC. OF PUNJAB & SIND BANK
RFP REF. NO.: HO/HO IT/RFP/106/17-18 DATED: 21.12.2017 Page 1 of 50

Request for proposal for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank

Tender No: PSB/HOIT/RFP/106/2017-18 Dated: 21.12.2017

PUNJAB & SIND BANK
Head Office Information Technology Department, 2nd Floor, Bank House, 21-Rajendra Place, New Delhi-110008


Contents

(Sr. No. / Particulars / Page No.)

1. INTRODUCTION (page 4)
2. ELIGIBILITY CRITERIA (page 5)
3. SCOPE OF WORK (page 6)
4. OTHER IMPORTANT TERMS & CONDITIONS (page 8)
5. TERMS & CONDITIONS (page 9)
6. RESOLUTION OF DISPUTES (page 14)
7. CORRUPT OR FRAUDULENT PRACTICES (page 15)
8. INDEMNITY (page 16)
9. BIDDER'S OBLIGATIONS (page 16)
10. PATENT RIGHT (page 16)
11. SIGNING OF CONTRACT (page 17)
12. PUBLICITY (page 17)
13. ANNEXURE A (pages 18-24)
14. ANNEXURE B (pages 25-45)
15. ANNEXURE C (pages 46-48)
16. ANNEXURE D (pages 49-50)


KEY INFORMATION

(Particulars: Details)

Tender Number: PSB/HOIT/RFP/106/2017-18
Tender Title: Request for Proposal for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank
Participation Fee (Non Refundable): Rs. 1,000/- in the form of a DD favouring Punjab & Sind Bank payable at New Delhi
Bid Security (EMD): Rs. 1,00,000.00/- (in the form of a Bank Guarantee valid for 12 months)
Bid Validity: 180 days
Performance Bank Guarantee: Rs. 1,00,000.00/- in the form of a Bank Guarantee valid for 12 months
Date of Publishing the tender on the Bank's Website: 21.12.2017
Last Date for submission of Pre-Bid Query: 28.12.2017 by 3:00 pm (queries must be mailed to [email protected] only, in MS-Excel format, quoting the tender reference number in the subject)
Date and Time for Pre-Bid Meeting: 29.12.2017 03:00 pm
Last Date and time for submission of Bids: 11.01.2018 03:00 pm
Date and Time of Opening of Technical Bids: 11.01.2018 03:30 pm
Date and Time of opening of Commercial Bids: To be notified later to the qualifying bidders only.
Place of submission and Opening of Bids: Punjab & Sind Bank, Head Office, 2nd Floor, Information Technology Department, Bank House, 21, Rajendra Place, New Delhi 110008
Contact Persons for any clarifications / Submission of Bids: AGM (IT)
Contact Numbers: Manoj Kumar (AGM IT) - 9811728292; Arun Ahlawat (Officer) - 8396049100

* If any of the dates given above happens to be a holiday in Delhi, the related activity shall be undertaken on the next working day at the same time.


1. INTRODUCTION

1.1 About the Bank

PUNJAB & SIND BANK, a leading Public Sector Bank having its Head Office at New Delhi, is implementing many key technology solutions like Core Banking (CBS), Internet Banking (e-banking), Tele Banking, Mobile Banking, onsite / offsite ATMs, Integrated Treasury Systems, RTGS, SFMS, NEFT etc. The Bank has chosen FINACLE Software of M/s. INFOSYS Ltd. as the Core Banking Solution and has implemented CBS in 100% of branches and offices.

1.2 Present Status of the Bank

The Bank is using the financial software Finacle (7.0.25) for carrying out the Banking operations. The Bank has a widespread network of 1500 plus branches, 24 Zonal Offices, 25 Departments in Head Office, 9 Regional Clearing Centers, 2 Training Centers and 9 Currency Chests, all networked under the Centralized Banking Solution. It also has a network of more than 1250 ATMs spread across the country, including onsite and offsite ATMs. The Bank's CBS Project Office and HO Information Technology Department are located in New Delhi. The Bank's Data Center (DC) is located in Vashi, Mumbai and the Disaster Recovery Center at Greater Noida; both are managed by the Bank's CBS System Integrator M/s Wipro. The DC is connected to the branches, Zonal Offices and Head Office through a Bank-wide Wide Area Network. The network uses Leased Lines, RF and VSAT, with backup connectivity through ISDN lines, RF etc. The ATMs, Mail Messaging System and other applications also use the WAN. The Bank's Disaster Recovery Center has a setup similar to that of the Data Centre for the financial software.

1.3 Purpose of RFP:

This RFP seeks to engage a Service Provider who has the capability and experience to conduct an Information Systems (IS) Audit, including an application audit of the Core Banking Solution and other applications, and to make appropriate recommendations, as covered under the Scope of Work. The assignment also includes carrying out a risk analysis of all IT assets of the Bank and preparing a Risk Matrix based on the guidelines issued by RBI and the Govt. of India.

The aim of the RFP is to solicit proposals from qualified bidders for undertaking the assignments detailed above. Interested eligible bidders may download the RFP from the Punjab & Sind Bank website www.psbindia.com or from the Govt. of India website www.tenders.gov.in.


2. ELIGIBILITY CRITERIA

(Sr. No. / Eligibility Criteria / Supporting Documents to be submitted)

1. The bidder should be a Company/Firm/Organization registered in India.
   Supporting documents: Certificate of Incorporation & Commencement of Business (whichever applicable) should be submitted.

2. The bidder should have a minimum turnover of Rs. 50 lacs per year during the last three financial years (i.e., 2014-15, 2015-16 and 2016-17).
   Supporting documents: Audited Balance Sheet for the last three Financial Years 2014-15, 2015-16 and 2016-17 to be submitted. A CA certificate with regard to turnover is required to be submitted by the bidder.

3. The bidder should have been in the business of Information System auditing in India for at least the last three years as on 31.03.2017.
   Supporting documents: Documentary proof duly signed by an authorized person is required to be submitted.

4. The Bidder must have had a positive net worth in the last 3 financial years (i.e. FY 2014-15, 2015-16 and 2016-17).
   Supporting documents: Audited Financial Statements (and Annual Reports, if applicable) for the last three financial years, viz. 2014-15, 2015-16 and 2016-17, are to be furnished. A CA certificate regarding positive net worth needs to be furnished.

5. The Bidder must have conducted at least one Information System audit of the data center and other IT infrastructure of a Scheduled Commercial Bank in India with a minimum of 1000 connected branches, during the last four years (2014, 2015, 2016, 2017), covering all of the following aspects:
   a) Vulnerability Assessment / Penetration Testing of servers, security equipment, network equipment etc.;
   b) Core Banking System and interfacing applications.
   Supporting documents: Letters from the organizations for which the bidder had conducted Information Systems audits (the scope of the assignment should have been clearly mentioned).


6. The Bidder should have a valid CERT-In empanelment as on the last date of submission of bid.
   Supporting documents: CERT-In empanelment document.

7. The Bidder should have a minimum of 5 professionals with CISA/CISM/CISSP or similar qualifications on the permanent rolls of the organization.
   Supporting documents: Copies of the CVs of the Information Systems Audit professionals (CISA, CISM, CISSP etc.), including copies of their relevant certifications, as per the prescribed format.

8. The Bidder should deploy an auditing team having "auditing experience" of a minimum of 3 years after the date of the related qualification, including at least one CISA professional throughout the audit period.
   Supporting documents: Copies of the CVs of the Information Systems Audit professionals (CISA, CISM, CISSP etc.), including copies of their relevant certifications, as per the prescribed format.

9. The Bidder should not be banned/blacklisted/debarred by any Bank/PSU/GOI Department/Indian Financial Institution as on the date of submission of bid.
   Supporting documents: An undertaking letter to be enclosed by the Bidder clearly stating that they are not banned/blacklisted/debarred by any Bank, PSU/GOI Department/Indian Financial Institution as on the date of submission of bid.

Note: The bidder must comply with all the above mentioned criteria. Non-compliance with any of the criteria will entail summary rejection of the bid. Photocopies of relevant documents/certificates should be submitted as proof in support of the claims made. The Bank reserves the right to verify/evaluate the claims made by the bidder independently.

3. SCOPE OF WORK:

3.1 Scope of Work Related to IS (Information Systems) Audit:

a. The Scope of work mainly relates to conducting an Information System and Security Audit, including a Cyber Security Audit, of the different Information systems / applications / Databases / Operating Systems / Security devices, appliances and Solutions / Network Equipment / Information Technology (IT) Processes (such as sharing information through web services, host to host etc.) in use by the Bank, as listed in Annexure-C, including those systems used by other agencies for providing services in respect of activities which are outsourced. The scope also includes the VAPT of all systems listed in Annexure-C and Annexure-D.


3.2 The IS Audit should be performed:

a. According to the ISO 27001:2013 standard.
b. According to the guidelines issued by RBI, Govt. of India, NPCI, UIDAI, CERT-In etc.
c. According to the Punjab & Sind Bank IS Audit Policy, Punjab & Sind Bank's IT Security Policies & Procedures and the Punjab & Sind Bank Cyber Security Policy.
d. According to the IT Act 2000/2008.

3.3 IS Audit of each of the systems should broadly cover the following aspects:

− Physical and Environmental controls
− Logical access Controls
− Operating System/database review including Vulnerability Assessment
− Application Review
− Business process Review
− Network and Security Review including VA and Penetration test
− Backup procedure Review
− Business Continuity/Disaster Recovery plans/practices
− Review of Outsourced Activities
− Virus protection and Patch management
− Capacity utilization of servers and applications
− Review of the basic minimum configuration applicable for each system as per best practice, i.e. Baseline Secure Configuration review
− Application Security Life Cycle (ASLC) review
− Secure Code Practice Review

3.4 Vulnerability Assessment and Penetration Tests (VAPT)

The scope also includes conducting Vulnerability Assessment and Penetration Tests (VAPT) covering operating systems, databases, networking and Security Infrastructure and the various customer-facing online applications listed in Annexure-C, and all other assets listed in Annexure-D.

3.5. Execution of work:

3.5.1 The successful bidder should submit a detailed plan clearly indicating the tentative dates and estimated time for the IS Audit of all the systems.

3.5.2 During the course of the audit, if the bidder / service provider observes any major deficiencies, they should immediately bring such observations, deficiencies, areas of improvement and suggestions for improvement to the notice of the concerned persons. The service provider should also discuss with, and guide/help, the Bank staff in the implementation of the critical and important suggestions.


3.5.3 At the end of the IS Audit, the service provider should submit a detailed report containing all the observations, deficiencies, areas of improvement and suggestions for improvement, for each system separately. An executive summary should also form a part of the Final Report.

3.5.4 Since it will take the Bank some time to set right the deficiencies after they are intimated, the service provider should subsequently conduct a compliance audit to confirm that the deficiencies have been set right and the suggestions implemented. The service provider should submit a detailed report after the compliance audit.

3.5.5 The assignment will be for conducting the IS Audit one time only. The Bank, at its option, will review and entrust the assignment either in full or in part subsequently.

4. OTHER IMPORTANT TERMS & CONDITIONS:

(Sr. No. / Phase / Objectives / Timeline / Deliverables / Payment Schedule)

1. Phase-I
   Objectives: Conduct of IS Audit as per scope, evaluation, discussion on the findings and submission of final reports.
   Timeline: 6 weeks
   Deliverables: ISA Report:
     1. Executive summary
     2. ISA Report: Core findings along with Risk Analysis
     3. ISA Report: Detailed findings / Checklists
     4. ISA Report: Analysis of reports / Corrective Measures & Suggestions along with Risk Analysis.
   Payment Schedule: 70% after completion of PHASE-I.

2. Phase-II
   Objectives: Compliance Audit, Review & Certification
   Timeline: 2 weeks
   Deliverables: Compliance Report:
     1. Compliance Audit report.
     2. To provide the BANK an ISA compliance certificate, including a certificate as per RBI guidelines for Internet Banking.
   Payment Schedule: 30% after completion of PHASE-II.

Note: The details of the Phases, deliverables and payment schedule are described in Annexure-A.


5. TERMS AND CONDITIONS:

5.1. Bid Price:

a. The RFP document can be downloaded from the Bank's website. However, the bidder will have to pay, along with the submission of their bid, a non-refundable fee of Rs. 1,000.00 in the form of a demand draft issued by a scheduled commercial bank favouring Punjab & Sind Bank, payable at New Delhi.

b. In the event of non-payment of the fee of Rs. 1,000.00 towards the RFP along with the submission of the bid documents, the bid will not be considered.

5.2. Bid Security:

a. The Bidder will have to provide a Bid Security of Rs. 1.00 lakh (Rupees One lakh only) by way of a Bank Guarantee issued by a Scheduled Commercial Bank in favour of Punjab & Sind Bank, valid for a period of one year from the last date of submission of bid.

b. The Bank reserves its right to reject the bid in the event of non-submission of the bid security of Rs. 1.00 lakh.

c. No interest will be payable on the Bid Security amount.

d. The bid security amount will be forfeited if the bidder refuses to accept the purchase order or, having accepted the purchase order, fails to carry out his obligations mentioned therein.

e. The Bid Security will be refunded to the unsuccessful bidders only after completion of the bid process.

f. The Bid Security of the successful bidder would be refunded after the signing of the contract and the furnishing of the Performance Security of Rs. One lakh.

5.3. Clarifications on the RFP

a. Queries/clarifications would not be entertained over the phone.

b. All queries and clarifications must be sought in writing to the email id: [email protected].

c. Bidders are also requested to collate their queries and submit them together when seeking clarifications/responses from the Bank. It should be ensured that all queries and clarifications are communicated in writing on or before the pre-bid meeting. Queries received thereafter will not be entertained.

d. The Bank will publish the clarifications/amendments (if any) on the Bank's website.


5.4. Two Part Bid:

a. One hard copy of the Technical Bid and one copy of the Commercial Bid must be submitted at the same time, giving full particulars, in separate sealed envelopes at the Bank's address given below, on or before the schedule given above. The bidder should also submit a soft copy of the technical bid on a CD/Pen drive. The Bids (Technical & Commercial) must be submitted at the same time, giving full particulars, in separate sealed envelopes addressed to:

The Asstt. General Manager (IT)
Punjab & Sind Bank,
HO IT Department,
Bank House, 21, Rajendra Place,
New Delhi-110008

b. All the envelopes must be superscribed with the following information:

Type of Bid: Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Technical Bid)
Type of Bid: Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Commercial Bid)
Due Date:
Name of Bidder:
Name of the Authorized Person:
Contact Number:

c. All schedules, formats and annexures should be stamped and signed by an authorized official of the bidder's company.

d. The bid should be delivered preferably by hand, or by post/courier, at the given address on or before the bid submission date and time. Bids sent by fax or e-mail will not be considered for evaluation.

e. Bids will be opened in the presence of the bidder representatives who choose to attend the opening of the tender on the specified date, time and place of bid opening. All bidders are advised to be present at the time of bid opening. No separate intimation will be given in this regard.

5.5. No Erasures or Alterations:

a. The original bid (Technical Bid and Commercial Bid) shall be prepared in indelible ink.

b. Technical details must be completely filled in. All the hand-written details in the bid must be initialed by the person or persons who sign(s) the bids.

c. All the pages of the bid must be initialed by an authorized representative with a round stamp of the bidding firm.


5.6. Validity:

a. The bid should remain valid for a period of 180 days from the last date of submission of the bid.

b. At the option of the Bank, the bidder should extend the validity of the bid for such required period(s) as the Bank may require during the evaluation process.

5.7. Technical Bid:

a. The Technical Bid should be complete in all respects and contain all the information asked for in this RFP document in an organized and structured manner. All the details sought must be submitted in the prescribed pro-forma only (as per the attached formats). Additional/supporting documents, write-ups, etc., if any, should be furnished separately.

b. The Technical Bid should be submitted in a separate sealed envelope, superscribed as "Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Technical Bid)".

c. The Technical Bid should not contain any price information.

d. The Bank, at its discretion, may not evaluate a bid in case of non-submission or partial submission of the details sought.

e. The Technical Bid should comprise the following (as per the formats):

(Sr. No. / Annexure No. / Subject / Page No.)

1. ANNEXURE – I: PROFILE OF THE BIDDER (page 26)
2. ANNEXURE – II: ORGANISATIONAL STRUCTURE (page 27)
3. ANNEXURE – III: FINANCIAL INFORMATION (page 28)
4. ANNEXURE – IV: DECLARATION BY BIDDER (page 29)
5. ANNEXURE – V: MANPOWER DETAILS (page 30)
6. ANNEXURE – VI: EXPERIENCE & EXPERTISE (page 31)
7. ANNEXURE – VII: PERFORMANCE STATEMENT (page 32)
8. ANNEXURE – VIII: TEAM PROFILE (page 33)
9. ANNEXURE – IX: CVs OF TEAM LEADS & OTHERS (page 34)
10. ANNEXURE – XI: BID FORM (page 36)
11. ANNEXURE – XII: BID SECURITY FORM (page 37)
12. ANNEXURE – XV: TECHNICAL DEVIATION (page 43)
13. ANNEXURE – XVII: LETTER OF CONFIRMATION (page 45)


5.8. Commercial Bid:

a. The Commercial Bid should be submitted in a separate sealed envelope, superscribed as "Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Commercial Bid)".

b. The Commercial Bid should provide all relevant price information in Indian Rupees only.

c. The responses should be strictly as per the terms and conditions of this RFP. Bidders are advised not to attach or specify any terms and conditions. The Bank reserves its right to reject bids received with any additional terms and conditions specified by the Bidder.

d. The Commercial Bid should comprise Annexure-X (Format for Commercial Bid, page 35) & Annexure-XVI (Commercial Deviation, page 44).

e. The prices mentioned in the commercial bid should strictly be in conformity with the price composition specified in Annexure-A, clause 4.5.

f. The Commercial Bid should include all taxes, duties, fees and other charges as may be levied under the applicable law as on the date of submission of the bid. However, the tax component of the prices should be shown separately.

g. The total cost must be quoted in WORDS AND FIGURES. In case of a discrepancy between the words and figures, the lower of the two would be considered as the price quoted, and the same will be binding on the bidder.

h. The Commercial Bids of only those bidders who qualify in the Technical Bid evaluation will be opened.

5.9 Evaluation Procedure:

a. The evaluation of technical bids will be done by a team of officials and may include:

i. Scrutiny of the eligibility criteria to determine the eligibility of bidders;
ii. Scrutiny of the bids to verify whether they are in accordance with the RFP terms.

b. In the process of scrutiny of the bids, the Bank may seek additional inputs and clarifications as may be needed. The request for such clarifications and the response will necessarily be in writing.

c. Only bids found to meet the Bank's requirements based on the technical evaluation will be considered for commercial evaluation. Cost comparison will be on the basis of TCO (total cost of ownership).

5.10 Right to Alter Quantities

a. The Bank reserves the right to alter quantities, revise/modify all or any of the specifications, delete some items specified in this bid when finalizing its requirements, or declare the RFP void, without assigning any reason, before or after receiving the responses. That is, the Bank reserves its right to add or remove the Information systems in respect of which the IS Audit is to be conducted.

5.11 No Commitment to Accept Lowest or Any Tender

The Bank shall be under no obligation to accept the lowest or any other bid received in response to this tender notice and shall be entitled to reject any or all tenders without assigning any reason whatsoever.

5.12 Rotation of Audit Team

If the selected Bidder has already carried out an IS Audit of our Bank, the Bidder should change the entire team and depute a fresh team.

5.13 Price Freezing and Contract Period

a. The final prices stated above shall remain frozen for a minimum period of up to two years from the date of the purchase order.

b. The Contract would be valid for the one-time IS Audit exercise only.

5.14 Cancellation of the assignment:

The Bank reserves its right to cancel the assignment in the event of one or more of the following conditions:

a. Delay in commencement of the IS Audit beyond four weeks after the assignment order, or beyond the date given by the Bank in the purchase order.

b. Delay in completion of all the phases of the IS Audit beyond the time specified in the assignment letter.

5.15 Liquidated Damages:

5.15.1 Notwithstanding the Bank's right to cancel the assignment, 0.5% of the order value per week or part thereof would be payable to the Bank for delay in the execution of this assignment order beyond the specified schedule, subject to a maximum of 5% of the value of the said phase.

5.15.2 The Bank reserves its right to recover these amounts by any mode, such as adjusting them against any payments to be made by the Bank to the bidder.

5.15.3 The Bank may however review and consider waiving the imposition of liquidated damages for delays beyond the control of the Bidder.


5.16 RFP Ownership:

The RFP and all supporting documentation are the sole property of Punjab & Sind Bank and should not be redistributed without the prior written consent of Punjab & Sind Bank. Violation of this would be a breach of trust and may, inter alia, cause the bidders to be irrevocably disqualified. The aforementioned material must be returned to Punjab & Sind Bank while submitting the bid, or upon request. However, bidders can retain one copy for reference.

5.17 Bid Ownership:

The bid and all supporting documentation submitted by the bidders shall become the property of the Bank. The bid and documentation may be retained, returned or destroyed as the Bank decides.

5.18 Confidentiality:

5.18.1 This document contains information confidential and proprietary to the Bank. Additionally, the bidders will be exposed, by virtue of the contracted activities, to the internal business information of the Bank. Disclosure of receipt of this RFP or of any part of the aforementioned information to parties not directly involved in providing the services requested could result in the disqualification of the bidders, premature termination of the contract, or legal action against the bidders for breach of trust.

5.18.2 The selected bidder will have to sign a legal non-disclosure agreement with the Bank before starting the project.

5.19 Non Transferable Tender:

This tender document is not transferable. Only the bidder who has purchased this tender in its name or submitted the necessary RFP price (for a downloaded RFP) will be eligible for participation in the evaluation process.

5.20 Language of Bid:

The bid prepared by the Bidder, and all correspondence and documents relating to the bid exchanged by the Bidder and the Purchaser, shall be written in English.

6. RESOLUTION OF DISPUTES:

6.1 The Purchaser and the bidder shall make every effort to resolve amicably, by direct informal negotiation, any disagreement or dispute arising out of or in connection with the Contract.

6.2 If, after thirty (30) days from the commencement of such informal negotiations, the Purchaser and the bidder have been unable to resolve a Contract dispute amicably, either party may require that the dispute be referred for resolution to the formal mechanisms. Such disputes or differences shall be settled in accordance with the Arbitration and Conciliation Act, 1996. Where the value of the contract is above Rs. 1 crore, the arbitral tribunal shall consist of 3 arbitrators, one each to be appointed by the Bank and the Bidder. The third arbitrator shall be chosen by mutual discussion between the Bank and the Bidder.

6.3 The arbitration proceedings shall be held at New Delhi, India, and the language of the arbitration proceedings shall be English.

6.4 The decision of the majority of the arbitrators shall be final and binding upon both parties. The costs and expenses of the Arbitration Proceedings will be paid as determined by the arbitral tribunal. However, expenses incurred by each party in connection with the preparation, presentation, etc. of its proceedings, as also the fees and expenses paid to the arbitrator appointed by such party or on its behalf, shall be borne by each party; and

6.5 Where the value of the contract is Rs. 1 crore and below, the disputes or differences arising shall be referred to a sole arbitrator. The sole Arbitrator shall be appointed by agreement between the parties.

7. CORRUPT OR FRAUDULENT PRACTICES:

7.1 As per CVC directives, it is required that Bidders/Suppliers/Contractors observe the highest standard of ethics during the procurement and execution of such contracts. In pursuance of this policy:

i) "Corrupt practice" means the offering, giving, receiving or soliciting of anything of value to influence the action of a public official in the procurement process or in contract execution; and

ii) "Fraudulent practice" means a misrepresentation of facts in order to influence a procurement process or the execution of a contract to the detriment of the Purchaser, and includes collusive practice among Bidders (prior to or after bid submission) designed to establish bid prices at artificial, non-competitive levels and to deprive the Purchaser of the benefits of free and open competition;

7.2 The Purchaser will reject a bid for award if it determines that the Bidder recommended for award has engaged in corrupt or fraudulent practices in competing for the contract in question;

7.3 The Purchaser will declare a firm ineligible, either indefinitely or for a stated period of time, to be awarded a contract if at any time it determines that the firm has engaged in corrupt or fraudulent practices in competing for, or in executing, a contract.


8. INDEMNITY:

8.1 The bidder (Contractor) will indemnify the Bank against all actions, proceedings, claims, suits, damages and any other expenses for causes attributable to the bidder.

8.2 The total liability of the selected bidder under the contract will not exceed the total cost of the project.

9. BIDDER’S OBLIGATIONS:

9.1 The bidder is obliged to work closely with the Purchaser’s staff, act within its own authority and abide by directives issued by the Purchaser during the IS AUDIT activities.

9.2 The bidder is responsible for managing the activities of its personnel and will hold itself responsible for any misdemeanors.

9.3 The bidder is under obligation to provide IS AUDIT services as per the contract to the various Offices of the Bank.

9.4 The bidder will treat as confidential all data and information about the Purchaser obtained in the execution of its responsibilities, will hold such data in strict confidence, and will not reveal such information to any other party without the prior written approval of the Purchaser.

10. PATENT RIGHT:

10.1 The Bidder shall indemnify the Purchaser against all third party claims of infringement of patent, trademark or industrial design rights arising from use of the Software package or any part thereof in India and abroad.

10.2 In the event of any claim asserted by a third party of infringement of copyright, patent, trademark or industrial design rights arising from the use of the solution or any part thereof in India and abroad, the Bidder shall act expeditiously to extinguish such claims. If the Bidder fails to comply and the Purchaser is required to pay compensation to a third party resulting from such infringement, the Bidder shall be responsible for the compensation, including all expenses, court costs and lawyer fees. The Purchaser will give notice to the Bidder of such claims, if any is made, without delay.


11. SIGNING OF CONTRACT:

11.1 At the time when the Purchaser notifies the Bidder that its bid has been accepted, the Purchaser will send the Bidder the Contract Form (Annexure-XIV) provided in the RFP, incorporating all agreements between the parties.

11.2 Within 21 (Twenty One) days of receipt of the Contract Form, the bidder shall sign and date the contract and return it to the Purchaser along with the required Performance Security.

11.3 The Bank reserves the right to select the next ranked bidder if the selected bidder withdraws its bid after selection or at the time of finalization of the contract, or is disqualified on detection of wrong or misleading information in the bid.

11.4 In case the bidder fails to comply with Clauses 11.1 and 11.2, or in case the bidder withdraws its bid after selection as per Clause 11.3, the bid security of the bidder will be forfeited.

11.5 Contract Amendment: No variation in or modification of the terms of the Contract shall be made except by written amendment signed by the parties.

11.6 The bidder shall not assign, in whole or in part, its obligations to perform under the Contract, except with the Purchaser’s prior written consent.

12. PUBLICITY:

Any publicity by the bidder in which the name of the Purchaser is to be used should be done only with the explicit written permission of the Purchaser.

Disclaimer

Subject to any law to the contrary, and to the maximum extent permitted by law, Punjab & Sind Bank and its officers, employees, contractors, agents, and advisers disclaim all liability for any loss or damage (whether foreseeable or not) suffered by any person acting on or refraining from acting because of any information, including forecasts, statements, estimates, or projections, contained in this RFP document or conduct ancillary to it, whether or not the loss or damage arises in connection with any negligence, omission, default, lack of care or misrepresentation on the part of Punjab & Sind Bank or any of its officers, employees, contractors, agents, or advisers.


Annexure-A

OTHER IMPORTANT TERMS & CONDITIONS

The bidder has to undertake the IS audit in a phased manner as described below:

PHASE I – CONDUCT OF IS AUDIT AS PER SCOPE, EVALUATION, DISCUSSION ON THE FINDINGS AND SUBMISSION OF FINAL REPORTS

PHASE II – COMPLIANCE AUDIT, REVIEW & CERTIFICATION

The activities covered under each Phase are appended below:

1. PHASE I

1.1 Conduct of Information Systems Audit as per the SCOPE OF WORK as defined in Clause 3.

1.2 The Bank will call upon the bidder, on placement of the order, to carry out demonstration and/or walkthrough, and/or presentation and demonstration of all or specific aspects of the IS AUDIT at the Bank’s desired location or, for a walkthrough, at a mutually agreed location. All the expenses for the above will be borne by the concerned bidder.

1.3 The audit schedule is to be provided 7 working days prior to the start of the audit, along with the names of the auditors who will be conducting the audit. Resumes of the auditors assigned to the project are to be provided to the Bank beforehand, and they should be deputed to the assignment only after the Bank’s consent.

1.4 Commencement of IS Audit of IT Setups / branches as per the Scope of Work.

1.5 Execute Vulnerability Assessment/Penetration Testing of the entire network, including Internet Banking, Mobile Banking, Tele Banking and Corporate Website, as per the scope of work and Annexure C & D, on the written permission of the Bank and in the presence of the Bank’s officials; analysis of the findings and guidance for resolution of the same.

1.6 Detailing the Security Gaps

1.7 Document the security gaps, i.e. vulnerabilities, security flaws, loopholes, etc., observed during the course of the review of the CBS & other IT infrastructure of the Bank as per the scope of Audit.

1.8 Document recommendations for addressing these security gaps and categorize the identified security gaps based on their criticality and the resource/effort required to address them.

1.9 Chart a roadmap for the Bank to ensure compliance and address these security gaps.

1.10 Addressing the Security Gaps


1.11 Help in fixing/addressing the security flaws, gaps, loopholes, shortfalls and vulnerabilities in the deployment of applications / systems which can be fixed immediately. If recommendations for Risk Mitigation / Removal cannot be implemented as suggested, alternate solutions are to be provided.

1.12 Recommend fixes for system vulnerabilities, in design or otherwise, for application systems and network infrastructure.

1.13 Suggest changes/modifications in the Security Policies and Security Architecture, including Network and Applications, of PUNJAB & SIND BANK to address the same.

1.14 Final Reports of ISA Findings: The bidder has to discuss the preliminary report findings / observations / recommendations / suggestions with the Bank and, subject to the acceptance of the preliminary report by the Bank, the bidder has to submit the Final Report.

1.15 The final reports of the ISA findings will be submitted in parts as detailed under the Deliverables Section:

ISA Report: Executive Summary
ISA Report: Core Findings along with Risk Analysis
ISA Report: Detailed Findings / Checklists
ISA Report: Analysis of Reports / Corrective Measures & Suggestions along with Risk Analysis

1.16 Acceptance of the Final Report.

2. PHASE II

2.1 Compliance Review: An exercise to review compliance with the findings and recommendations of the ISA has to be undertaken by the bidder. This exercise would be undertaken preferably within 30 days from the date of completion of Phase I. However, the final date for the start of the Compliance Audit will be intimated by the Bank suitably. This exercise would encompass evaluation of the general/overall level of compliance undertaken by the Bank against the shortcomings reported in the ISA Reports.

2.2 Certification for compliance with the findings of the ISA & Final Sign Off: On completion of the compliance review and before final sign off, the bidder has to provide the BANK an ISA compliance certificate, including a certificate as per RBI guidelines for Internet Banking.

2.3 Provide Certification for the ISA: At the end of the IS Audit process, the bidder has to provide the Bank certification for the IS Audit, including a certificate as per RBI guidelines for Internet Banking.

2.4 Documentation Format: All documents will be handed over in three copies, signed, legible, neatly and robustly bound on A-4 size, good-quality paper. Soft copies of all the documents, properly encrypted, in MS Word / MS Excel / PDF format are also to be submitted on CDs/DVDs along with the hard copies. All documents will be in plain English.


3. DELIVERY SCHEDULE:

3.1 The delivery of the Reports of Phase I should be effected within 8 weeks of placement of the purchase order.

4. TERMS OF PAYMENT:

4.1 The Bidder’s request(s) for payment shall be made to the Purchaser in writing, accompanied by an invoice describing, as appropriate, the services performed, and by the documents submitted, and upon fulfillment of the other obligations stipulated in the Contract.

4.2 Payments shall be made promptly by the Purchaser on submission of an invoice/claim supported by all required documents by the Bidder.

4.3 Payment will be made to the Bidder in Indian Rupees only.

4.4 Payment Schedule:

Payment will be made on completion of the following milestones:

70% after completion of PHASE-I
30% after completion of PHASE-II

** TDS would be deducted at source for any payment made by the BANK as per the prevailing Rules of the Government of India.

4.5 Price Composition: The price quoted should be inclusive of the following:

a) Professional Charges
b) Travel and Halting expenses, including local conveyance
c) Out of pocket expenses
d) Excluding GST

4.6 Work Contract tax, if any, applicable should be borne by the Bidder.

4.7 The commercial bid shall be on a fixed price basis and in Indian Rupees. No price variation should be asked for relating to increases in customs duty, any taxes, foreign currency price variation, etc., except GST.

4.8 All costs and expenses incurred by the bidder in any way associated with the development, preparation, and submission of responses, including attendance at meetings, discussions, demonstrations, reference site visits, etc., and providing any additional information required by Punjab & Sind Bank, will be borne entirely and exclusively by the bidder.


5.0 TAXES & DUTIES:

5.1 The bidder will be entirely responsible to pay all taxes, including corporate tax, income tax, license fees, duties, etc., except GST, in connection with delivery of the services at site.

5.2 Wherever the laws and regulations require deduction of such taxes at the source of payment, the Bank/Purchaser shall effect such deductions from the payment due to the bidder. The remittance of the amount so deducted and issue of a certificate for such deductions shall be made by the Purchaser as per the laws and regulations in force.

5.3 GST, if any, which will be applicable should be clearly mentioned separately and will be paid by the Bank on an actual basis on production of proof.

5.4 Nothing in the contract shall relieve the bidder from its responsibility to pay any tax that may be levied in India on income and profits made by the bidder in respect of this contract.

5.5 Payment of Other Expenses:

a. The selected bidder will have to visit various offices of the Bank, at various locations like Mumbai, Chennai, Delhi, Noida, etc., during the course of the IS Audit. The Bank will not pay any expenses towards travelling, lodging and boarding of the members of the IS Audit team of the selected bidder. They will have to make their own travel and stay arrangements.

b. The bidder may perform a site inspection at its own cost to verify the appropriateness of the sites/facilities before the start of the Audit.

6. PROJECT SCHEDULE:

The selected bidder has to depute its officials at the Information Systems Audit Cell, HO Inspection Department, New Delhi within 10 days from the date of signing of the contract, for holding a formal meeting. During the said meeting the bidder has to give a brief technical overview / presentation regarding the technical methodology being adopted by them to conduct the said audit.

The bidder has to maintain the schedule time frame as mentioned below:

The timeframe for completion of Phase I of the project would be a maximum of 6 weeks.
The timeframe for completion of Phase II would be a maximum of 2 weeks.

An exercise to review compliance with the findings and recommendations of the IS Audit has to be undertaken by the bidder (Phase-II). This exercise would be undertaken preferably within 180 days from the date of completion of Phase I. However, the final date for the start of the Compliance Audit will be informed by the Bank in due course of time.

The Final ISA certificate is to be issued within a week of the Audit Compliance Review.


7. DELIVERABLES:

The major deliverables in this project are noted below:

7.1 Information Systems Audit as per the Scope of Work.

7.2 Vulnerability Assessment/Penetration Testing of the entire network, including Internet Banking, as per the scope of work and Annexure C & D; analysis of the findings and guidance for resolution of the same.

7.4 ISA Report (Type - Documentation)

7.4.1 Audit Report:

Broadly, the Audit Report should be prepared keeping the undernoted points in view:

Gaps, deficiencies and vulnerabilities observed in the audit. Specific observations will be given indicating the name and address of the equipment.
Risk associated with the gaps, deficiencies and vulnerabilities observed.
Analysis of vulnerabilities and issues of concern.
Recommendations for corrective action.
Category of Risk: Very High / High / Medium / Low.
Summary of audit findings, including identification tests, tools used and results of tests performed during the IS Audit.
Report on audit covering the compliance status of the IS Audit.
All observations will be thoroughly discussed with process owners before finalization of the report.

The Audit Report should be submitted in the following order:

Location, Domain/Module, Hardware, Operating Systems.
Detailed report of network audit including VAPT with recommendations and suggestions.
Detailed report of VAPT.

The Audit Report shall incorporate a certificate that the report covers every area specified in the scope of the BID.

The IS Audit Reports have to be submitted at the end of Phase I, and the set of reports would comprise the following sub-reports:

7.4.2 ISA Report: Executive Summary:

An executive summary should form a part of the FINAL REPORT.


7.4.3 ISA Report: Core Findings along with Risk Analysis:

The bidder will submit a report bringing out the core findings of the IS Audit exercise in the existing practices, along with a Risk Analysis of individual items, with reference to best practices & standards.

7.4.4 ISA Report: Detailed Findings/Checklists:

The detailed findings of the ISA would be brought out in this report, which will cover in detail all aspects, viz. identification of flaws / gaps / vulnerabilities in the systems (specific to equipment/resources, indicating the name and IP address of the equipment with Office and Department name), identification of threat sources, identification of risk, identification of inherent weaknesses, servers/resources affected with IP addresses, etc. The report should classify the observations into Critical / Non-Critical categories and assess the category of risk implication as VERY HIGH / HIGH / MEDIUM / LOW RISK based on the impact. The various checklist formats, designed and used for conducting the IS Audit as per the scope, should also be included in the report separately for Servers (different for different OS), RDBMS, network equipment, security equipment, etc., so that they provide minimum domain-wise baseline security standards/practices to achieve a reasonably secure IT environment for the technologies deployed by Punjab & Sind Bank. The reports should be substantiated with the help of snapshots/evidence/documents, etc., from where the observations were made.

7.4.5 ISA Report: In-Depth Analysis of Findings / Corrective Measures & Suggestions along with Risk Analysis: The findings of the entire IS Audit process should be critically analyzed and controls should be suggested as corrective/preventive measures for strengthening/safeguarding the IT assets of the Bank against existing and future threats in the short/long term. The report should contain suggestions/recommendations for improvement in the systems wherever required. If recommendations for Risk Mitigation/Removal cannot be implemented as suggested, alternate solutions are to be provided. Also, if formal procedures are not in place for any activity, evaluate the process & the associated risks and give recommendations for improvement as per best practices.

7.4.6 Provide Certification for the ISA (Type - Documentation & Service): At the end of the IS Audit process, the bidder has to provide the Bank certification for the IS Audit, including a certificate as per RBI guidelines for Internet Banking.

7.4.7 Documentation Format: All documents will be handed over in three copies, signed, legible, neatly and robustly bound on A-4 size, good-quality paper. Soft copies of all the documents, properly encrypted, in MS Word / MS Excel / PDF format are also to be submitted on CDs/DVDs along with the hard copies. All documents will be in plain English.


7.4.8 LIST OF COUNT OF SERVERS/DEVICES IN DIFFERENT AUDITEE LOCATIONS (it may vary in the actual scenario) is enclosed as Annexure ‘D’.

Note: The list may vary in the actual scenario. Any new addition/upgradation in hardware, software, new deliverables, or change in architecture during the contract period at the Data Center, DRS, etc. will also be covered in the audit. Exact details of the devices/equipment at the various auditee locations will be provided to the final shortlisted bidder at the time of placing the order.


ANNEXURE B: SCHEDULE OF REQUIREMENTS

INDEX

Sr. No.   ANNEXURE No.      SUBJECT                              PAGE No.
1         ANNEXURE – I      PROFILE OF THE BIDDER                26
2         ANNEXURE – II     ORGANISATIONAL STRUCTURE             27
3         ANNEXURE – III    FINANCIAL INFORMATION                28
4         ANNEXURE – IV     DECLARATION BY BIDDER                29
5         ANNEXURE – V      MANPOWER DETAILS                     30
6         ANNEXURE – VI     EXPERIENCE & EXPERTISE               31
7         ANNEXURE – VII    PERFORMANCE STATEMENT                32
8         ANNEXURE – VIII   TEAM PROFILE                         33
9         ANNEXURE – IX     CVs OF TEAM LEADS & OTHERS           34
10        ANNEXURE – X      FORMAT FOR COMMERCIAL BID            35
11        ANNEXURE – XI     BID FORM                             36
12        ANNEXURE – XII    BID SECURITY FORM                    37
13        ANNEXURE – XIII   PERFORMANCE SECURITY FORM            39
14        ANNEXURE – XIV    CONTRACT FORM                        41
15        ANNEXURE – XV     TECHNICAL DEVIATION                  43
16        ANNEXURE – XVI    COMMERCIAL DEVIATION                 44
17        ANNEXURE – XVII   LETTER OF CONFIRMATION               45


ANNEXURE – I (TECHNICAL BID): PROFILE OF THE BIDDER

RFP REF No: PSB/HOIT/RFP/106/2017-18 Dt. 21.12.2017

DESCRIPTION DETAILS

Registered address of the Bidder
  Address:

Address for Correspondence of the Bidder
  STD-Phone:
  e-mail Id:
  FAX No:

Contact name of the official who can commit on the contractual terms, and the name of an alternate official who may be contacted in the absence of the former
  Primary Contact:
    Name:
    Designation:
    STD-Phone No:
    Mobile Phone:
    e-mail ID:
  Alternate Contact:
    Name:
    Designation:
    STD-Phone No:
    Mobile Phone:
    e-mail ID:

Contact addresses if different from above

Official Website
  Web Site URL:

Authorized Signatory with Seal

Date:

Place:


ANNEXURE – II (TECHNICAL BID): ORGANISATIONAL STRUCTURE

RFP REF No: PSB/HOIT/RFP/106/2017-18 Dt. 21.12.2017

DESCRIPTION DETAILS

Business Structure of the Bidder – Government organization / PSU / Partnership Firm / Limited Co. / LLP / Private Ltd. Co. (Enclose relevant registration details)

Registered Office

Bidder’s Organization’s date of inception / Commencement of Business

No. of completed years in existence as on the last date of bid submission

Constitution

Names of Directors

Core Business of Bidder

Bidder is engaged in Information Systems Audits since (month & year) & total experience (in years/months) in IS Audit Services

Whether Information Systems Audit is a core function of the bidder?

Empanelment with CERT-In as IS Audit Organization – current status (Enclose Empanelment details)
  Empanelment valid from:
  Empanelment valid up to:

Whether submitting the Bid as a part of any consortium (Yes/No)

Authorized Signatory with Seal

Date:

Place:


ANNEXURE – III (TECHNICAL BID): FINANCIAL INFORMATION

RFP REF No: PSB/HOIT/RFP/106/2017-18 Dated: 21.12.2017

DESCRIPTION DETAILS

Total Turnover over the past three years from operations in India
  2014-15 Rs.
  2015-16 Rs.
  2016-17 Rs.

Authenticated proof of Audited Balance-Sheet etc. for the last 2 years (Enclosed relevant documents are):
  1)
  2)
  3)

Net Profit of the Organization for the last 3 years
  2014-15 Rs.
  2015-16 Rs.
  2016-17 Rs.

Authenticated proof of Audited Balance-Sheet etc. for the last 3 years (Enclosed relevant documents are):
  1)
  2)
  3)

Authorized Signatory with Seal

Date:

Place:


ANNEXURE – IV (TECHNICAL BID): DECLARATIONS BY BIDDER

RFP REF No: PSB/HOIT/RFP/106/2017-18 Dated: 21.12.2017

DESCRIPTION DETAILS

Bidder warrants financial solvency, i.e. ability to meet all debts as and when they fall due (substantiate)

Bidder confirms that it has not been blacklisted by any Govt. Department / PSU / PSE or Banks, and that the bidder/firm is otherwise not involved in any such incident with any concern whatsoever (substantiate)

Bidder confirms that it has not been a Bidder / consultant for supply of Hardware/Software components of the Bank, or involved in implementing Security & Network Infrastructure or providing services excluding IS Audit Services, either directly or indirectly through a consortium, in the past three years to PUNJAB & SIND BANK (Enclose a relevant declaration / confirmation to this effect – Annexure XVII) (substantiate)

Authorized Signatory with Seal

Date:

Place:


ANNEXURE – V (TECHNICAL BID): MANPOWER DETAILS

RFP REF No: PSB/HOIT/RFP/106/2017-18 Dated: 21.12.2017

DESCRIPTION DETAILS

Number of Professional Manpower available for IS Audits in the organization (Mention count for Permanent employees only)

  S.N.  PROFESSIONAL
  1.    CISA / CISM
  2.    CISSP
  3.    BS 7799 / ISO 27001 LA
  4.    CCNA / CCNE
  5.    DISA / ISA
  6.    OCP / OCM
  7.    OTHERS
  8.    TOTAL

Details of Team Leads / Project Leads / Key Personnel who have led prior IS audit assignments of DC/DRS etc. in a Bank or other organization. (Enclose Individual Curriculum Vitae of Team Leads / Project Leads and other key personnel assigned for the project as per Annexure VIII & IX.)
  CISA:
  CISSP:
  BS 7799 / ISO 27001 LA:
  Any Other:

Authorized Signatory with Seal

Date:

Place:


ANNEXURE – VI (TECHNICAL BID): EXPERTISE & EXPERIENCE

RFP REF No: PSB/HOIT/RFP/106/2017-18 Dated: 21.12.2017

DESCRIPTION DETAILS

Details of the Assignments where the bidder has performed IS audit of Data Centre / DRS & Related Infrastructure in a Bank / Other organization during the last two years

Tools used for IS Audit of DC, DRS, PG etc.

Methodology adopted for IS Audit of DC, DRS etc.

Bidder’s experience & expertise in IS Audit of CBS Data Centre / DRS, VAPT of the entire CBS Infrastructure including Internet Banking, IS Audit of ATM Switch, IS Audit of Payment Gateway

Experience & expertise in Vulnerability Assessments in Audit of specialized CBS branches like Service Branch (Enclose relevant documents)

Experience & expertise in Penetration Testing of the CBS network (Enclose relevant documents)

Authorized Signatory with Seal

Date:

Place:


Annexure VII (Technical Bid): PERFORMANCE STATEMENT OF THE BIDDER (We expect minimum three references)

RFP REF No: PSB/HOIT/RFP/106/2017-18 Dated: 21.12.2017

DESCRIPTION DETAILS

Name of the Bank / organization

Address of the Bank / organization

Project Name (Mention only IS Audit of DC / DRS / VAPT & allied Infrastructure related projects in Banks / other organizations)

Sites covered under the Project

IS Audit start date

Current status of the Project

Duration of the Project

Modules covered in IS audit

Infrastructure/Facilities covered in IS Audit

Contact person details from the Bank
  1) Name:
  2) Designation:
  3) Phone No.:
  4) Email Id:

Names of project staff / professionals involved

Nature of audit work that was outsourced (if any)

Authorized Signatory with Seal

Date:

Place:


Annexure VIII :- (Technical Bid)

PROFILE OF THE PROPOSED CORE AUDIT TEAM TO BE ASSIGNED FOR THE PROJECT

RFP REF No:- PSB/HOIT/RFP/106/2017-18 Dt. 21.12.2017

S.N. | NAME | DESIG. | PART TIME / FULL TIME | ROLE IN IS AUDIT (TASK / MODULE) | PROFESSIONAL QUALIFICATION | YEARS OF IS AUDIT EXP.
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
7 | | | | | |
8 | | | | | |
9 | | | | | |
10 | | | | | |

Authorized Signatory with Seal

Date:

Place:


Annexure IX (Technical Bid)

INDIVIDUAL CV’s FOR TEAM LEAD & OTHER MEMBERS OF THE CORE AUDIT TEAM TO BE ASSIGNED FOR THE PROJECT

RFP REF No:- PSB/HOIT/RFP/106/2017-18 Dt. 21.12.2017

(To be furnished on a separate sheet for each member of the audit team)

DESCRIPTION | DETAILS
Name of the member |
Role of the member |
Employee of the audit firm / company since: |
Designation: |
Educational Qualification: |
Other Certifications/accreditations: |
Employment History |
Total Banking Experience (no. of years, areas of experience) |
Experience in similar IS Audit projects in the past three years (including client details, role of member, activities performed, duration of experience): |

S.NO. | Client Organization | Details of assignment done & Role Assigned | Experience in Months & years

Authorized Signatory with Seal

Date:

Place:


Annexure X :- (Commercial Bid)

FORMAT FOR COMMERCIAL BID

RFP Ref. No: PSB/HOIT/RFP/106/2017-18 Dated: 21.12.2017

PARTICULARS | BASE AMOUNT (IN RS) INCLUDING ALL TAXES AS PER THE CURRENT RATE, EXCLUDING GST (A) | GST AS PER THE CURRENT RATE APPLICABLE (B) | TOTAL AMOUNT (A+B=C)
Cost of IS Audit as per the scope of work defined in the RFP (Inclusive of all fees & expenses) | | |
TOTAL COST OF IS AUDIT | | |

(Total Base Amount (As per column A) in Words: Rupees ____________ )

Authorized Signatory with Seal

Date:

Place:

Note:-

The Commercial Bid should contain the Total Project cost on a fixed cost basis. Punjab & Sind Bank will neither provide nor reimburse any expenditure towards any type of Accommodation, Travel Ticket, Airfares, Train fares, Halting expenses, Transport, Lodging, Boarding etc.

The prices quoted above should be inclusive of all taxes & duties as applicable, except GST. The commercial bid will be evaluated based on column (A), i.e. the Base Amount including all taxes as per the current rate, excluding GST.

GST should be mentioned in the separate column as provided in the format.

Providing a commercial bid in a format other than this may lead to rejection of the bid.


Annexure XI :- (Technical Bid)

RFP REF No:- PSB/HOIT/RFP/106/2017-18 Dt. 21.12.2017

BID FORM

Date:

To
PUNJAB & SIND BANK,
H.O. IT Department,
2nd floor, Bank House,
21, Rajendra Place,
New Delhi – 110008

Having examined the RFP including all Annexures, the receipt of which is hereby duly acknowledged, we the undersigned offer to provide IS Audit services in conformity with the said RFP, in accordance with the Price Composition indicated in the Commercial Bid and made part of the Bid.

We undertake, if our bid is accepted, to deliver the services in accordance with the delivery schedule specified in Annexure A.

We agree to abide by this bid for a period of 180 days from the last date of submission of the bid; it shall remain binding upon us and may be extended at any time before the expiration of that period.

We undertake that, in competing for (and, if the award is made to us, in executing) the above contract, we will strictly observe the laws against fraud and corruption in force in India, namely the “Prevention of Corruption Act 1988”.

We understand that the Bank is not bound to accept the lowest or any bid the Bank may receive.

Dated this ________________ day of _____________ 20__.

(Signature) (In the Capacity of)

Duly authorized to sign bid for and on behalf of

(Name & Address of Bidder) ________________________________

Business _________________________ Address ________________


Annexure XII :- (Technical Bid)

BID SECURITY FORM

(SAMPLE FORMAT OF BANK GUARANTEE (BG) FOR BID SECURITY)

(ON A NON-JUDICIAL STAMP PAPER OF RS. 100.00)

TO:
PUNJAB & SIND BANK,
H.O. IT Department,
2nd floor, Bank House,
21, Rajendra Place,
New Delhi – 110008

WHEREAS ____________________ (hereinafter called “the Bidder”) has submitted its bid dated _________ (date of submission of bid) for providing services of IS Audit ________________________ (name and/or description of goods/Services) (hereinafter called “the Bid”).

KNOW ALL PEOPLE by these presents that WE __________ (name of bank) of ________ (name of country), having our registered office at ____________________ (address of bank) (hereinafter called “the Bank”), are bound unto PUNJAB & SIND BANK (hereinafter called “the Purchaser”) in the sum of ________________, for which payment well and truly to be made to the said Purchaser, the Bank binds itself, its successors and assigns by these presents. Sealed with the common seal of the said Bank this _______ day of __________, 20___.

THE CONDITIONS of this obligation are:

1. If the Bidder withdraws its Bid during the period of bid validity specified by the Bidder on the Bid Form; or

2. If the Bidder, having been notified of the acceptance of its bid by the Purchaser during the period of bid validity, fails or refuses to execute the Contract Form if required;

We undertake to pay the Purchaser up to the above amount upon receipt of its first written demand, without the Purchaser having to substantiate its demand, provided that in its demand the Purchaser will note that the amount claimed by it is due to it owing to the occurrence of one or both of the two conditions, specifying the occurred condition or conditions.


This guarantee will remain in force up to the last date of submission of the bid, i.e. _________, and any demand in respect thereof should reach the Bank not later than the above date.

Place:

SEAL Code No. SIGNATURE

NOTE:

1. THE BIDDER SHOULD ENSURE THAT THE SEAL & CODE NO. OF THE SIGNATORY IS PUT BY THE BANKERS BEFORE SUBMISSION OF THE BG.

2. STAMP PAPER IS REQUIRED FOR THE BG ISSUED BY BANKS LOCATED IN INDIA.


Annexure XIII: - PERFORMANCE SECURITY FORM

(SAMPLE FORMAT OF BANK GUARANTEE (BG) FOR EMPANELMENT SECURITY)

(ON A NON-JUDICIAL STAMP PAPER OF RS. 100.00)

TO:
PUNJAB & SIND BANK,
H.O. IT Department,
2nd floor, Bank House,
21, Rajendra Place,
New Delhi – 110008

WHEREAS ____________________ (hereinafter called “the Bidder”) has submitted its bid dated _________ (date of submission of bid) for providing services of IS Audit ________________________ (name and/or description of goods) (hereinafter called “the Bid”).

KNOW ALL PEOPLE by these presents that WE __________ (name of bank) of ________ (name of country), having our registered office at ____________________ (address of bank) (hereinafter called “the Bank”), are bound unto PUNJAB & SIND BANK (hereinafter called “the Purchaser”) in the sum of ________________, for which payment well and truly to be made to the said Purchaser, the Bank binds itself, its successors and assigns by these presents. Sealed with the common seal of the said Bank this _______ day of __________, 20___.

THE CONDITIONS of this obligation are:

1. If the Bidder, having been notified as selected for providing IS AUDIT SERVICES to the Purchaser, during the period of the contract fails to perform its obligations as bidder and to fulfil the requirements specified in the contract up to the desired level.

We undertake to pay the Purchaser up to the above amount upon receipt of its first written demand, without the Purchaser having to substantiate its demand, provided that in its demand the Purchaser will note that the amount claimed by it is due to it owing to the occurrence of one or both of the two conditions, specifying the occurred condition or conditions.

This guarantee will remain valid for a period of 12 months from the date of signing of the contract, i.e. from _________ to _________, and any demand in respect thereof should reach the Bank not later than the above date.

Place:

SEAL Code No. SIGNATURE


NOTE:

1. THE BIDDER SHOULD ENSURE THAT THE SEAL & CODE NO. OF THE SIGNATORY IS PUT BY THE BANKERS BEFORE SUBMISSION OF THE BG.

2. STAMP PAPER IS REQUIRED FOR THE BG ISSUED BY BANKS LOCATED IN INDIA.


Annexure XIV: - CONTRACT FORM (SAMPLE)

(Non-Judicial Stamp Paper of appropriate value)

RFP REF. NO.

CONTRACT NUMBER:

THIS AGREEMENT made the _________ day of ______, 20___ between PUNJAB & SIND BANK (hereinafter “the Purchaser”) of the one part and __________ (Name of Selected Bidder) of ____________ (City and Country of Bidder) (hereinafter “the Bidder”) of the other part:

WHEREAS the Purchaser is desirous that certain services should be provided by the Bidder, viz. ________________ ________________ (Brief description of Services), and has accepted a bid by the Bidder for supply of software and services to meet its requirement from time to time.

NOW THIS AGREEMENT WITNESSETH AS FOLLOWS:

1. In this Agreement words and expressions shall have the same meanings as are respectively assigned to them in the Conditions of Contract referred to.

2. The following documents shall be deemed to form and be read and construed as part of this Agreement, viz.:

(a) RFP No. PSB/HOIT/RFP/106/2017-18 dated 21.12.2017 and all its addendums/modifications.

(b) The Bid Form and price schedule submitted by the Bidder and subsequent amendments made to it as accepted by the Bank.

(c) The scope of work and deliverables.

(d) All terms & conditions as per the RFP, Annexure-A & Annexure-B.

3. In consideration of the payments to be made by the Purchaser to the Bidder in terms of the Purchase Order for IS AUDIT services placed by the Head Office of the Purchaser, the Bidder hereby covenants with the Purchaser to provide the services therein in conformity in all respects with the provisions of the Contract.

4. The Purchaser hereby covenants to pay the Bidder, in consideration of the provision of services, the Purchase Order Price or such other sum as may become payable under the provisions of the Contract, at the times and in the manner prescribed by the Contract.


IN WITNESS whereof the parties hereto have caused this Agreement to be executed in accordance with their respective laws the day and year first above written.

Signed, sealed and delivered by the said ________________________ (For the Bidder) in presence of _______________________

Signed, sealed and delivered by the said ________________________ (For the Purchaser) in presence of ______________________


Annexure XV :- (Technical Bid)

RFP REF No:- PSB/HOIT/RFP/106/2017-18 Dt. 21.12.2017

TECHNICAL DEVIATION STATEMENT

The following are the particulars of deviations from the requirements of the tender/bid:-

CLAUSE | DEVIATION | REMARKS (Including justification) | Whether it has any commercial implications (Reply in yes*/no)

The eligibility criterion & offered IS AUDIT services furnished in the bidding document shall prevail over those of any other documents forming a part of our bid, except only to the extent of deviations furnished in this statement.

Dated ________________ Signature and seal of the Bidder

Note: Where there is no deviation, the statement should be returned duly signed with an endorsement indicating “No Deviations”.

* If the reply is yes, it must be specified in Annexure-XVI (Commercial Deviation Statement Form), else the commercial implication will be treated as NIL.


Annexure XVI :- (Commercial Bid)

RFP REF No:- PSB/HOIT/RFP/106/2017-18 Dt. 21.12.2017

COMMERCIAL DEVIATION STATEMENT FORM

The following are the particulars of deviations from the requirements of the tender/bid:

CLAUSE | DEVIATION | REMARKS (Including justification)

The cost of offered IS AUDIT services furnished in the bidding document (Annexure-X) shall prevail over that of any other document forming a part of our bid, except only to the extent of deviations furnished in this statement.

Dated ________________ Signature and seal of the Bidder

NOTE: Where there is no deviation, the statement should be returned duly signed with an endorsement indicating “No Deviations”.


Annexure XVII (Technical Bid)

LETTER OF CONFIRMATION

The Asstt. General Manager,
PUNJAB & SIND BANK,
H.O. IT Department,
2nd floor, Bank House,
21, Rajendra Place,
New Delhi – 110008

Dear Sir,

We confirm that we will abide by the conditions mentioned in the Tender Document (RFP and annexures) in full and without any deviation, subject to Annexure-XV & XVI. We shall observe confidentiality of all the information passed on to us in the course of the IS Audit process and shall not use the information for any purpose other than the current tender.

We confirm that we have not been blacklisted by any Govt. Department / PSU / PSE or Banks, nor otherwise involved in any such incident with any concern whatsoever where the job undertaken / performed and conduct has been questioned by any authority, which may lead to legal action.

We also confirm that we are not a bidder / consultant to the Bank involved in either supply/installation of Hardware/Software, implementation of Security/Network Infrastructure of the Bank, or providing services (excluding IS Audit services) in the past three years, directly or indirectly through a consortium.

Place:

Date:

(Authorized Signatory)

SEAL


ANNEXURE “C”

A. Systems/Applications and their Locations (tentative)

1.1 The Information Systems Audit should cover the entire Information Systems Infrastructure, which includes Servers & other hardware items, Operating Systems, Databases, Application Systems, Technologies, Networks, Facilities, Process & People of the under-noted locations:

Sr. No. | Particulars | DC | DR | NLDC
1. | CBS Servers, Interfaces, Network & Other Devices | Navi Mumbai | Greater Noida | Navi Mumbai
2. | ATM Switch & Back Office | Chennai | Mumbai | N.A.
3. | Financial Inclusion, Centralized FI gateway Application solution | Navi Mumbai | -- | N.A.
4. | E-KYC (Biometrics) | Navi Mumbai | -- | N.A.
5. | Internet Banking Application | Navi Mumbai | Greater Noida | Navi Mumbai
6. | Mobile Banking Application | Navi Mumbai | Greater Noida | Navi Mumbai
7. | Mail Messaging Solution | Navi Mumbai | Greater Noida | Navi Mumbai
8. | Intranet of the bank | Navi Mumbai | Greater Noida | Navi Mumbai
9. | SMS Alert System | Mumbai | Pune |
10. | RTGS/NEFT etc. | HO.IT Deptt., Rajendra Place | Greater Noida |
11. | Cheque Truncation System (CTS) - Northern Grid | RCC, Delhi, C.P. (Soon will shift to Ranjit Nagar) | Greater Noida |
12. | Cheque Truncation System (CTS) - Southern Grid | RCC, Mumbai (Opex Model) | |
13. | Cheque Truncation System (CTS) - Western Grid | RCC Chennai (Opex Model) | |
14. | Treasury Solution | Navi Mumbai | Greater Noida | N.A.
15. | UPI | Mumbai | New Delhi | N.A.
16. | BBPS | Mumbai | Chennai | --


17. | POS | Mumbai | Bangalore | --
18. | Bharat QR Code | Mumbai | Bangalore | --
19. | Aadhaar Enabled Payment System (AEPS) | | |
20. | Merchant Aadhaar Payment System | | |
21. | Accumen Pro Connect (Liquidity Management System) | HO.IT Deptt., Rajendra Place | Greater Noida |
22. | Call Centre | Noida | Noida |
23. | GST | Navi Mumbai | Greater Noida |
24. | SWIFT | Navi Mumbai | HO.Fex Deptt., N.D. (To be soon shifted to Greater Noida) | --
25. | Card Management | Chennai | Pune | --
26. | CCIL Server | HO.IT Deptt., Rajendra Place | Greater Noida | --
27. | ALM | Greater Noida | Vashi, Mumbai | --
28. | AML | Navi Mumbai | Greater Noida | --
29. | Data Archival Retrieval (DAR) | Navi Mumbai | Greater Noida | --

B. IS AUDIT OF INTERNET BANKING (WWW.PSBONLINE.CO.IN), MOBILE BANKING (HTTPS://WWW.PSBMOBILE.COM/MPAYPSBWAP/PSB), INTRANET.PSB.CO.IN, WEBMAIL.PSB.CO.IN, UPI, BHIM, FI AND CORPORATE WEBSITE (WWW.PSBINDIA.COM) OF THE BANK

While conducting the IS Audit, the guidelines/recommendations issued by CERT-In and the Reserve Bank of India should be strictly complied with.

C. Vulnerability Assessment & Penetration Testing (Internal and External)

The Bidder is expected to conduct a VA/PT of the deployed solution at the Data Centre and the Disaster Recovery Site and ensure compliance in respect of the security gaps identified. A minimum set of activities to be performed is detailed in the scope of work.


D. Application Review and Testing

The Bidder is to carry out an application review covering the functionality, security and controls within the applications. A minimum set of activities to be performed is detailed in the scope of work.


ANNEXURE ‘D’

LIST OF SERVERS/DEVICES IN DIFFERENT AUDITEE LOCATIONS

(It may vary in the actual scenario)

Sr. no. | Purpose | Model | Quantity DC | Quantity DR | Quantity NLDC

Servers, Storage & Tape Library
1 | CBS Servers (Database + Application) | Oracle T4-4 | 2 | 2 | NA
2 | CBS Servers (Database + Application) | Oracle T4-1 | 6 | 6 | NA
3 | SASCL Server | Oracle T3-1 | 1 | NA | NA
4 | Storage | EMC VNX 5500 in DC & DR and EMC VNX 5300 in near site | 1 | 1 | 1
5 | Storage | EMC VNXe 3100 | 1 | NA | NA
6 | SAN Switch | Cisco SAN Switch | 2 | 2 | 2
7 | Tape Drive | Tandberg T40+ Tape library | 1 | 1 | NA
8 | Blade Chassis | Cisco UCS chassis | 6 | 4 | NA
9 | Windows Servers | Cisco UCS Blade server | 42 | 28 | NA

Network equipment
1 | MPLS Routers | ASR1002-10G-SEC/K9 | 2 | 2 | 2
2 | IPSec Routers | ASR1002-10G-VPN/K9 | 2 | 2 | NA
3 | Routers | CISCO2921-SEC/K9 | 4 | 2 | NA
4 | Routers | CISCO2921-SEC/K9 | 2 | 1 | NA
5 | Core Switches | N7K-C7009-BUN2-R | 2 | 2 | NA
6 | Server Farm | WS-C3750X-24T-S | 3 | 2 | 2
7 | Uplink Switches | WS-C3750X-24T-S | 4 | 4 | NA
8 | DMZ Switches | WS-C2960G-24TC-L | 2 | 2 | NA
9 | Web Zone | ACE-4710-04-K9 | 4 | 4 | NA
10 | ISE SLB | ACE-4710-04-K9 | 4 | 4 | NA
11 | Internet Section | APV 2600 | 2 | 2 | NA
12 | Replication | APV 2600 | 2 | 2 | NA


Sr. no. | Purpose | Model | Quantity DC | Quantity DR | Quantity NLDC

Security Equipment
1 | Intranet Firewall | ASA5585-S20P20XK9 | 2 | 2 | NA
2 | RA VPN Firewall | ASA5545-K9 | 2 | 2 | NA
3 | Internet Firewall | CP4200 | 2 | 2 | NA
4 | CP Security Mgmt | Smart-1 | 1 | NA | NA
5 | CP Smart Event | SM503-EVNT | 1 | NA | NA
6 | Access Control | CSACS-1121-K9 | 1 | 1 | NA
7 | Admission Control | ISE-3395-K9 | 8 | 8 | NA
8 | Web Gateway | MFE Web Gateway 5500 Appl-B | 2 | 1 | NA
9 | Email Gateway | MFE Email Gateway 5500 Appl-C | 2 | 1 | NA

Other
1 | Network Monitoring | LMS-4.1-2.5K-K9 | 1 | 1 | NA
2 | Security Monitoring | L-CSMPR250-4.2-K9 | 1 | 1 | NA
3 | NAC | Cisco L-ISE-ADV5Y-5K= | 4 | 3 | NA