Page 1 of 118
Request for Proposal for Selection of Security System Integrator to set up
Security Operation Centre (SOC) for Bank
Tender No: PSB/HOIT/RFP/94/2017-18
Dated: 21.08.2017
PUNJAB & SIND BANK
(A Govt. of India Undertaking)
Head office Information Technology Department
Bank House, 21, Rajendra Place
New Delhi-110008
https://www.psbindia.com
INDEX
S. No.  Detail                                              Page No. (From - To)
1       Introduction                                        3 - 3
2       Disclaimer                                          4 - 4
3       Key Information                                     5 - 5
4       Chapter 1 – Instructions to Bidders                 6 - 12
5       Chapter 2 – Terms and Conditions                    13 - 33
6       Chapter 3 – Scope of Work                           34 - 54
7       Chapter 4 – Service Level Agreement And Penalties   55 - 61
8       Chapter 5 – Project Team Structure                  62 - 63
9       Chapter 6 – Project Timelines                       64 - 64
10      Chapter 7 – Evaluation Methodology                  65 - 65
11      Annexure and Formats                                66 - 118
INTRODUCTION
About this Request for Proposal (RFP)
Considering the fast-paced threats in the IT environment, Punjab & Sind Bank (hereinafter referred to as the
“Bank”) has decided to strengthen its Information Security set-up as per the guidelines in the G.
Gopalakrishna Committee Report & Recommendations on Information Security, Electronic Banking,
Technology Risk Management and Cyber Frauds, released in January 2011, and the RBI Circular on Cyber
Security Framework in Banks dated 02 June 2016.
This RFP should not be considered a statement of intent for procurement unless a Purchase Order or
Letter of Intent is issued by the Bank as an end result of this RFP process.
This RFP document is meant for the exclusive purpose of setting up a Security Operation Centre (SOC) at
Punjab & Sind Bank as per the terms, conditions and specifications indicated in this RFP, and shall not
be transferred, reproduced or otherwise used for purposes other than that for which it is specifically issued.
About Punjab & Sind Bank
Punjab & Sind Bank, a body constituted under the Banking Companies (Acquisition and Transfer of
Undertakings) Act, 1980, has its Head Office at 21, Bank House, Rajendra Place, New Delhi-110008.
The Bank has a three-tier administrative architecture with a Head Office (H.O.) at 21, Bank House,
Rajendra Place, New Delhi – 110008, Zonal Offices (ZOs) at 24 locations and more than 1450 branches
across India. The Bank aims to be one of the leading commercial banks in the country. All branches of
the Bank are CBS enabled; the Bank has deployed Finacle as the Core Banking Solution (CBS) for all its
branches.
Apart from the Finacle Core Banking System (CBS), the Bank has implemented the following delivery channels:
1. ATM – Debit Card
2. Internet Banking – For Retail & Corporate Customers
3. Mobile Banking
4. UPI (Unified Payments Interface)
5. BBPS (Bharat Bill Payment System)
DISCLAIMER
• The information contained in this RFP document or any information provided subsequently to
Bidder(s) whether verbally or in documentary form by or on behalf of the Bank, is provided to the
Bidder(s) on the terms and conditions set out in this RFP document and all other terms and
conditions subject to which such information is provided.
• This RFP is neither an agreement nor an offer and is only an invitation by Bank to the interested
parties for submission of bids. The purpose of this RFP is to provide the Bidder(s) with information
to assist the formulation of their proposals. This RFP does not claim to contain all the information
each bidder may require. Each Bidder should conduct its own investigations and analysis and should
check the accuracy, reliability and completeness of the information in this RFP and obtain
independent advice, wherever necessary. Bank makes no representation or warranty and shall incur
no liability under any law, statute, rules or regulations as to the accuracy, reliability or completeness
of this RFP. Bank may in its absolute discretion, but without being under any obligation to do so,
update, amend or supplement the information in this RFP.
• This is not an offer by the Bank but only an invitation to bid in the selection process initiated by the
Bank. No contractual obligation whatsoever shall arise from the RFP process until a formal contract
is executed by the duly authorized signatory of the Bank and the Bidder.
KEY INFORMATION
Tender Number: PSB/HOIT/RFP/94/2017-18
Tender Title: Request for Proposal for Selection of Security System Integrator to set up Security Operation Centre (SOC) for Bank.
Participation Fee (Non-Refundable): Rs. 20,000/- (Rupees Twenty Thousand only)
Bid Security (EMD): Rs. 25,00,000/- (Rupees Twenty Five Lakhs only), in the form of a Bank Guarantee from a Scheduled Commercial Bank
Bid Validity: 180 days
Date of Publishing the tender on Bank’s Website: 21.08.2017, 11:00 Hrs
Last Date for submission of Pre-Bid Queries: 28.08.2017 (Queries must be e-mailed to [email protected] only, as per Annexure VIII in MS-Excel format, quoting the Tender Number in the subject field of the email.)
Date and Time of Pre-Bid Meeting: 30.08.2017, 15:00 Hrs
Last Date and Time for submission of Bids: 15.09.2017, 15:00 Hrs
Date and Time of Opening of Technical Bids: 15.09.2017, 15:30 Hrs
Date and Time of Opening of Commercial Bids: To be notified later to the qualifying bidders only.
Place of Opening of Bids: Punjab & Sind Bank, HO IT Dept., 2nd Floor, 21 Bank House, Rajendra Place, New Delhi - 110008
Contact Person for any clarifications/Submission of Bids: Santosh Neeraj – DGM (CISO)
Contact Number: 7840053500
If any of the dates given above happens to be Holiday in Delhi, the related activity shall be undertaken
on the next working day at the same time.
CHAPTER 1 – INSTRUCTIONS TO BIDDERS
1.1 Minimum eligibility Criteria for the Bidders
Bidders are required to provide factually correct responses to this RFP. Adequate justification and
documents for the response (including the technical and other requirements) should be provided as part
of the response. In case the Bank finds any response to be inadequate, the Bank has the right to ask for
additional explanation/ justification/ documentations. In the event of any discrepancy in the response
submitted by the bidder, the Bank reserves the right to disqualify and/or blacklist the bidders.
The Bank reserves the right to verify/ evaluate the claims made by the Bidders independently. Any
deliberate misrepresentation will entail rejection of the bid.
The Minimum Eligibility Criteria for the bidder (the “bidder”, hereinafter also called the “Security Integrator”,
“vendor” or “SI”) shall be as under:
Sr. No. / Eligibility Clause / Documents Required

EC-1: The Bidder should be a company/firm in India registered under the Companies Act, 1956 for a period of
minimum five (05) years.
    Documents Required: Certificate of Incorporation & Commencement of Business (applicable for Public Ltd.
    Companies). A certified copy of the same is required to be submitted with the Bid.

EC-2: The Bidder should have an annual turnover of Rs. 100 Crore per annum in each of the last three Financial
Years (i.e. FY 2014-15, 2015-16 and 2016-17).
    Documents Required: Audited Financial Statements for the last three Financial Years, viz. 2014-15,
    2015-16 and 2016-17, along with a CA certificate.

EC-3: The Bidder should have a positive net worth in each of the last 3 Financial Years (i.e. FY 2014-15,
2015-16 and 2016-17).
    Documents Required: Audited Financial Statements for the last three Financial Years, viz. 2014-15,
    2015-16 and 2016-17, along with a CA certificate.

EC-4: The Bidder should have an annual turnover of at least Rs. 10 Crores in providing security services in
each of the last three Financial Years (i.e. FY 2014-15, 2015-16 and 2016-17).
    Documents Required: CA Certificate/Customer PO/CA Declaration.

EC-5: The Bidder should have experience with at least 1 BFSI (Banking, Financial Services and Insurance) or
Govt. Sector client in implementing/supporting a Security Operations Centre (SOC) in the last 5 years in India.
    Documents Required: Copies of purchase orders showing SOC experience with clients.

EC-6: The Bidder should have implemented or provided/be providing SOC Security Services, including log
monitoring and correlation, for a minimum of 1000 EPS to at least one (01) BFSI or Govt. Sector client in India.
    Documents Required: Letter from the client on client letterhead/commissioning report, along with the name,
    designation and landline telephone contact details of the client contact.

EC-7: The Bidder’s organization should have ISO 27001 certification.
    Documents Required: Copy of ISO 27001 certificate.

EC-8: The Bidder should not be the existing System Integrator (for Network Infrastructure/Facility Management)
for Punjab & Sind Bank, to avoid conflict of interest.
    Documents Required: Bidder undertaking to this effect.

EC-9: The proposed solutions (i.e. SIEM, WAF, PIM and Anti-APT) should have been successfully implemented at
BFSI or Govt. Sector client(s) in India.
    Documents Required: OEM letter with client name.

EC-10: The Bidder should deploy industry-standard licensed tools.
    Documents Required: Undertaking letter from Bidder.

EC-11: The SIEM deployed must be in the Leader or Challenger Quadrant of the latest published Gartner report
for SIEM.
    Documents Required: Gartner Report.

EC-12: The Bidder should not have been put on the negative list or blacklisted by any Public Sector Bank/
Government Organization for breach of applicable laws, violation of regulatory prescriptions or breach of
agreement for providing SOC services, at the time of bid submission.
    Documents Required: Undertaking letter from the Bidder.

EC-13: The Bidder/OEM should have successfully implemented SIEM in integration with a Core Banking System
(Finacle). Where the OEM’s experience is relied upon, the OEM shall own complete implementation responsibility
for the SIEM.
    Documents Required: Undertaking letter from OEM.

EC-14: The Bidder/OEM should have successfully implemented WAF, PIM and Anti-APT. Where the OEM’s experience
is relied upon, the OEM shall own complete implementation responsibility for each solution for which the OEM
submits proof (WAF, PIM and Anti-APT).
    Documents Required: Undertaking letter from OEM.

EC-15: The proposed solutions should be certified/benchmarked by an independent third party/OEM for
performance and security.
    Documents Required: Certificate/benchmark report for security and performance from an independent third
    party, OR OEM letter for performance and security.

EC-16: The proposed WAF solution must be in the Leader or Challenger Quadrant of the latest published Gartner
report.
    Documents Required: Latest Gartner Report.
Photocopies of relevant documents/ certificates, duly stamped and signed must be submitted as proof in
support of the claims made. The Bank reserves the right to verify/ evaluate the claims made by the
Bidder independently. The decision of the Bank in this regard shall be final, conclusive and binding
upon the Bidder.
1.2 Language of the Bid
The bid as well as all correspondence and documents relating to the bid exchanged by the Bidder and the
Bank shall be in English language only.
1.3 No commitment to accept lowest or any bid
The Bank shall be under no obligation to accept the lowest or any other offer received in response to this
tender notice and shall be entitled to reject any or all offers including those received late or incomplete.
Bank will be under no obligation to have discussions with any bidder, and/or entertain any
representation.
1.4 Right To Accept Any Bid And To Reject Any Or All Bids
PUNJAB & SIND BANK reserves the right to accept or reject in part or full any or all offers without
assigning any reason thereof even after issuance of letter of Intent. Any decision of Punjab & Sind Bank
in this regard shall be final, conclusive and binding upon the bidders. The Bank reserves the right to
accept or reject any Bid in part or in full, and to annul the Bidding process and reject all Bids at any time
prior to contract award, without thereby incurring any liability to the affected Bidder or Bidders or any
obligation to inform the affected Bidder or Bidders of the grounds for Bank’s action. During any stage
of evaluation process, if it is found that the bidder does not meet the eligibility criteria or has submitted
false /incorrect information the bid will be summarily rejected by the Bank and no further
correspondence would be entertained in this regard. Bank further reserves the right to amend, rescind,
reissue or cancel this RFP and all amendments will be advised to the Bidder and such amendments will
be binding upon them. The Bank also reserves its right to accept, reject or cancel any or all responses to
this RFP without assigning any reason whatsoever. Further please note that the bank would be under no
obligation to acquire any or all the items proposed. No contractual obligation whatsoever shall arise
from the RFP process unless and until a formal contract is signed and executed by duly authorized
officials of Punjab & Sind Bank and the bidder.
1.5 Correction of Errors
Bidders are advised to exercise greatest care in entering the pricing figures. No corrigenda or requests
for prices to be corrected will be entertained after the bids are opened. If there are any corrections in the
bid document, the authorized signatory should initial them all, failing which the figures for such item
shall not be considered. Discrepancies in bids will be corrected as follows:
• Where there is a discrepancy between the amounts in figures and in words, the amount in words
shall prevail.
• Where there is a discrepancy between the unit rate and the line item total resulting from
multiplying the unit rate by the quantity, the unit rate will govern unless, in the opinion of Bank,
there is an obvious error such as a misplacement of a decimal point, in which case the line item
total will prevail
• Where there is a discrepancy between the amount mentioned in the bid and the line item total
present in the schedule of prices, the amount obtained on totaling the line items in the Bill of
Materials will prevail
The amount stated in the correction form, adjusted in accordance with the above procedure, shall be
considered as binding, unless it causes the overall price to rise, in which case the bid price shall prevail.
Based on the Bank’s requirements as listed in this document, the bidder should identify and offer the
best-suited solution / bill of material for the product that would meet the Bank’s requirements and quote
for the same.
1.6 Bid Validity Period
Bids shall remain valid for 180 (one hundred eighty) days from the date of opening of the technical bid.
The Bank holds the rights to reject a bid valid for a period shorter than 180 days as non-responsive,
without any correspondence. In exceptional circumstances, The Bank may solicit the Bidder’s consent to
an extension of the validity period. The request and the response thereto shall be made in writing.
Extension of validity period by the Bidder should be unconditional and irrevocable. The Bid Security
provided shall also be suitably extended.
A Bidder acceding to the request will neither be required nor be permitted to modify its bid. A Bidder
may refuse the request without forfeiting its bid security. In any case the bid security of the Bidders will
be returned after completion of the process.
1.7 Pre-bid meeting
For clarification of doubts of the bidders on issues related to this RFP, the Bank intends to hold a Pre-
Bid Meeting on the date and time as indicated in the RFP in Key-Information.
For any clarification with respect to this RFP, the bidder may send an email to [email protected]
by last date of submission of queries as defined in Key-Information in this document. The format to be
used for seeking clarification is mentioned in Pre-bid Query Format. It may be noted that all queries,
clarifications, questions etc., relating to this RFP, technical or otherwise, must be in writing only and
should be sent to the email-id as stated earlier.
Only two (i.e. maximum) authorized representatives of the bidders will be allowed to attend the meeting.
1.8 Signing of contract
The successful bidder shall be required to enter into a contract with Bank, within thirty (30) days of the
award of the work or within such extended period, as may be specified by Bank. This contract shall be
based on this RFP document (read with addendums/Corrigendum/Clarifications), LOI, Purchase order
and such other terms and conditions necessary for the due performance of the work, as envisaged herein
and in accordance with the bid.
However, the terms and conditions of the purchase order and the RFP shall constitute a binding contract until
such a contract is executed.
1.9 Cost of Preparation and Submission of Bid
The Bidder shall bear all costs associated with the preparation and submission of its Bid and the Bank
will in no case be responsible or liable for these costs, regardless of the conduct or outcome of the
Bidding process.
1.10 Bid Security - Earnest Money Deposit (EMD)
Non-submission of the Earnest Money Deposit as mentioned in Key-Information will lead to outright
rejection of the Offer. The EMD is to be submitted in the form of a financial Bank Guarantee from any
scheduled commercial bank, valid for a minimum of 225 days from the Bid Submission Date.
EMD of unsuccessful Bidders will be returned to them on completion of the tender process. The EMD
of successful Bidder will be returned within 30 days on submission of Performance Bank Guarantee.
The Earnest Money Deposit may be forfeited under the following circumstances:
a. If the Bidder withdraws its bid during the period of bid validity (180 days from the date of
opening of the technical bid).
b. If the Bidder makes any statement or encloses any form which turns out to be false, incorrect
and/or misleading at any time prior to signing of contract and/or conceals or suppresses material
information; and / or
c. In case of the successful Bidder, if the Bidder fails:
• To honor submitted bid
• To sign the contract in the form and manner to the satisfaction of the Bank.
• To furnish performance Bank Guarantee in the form and manner to the satisfaction of the
Bank.
1.11 Formation of Technical Bid
The Technical offer/Technical bid must be made in an organized and structured manner. The Technical
Bid shall contain the following documents and should be properly sealed and marked with “Bid for
Security Operation Centre”, the Tender Reference Number, and the Bidder’s name and address, in the following
forms:
1. ANNEXURE - I Tender Covering Letter duly signed & stamped by the authorized signatory
2. ANNEXURE - II Compliance to Minimum Eligibility Criteria
3. ANNEXURE - III Bidder’s Information
4. ANNEXURE - IV Performa for the Bank Guarantee for Earnest Money Deposit
5. ANNEXURE - V Acceptance of Scope of Work
6. ANNEXURE - VI Acceptance/ Compliance Certificate
7. ANNEXURE - VII Format of Performance Guarantee
8. ANNEXURE - VIII Pre-bid Query Format
9. ANNEXURE - IX Technical Requirements/ Specifications
10. ANNEXURE - X Commercial Bill of Materials
11. ANNEXURE - XI Non-Disclosure Agreement
12. ANNEXURE - XII Resource Plan Matrix
13. ANNEXURE - XIII Check – List For Bid Submission
14. FORMAT - 1 Bidder’s Undertaking Letter 1
15. FORMAT - 2 Channel Partner/ Dealership/ Experience letter from OEM
16. FORMAT - 3 Confirmation of Soft Copy
17. FORMAT - 4 Compliance Statement
18. FORMAT - 5 Bidder’s Undertaking Letter 2
19. FORMAT - 6 Undertaking of Authenticity for Solution and Server Supplies
20. Quality/ Performance/ Benchmark Certifications for the products offered
21. Any other documents, forms, letters etc supporting above information.
Note: All claims made by the Bidder will have to be backed by documentary evidence. The Bidder is
expected to examine all instructions, forms, terms and specifications in the RFP. Failure to furnish all
information required, or submission of a Bid not substantially responsive to the RFP in every respect, will be at the
Bidder’s risk and may result in the rejection of the Bid.
1.12 Evaluation Process of the Bids
The Evaluation will be a two-stage process:
1. Technical Evaluation
a. Compliance to Minimum eligibility Criterion
b. Acceptance to all terms and conditions of RFP
c. Completeness of Bid as per RFP requirement
d. Acceptance to Scope of RFP
e. Technical Evaluation
2. Commercial Evaluation
The evaluation will be undertaken by an internal committee of Bank officials, which may include
consultants. The decision of the committee shall be considered final.
1.13 Preliminary Scrutiny
1. The Bank will examine the Bids to determine whether they are complete, required formats have
been furnished, the documents have been properly signed, and the Bids are generally in order.
2. The Bank may, at its discretion, waive any minor infirmity, non-conformity, or irregularity in a
Bid, which does not constitute a material deviation.
3. The Bank will first examine whether the Bid and the Bidder is eligible in terms of Eligibility
Criteria. The bids not meeting the Minimum Eligibility Criteria shall not be considered for
further evaluation.
4. Prior to technical evaluation, the Bank will determine the responsiveness of each Bid to the
Bidding Document. For purposes of these Clauses, a responsive Bid is one, which conforms to
all the terms and conditions of the Bidding Document without material deviations. Deviations
from, or objections or reservations to critical provisions, such as those concerning Bid Security,
Applicable Law, Bank Guarantee, Eligibility Criteria, will be deemed to be a material deviation.
5. The Bank’s determination of a Bid’s responsiveness will be based on the contents of the Bid
itself, without recourse to extrinsic evidence.
6. If a Bid is not responsive, it will be rejected by the Bank and may not subsequently be made
responsive by the Bidder by correction of the non-conformity.
CHAPTER 2 - TERMS AND CONDITIONS
2.1 Two Bid System
a) The offer should be submitted at the same time in two separate sealed covers, one containing the
Technical Bid (“TB”) and the other the Commercial Bid (“CB”), superscribed respectively “Technical Offer
for RFP for SOC” and “Commercial Bid for RFP for SOC”.
The sealed covers containing the Technical Bid and the Commercial Bid should in turn be put in a
sealed outer envelope superscribed “Technical and Commercial Bids for RFP for SOC”.
The sealed outer envelope should be submitted in person at the address below before the stipulated
date and time as per the Bid Schedule (Key Information):
Asstt General Manager (IT)
Punjab & Sind Bank, HO IT Dept.
2nd Floor, 21 Bank House, Rajendra Place
New Delhi 110008
The Bids shall be submitted with the following documents in the same sequence, failing which the bid
will be summarily rejected. All pages of the respective bids should be serially numbered and
signed by the authorized person.
The Technical and Commercial Bids should be submitted in hard copy and soft copy. The soft
copy should be on a CD with the name of the System Integrator and the type (“Technical Bid”,
“Commercial Bid”) clearly indicated on the CD. The CD should be included in the respective sealed
cover.
In case of any discrepancy between the hard copy and the soft copy documents, the signed
hard copy shall be considered final.
b) The TB should cover all items asked for in the Technical Requirements/ Specifications Annexure IX
and should not contain any price information.
c) The CB should give all relevant price information and should not contradict the Technical Bid (TB)
in any manner and should be submitted in the format given in “Annexure X Commercial Bill of
Material”.
d) Opening of the CB will be subject to the Bidders getting short-listed on the basis of technical
evaluation. (The CB of bidders not short listed will not be opened.)
e) The TB will be opened on the date specified in the presence of at most one authorized representative of
each bidder. The representative of the bidder shall produce an authorization letter from the bidder
to represent them at the opening of the TB. Irrespective of the presence of such representatives,
the TB will still be opened at the scheduled time at the sole discretion of the Bank, in the presence of
the Bank’s Tender Committee Members.
f) The original bids shall be typed or printed in a clear typeface and signed & stamped by authorized
representatives of the Bidder. The Copies of bids if any submitted may be good quality photocopies
of the original. An accompanying letter is required, signed by an authorized signatory of the Bidder,
committing the bidder to the contents of the original response.
g) The CB should give prices /costs in INR (Indian Rupees) only and bids in currencies other than INR
would be disqualified.
h) All costs should be for door delivery and should be exclusive of all taxes, duties, charges and levies
of State or Central Governments, as applicable and subject to deduction of all statutory deductions
applicable, if any. The benefits realized by Bidder due to lower rates of taxes, duties, charges and
levies shall be passed on to Bank.
i) The Bidder has to submit masked Commercial Bid along with the technical bid document.
2.2 Pro-forma for Technical Details
a) The Bank expects a point-to-point reply (for the Technical Requirements/Specifications in Annexure IX),
clearly stating the response requested by the Bank in the column provided and any additional
information in the Remarks/Explanation column. If any additional data sheets/reports/screenshots
are to be attached, label them as annexures and refer to the annexure number in the Remarks column. Please note
that product brochures/webpage printouts that only broadly cover the technical requirements/
specifications are not acceptable and are liable for rejection.
b) Point wise compliance of the terms and conditions enumerated in Tender Document. Any technical/
commercial deviation with the Tender Document should be clearly stated with the reasons thereof.
c) The detailed specifications, make and versions of various components (H/W, S/W, Network) and
tools proposed by the Bidder to be provided.
d) The Bank reserves the right not to allow/ permit changes in the technical specifications and not to
evaluate the offer in case of non-submission or partial submission of technical details.
e) The Bank may at their discretion waive any minor non-conformity or ask for clarifications in any
offer and the same shall be binding on all bidders and the Bank reserve the right for such waivers or
accepting such clarifications at a later date, before the date of opening of commercial bids.
f) If the Bank is not satisfied with the compliance to technical specifications in the bid and observes
major deviations, the technical bids of such bidders will not be short-listed and the CB of such
bidders will not be opened. No further discussions shall be entertained with such bidders in this
regard /matter.
g) The Bank reserves the right to reject this Tender Notice in part or full, or cancel the entire process at
any stage without assigning any reason. The bank shall not be obliged to inform the affected
bidder(s) of the grounds for the Bank’s rejection.
h) The bank reserves the right to change or relax the eligibility criteria to ensure inclusivity and fair
play.
i) The Bank reserves the right to re-tender and shall not incur any liability to the affected
bidder(s) on account of such rejection. The Bank shall not be obliged to inform the affected bidder(s)
of the grounds for the Bank’s rejection. The Bank reserves the right to modify any technical
requirements/specifications within the overall scope of the RFP before accepting bids from the
bidders, and the same will be communicated to the bidders through an Addendum/Corrigendum.
j) The Bank reserves the right to modify any technical requirements specifications within the overall
scope of this Tender and the Bank reserves the right to obtain revised CB from the bidders with
regard to changes in clauses/terms & Conditions or if the Bank is not satisfied with the prices
offered.
k) Notwithstanding anything contained herein above, in case of any dispute, claim and legal action
arising out of this tender, the parties shall be subject to the jurisdiction of courts at New Delhi i.e.
where Bank’s Head Office is located.
2.3 Modification and withdrawal of offers
a) The bidder may modify or withdraw its offer after submission, provided that a written notice of the
modification or withdrawal is received by the Bank prior to the closing date and time prescribed for
submission of offers.
b) No offer can be modified or withdrawn by the bidder subsequent to the closing date and time for
submission of the offers without the risk of the bid security being forfeited.
2.4 Erasure or Alterations
a) The offers should not contain handwritten material, erasures, corrections or alterations. Technical
details must be completely filled in, with correct technical information for the product being offered.
b) Filling in the forms with terms such as “OK”, “complied”, “noted”, “as given in the
brochure/manual”, etc. is not acceptable; the forms must be filled in as requested by the Bank, with
additional details in the Remarks/Explanation columns. If supporting documents, screenshots etc. are
attached, they should be properly labelled and referenced in the Remarks/Explanation
column.
c) The Bank may treat the offers as unacceptable if they do not adhere to these guidelines.
2.5 No Commitment to Accept Lowest or Any Tender
a) The bank shall be under no obligation to accept the lowest or any other offer received in respect of
this tender and shall be entitled to reject any or all offers without assigning any reason whatsoever.
b) The bank reserves the right to ‘call off’/ cancel the tender proceedings or cancel the Tender at any
point of time.
2.6 Delivery Locations
a) The proposed solutions need to be delivered & installed at locations specified in the Scope of Work.
2.7 Bid Price & Bid Security
a) RFP document can be purchased against payment of Participation Fee (Non Refundable), mentioned
in the Key Information section of this RFP, in the form of a Demand Draft issued by a Scheduled
Commercial Bank favoring Punjab & Sind Bank, payable at New Delhi.
b) Alternatively the RFP document can be downloaded from the Bank's website www.psbindia.com.
However, bidder will have to submit the Demand Draft along with the TB in the sealed cover.
c) In the event of non-submission of Participation Fee towards the Tender Document the Technical Bid
will not be considered and the bidder would in effect be disqualified.
d) Bidders are required to give a Bid Security (EMD) as mentioned in the Key Information section in
the form of Bank Guarantee along with Technical Bid. Offers made without the Bid Security (EMD)
will be rejected.
e) The Bid Security will be refunded to the unsuccessful bidders only after completion of the bid
process. No interest will be payable on the Bid Security amount.
f) The Bid security amount will be forfeited if the selected bidder refuses to accept assignment or
having accepted the assignment, fails to carry out his obligations mentioned therein.
2.8 Software drivers & manuals
a) All software and required drivers of the Solution/appliances/Servers are to be delivered along with
the appliance/Server.
2.9 Transport and Insurance Costs
a) The price bid will be inclusive of transportation to locations specified in the Tender, insurance till
installation, supervision of commissioning, and acceptance.
b) Any delay in installation of the hardware for whatsoever reason should not entail in expiry of
insurance and the same should be continued to be extended up to the date of installation,
commissioning, and acceptance of the Hardware by the bank.
2.10 Fixed Price
a) The rates quoted by the bidders in the CB are exclusive of taxes prevailing at the time of submission
of bid. Bank will pay the taxes on actual on production of necessary documents by the bidder to the
Bank.
b) The prices indicated in the CB should address all requirements in the technical bill of material. No
other cost apart from that mentioned in the final commercial bill of material shall be considered.
c) Where there is a discrepancy between the amounts in figures and in words, the amount in words
shall govern.
d) Where there is a discrepancy between the unit rate and the line item total resulting from multiplying
the unit rate by the quantity, the unit rate will govern unless, in the opinion of the Bank, there is
obviously a gross error such as a misplacement of a decimal point, in which case the line item total
will govern.
e) If any bidder fails to quote or leaves 'blank' against any of the services or line items in the CB sought
by the Bank, the Bank will presume that the cost of such items is included in the overall
cost and will not accept any plea or excuse from the bidder later. Such solution/ services have to be
provided to the Bank without any extra cost along with all other solution/ services. However, for the
purpose of evaluation, the highest value quoted for such line item(s) by any of the bidders will be
taken into consideration.
f) The Price offer shall be on a fixed price basis. The rate quoted by the Bidder should necessarily
include the following:
- Cost of the equipment, solution, service
- Warranty for First Three (3) years & AMC for next two (2) years in the case of Hardware being
supplied and Licensing cost of Procuring the software in the first year & Software Technical
support along with product updates/upgrades for the next four (4) years.
- Transportation, forwarding and freight charges to the site.
- Comprehensive Insurance to cover equipment during transit period and until installation,
commissioning, and acceptance of equipment by the Bank.
g) Local entry taxes/octroi, if any, will be paid by the Bank on production of relative payment
receipts/documents.
h) Terms of payment as indicated in the Purchase Contract will be final and binding on the Bidder and
no interest will be payable by the Bank under any circumstances.
2.11 Performance Guarantee
a) The Bank will require the selected Bidder to provide a Performance Bank Guarantee, within 15 days
from the date of acceptance of the order or signing of the contract whichever is earlier, for a value
equivalent to 10% of the total contract value with validity of 63 months (or extended period, if any).
The selected Bidder shall be responsible for extending the validity date and claim period of the
Performance Guarantee as and when it is due. In case the selected Bidder fails to submit the
performance guarantee within the time stipulated, the Bank, at its discretion, may cancel the order
placed on the selected Bidder without giving any notice. Bank shall invoke the performance
guarantee in case the selected Bidder fails to discharge their contractual obligations during the period
or Bank incurs any loss due to Bidder’s negligence in carrying out the project implementation as per
the agreed terms & conditions.
b) Until the Performance Guarantee is provided, the validity of Bid Security shall continue.
2.12 Vicarious Liability
a) The bidder is responsible for managing the activities of its personnel or the personnel of its
consortium partners and will be accountable for both.
b) The bidder shall be vicariously liable for any acts, deeds or things done by their employees, agents,
contractors, subcontractors etc. which is outside the scope of power vested or instructions issued by
the Bank.
c) Bidder shall be the principal employer of the employees, agents, contractors, subcontractors etc.
engaged by BIDDER and shall be vicariously liable for all the acts, deeds or things, whether the
same is within the scope of power or outside the scope of power, vested under the purchase contract
to be issued for this tender.
d) No right of any employment shall accrue or arise, by virtue of engagement of employees, agents,
contractors, subcontractors etc. by the BIDDER, for any assignment under the purchase contract to
be issued for this tender.
e) All remuneration, claims, wages, dues etc. of such employees, agents, contractors, subcontractors
etc. of BIDDER shall be paid by BIDDER alone and the Bank shall not have any direct or indirect
liability or obligation, to pay any charges, claims or wages of any of BIDDER’s employee, agents,
contractors, and subcontractors.
f) The BIDDER agrees to hold the Bank, their successors, Assigns and Administrators fully
indemnified and harmless against loss or liability, claims, actions or proceedings, if any, of whatsoever
nature, that may arise and be caused to the Bank through the action of its employees, agents,
contractors, subcontractors etc.
2.13 Delivery, Installation, Commissioning and Completeness
a) The Bidder shall be responsible for delivery, installation, commissioning, and completeness of the
solutions as mentioned in the Scope of the RFP.
b) If the Bidder fails to deliver, install and/or supervise commissioning of the solutions within the
stipulated timelines as defined in the section Project Timelines of this RFP, it shall be considered as
a breach of contract. In such cases, Penalties shall be charged as per the service levels defined for the
Implementation Phase in the Service Level Agreements Section of this RFP.
c) The project shall be considered as completed only after commissioning of the solutions in scope with
the full-fledged features mentioned in the Scope of Work/ Technical Requirements. The necessary
customization, integration, policy/ rules development and configuration, and report generation for all
solutions in scope have to be completed.
d) The project period will start from the date of signoff (the date on which the bidder completes entire
installation/configuration/starting of services for all the items under the scope of work.)
2.14 Payment Terms
a) The SI must accept the payment terms proposed by the Bank. The sealed commercial bid submitted
by the SI must be in conformity with the payment terms proposed by the Bank. Any deviation from
the proposed payment terms would not be accepted. The Bank shall have the right to withhold any
payment due to the SI, in case of delays or defaults on the part of the SI. Such withholding of
payment shall not amount to a default on the part of the Bank.
b) The payment terms for the project are as follows:
Implementation Phase for SIEM (% of the Total payout for SIEM from the Final Commercial Bill of
Material):
- On Delivery of SIEM Solution as per scope: 50%
- Installation & Configuration of SIEM Solution as per scope: 20%
- Implementation Closure, which includes integration with devices, servers, and applications mentioned
in the Scope of the RFP, and also integration with the other solutions procured in this RFP, i.e.
making the SOC operational (as per scope of RFP), UAT, and receiving sign off from the Bank: 20%
- 6 months post sign off: 10%
Implementation Phase for Web Application Firewall (WAF) (% of the Total payout for WAF from the
Final Commercial Bill of Material):
- On Delivery of WAF Solution as per scope: 50%
- Installation & Configuration of WAF Solution as per scope: 20%
- Implementation Closure, which includes integration with devices/ applications in scope (including
integration with SIEM) and receiving sign off from the Bank: 20%
- 6 months post sign off: 10%
Implementation Phase for PIM Solution (% of the Total payout for PIM from the Final Commercial Bill
of Material):
- On Delivery of PIM Solution as per scope: 50%
- Installation & Configuration of PIM Solution as per scope: 20%
- Implementation Closure, which includes integration with devices/ applications in scope (including
integration with SIEM) and receiving sign off from the Bank: 20%
- 6 months post sign off: 10%
Implementation Phase for ANTI-APT Protection Solution (% of the Total payout for ANTI-APT
Protection from the Final Commercial Bill of Material):
- On Delivery of ANTI-APT Protection Solution as per scope: 50%
- Installation & Configuration of ANTI-APT Protection Solution as per scope: 20%
- Implementation Closure, including integration with existing devices (including with SIEM) and
receiving sign off from the Bank: 20%
- 6 months post sign off: 10%
Payment for SOC Resource Cost, SOC Maintenance Charges, Anti-Phishing Service Charges, &
Risk Assessment Services:
SOC Resource Cost: Quarterly (at the end of quarter) from the date of sign-off of the project.
SOC Maintenance Charges: Quarterly (at the end of quarter).
Anti-Phishing Service Charges: Quarterly (at the end of quarter) from the date of sign-off of the
Anti-Phishing Service.
Other Implementation Charges (For LED, Racks, Network Cables, & Others): Payment shall be
made after Implementation Closure phase of SIEM.
Other Security Services (As per Sr No 1 of Other Security Services Table of CB): Quarterly at the
end of quarter/ as and when Bank avails the services.
Risk Assessment Services: On completion of the Risk Assessment Activity and submission of report to
the satisfaction of the Bank. The bidder shall provide the rate for the Risk Assessment Services in the
CB and payment shall be made as per the rate.
Payment will be made to the Security System Integrator quarterly in arrears on submission of invoice
and other supporting documents.
The payments as per the Payment Schedule covered shall be paid by HO IT Department, Punjab & Sind
Bank, 2nd Floor, 21 Bank House, Rajendra Place, New Delhi - 110008.
2.15 Penalty
a) The bidder must strictly adhere to the schedules for completing the assignments. Failure to meet
these delivery dates, unless it is due to reasons entirely attributable to the bank, may constitute a
material breach of the bidder's performance. In the event that the Bank is forced to cancel an
awarded contract (relative to this RFP) due to the bidder's inability to meet the established delivery
dates, the bank may take suitable penal actions as mentioned below.
b) [ As per clause 4.1 ] The Bank will consider the inability of the SI to deliver or install or implement
the equipment/ solution within the specified time limit as a breach of contract, and it would entail the
payment of Liquidated Damages on the part of the SI. Notwithstanding the Bank's right to cancel
the order, Liquidated Damages at 1% of the Total Implementation Cost of the delayed solution/
service per week will be charged for every week's delay in the implementation of the proposed
solution/ service beyond the specified delivery/ commissioning/ installation/ implementation period,
subject to a maximum of 20% of the value of the total Implementation Cost of the delayed solution/
service. The Bank reserves the right to recover these amounts by any mode, such as adjusting from
any payments to be made by the Bank to the company and invoking the Bank guarantee.
The liquidated damages represent an estimate of the loss or damage that the Bank may have
suffered due to delay in performance of the obligations (relating to delivery, installation,
operationalization, implementation, training, acceptance, warranty, maintenance etc. of the Security
Operations Center) by the SI.
Installation will be treated as incomplete in one/all of the following situations:
- Non-delivery of any component or services/solution mentioned in the RFP.
- Non-delivery of supporting documentation.
- Delivery/Availability, but no installation of the components and/or software/ solution.
- No Integration.
- System operational, but unsatisfactory to the Bank.
c) Part of week will be treated as a week for this purpose.
d) However, liquidated damages will not be levied in case the delay cannot be attributed to the bidder.
e) Penalties will be calculated as per the SLA section of this RFP.
f) The SI shall provide uninterrupted services for ensuring implementation and maintenance of the
Security Operations Center as per the requirements of the RFP. Inability of the SI to either ensure
deliverables as per specifications within defined timelines or to meet the service levels as specified
in this RFP shall be treated as breach of contract and would invoke the penalty clause.
g) Notwithstanding anything contained above, no such penalty will be chargeable on the SI for the
inability occasioned, if such inability is due to reasons entirely attributable to the Bank.
h) If at any time during performance of the Contract the SI should encounter conditions impeding
timely delivery of the Goods and performance of the Services, the SI shall promptly notify the Bank
in writing of the fact of the delay, its likely duration and its cause(s). As soon as practicable after
receipt of the SI's notice, the Bank shall evaluate the situation and may at its discretion extend the
SI's time for performance, with or without liquidated damages, in which case the extension shall be
ratified by the parties by amendment of the Contract.
i) Any delay by the SI in the performance of its delivery obligations shall render the SI liable to the
imposition of liquidated damages, unless extension of time is agreed upon without the application of
liquidated damages.
j) The maximum total overall penalty levied during entire tenure of the contract shall not exceed 10%
of Total SOC Project Cost of the Contract.
2.16 Contract Cancellation
a) The Bank reserves the right to cancel the contract and invoke the Bank Guarantee in the event of
happening of one or more of the following Conditions:
i. Failure of the successful bidder to accept the contract/ LOI and furnish the Performance
Guarantee within 15 days of receipt of purchase contract.
ii. Delay in delivery beyond the specified period.
iii. Delay in completing installation, implementation, and acceptance tests/checks beyond the
specified period.
iv. Delay in project sign off beyond specified time.
b) In addition to the cancellation of purchase contract, the Bank reserves the right to appropriate the
damages through encashment of Bid Security/ Performance Guarantee or security given by the
Bidder.
2.17 Indemnity
a) Bidder should ensure that the hardware/Solution delivered to the Bank are licensed and legally
obtained with the valid documentation made available to the Bank.
b) Bidder should ensure that the hardware delivered to the Bank including all components and
attachments are brand new.
c) Bidder shall indemnify, protect and save the Bank against all claims, losses, costs, damages,
expenses, actions, suits and other proceedings resulting from infringement of any patents, trademarks,
copyrights etc., or such other statutory infringements under the Copyright Act, 1957 or IT Act 2000
and its subsequent amendments, in respect of all the hardware, software and network equipment or
other systems supplied by them to the Bank from whatsoever source.
d) The Bidder shall, at their own cost and expenses, defend and indemnify the Bank against all third-
party claims including those of the infringement of Intellectual Property Rights, including patent,
trademark, copyright, trade secret or industrial design rights, arising from use of the Products or any
part thereof in India.
e) The Bidder shall expeditiously meet any such claims and shall have full rights to defend itself
therefrom. If the Bank is required to pay compensation to a third party resulting from such infringement,
the Bidder shall be fully responsible therefor, including all expenses and court and legal fees.
f) The Bidder shall also be liable to indemnify the Bank, at its own cost and expenses, against all
losses/damages, which the Bank may suffer on account of violation by the Bidder of any or all
national/international trade laws, norms, standards, procedures etc.
g) The bidder shall always keep indemnified and hold the Bank harmless from and against any and all
damages, losses, liabilities, claims, actions, costs and expenses (including attorneys' fees) relating to,
resulting directly or indirectly from or in any way arising out of any claim, suit or proceeding
brought against the Bank by a third party as a result of non-compliance with Laws in force, or default in
obtaining consents, permissions, approvals, licenses, etc., as may be necessary or required for this
project or for the conduct of their own business under any applicable Law, Government
Regulation/Guidelines.
h) In the event of third-party software products being incorporated in or forming part of the Solution,
either as its main engine or under a run-time or other subsidiary license, the bidder(s) shall warrant
that the software has been procured by the bidder(s) under valid licenses from the relevant
intellectual property right owners of such software.
The bidder(s) further warrants that they possess a legal right to use the software under such licenses,
in terms set out under any relevant license or sub-license agreement. The bidder(s) will indemnify
the Bank for any and all costs that may arise out of the use of software, in which it is alleged that any
rights of the owners of such software have been infringed.
2.18 Manufacturer’s Authorization Form
a) The Bidder should furnish a letter from original equipment manufacturer authorizing the bidder to
quote for OEM’s product in response to the RFP.
b) The said letter should also offer to extend the required warranty from the OEM in respect of the
items stipulated in the tender for contract period. The Proforma of the letter is given in Format 3
OEM Letter.
c) The Bidder should furnish undertaking of authenticity as prescribed in Format 6 Solution
Authentication Letter along with Bid documents.
2.19 Publicity
a) Any publicity by the Bidder in which the name of the Bank is to be associated should not be carried
out without the explicit written approval of the Bank.
b) In case the Bidder desires to show any of the services to their customers at Bank's sites, prior
approval of the Bank will have to be obtained by them.
2.20 Confidentiality of Banks data
a) Bidder agrees that all information gathered during the course of the RFP or contract from the Bank,
including oral enquiries, letters, documents, emails, presentations, interactions, technical
documentation and other information, is confidential information of the Bank. Unauthorized
disclosure of any such confidential information will amount to breach of contractual terms, and in
such cases the Bank may prematurely terminate the contract and initiate any legal action as deemed fit.
b) The Bidder will treat as confidential all data and information about the Bank obtained in the process
of execution of their responsibilities, in strict confidence, and will not reveal such information to any
other party without the written approval of the Bank.
2.21 Force Majeure
a) The Bidder shall not be liable to the Bank if, and to the extent that, the undertaking or performance
of any of its activities, duties, obligations or functions under the Agreement is prevented, restricted,
delayed or interfered with due to circumstances beyond the Bidder's control which do not involve
the Bidder's fault or negligence.
b) Such event may include acts of god or public enemy, acts of Government of India in their sovereign
capacity and acts of war.
c) The Bidder claiming an event of force majeure shall promptly notify the Bank in writing, within fifteen
calendar days, of such delay or failure in performance, the reasons thereof, the expected duration
thereof and its anticipated effect, and shall also keep the Bank informed of further developments.
d) The Bidder shall use its best efforts to remedy such a cause of non-performance.
e) Unless otherwise directed by the bank in writing, the Bidder affected by force majeure shall continue
to perform the obligations under this agreement, which are not affected by the force majeure event
and shall take such steps as are reasonably necessary to remove the causes resulting in force majeure
and to mitigate the effect thereof.
f) As soon as the cause of force majeure has been removed, the Bidder shall notify the Bank and
resume the affected activity without delay.
g) Notwithstanding the above, the decision of the bank shall be final and binding on the Bidder in the
event of force majeure.
2.22 Amendments/Supplements to Bidding Documents and Right to alter Quantities
a) The Bank reserves the right to alter the quantities specified in the tender and to delete, substitute or
add items from the ones specified in the tender.
b) At any time prior to the deadline for submission of bids, the Bank may, for any reason, modify the
RFP Document by amendments/ corrigendum at the sole discretion of the Bank. All amendments/
corrigenda will be in writing and shall be posted on the Bank's website. In order to provide
prospective bidders reasonable time to take the amendment into account in preparing their bid, the
Bank may, at its discretion, extend the deadline for submission of bids.
2.23 Technical Inspection and Performance Evaluation
a) Bank may choose to carry out a technical inspection and performance evaluation of the solutions by
the third party.
2.24 Review of the Agreement
a) The bank reserves the right to review the performance of the bidder, which shall be reviewed after
every year and the bank reserves the right to terminate the contract at any point of time after giving 3
month notice without assigning any reasons.
2.25 Mean Time between Failures (MTBF)
a) If during warranty and AMC period, any equipment has a hardware failure on three or more
occasions in a period of less than three months or five times in a period of less than twelve months, it
shall be replaced by equivalent or higher-level new equipment by the Bidder at no cost to the Bank.
b) However, if the new equipment supplied is priced lower than the price at which the original item was
supplied, the differential cost should be refunded to the Bank.
c) Non-adherence to the above stipulations will entail levy of penalty as per the SLA section of this RFP.
2.26 General Instructions
a) Bank is looking for well-proven solutions, which are being used in Banking and Financial
environment. The capabilities, operating characteristics and other technical details on architecture of
the hardware items offered should be furnished together with product brochures, literature and
technical specifications etc.
b) The technical literature explaining the special features of the solution being offered should be
furnished.
c) If the detail of solution offered by the Bidder is available on any website, the address thereof should
be indicated. The review details of the product/solution by third party industry survey agencies like
Gartner, Frost & Sullivan, IDC and Forrester should also be provided.
d) The Bidder shall be responsible for extending the validity date and claim period of all the bank
guarantees as and when it is due on account of incompletion of work under guarantees.
e) Bank shall invoke the guarantee before expiry of validity if work is not completed and the guarantee
is not extended, accordingly.
f) In case of non-submission or partial submission of details sought in this tender, the Bank reserves
their right not to evaluate the offer.
g) The Technical Bid must be submitted in an organized and structured manner. No brochures / leaflets
etc. should be submitted in loose form. A point-wise explanation is to be provided in the column
Remarks/explanation. Supporting documents shall be labeled properly and reference to the same is
to be provided under the Remarks column.
h) Each page of the tender document issued by the Bank shall be signed and returned by the Bidder.
i) Bank reserves the right to disqualify any or all Bidders, either on the basis of their responses to all or
some of the response sheets or even any part thereof, without assigning any reasons whatsoever.
j) Bank reserves the right to issue amendments, seek any details / clarifications from the bidders at any
stage of the RFP.
k) It is absolutely essential for the bidders to quote the lowest price at the time of making the offer in
their own interest. No Bidder shall contact the Bank on any matter relating to its offer from the time
of offer opening to the time the Contract is awarded. Any effort by a bidder to influence the Bank in
its decision on offer evaluation, comparison or contract award decisions may result in the rejection
of the Bidder’s offer.
2.27 Warranty/ AMC
a) Hardware:
The offer must include a minimum comprehensive on-site free warranty of 3 years from the date of
installation and acceptance of the solution by the Bank including all parts and labour. No parts,
accessories of the systems should be excluded from such warranty.
The offer shall also include AMC of 2 years from expiry of the warranty period. During the AMC period,
the services rendered by the bidder should be the same as those extended during the Warranty
period.
All the hardware to be delivered for the SOC Project should be sized at 70% CPU and RAM peak
utilization.
Software:
All software updates/upgrades during the period of contract have to be provided at no cost to the
Bank. All technical support issues related to software like bugs, problems with the product software
causing service disruptions have to be attended to as per the SLA terms mentioned in this RFP. It is the
responsibility of the bidder/ OEM that the software solution shall function at a satisfactory level
during the period of contract.
All software supplied will carry warranty including Patches and software/product/solution updates
and upgrades for 5 years.
b) Bidder shall be fully responsible for the manufacturer's warranty in respect of proper design, quality
and workmanship of all equipment, accessories etc. covered by the tender.
c) Bidder must warrant all equipment, accessories, spare parts etc. against any manufacturing defects
during the warranty and AMC period.
d) During the warranty period of the contract, the bidder shall maintain the systems and repair/replace at the
installed site, at no charge to the Bank, all defective components that are brought to the Bidder's
notice.
e) The Bidder shall carry out Preventive Maintenance (PM), including cleaning of interior and exterior,
of all hardware and testing for performance once in a calendar quarter and should maintain proper
records of the same.
f) As far as possible, the equipment should be repaired at site, and where the equipment is taken for
repairs outside the Bank, a substitute of similar or higher configuration/ capacity equipment
should be provided and data should be transferred to the substitute machine, besides creating a
backup.
g) The selected bidder shall deploy latest version of all software/ hardware/ licenses/ solutions/ devices
for the SOC Project.
h) The selected bidder shall be liable for not meeting security standards and/or cyber security aspects for
the SOC Solutions.
2.28 Resolution of Disputes
a) The Purchaser (Bank) and the supplier (Bidder) shall make every effort to resolve amicably, by
direct informal negotiation any disagreement or dispute arising between them under or in connection
with the contract.
b) If, after thirty days from the commencement of such informal negotiations, the Bank and the bidder
are unable to resolve a contract dispute amicably, either party may require that the dispute be
referred for resolution through formal arbitration.
c) All questions, disputes or differences arising under and out of, or in connection with the contract or
carrying out of the work whether during the progress of the work or after the completion and
whether before or after the determination, abandonment or breach of the contract shall be referred to
arbitration by two Arbitrators: one Arbitrator to be nominated by the Purchaser and the other to be
nominated by the Supplier.
d) In the case of the said Arbitrators not agreeing, then the matter will be referred to an umpire to be
appointed by the Arbitrators in writing before proceeding with the reference.
e) Work under the Contract shall be continued by the selected bidder during the arbitration proceedings
unless otherwise directed in writing by the Bank unless the matter is such that the works cannot
possibly be continued until the decision of the arbitrator or of the umpire, as the case may be is
obtained and save as those which are otherwise explicitly provided in the Contract, no payment due
or payable by the Bank, to the selected bidder shall be withheld on account of the ongoing
proceedings, if any, unless it is the subject matter or one of the subject matter thereof.
2.29 Ownership and Retention of Documents
The Bank shall own the documents, prepared by or for the selected Bidder arising out of or in
connection with the Contract.
Forthwith upon expiry or earlier termination of the Contract and at any other time on demand by The
Bank, the Bidder shall deliver to The Bank all documents provided by or originating from The Bank/
Purchaser and all documents produced by or from or for the Bidder in the course of performing the
Service(s), unless otherwise directed in writing by The Bank at no additional cost.
The selected Bidder shall not, without the prior written consent of The Bank/ Purchaser, store, copy,
distribute or retain any such Documents.
The selected Bidder shall preserve all documents provided by or originating from The Bank / Purchaser
and all documents produced by or from or for the Bidder in the course of performing the Service(s) in
accordance with the legal, statutory, regulatory obligations of The Bank /Purchaser in this regard.
2.30 Conflict of Interest
The Bidder shall disclose to the Bank in writing all actual and potential conflicts of interest that exist,
arise or may arise (either for the Bidder or the Bidder's team) in the course of performing the
Service(s) as soon as practical after it becomes aware of that conflict.
2.31 Compliance with Laws
The bidder should adhere to the laws of the land and the rules, regulations and guidelines prescribed by
various regulatory, statutory and Government authorities. The Bidder is to ensure that all the proposed
solutions are compliant with all existing regulatory guidelines of GOI/RBI and also adhere to the
requirements of the IT Act 2000 (including amendments in IT Act 2008) and the Payment and Settlement
Systems Act 2007 and amendments thereof. A self-declaration to this effect is to be submitted by the bidder.
The Vendor shall undertake to observe, adhere to, abide by, comply with all applicable laws in force or
as are or as made applicable in future, pertaining to or applicable to them, their business, their
employees or their obligations towards them and all purposes of this Tender and shall indemnify, keep
indemnified, hold harmless, defend and protect the Bank and its employees/ officers/ staff/ personnel/
representatives /agents from any failure or omission resulting from Vendor’s non-compliance to
applicable laws on its part to do so and against all third party claims or demands of liability and all
consequences that may occur or arise for any default or failure on its part to conform or comply with the
above and all other statutory obligations arising therefrom.
Compliance in obtaining approvals/permissions/licenses: The Vendor shall promptly and timely obtain
all such consents, permissions, approvals, licenses, etc., as may be necessary or required for any of the
purposes of this project or for the conduct of their own business under any applicable Law, Government
Regulation/Guidelines and shall keep the same valid and in force during the term of the project, and in
the event of any failure or omission resulting from Vendor's non-compliance to do so, Vendor shall
indemnify, keep indemnified, hold harmless, defend, protect and fully compensate the Bank and its
employees/ officers/ staff/ personnel/ representatives/agents from and against all third party claims or
demands of liability and all consequences that may occur or arise for any default or failure on its part to
conform or comply with the above and all other statutory obligations arising therefrom, and the Bank
will give notice of any such claim or demand of liability within reasonable time to the Vendor.
This indemnification is only a remedy for the Bank. The Vendor is not absolved from its responsibility
of complying with the statutory obligations as specified above. Indemnity would be limited to court and
arbitration awarded damages and shall exclude indirect, consequential and incidental damages. However
indemnity would cover direct damages, loss or liabilities suffered by the Bank arising out of claims
made by its customers and/or regulatory authorities.
2.32 Legal Compliance
The successful bidder hereto agrees that it shall comply with all applicable union, state and local laws,
ordinances, regulations and codes in performing its obligations hereunder, including the procurement of
licenses, permits and certificates and payment of taxes where required. If at any time during the term of
this agreement, the Bank is informed or information comes to the Bank's attention that the Successful
bidder is or may be in violation of any law, ordinance, regulation, or code (or if it is so decreed or
adjudged by any court, tribunal or other authority), the Bank shall be entitled to terminate this agreement
with immediate effect.
The Successful bidder shall maintain all proper records, particularly but without limitation accounting
records, required by any law, code, practice or corporate policy applicable to it from time to time
including records, returns and applicable documents under the Labour Legislation.
The Successful bidder shall ensure payment of minimum wages to persons engaged by it as fixed from
time to time under the Minimum Wages Act, 1948. In case the same is not paid, the liability under the
act shall solely rest with the successful bidder.
2.33 Contract Termination/Order Cancellation
The Bank reserves the right to terminate the contract/ cancel the order placed with a reasonable notice
to the selected Bidder and recover expenditure incurred by the Bank under the following circumstances:-
a. The selected Bidder commits a breach of any of the terms and conditions of the bid that has an
adverse impact on the Bank.
b. The Bidder goes into liquidation, voluntarily or otherwise.
c. If the selected Bidder fails to complete the assignment as per the time lines prescribed in the RFP
and the extension if any allowed and maximum amount recoverable under liquidated damage is
reached, it will be a breach of contract. The Bank reserves its right to cancel the order in the
event of delay and forfeit the bid security as liquidated damages for the delay.
d. If deductions on account of liquidated damages exceed 10% of the total contract value.
e. In case the selected Bidder fails to deliver the services as stipulated in the schedule, the Bank
reserves the right to procure the same or similar product from alternate sources at the risk, cost
and responsibility of the selected Bidder.
f. The Bank reserves the right to recover any dues payable by the selected bidder from any amount
outstanding to the credit of the selected Bidder, including the pending bills and/or invoking The
Bank guarantee under this contract.
g. The Bank reserves its right to cancel the order in the event of one or more of the following
situations, that are not occasioned due to reasons solely and directly attributable to the bidder:
i. Delay in customization/ implementation/ takeover of services beyond the specified period
that is agreed in the contract that will be signed with the successful vendor.
ii. Serious discrepancy in the quality of services.
h. The Bank reserves its right to terminate the contract in the event of a change in bank policy/
administrative exigency after providing a notice period of six months and payment of all
outstanding dues for the services availed by the Bank.
2.34 Exit option and Reverse transition
a) The Bank reserves its right to cancel the order in the event of happening of one or more of the
situations as mentioned in the contract termination/Order Cancellation clause.
b) Notwithstanding the existence of a dispute, and/or the commencement of arbitration
proceedings, the bidder should continue to provide the facilities to the Bank.
c) Reverse transition mechanism would be activated in the event of cancellation of the contract or
exit by the parties or 6 months prior to expiry of the contract. The bidder should perform a
reverse transition mechanism to the Bank or its selected vendor. The reverse transition
mechanism would facilitate an orderly transfer of services to the Bank or to an alternative 3rd
party/ vendor nominated by the Bank. Where the Bank elects to transfer the responsibility for
service delivery to a number of vendors, the Bank will nominate a service provider who will be
responsible for all dealings with the bidder regarding the delivery of the reverse transition
services.
d) Knowledge Transfer: The bidder shall provide such necessary information, documentation to
the Bank or its designee, for the effective management and maintenance of the Deliverables
under this contract. Bidder shall provide documentation (in English) in electronic form
where available or otherwise a single hardcopy of all existing procedures, policies and
programs required to support the Services. Such documentation will be subject to the
limitations imposed by bidder’s Intellectual Property Rights of this Agreement.
e) The parties shall return confidential information and data, and will sign off and
acknowledge the return of such confidential information.
f) The bidder shall provide all other services as may be agreed by the parties in connection with the
reverse transition services. However, in case any other services, in addition to the above are
needed, the same shall be scoped and priced.
g) The bidder recognizes that, considering the scale of the assignment, the transition
services listed herein are only indicative in nature, and the bidder agrees to provide all
requisite assistance and services for a period of six months as required for fully and effectively
transitioning the services provided by the bidder under the scope, upon termination or
expiration thereof, for any reason whatsoever.
h) The cost for reverse transition if any should be part of the commercial offer.
i) During this period the existing bidder would transfer all knowledge, know-how and other things
necessary for the Bank or the new bidder to take over and continue to manage the services. The
bidder agrees that the reverse transition mechanism and support during reverse transition will
not be compromised or affected for whatever reason, be it cancellation or exit of the
parties.
j) The Bank shall have the sole and absolute discretion to decide whether proper reverse transition
mechanism over a period of 6 months, has been complied with. In the event of the conflict not
being resolved, the conflict will be resolved through Arbitration.
k) The Bank and the bidder shall together prepare the Reverse Transition Plan. However, the
Bank shall have the sole decision to ascertain whether such Plan has been complied with.
l) The bidder agrees that in the event of cancellation or exit or expiry of the contract it would
extend all necessary support to the Bank or its selected vendors as would be required in the event
of the shifting of the site during the six month period of reverse transition.
m) The bidder shall handover the complete data to bank after termination of contract/expiry of
contract.
2.35 Effects of Terminations
a) The bidder agrees that it shall not be relieved of its obligations under the reverse transition
mechanism notwithstanding the termination of the assignment.
b) Same terms (including payment terms) which were applicable during the term of the contract
should be applicable for reverse transition services.
c) The bidder agrees that after completion of the Term or upon earlier termination of the
assignment the bidder shall, if required by the Bank, continue to provide facility to the Bank at
no less favorable terms than those contained in this tender document. In case the bank wants to
continue with the bidder's facility after the completion of this contract then the bidder shall
offer the same or better terms to the bank. Unless mutually agreed, the rates shall remain
firm.
d) The Bank shall make such prorated payment for services rendered by the bidder and
accepted by the Bank at the sole discretion of the Bank in the event of termination,
provided that the bidder is in compliance with its obligations till such date. However, no
payment for “costs incurred, or irrevocably committed to, up to the effective date of such
termination” will be admissible.
e) Termination shall not absolve the liability of the Bank to make payments of undisputed
amounts to the bidder for services rendered till the effective date of termination.
Termination shall be without prejudice to any other rights or remedies a party may be entitled to
hereunder or at law and shall not affect any accrued rights or liabilities of either party nor the
coming into force or continuation in force of any provision hereof which is expressly
intended to come into force or continue in force on or after such termination.
f) Upon cancellation of the contract/completion of the period of service, the bidder should hand over
peaceful legal possession of all the assets provided and obtain a discharge from the Bank. The
Bank also reserves the right to assign or allot or award the contract to any third party upon
cancellation of the availed services.
2.36 Limitation of Liability
Neither party shall be liable to the other for any special, indirect, incidental, consequential (including
loss of profit or revenue), exemplary or punitive damages whether in contract, tort or other theories of
law, even if such party has been advised of the possibility of such damages.
The total cumulative liability of Bidder arising from or relating to the Agreement shall not exceed the
amount paid to the successful Bidder by the Bank during the preceding six (6) months period (as of the
date the liability arose).
The successful Bidder shall be excused and not be liable or responsible for any delay or failure to
perform the services or failure of the services or a deliverable or plant under the Agreement to the extent
that such delay or failure has arisen as a result of any delay or failure by the Bank or its employees or
agents or third party service providers to perform any of its duties and obligations. In the event that the
successful Bidder is delayed or prevented from performing its obligations due to such failure or delay on
the part of or on behalf of the Bank, then the successful Bidder shall be allowed an additional period of
time to perform its obligations and unless otherwise agreed the additional period shall be equal to the
amount of time for which the successful Bidder is delayed or prevented from performing its obligations
due to such failure or delay on the part of or on behalf of the Bank. Such failures or delays shall be
brought to the notice of the Bank and subject to mutual agreement (including on commercials) with the
Bank, the successful Bidder shall take such actions as may be necessary to correct or remedy the failures
or delays on mutually agreeable terms.
2.37 Bidder Employees’ Verification
The selected bidder shall submit employee verification report to the Bank for all employees onboarded
for the project. The bidder shall also submit the Non-disclosure Agreement (NDA) executed by the
bidder with the resources on-boarded for the SOC Project.
2.38 OEM Recommendation for Hardware, Software, Licenses
The bidder shall submit an OEM recommendation letter confirming the sufficiency of all deliverables
like- hardware, software (including licenses), services, and other tools etc. supplied by the bidder for the
project as per the scope of the RFP.
2.39 Security Certificate
The bidders shall submit security certificate of respective proposed solutions from OEM/ third party
auditor.
CHAPTER 3 - SCOPE OF WORK
3.1 Intended Principles of the SOC
The architectural principles that form the underlying platform for the SOC implementation at the Bank
are as follows. The solutions and their deployment architecture follow from these principles. The
“bidder”, hereinafter also called the “Security Integrator”, “vendor” or “SI”, is expected to adhere to these
principles while submitting their response:
3.1.1 Functional Principles:
The Intent for implementing a SOC in the Bank is covered in the below functional principles:
• Identification & Prevention of Information Security Vulnerabilities: The SOC should be able to
identify information security vulnerabilities in the bank’s environment and prevent these
vulnerabilities through implementation of adequate security solutions.
• Incident Management: Reporting and logging of information security incidents through the use
of appropriate ticketing tools. Track and monitor the closure of these information security
incidents and Escalation of these incidents to appropriate teams/ individuals in the bank if
required.
• Continuous Improvement: Continuously improve SOC operations.
3.1.2 Scalability Principles
The solutions deployed should be modular, scalable and should be able to address the Bank’s
requirements during contract period, with the deployed hardware.
3.1.3 Availability Principles
The solutions and services in scope should be designed with adequate redundancy and fault tolerance to
ensure compliance with SLAs for uptime as outlined in this RFP.
3.1.4 Performance Principles
The solutions should not have any significant impact on the existing infrastructure of the Bank either
during installation/ implementation or during operation of SOC.
Based on the architectural principles, the following solutions/ services have been identified to enhance
the security posture of the Bank and to enable security operations monitoring:
- Security Operations Center (SOC) with Security Information and Event Management solution
(SIEM).
- Web Application Firewall (WAF)
- Privilege Identity Management Solution (PIM)
- Anti-Advanced Persistent Threat Protection(Anti-APT)
- Anti-Phishing, Anti-Trojan, Anti-Malware, and Anti-rogue (for Mobile App) Services
- Risk Assessment
The Bidder who wishes to take up the project shall be responsible for the following at both the Bank’s Data
Centre (DC) and Disaster Recovery Site (DR):
• Procurement of the necessary solutions and the corresponding hardware, software, database etc
required for implementing the solutions for the Bank.
• Implementation of the respective solutions in Bank including configuration, customization of the
solutions as per the requirement.
• Integration of the solutions to provide a comprehensive single dashboard view of the security
risks/ incidents for the Bank.
• Work/ Liaison with the existing System Integrator(s) and other vendors of the Bank to integrate
the SOC solutions with applications, devices mentioned in the scope of the RFP.
• Providing adequate resources for on-going operations of the Security Operations Center (SOC).
• Development of operating procedures in adherence with the Bank’s policies.
• Adherence to agreed Service Level Agreements (SLA) and periodic monitoring and reporting of
the same to the Bank.
• Providing of appropriate ticketing tools for Reporting and logging of information security
incidents.
• Procurement of secured links (with the necessary bandwidth) between the Bank’s DC and DR, along
with the servers, software, database, storage solution, and networking & security equipment etc.
required for implementation of the SOC.
• The integration cost of SIEM with all devices, servers, and applications will be completely borne
by the Bidder. M/s Wipro Ltd is Bank’s system integrator. Similarly, WAF, PIM, Anti-Phishing,
and Anti-APT integration cost with devices, applications, & SIEM will also be borne by the
bidder.
3.1.5 Compliance to RBI Circular (RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16
Date: June 2, 2016 (Reg. Cyber Security Framework in Banks)
The selected bidder is required to fully comply with the RBI Circular RBI/2015-16/418
DBS.CO/CSITE/BC.11/33.01.001/2015-16 Date: June 2, 2016 (Reg. Cyber Security Framework in
Banks). Some of the indicative requirements of the circular are as below:-
• Putting in place an adaptive Incident Response, Management and Recovery framework to deal
with adverse incidents/disruptions.
• Performing Risk Assessment Activity in line with the RBI Circular and also in line with Cyber
Security Policy of the Bank, on half-yearly basis (or as directed by regulatory authority, statutory
authority, or GoI Ministry/Dept/Agency).
• Development and implementation of minimum Baseline Cyber Security and Resilience
Framework, as mentioned in the above mentioned RBI Circular.
• The SOC to be implemented should fully comply with the configuration guidelines as given in
the RBI Circular to ensure continuous surveillance.
• Sharing of information on Cyber Security incidents with RBI, as per template provided in the
RBI Circular.
• Development of Cyber security preparedness indicators.
• Formulation and implementation of Cyber Crisis Management Plan (CCMP) in line with the RBI
Circular and Cyber Security Policy of the Bank.
3.2 General Scope of Work for Each Solution
3.2.1 Security Information & Event Management (SIEM)
The SIEM solution is expected to collect logs from various security and network devices, servers and
applications. In addition, the logs being generated by the other solutions deployed as part of the SOC
implementation need to be collected by the SIEM. The bidder is expected to perform the following as
part of the SIEM implementation for Bank:
Solution Implementation:
• Implement the SIEM tool to collect logs from the identified devices, applications, databases etc.
• Develop parsing rules for non-standard logs
• Implement correlation rules based on out-of-box functionality of the SIEM solution and also
based on the use-cases to be provided by the vendor.
• The SIEM tool should be integrated with the VAPT tool to provide a comprehensive dashboard for
VAPT reports. (The Bank already has a VAPT tool deployed under a corporate license.)
• 24X7 log monitoring
• Rapid real-time response to incidents
• Evaluation of incidents
• Forensics to identify the origin of threats, mitigation thereof, initiation of measures to prevent
recurrence.
Training:
• Provide training to the identified bank personnel/ SOC team on the product architecture,
functionality and the solution design – to be provided before the implementation of solution.
• Provide hands-on training to the bank personnel/ SOC team on SIEM policy configuration, alert
monitoring, etc - post implementation.
Ongoing Operations:
• Monitor the SIEM alerts and suggest/ take appropriate action as per the SLA defined in the RFP.
• Perform on-going optimization, performance tuning, and maintenance, configure additional use-
cases, and suggest improvements as a continuous improvement process.
• Perform log backup and archival as per Bank’s policy requirements, and applicable legal/
statutory requirements.
• Ensure that SLA’s are maintained as defined in the RFP.
SOC Monitoring:
The SIEM should be able to collate logs from the devices, applications, and databases etc. mentioned in
the scope, including the other solutions deployed as part of this RFP at the Bank. The configured
correlation alerts should be displayed on the LED display maintained at the SOC. The bidder should also
quote for one 40-inch LED display screen at the SOC.
Integration:
The SIEM tool should be integrated with incident management/ ticketing tool to generate automated
tickets for the alert events generated by the SIEM tool. All the security devices and solutions being
proposed as part of the current RFP need to be included for monitoring by SIEM solution.
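The three SIEM tasks described above (parsing rules for non-standard logs, correlation rules over the collected events, and automated tickets for each alert) are illustrated by the following Python script. It is an added example, not code from the RFP, from any SIEM product or from the Bank: the sshd lines and the pipe-delimited application audit format are constructed for illustration (the application name IBANK and the host names are hypothetical), and the correlation rule (five failed logins from one source IP within five minutes, counted across both log sources, followed by a successful login from the same IP) is a common use case chosen for the demonstration, not one prescribed by the RFP.

```python
"""Normalise two log formats into one event schema, run a correlation
rule over the merged stream and shape each hit as a ticket."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parsing rule 1: an ISO-timestamped sshd line from a Linux host.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": m["host"],
            "user": m["user"], "src": m["src"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


# Parsing rule 2: a pipe-delimited application audit line. The format is
# constructed for a hypothetical application ("IBANK"), not a real product's:
#   2017-08-21T10:00:09|IBANK|LOGIN|user=alice|src=203.0.113.7|result=FAIL
def parse_pipe_audit(line):
    fields = line.strip().split("|")
    if len(fields) != 6 or fields[2] != "LOGIN":
        return None
    kv = dict(f.split("=", 1) for f in fields[3:])
    return {"ts": datetime.fromisoformat(fields[0]), "source": fields[1],
            "user": kv["user"], "src": kv["src"],
            "outcome": "success" if kv["result"] == "OK" else "failure"}


PARSERS = (parse_sshd, parse_pipe_audit)


def normalise(lines):
    """Apply the first parser that accepts each line, drop the rest, sort by time."""
    events = []
    for line in lines:
        for parser in PARSERS:
            event = parser(line)
            if event:
                events.append(event)
                break
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP accumulates `threshold` failed logins inside
    `window` (counted across all log sources) and then logs in successfully."""
    recent_failures = defaultdict(deque)   # src IP -> failure events in window
    alerts = []
    for event in events:
        q = recent_failures[event["src"]]
        while q and event["ts"] - q[0]["ts"] > window:
            q.popleft()                    # expire failures outside the window
        if event["outcome"] == "failure":
            q.append(event)
        elif len(q) >= threshold:
            alerts.append({
                "src": event["src"], "failures": len(q), "user": event["user"],
                "sources": sorted({e["source"] for e in q} | {event["source"]}),
                "first_seen": q[0]["ts"], "success_at": event["ts"],
            })
            q.clear()                      # one alert per burst, not per success
    return alerts


def to_ticket(alert):
    """Shape an alert as the record the ticketing-tool integration would create."""
    return {
        "title": f"Possible account compromise from {alert['src']}",
        "severity": "High",
        "description": (
            f"{alert['failures']} failed logins from {alert['src']} between "
            f"{alert['first_seen'].isoformat()} and {alert['success_at'].isoformat()}, "
            f"then a successful login as '{alert['user']}'; "
            f"log sources: {', '.join(alert['sources'])}"),
        "evidence": alert,
    }


def run_pipeline(lines, **rule_kwargs):
    return [to_ticket(a) for a in brute_force_then_success(normalise(lines), **rule_kwargs)]


# Constructed sample lines, not real Bank logs.
SAMPLE_LOGS = [
    "2017-08-21T10:00:01 dc-web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "2017-08-21T10:00:04 dc-web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2017-08-21T10:00:09|IBANK|LOGIN|user=alice|src=203.0.113.7|result=FAIL",
    "2017-08-21T10:00:15|IBANK|LOGIN|user=bob|src=203.0.113.7|result=FAIL",
    "2017-08-21T10:00:20 dc-web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "2017-08-21T10:00:31|IBANK|LOGIN|user=carol|src=203.0.113.7|result=OK",
    "2017-08-21T10:01:00|IBANK|LOGIN|user=dave|src=198.51.100.9|result=OK",
    "2017-08-21T10:02:00 dc-web01 kernel: eth0 link up",   # no parser: dropped
]

if __name__ == "__main__":
    for ticket in run_pipeline(SAMPLE_LOGS):
        print(ticket["severity"], ticket["title"], "-", ticket["description"])
```

The point of the common event schema is that the rule never has to know which product produced a line: two sshd failures and three application failures from the same address count together, which is what "comprehensive single dashboard view" across sources requires in practice. The window is evaluated per source IP and the deque is cleared after an alert so a long burst produces one ticket rather than one per successful login.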
Replication:
The logs collected by the SIEM log collector should be replicated across the primary Data Center and the
Disaster Recovery location. The bidder needs to provide an estimate of the bandwidth required for the
replication process after due analysis of the existing setup of the Bank.
Storage:
The SIEM should be able to maintain 3 months of logs online. In addition, the bidder should provide
near-line secondary storage for archiving logs for up to 1 year and offline storage for logs for
up to 9 years. The bidder is responsible for sizing the storage adequately based on the EPS estimate
given for the Bank in the detailed scope of work.
The bidders should provide details of the calculations used to arrive at the sizing as part of the response.
The bidder is responsible for automated online replication of logs from DC to DR for redundancy.
The solution should be capable of automatically moving logs from the device to archival storage based
on the age of the logs. The logs should also remain available online to the device for correlation, and
the storage should provide detailed auditing so that file deletions, additions and changes can be detected
whenever the Bank asks. The complete SIEM storage solution should have Write Once Read Many (WORM),
encryption, advanced indexing and searching, and retention and disposal capabilities across the online,
near-line and external storage types. The storage should have the option to support backup to a tape
library. The solution should provide encryption and data protection by keeping more than one copy of the
data/ objects using data/ object-level mirroring or parity.
The storage solution should be tamper-proof against outside access/ intrusion, and no user, including
storage administrators, should hold root-level permission that would allow stored logs to be altered or deleted.
The solution should provide Compression and De-duplication functionalities on archival system.
The solution should provide data replication over IP to a different site for disaster recovery and data
protection with support for Unidirectional, Bi-directional, one-to-many and many-to-one replication
topologies, Retention and Disposal functionality, and no single point of failure in the solution. Should
provide industry leading data integrity protection to include proactive self-healing measures.
The expected storage requirements at a minimum are mentioned below. However, the bidder is expected
to size the storage as per the requirements mentioned in the Scope of Work in this RFP. The bidder’s
response should include the calculations/ logic used to arrive at the sizing.
Minimum Storage Requirements at DC & DR for SIEM

Tier      Type                                        Disk RPM  Disk Type   RAID*  Capacity for 5,000-10,000 EPS
Tier-I    On-device/ SAN/ Object (3 months of data)   15000     SAS         5      At least 2 TB
Tier-II   Near Line SAN/ Object (1 year)              10000     SAS/NL-SAS  5      Minimum of 3 TB, expandable to 8 TB
Tier-III  External NAS/SAN/Object (9 years)           7200      NL-SAS      5      Minimum of 10 TB, expandable to 70 TB

* The storage should be configured in RAID 5 or a higher RAID level so that a disk failure does not cause data
loss; note that RAID 5 itself tolerates only a single disk failure per RAID group.
The solution should also be scalable to expand storage based on the peak EPS requirement of Bank.
The Bidder shall deliver the minimum disk size; additional disk may be procured by the Bank as per the
rate card in the BOM.
Locations in Scope
The locations which the SIEM solution shall cover are mentioned below:

S. No.  Coverage                               Log Correlation Engine  Log Storage Server  Storage  Log Collection Device  SIEM Management Console and SOC Operation/Facility
1       Data Center                            Yes, in HA              Yes, in HA          Yes      Yes, in HA             NA
2       Disaster Recovery Site                 NA                      Yes                 Yes      Yes, in HA             NA
3       Core Banking Cell, Naraina, New Delhi  NA                      NA                  NA       NA                     Yes
Security & Network Devices to be monitored
Security & Network devices to be monitored by SIEM include but are not limited to the following:

S. No  Device Type                    DC  DR  Project Office, Naraina  Head Office, New Delhi
1      Firewalls                      6   6   2                        1
2      Routers                        6   5   2                        2
3      Layer 2 Switches               2   2   5                        5
4      Layer 3 Switches               7   6   2                        2
5      IPS/ IDS/ NIPS/ HIPS           2   2   -                        -
6      NAC (Network Access Control)   8   8   -                        -
8      Access Control Devices         1   1   -                        -
9      Antivirus                      1   1   -                        -
10     DB Log Management              1   1   -                        -
11     Security Solutions for Email   2   1   -                        -
12     Security Solutions for Web     2   1   -                        -
13     Integrated Security Manager    1   1   -                        -
15     LAN Management System          1   1   -
Servers
The following servers need to be monitored by SIEM, including but not limited to:

S. No  Device Type          DC  DR  CBS  HO
1      Load Balancer        4   4   -    -
2      Web servers          10  10  -    -
3      Application Servers  11  11  -    -
4      Database Servers     19  16  -    -
Key Applications: Applications to be monitored by SIEM include but are not limited to:

S. No  Key Application                 Vendor
1      Finacle – CBS                   Infosys
2      Internet Banking                Infosys
3      Web Proxy Gateway               McAfee
4      Database Activity Monitoring    McAfee
5      Biometric Application           SmartChip Ltd
6      Integrated Treasury             M/s Polaris (Lasersoft)
7      Financial Inclusion Gateway     TCS
8      Mobile Banking                  FSS
9      Email                           Microsoft
10     Directory Services              Microsoft
11     GBM                             Accel Frontline
12     DAR                             Veermati
13     ADF – MIS                       Nelito
14     AML                             Infrasoft
15     Enterprise Management System    IBM Tivoli
16     HRMS                            -
17     Risk Management/ ALM            BALM Suryasoft
18     Locker                          Wipro
19     CPSMS                           Intelliswift
20     SWIFT                           Globsyn
Sizing
The EPS count for the Bank should be as below:

At the time of delivery (to be delivered):  5000 sustained and 7000 peak EPS
Scalability:                                up to 10000 sustained and 12000 peak EPS

The bidder needs to quote an additional cost in buckets of 1000 sustained EPS in case the Bank wants to
upgrade the SIEM solution.
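The RFP asks bidders to show the calculations behind their storage sizing. As an added worked example (not part of the RFP, and not any bidder's or OEM's sizing tool), the following Python script does that calculation: it converts the sustained EPS above into per-tier capacity for the 3-month, 1-year and 9-year retention periods of the storage table, adds the RAID 5 parity overhead, and checks the result against the table's minimum capacities, including how many days those minima would actually hold at the sustained and the peak rate. The 500-byte average event size, the 10:1 compression ratio and the 8-disk RAID groups are assumptions chosen for illustration, not figures from the RFP; a bidder would replace them with values measured on the Bank's own log sources.

```python
"""SIEM storage sizing from an EPS estimate, checked against the RFP's
minimum tier capacities. Average event size, compression ratio and RAID
group size are assumptions (see the comments), not figures from the RFP."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_TB = 10**12        # decimal terabytes, as storage capacity is quoted


@dataclass(frozen=True)
class Tier:
    name: str
    retention_days: int       # from the RFP storage table
    rfp_minimum_tb: float     # capacity figure from the RFP storage table
    compression_ratio: float  # raw bytes : bytes on disk (assumed, not from the RFP)


TIERS = (
    Tier("Tier-I online", 90, 2.0, 10.0),
    Tier("Tier-II near line", 365, 8.0, 10.0),
    Tier("Tier-III offline", 9 * 365, 70.0, 10.0),
)


def raw_bytes_per_day(eps, avg_event_bytes):
    """Uncompressed log volume produced per day at a given EPS."""
    return eps * SECONDS_PER_DAY * avg_event_bytes


def tier_usable_tb(tier, eps, avg_event_bytes):
    """Usable capacity one tier needs for its full retention period."""
    raw = raw_bytes_per_day(eps, avg_event_bytes) * tier.retention_days
    return raw / tier.compression_ratio / BYTES_PER_TB


def retention_days_for_capacity(capacity_tb, eps, avg_event_bytes, compression_ratio):
    """Inverse question: how many days does a given capacity hold at this EPS?"""
    return capacity_tb * BYTES_PER_TB * compression_ratio / raw_bytes_per_day(eps, avg_event_bytes)


def raid5_raw_tb(usable_tb, disks_per_group=8):
    """Raw disk to procure: RAID 5 spends one disk per group on parity."""
    return usable_tb * disks_per_group / (disks_per_group - 1)


def size_siem_storage(eps, avg_event_bytes, peak_eps, disks_per_group=8):
    """Per-tier sizing for one site; the RFP wants the same at DC and DR."""
    result = {}
    for tier in TIERS:
        usable = tier_usable_tb(tier, eps, avg_event_bytes)
        result[tier.name] = {
            "usable_tb": round(usable, 2),
            "raid5_raw_tb": round(raid5_raw_tb(usable, disks_per_group), 2),
            "rfp_minimum_tb": tier.rfp_minimum_tb,
            # does the RFP minimum cover the retention period at all?
            "rfp_minimum_sufficient": usable <= tier.rfp_minimum_tb,
            # how long would that minimum actually last at sustained and at peak EPS?
            "days_at_minimum_sustained": round(retention_days_for_capacity(
                tier.rfp_minimum_tb, eps, avg_event_bytes, tier.compression_ratio)),
            "days_at_minimum_peak": round(retention_days_for_capacity(
                tier.rfp_minimum_tb, peak_eps, avg_event_bytes, tier.compression_ratio)),
        }
    return result


if __name__ == "__main__":
    # RFP figures: 5000 sustained / 7000 peak EPS at delivery.
    # Assumptions: 500-byte average event, 10:1 compression, 8-disk RAID 5 groups.
    for name, row in size_siem_storage(5000, 500, 7000).items():
        print(name, row)
```

Under those assumptions the 5000 EPS sustained rate produces about 216 GB of raw log per day, which lands the online and near-line tiers just inside the table's figures (about 1.94 TB and 7.88 TB) but pushes the 9-year offline tier to about 71 TB, above the 70 TB ceiling; and at the 7000 EPS peak the 2 TB online tier holds only about 66 days rather than 90. Those are exactly the gaps the calculation is meant to surface before the BOM and the EPS upgrade buckets are fixed.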
3.2.2 Web Application Firewall (WAF)
The bidder is required to perform the following activities:
Solution Implementation:
• Deploy the WAF for the in-scope web applications
• Develop and Configure the policies
Training:
• Provide training to the identified Bank personnel/ SOC team on the product architecture,
functionality and the solution design – to be provided before the implementation of solution.
• Provide hands-on training to the Bank personnel/ SOC team on WAF policy configuration, alert
monitoring, and etc. - post implementation.
Solution Integration:
• Integrate WAF with SIEM solution to provide a single dashboard view of events generated.
Monitoring:
• Monitor events from WAF and suggest/ take appropriate action on an on-going basis.
• Develop new policies and improve the policies configured on an on-going basis to reduce the
occurrence of false positives.
Below is a list of the applications to be covered by the WAF and the deployment locations. The WAF
should be scalable to handle up to 4000 HTTPS transactions per second and 100 Mbps of performance
throughput.

Sr. No.  Application                               Vendor
1.       Internet Banking                          Infosys
2.       Mobile Banking                            FSS
3.       Email Messaging                           Microsoft
4.       Intranet Portal                           Wipro
5.       Financial Inclusion (FI) Web Application  TCS

Deployment locations for the WAF (all applications above): DC – Yes, in HA mode; DR – Yes, in HA mode.
3.2.3 Privilege Identity Management (PIM)
The bidder is expected to perform the following activities:
Solution Implementation:
• Implement the solution for the identified devices/ administrators.
Training:
• Provide training to the identified bank personnel/ SOC team on the product architecture,
functionality and the solution design – to be provided before the implementation of solution.
• Provide hands-on training to the bank personnel/ SOC team on PIM operations – post
implementation.
Solution Integration:
• Integrate the PIM with SIEM to generate alerts for any PIM violations.
Monitoring:
• Monitor events from PIM and suggest/ take appropriate action on an on-going basis.
• Develop new policies and improve the policies configured on an on-going basis to reduce the
occurrence of false positives.
• The PIM solution should be deployed in standalone mode at DC and DR. The devices in scope
for the PIM solution are the same as those mentioned in the SIEM scope section. The total number of
administrators for these devices is around 100. The solution should be scalable up to 200
administrators. The bidder should provide the cost per 10 administrators.
3.2.4 Anti-Phishing, Anti-Trojan, Anti-Malware, and Anti-rogue (for Mobile App) Services
The bidder is required to perform the following activities:
• 24x7 scanning of critical websites (identified by the Bank) for anti-phishing, anti-Trojan, and
anti-malware service.
• Integrate with Bank’s SOC.
• Continuous update to Bank as per SLA section of this RFP.
• Initiate response as per Bank’s request.
• Perform forensics analysis as and when required.
• Takedown of websites and Mobile App as per Bank’s request.
• A dashboard view of the risks and threats identified through the Anti-Phishing and threat
intelligence services is presented to the Bank. The Bank should be provided with online access to
the dashboards.
• Monitoring all major mobile app marketplaces for counterfeit, copycat apps, or apps infringing
trademarks, linking to pirated content, attempting phishing attacks or distributing malware.
• Prompt submission of enforcement notices and for the removal of rogue or infringing apps.
• Forensics to identify the origin of threats, mitigation thereof, initiation of measures to prevent
recurrence.
Below is a list of websites and Mobile App for which the Bank requires anti-phishing, anti-malware and
anti- Trojan services as per the technical requirements:
S No  Website/ Mobile App
1     www.psbindia.com
2     www.psbonline.co.in
3     https://psbmobile.com
4     PSB Mobile Banking App
5     PSB UPI App
The vendor shall proactively monitor Bank’s websites for any phishing attempts and advise the Bank
about the incident with details. Services shall include the following:
- To protect the websites from phishing and immediately alert the Bank authorities concerned if the
Bank’s brand/ logo is targeted in phishing attacks. Upon detection, the vendor shall work to shut
down the phishing site and submit a report.
- Rapid response to phishing attacks
- Track hosting of phishing websites through digital watermark.
- Tracking new Domain Name Registrations to detect any spoofed or similar site being registered,
this will include brand abuses too.
- Monitoring anti-phishing forums.
- Initiating takedown of the phishing sites.
- Analyzing web server logs and application logs to track the Phisher’s identity.
- Analyzing application logs to identify Phisher-initiated transaction.
- Benchmarking Bank’s website and suggesting controls required to minimize impact from
phishing attacks.
- Assisting the Bank for coordination with law enforcement, regulatory, statutory and other
agencies like CERT-IN, Banking Ombudsman, RBI, NPCI, MoF, IBA, and UIDAI etc.
- Providing alerts on detection of phishing sites, daily status report on the phishing site detected
and the action taken.
- Providing anti-rogue services that detect and shut down rogue mobile apps on mobile app stores and the
internet.
- Online Dashboard to be provided for Anti-phishing and Anti-rogue services.
- Forensics to identify the origin of threats, mitigation thereof, initiation of measures to prevent
recurrence.
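One of the services listed above, tracking new domain registrations to detect spoofed or similar sites, is illustrated by the following Python script. It is an added example and not part of the RFP or of any vendor's service: it generates typo and homoglyph permutations of the Bank's domain label, then screens a feed of newly registered names for TLD swaps, those permutations, longer labels that embed the brand, and near matches by edit distance, skipping the Bank's own domains from the website list above. The registration feed and the small homoglyph table are constructed for illustration; a production service would draw the feed from zone-file or registrar data and use a far larger confusable-character set, including Unicode look-alikes.

```python
"""Screen a feed of newly registered domains for look-alikes of a brand
domain: TLD swaps, typo/homoglyph permutations, embedded brand strings
and near matches by edit distance."""

# Single-character substitutions attackers use to imitate a label. This
# table is an assumption: a small ASCII subset of common confusables.
HOMOGLYPHS = {
    "i": ("1", "l"), "l": ("1", "i"), "o": ("0",), "a": ("4",),
    "s": ("5",), "b": ("d",), "d": ("b",), "e": ("3",), "n": ("m",),
}

# The Bank's legitimate domains from the RFP's website list; never flagged.
KNOWN_GOOD = {"psbindia.com", "psbonline.co.in", "psbmobile.com"}


def split_domain(domain):
    """Return (registrable label, suffix) for 'label.suffix[.suffix]'."""
    domain = domain.lower().strip().rstrip(".")
    label, _, suffix = domain.partition(".")
    return label, suffix


def typo_permutations(label):
    """Omission, repetition, transposition and homoglyph variants of a label."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                 # omission
        out.add(label[:i] + label[i] + label[i:])          # repetition
        for sub in HOMOGLYPHS.get(label[i], ()):
            out.add(label[:i] + sub + label[i + 1:])       # homoglyph
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return out


def levenshtein(a, b):
    """Edit distance; catches variants the generators above do not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brand_domain, known_good=KNOWN_GOOD, max_distance=2):
    """Return why `candidate` looks like `brand_domain`, or None if it does not."""
    if candidate.lower() in known_good:
        return None
    label, suffix = split_domain(candidate)
    brand_label, brand_suffix = split_domain(brand_domain)
    if label == brand_label:
        return None if suffix == brand_suffix else "tld-swap"
    if label in typo_permutations(brand_label):
        return "typosquat"
    if brand_label in label:
        return "brand-embedded"
    if levenshtein(label, brand_label) <= max_distance:
        return "near-match"
    return None


def screen_registrations(feed, brand_domain, known_good=KNOWN_GOOD):
    """Return [(domain, reason)] for every suspicious entry in the feed."""
    hits = []
    for domain in feed:
        reason = classify(domain, brand_domain, known_good)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample feed of "newly registered" names; not real registration data.
NEW_REGISTRATIONS = [
    "psbindia.net",        # same label, different TLD
    "psb1ndia.com",        # homoglyph
    "pbsindia.com",        # transposition
    "psbindia-login.in",   # brand embedded in a longer label
    "psbindla.co.in",      # homoglyph under a multi-part suffix
    "psbindia.com",        # the Bank's own domain: allowlisted
    "example.com",
    "bankofxyz.co.in",
]

if __name__ == "__main__":
    for domain, reason in screen_registrations(NEW_REGISTRATIONS, "psbindia.com"):
        print(f"{domain:22} {reason}")
```

Each hit carries a reason so that an analyst can triage by technique: a TLD swap of the exact label usually warrants immediate monitoring of the site content, while a near match may be a coincidence and is worth a look only if the name resolves to a page that imitates the Bank's brand.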
Phishing Site Takedown Services
The bidder shall bring down the detected phishing site and deactivate the site at the earliest.
• Keep track of the site brought down for reactivation for at least 2 months. The reactivated sites
are to be brought down without any additional charges during this period of 2 months.
• Provide Reports on the takedown activities and the status of the phishing site on daily basis.
• Report on phishing trend in India and across the globe.
3.2.5 Anti Advanced Persistent Threat System (Anti-APT)
The bidder is expected to perform the following activities:
Solution Implementation:
• Implement the solution for the identified devices.
Training:
• Provide training to the identified bank personnel/ SOC team on the product architecture,
functionality and the solution design – to be provided before the implementation of solution.
• Provide hands-on training to the bank personnel/ SOC team on anti-APT operations – post
implementation.
Solution Integration:
• Integrate anti-APT with SIEM to generate alerts for any Anti-APT violations.
Monitoring:
• Monitor events from anti-APT and suggest & take appropriate action on an on-going basis.
• Develop and improve the policies configured on an on-going basis to reduce the occurrence of
false positives.
The solution should be sized for 50Mbps performance throughput. The solution should be deployed in
HA mode at DC and DR. The device should have at least 2 Nos. of GBIC Ports.
3.2.6 Risk Assessment Services
• The vendor shall conduct periodic (annually) IT Risk Assessment and ensure adequate, effective,
and tested controls for people, processes, and technology to enhance Information Security. The
first Risk Assessment should be conducted within 4 months of issuance of Purchase Order.
• The vendor shall conduct IT Risk Assessment of new products and services.
• The vendor shall review the change management requests related to IT Infrastructure Activities/
Access Permission and report to the Bank the resulting threat perception in Bank environment.
• The vendor shall review the information security incidents and activities across the Bank.
• The Risk Assessment services should be undertaken to assess Bank’s security threats and risks.
• Provide risk assessment and recommendations on a periodic basis as required to mitigate risks
and to strengthen the overall security posture of the Bank.
• Provide risk assessment and mitigating measures in respect of-
o integrating various systems & applications in Bank’s environment
o integrating third parties system/ applications through extranets
o outsourcing arrangements
• Design and update Risk Assessment templates on platforms, infrastructure integration,
application security assessment, vulnerability assessment, outsourcing, processes, people etc.
• Vendor should devise a Risk Assessment methodology covering value of asset, threat, probability of the threat occurring, impact of the threat etc. in consultation with the Bank.
• Provide Bank with a root cause analysis of downtime due to faults, security events including
preventive measures being taken to prevent future similar incidents and outages.
• Participate in technical and business planning sessions to establish security standards, architecture and project initiatives, to improve the design from an information security standpoint and provide recommendations.
• Vendor shall ensure continuous training and best practice updates to Bank Team.
3.2.7 Other Security Services
3.2.7.1 Security Intelligence Services
• The Bidder shall regularly track and advise the Bank about new global security threats and
vulnerabilities. The advisories shall be customized to suit the Bank’s information security
infrastructure. The Bidder shall advise upgrades/ changes in the security infrastructure of the
Bank against evolving threats and responsibilities. Onsite team shall track impact of new
vulnerabilities and threats on Bank’s assets.
• The Bidder shall advise and coordinate in implementation of controls to mitigate new threats.
• The Bidder shall ensure adequacy, appropriateness and concurrency of various policies and
guidelines in place in the Bank and shall provide Information Security consultancy for newer
technology deployment for new and existing applications and products.
• The Bidder shall guide and recommend the Bank w.r.t. any change required in the existing infrastructure of the Bank for deployment of new applications and services which can have security implications for the Bank, such as changing rules in Firewall, Router, IPS, IDS, and application/ server configurations etc.
• The bidder shall facilitate the Bank to participate in the Cyber Security Mock Drill and Cyber
Security Assessment conducted by Ministry of Finance/ CERT-In as and when required by them,
with no extra cost to the Bank. The Bidder shall provide MOCK drill environment and also
implement the recommendations of such drills/ assessment to improve cyber security posture of
the Bank.
• The Bidder shall identify evolving vulnerabilities and threats to IT infrastructure assets deployed
in the bank. This includes-
o Top global attack sources
o Top global attack targets
o New Vulnerabilities and advisories
o New Attack vectors
o Worms & Virus outbreaks
• The Bidder shall have access to and track leading security databases such as- NIST, OEM sites,
CERT-IN, OWASP, OVAL, CVE, Anti-virus vendors, National Vulnerability Database, and
SANS etc.
• The Bidder shall provide countermeasures/ recommend workarounds to remediate vulnerabilities
as and when they are discovered.
3.2.7.2 Security Advisory Services
• The Bidder shall regularly track and advise the Bank about new global security threats and
vulnerabilities. The advisories should be customized to suit the Bank’s security infrastructure.
Advise upgrades/ changes in the security infrastructure of the Bank against evolving threats and
responsibilities.
• The bidder shall review and update the Bank’s Information Security Policy and all other policies
and procedures on an annual basis in line with ISO27001 standard. The Bank has various
Policies and Plans, like- IT Security Policy, BCP-DR Plan, Cyber Fraud Policy, Digital Evidence
Policy, Migration Policy, Biometric Policy, Hardening Policy, and IS Audit Policy etc.
• The Bidder shall carry out vulnerability scanning before deployment of an application, module
and prepare a standard check list for compliance.
• The Bidder shall assess the current environment and setup a baseline security level for all
existing applications and new applications; and drive the implementation of the baseline security
level for all applications (existing and new). Ensure that the baseline security level is maintained
on an ongoing basis and hence applications are secured against all risks at any point in time.
• The Bidder shall review Policies, Guidelines, Business Continuity Plan, Disaster Recovery Plan, and IS Audit Reports:
o Regular review of Information Security Policy and Information Security Guidelines,
Business Continuity Plan, Disaster Recovery Review Plan, and other related documents
like Data Centre Operations Manual and suggesting, vetting, incorporating necessary
changes commensurate with the security, operational, and technology risks.
o Evaluation of Information Security related audit observations of the bank and facilitating
the rectification thereof.
• The Bidder shall impart security awareness training (not certification training) to Bank-nominated staff once a quarter. The Bank will arrange the training facility, computers, stationery, projectors etc. This training program could be a classroom session and would cover a pre-circulated training agenda on the security technology. The training can also be through Video Conferencing and/or Webinar to cover all Branch, Zone, and Other Office staff/ vendors.
• The Bidder shall assist the Bank in planning, execution, and implementation of information
security related initiatives/projects/programs in the Bank.
• The Bidder shall participate in the periodic DR Drill activity of the Bank and suggest & assist in
implementation of enhancements in the DR Drill process.
• For new application rollout by the Bank, the Bidder shall give security advisory to the Bank.
• The bidder shall ensure compliance with ISO27001 certification for the Bank’s DC and DR. Bank’s DC and DR sites are ISO27001 certified.
3.2.7.3 Forensic Investigation
• The vendor shall address the challenges and risks of doing business in today's environment and assist in dealing with complex issues of fraud and regulatory compliance, as business disputes can detract from efforts to achieve the Bank’s potential. Better management of fraud risk and compliance exposure is a critical business priority.
• The vendor shall provide effective remedial solutions for the intricacies of Forensic Investigation of crime of any type and assist in the proper dispensation of justice for at least 12 incidents in a year.
• The bidder shall have the skill sets to provide fraud investigation on the Bank’s IT infrastructure and banking related processes.
• Coordinate with the IT team and help them contain attacks & restore services.
• The vendor shall facilitate the Bank in investigation of IT frauds and mitigation measures on the
same.
• The Forensic analysis should comply with the RBI Circulars, Guideline, and Recommendations.
3.2.7.4 Infrastructure Development Guidelines and Minimum Baseline Security Standards
(MBSS)
• A detailed infrastructure guideline should be created for the secure deployment of the bank’s
infrastructure
• The guidelines should be based on international standards like ISO27001, ISO2000, TIA 942 etc.
• The guidelines should cater to all the IT and network infrastructure and all other supporting
infrastructure
• Minimum Baseline Security Standard (MBSS) should be created for all the different types of
assets (IT and Network components etc)
• A MBSS review should be done on regular intervals to ensure all IT and network components
are in compliance to the guidelines
3.2.7.5 Security Architecture Review
The bidder is required to conduct the security architecture review of the bank’s infrastructure on a quarterly/ half yearly basis (or as directed by regulatory authority, statutory authority, or GoI Ministry/Dept/Agency). The security architecture review will involve (but is not limited to):
• Doing an application security assessment of the bank’s applications
• Conducting secure code review
• Conducting a configuration review of the IT and network infrastructure
3.2.7.6 Configuration Review of Servers, Security, and Network Devices
The bidder should ensure that a detailed configuration review of all the servers, network and security devices is done on a quarterly/ half yearly basis (or as directed by regulatory authority, statutory authority, or GoI Ministry/ Dept/ Agency). The review should be both automated and manual and should check the following parameters:
• User management
• Account policies
• Parameter files
• System Privileges
• Object Privileges
• Backup/recovery
• Operating System configuration
• Profiles information
• Operating System data file Information
• Auditing and logging
• Rule base and ACL
3.2.7.7 Vulnerability Assessment and Penetration Testing (VAPT)
VA is being conducted by the Bank. The Vendor shall make an assessment on the VA report. The vendor shall follow up for the closure of the pending observations. The Vendor shall perform risk-based profiling of the IPs to identify critical IPs. The vendor shall conduct PT of all web-facing applications of the Bank on a quarterly/ half yearly basis (or as directed by regulatory authority, statutory authority, or GoI Ministry/ Dept/ Agency).
3.2.7.8 Mobile Application Review
The bidder will perform a detailed application review of the bank’s mobile applications (like- Mobile
Banking App, UPI App, and Bharat Bill Payment App) on a quarterly/ half yearly basis (or as directed
by regulatory authority, statutory authority, or GoI Ministry/ Dept/ Agency). The assessment will
include (but not limited to):
• Prepare test cases based on the mobile application platform
• Vulnerability assessment of the mobile app.
• Automated and manual Penetration testing of the mobile app.
3.2.7.9 Other Requirements
• Monitoring 24x7 logs and audit trails for the security events - To detect known as well as
unknown attacks and raising alerts on any suspicious events that may lead to security breach into
Bank’s environment.
• Monitoring of 24x7 performance and service availability so that the desired state and integrity of
the devices/ solutions and services levels are maintained.
• To provide scalability for any additions/ modifications or integration of applications, services,
devices and networks with the existing architecture of SOC.
• Providing initial review (Level 1) of security incidents and determining whether escalation to Level 2/ Level 3 support is warranted.
• Carrying out event analysis with the statistical events correlation rules. This should include the
correlation of the events from the devices/ solutions under scope.
• Creation and adding custom correlation rules for the Bank’s devices under scope. SOC will
review and fine-tune rules as and when required.
• Providing online secured portal (web-based Dashboard) for viewing real-time monitoring data of
all the security devices/ solutions in scope.
• To develop & recommend improvement plans for the SOC-monitored Bank’s facilities as needed to maintain an effective and secure computing environment. The activity is to be carried out as and when required by the Bank.
• Monitoring alerts and events reported by devices under the SOC scope; to record the incidents,
classify, and recommend remedial action. All types of incidents will have to be reported
immediately as per the escalation matrix which will be prepared during go live.
• Initiation of prompt corrective countermeasures to stop/ prevent attacks as per predetermined
procedures.
• Complete analysis and correlation of logs from all the devices/solutions/applications under scope.
• Carrying out due forensic activities to identify the origin of threat, mitigation steps and measures
to prevent recurrence.
• Preparation of the daily, weekly, monthly reports to summarize the list of incidents, security
advisories, vulnerability management, and other security recommendations. It should include the
operations trend analysis with the reports correlation of the present and past data.
3.2.7.10 Monitoring, Reporting and Security Dashboard:
The Bidder must provide an application/online portal to maintain an online repository that lists the existing and emerging risks with respect to IT infrastructure assets of the Bank, and it should have at least the following features:
• Security dashboard should provide the status of security across the IT infrastructure.
• Security dashboard should also contain a comprehensive baseline of risks across the IT infrastructure, including:
- Security Advisories.
- Proactive alerts and alarms.
- Unified HTTPS portal for Trouble Ticket Management & Escalation Workflow.
- Unified HTTPS portal for the security events reports, device reports and Monthly Analysis
Reports
• Security dashboard should provide various reports such as following which Bank needs to
submit/ report to the regulatory, statutory, and other relevant agencies on periodic basis:-
- Information security events report which occur during the period. An information security
event is an identified occurrence of a system, service or network state, indicating a possible
breach of information security policy or failure of safeguards, or a previously unknown
situation that may be security relevant.
- Frequency of Information Security Incidents:- Total number of information security incidents
during the period. An information security incident is indicated by a single or a series of
unwanted or unexpected information security events that have a significant probability of
compromising business operations and threatening information security.
- Number of information security incidents pertaining to RBI-owned payment and settlement
systems (RTGS, NEFT) during the period. An information security incident is indicated by a
single or a series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and threatening information
security.
- Number of instances during the period where the Bank’s systems were subject to unauthorized access, including the instances of password sharing (successful or unsuccessful), by the Bank’s employees and contractors, from within the Bank or outside Bank premises.
Note: The vendor shall provide new reports and customize existing reports as per RBI, MoF,
NPCI, IBA, UIDAI, GOI, Bank’s etc. requirements, without any cost to the Bank.
Since the bank is looking to obtain many solutions/services, it will be difficult to track the activities
and important alerts and reports from all these solutions/ services. Moreover, since most of these
solutions/ services are interrelated, correlated information will help the bank in taking important
decisions. The Bidder shall provide a unified portal that will meet this requirement.
Service Desk System
Service desk should be configured, maintained and updated to record all agreed upon SLA breaches.
Bank should be able to generate reports to validate the service availability through comprehensive
web-based portal (dashboard). The portal shall be accessed by Bank users with individual login credentials.
3.3 General Responsibilities of the SI
3.3.1 Training
• Pre-Implementation: Provide training to the identified bank personnel/ SOC team on the product
architecture, functionality and the design for each solution under the scope of this RFP.
• Post Implementation: Provide hands-on training to the bank personnel/ SOC team on SIEM
operations, alert monitoring, policy configuration for all solutions etc.
• The bidder and OEM are required to provide training jointly as per the below table for personnel/
team nominated by the bank for each solution specified in the scope of work.
• The bidder is required to provide all trainees with detailed training material. This training
material should cover installation, operation, integration, maintenance, troubleshooting and other
necessary areas for each solution.
Training Requirements
Solution   Training Type         Required  Days
SIEM       Pre-implementation    Yes       2
SIEM       Post-implementation   Yes       5
WAF        Pre-implementation    Yes       1
WAF        Post-implementation   Yes       2
PIM        Pre-implementation    Yes       1
PIM        Post-implementation   Yes       2
Anti-APT   Pre-implementation    Yes       1
Anti-APT   Post-implementation   Yes       1
3.3.2 Implementation and Integration
• Implementation of the specified solutions as per the technical requirement of the solutions which are
detailed in Annexure –IX (Technical Requirements/ Specifications).
• 10 days before delivery of the solutions, the bidder is required to review the bank environment and specify any additional requirements that the Bank may need to provide for the implementation of the solutions.
• The bidder is responsible to ensure that the SOC solutions and operations comply with bank’s
information security policies and industry leading standards (such as ISO 27001 etc) and any
applicable laws and regulations.
• In addition, the bidder is responsible for impact assessment and modification of SOC operations at
no extra cost, on account of any changes to applicable information security policies, procedures,
standards, regulations.
• Support for all the solutions proposed should be provided for the contract period. Free upgrades should be provided for all solutions if end of life occurs within the period of the contract.
• Integrate each solution with SIEM solution to provide a single dashboard view of events generated.
• Any interfaces required with existing applications, servers, network & security devices,
infrastructure within the bank should be developed by the bidder (without extra cost to the Bank) for
successful implementation of the SOC as per the defined scope of work.
• Bidder shall be responsible for timely compliance of all Device level audit (DLA) and Vulnerability
Assessment (VA) audit observations as and when shared by the bank.
• The bidder is responsible for integrating any additional logs that the bank may wish to monitor with
the SIEM solution at no additional cost to the bank.
• Development and implementation of processes for management and operation of the SOC including
(but not limited to) the following processes:
o Configuration and Change Management
o Incident and Escalation management processes
o Daily standard operating procedures
o Training procedures and material
o Reporting metrics and continuous improvement procedures
o Data retention and disposal procedures
o BCP and DR plan and procedures for SOC
o Security Patch management procedure
The technical bid should include an overview of the processes mentioned above.
• Implement necessary security measures for ensuring the information security of the proposed SOC.
• Develop Escalation Matrix in order to handle Information Security Incidents efficiently.
• Provide necessary documentation for the operation, integration, customization, and training of each
of the solutions in scope.
3.3.3 Monitoring
The bidder is required to provide the resource count for the operations of the SOC as a part of the
response to this RFP and specify the same in the Annexure XII Resource plan matrix. The bidder shall
monitor SOC activities and events on a 24x7x365 basis and suggest & take appropriate action on an on-
going basis.
3.3.4 Continuous Improvement
Improve the policies configured on an on-going basis to reduce the occurrence of false positives
3.3.5 Solution Acceptance
The Bank in coordination with the bidder and OEM shall conduct an Acceptance Test wherein the
bidder has to demonstrate the implementation of the solution as per the requirements of the bank. The
bidder shall submit the detailed reports of the test outcomes to the bank (also refer clause 4.3
Responsibility Matrix).
3.3.6 SLA Compliance
The bidder shall ensure compliance with SLAs as defined in the RFP.
3.3.7 Business continuity
The bidder is responsible for defining a DR/ BCP plan for the SOC operations and also for ensuring that periodic tests are conducted as per the testing calendar agreed with the bank.
3.3.8 Period of Contract
• Bidder is required to provide the SOC services for a period of 5 years.
• Post completion of the contract or in the event of early termination, the bidder is expected to provide support for transition of the solutions/ services to the nominated members of the bank (or) to a third party nominated by the Bank.
• The Bidder is required to provide the warranty/ AMC services at Bank’s DC/DR/HOIT and other
locations for which tools are procured or where tools are deployed, directly or through their
OEM representatives at all locations for the bank.
The bidders are expected to provide technical and commercial proposals in accordance with the terms
and conditions contained herein. Evaluation criteria, evaluation of the responses to the RFP and
subsequent selection of the successful bidder will be based entirely on bank’s discretion. Bank’s
decision shall be final and no correspondence about the decision shall be entertained.
Note: In addition to the above points, during the contract period the vendor shall be responsible for
implementing and complying with future recommendations, guidelines, and directions of regulatory &
statutory, and other bodies (viz. RBI, IBA, NCIIPC, CERT-In, MoF, IDRBT etc.) to an existing
functionality of the deliverables provided under this RFP, without extra cost to the Bank.
3.3.9 IS Audit of SOC Solution
The selected bidder shall conduct the IS Audit of the complete SOC Solution through a CERT-In
empanelled auditor agency within one year of issuance of Purchase Order.
Chapter 4 – Service Level Agreement And Penalties
4.1 Service Levels during Implementation Phase
• The Bidder is expected to complete the responsibilities that have been assigned as per the
implementation timelines mentioned in Section: Project Timelines (Chapter-6).
• One percent of the total implementation fees would be levied as a penalty for every week of delay as per the implementation timelines, per product/ service.
• A maximum penalty of 20% of the value of total Implementation Cost of the delayed solution/
service would be levied for implementation delays.
4.2 Service Levels during Operations Phase
The bidder is required to adhere to the Service Level Agreements as mentioned below for the operations
phase.
SLAs for Solution Uptime

Sr No 1
Service Area: SIEM Solution Uptime
Service Level: Uptime % calculated on monthly basis for SIEM. In case of any hardware problems, the SI should ensure that replacement devices are made available to meet the SLAs.
Penalty: Penalty as XX% (as mentioned below) of overall quarterly SOC operation charges (Quarterly Resource Cost + Quarterly Maintenance Cost).
Uptime %             Penalty (XX%)
99.9% and above      NA
98% to 99.9%         5%
95% to 97.99%        8%
90% to 94.99%        15%
80% to 89.99%        30%
70% to 79.99%        50%
Less than 70%        100%

Sr No 2
Service Area: Other Solution Uptime
Service Level: Uptime % calculated on monthly basis for each solution. In case of any hardware problems, the SI should ensure that replacement devices are made available to meet the SLAs.
Penalty: Penalty as XX% (as mentioned above) of the individual quarterly maintenance charges. The SLA percentage remains the same as above.
SOC Operations Charges/ Cost includes: AMC, Resource costs for SOC monitoring and maintenance.
Maintenance Charges/ Cost includes: AMC for the specific solution
Service levels during SOC Operations

Sr No 1
Service Area: Event Response
Service Level: 24x7 monitoring of all in-scope devices. Categorization of events into Critical, High, Medium and Low priority shall be carried out in consultation with the selected bidder during the contracting phase.
Penalty: All Critical, High and Medium priority events should be logged as incident tickets and responded to as per the below SLAs. Events along with action plan/ mitigation steps should be alerted to designated bank personnel as per the below SLA:
• Critical events within 15 minutes of the event identification. Update should be provided every 15 minutes till the closure of the incident.
• High priority events within 30 minutes of the event identification. Update should be provided every 1 hour till the closure of the incident.
• Medium priority events within 60 minutes of the event identification. Update should be provided every 4 hours till the closure of the incident.
SLA is measured on a monthly basis and the penalty is as follows:
Critical Events:
• 95-99%: 10% of the Operations Cost for the Month
• 90-95%: 15% of the Operations Cost for the Month
• <90%: 20% of the Operations Cost for the Month
High Priority Events:
• 95-99%: 5% of the Operations Cost for the Month
• 90-95%: 10% of the Operations Cost for the Month
• <90%: 15% of the Operations Cost for the Month
Medium Priority Events:
• 95-99%: 1% of the Operations Cost for the Month
• 90-95%: 2% of the Operations Cost for the Month
• <90%: 5% of the Operations Cost for the Month
Low Priority/ Operational Events need to be logged and maintained for reference. An incident ticket need not be raised for such incidents. However, these need to be included in the daily reports.

Sr No 2
Service Area: Incident Resolution
Service Level: The timelines required for resolution of Critical, High and Medium priority incidents are mentioned below:
• Critical incidents within 60 minutes of the event identification. Update should be provided every 15 minutes till the closure of the incident.
• High priority incidents within 90 minutes of the event identification. Update should be provided every 1 hour till the closure of the incident.
• Medium priority incidents within 120 minutes of the event identification. Update should be provided every 4 hours till the closure of the incident.
Penalty: The required success rates for the incident resolution are outlined below:
Critical Incidents:
• 90-95%: 10% of the Operations Cost for the Month
• 85-90%: 15% of the Operations Cost for the Month
• <85%: 20% of the Operations Cost for the Month
High Priority Incidents:
• 90-95%: 5% of the Operations Cost for the Month
• 85-90%: 10% of the Operations Cost for the Month
• <85%: 15% of the Operations Cost for the Month
Medium Priority Incidents:
• 90-95%: 1% of the Operations Cost for the Month
• 85-90%: 2% of the Operations Cost for the Month
• <85%: 5% of the Operations Cost for the Month
Low Priority/ Operational incidents need to be logged and maintained for reference. These need to be included in the daily reports.

Sr No 3
Service Area: Report and Dashboard
Service Level: Periodic reports to be provided to the Bank as defined in the General Requirement section of Annexure IX Technical Requirements/ Specifications.
Penalty:
Daily Reports: Critical reports should be submitted twice a day (first report at 10 am and second report at 5 pm every day).
• Delay in reporting for the daily report for more than 2 hours shall incur a penalty of 3% of Operations Cost for the Month.
Weekly Reports: By 10:00 AM, Monday.
Monthly Reports: 5th of each month.
• Delay in reporting by more than 3 days for both weekly and monthly reports shall incur a penalty of 10% of Operations Cost for the Month.

Sr No 4
Service Area: Anti Phishing and Anti Malware Service along with taking down Phishing sites/ Mobile App
Service Level: The SI is expected to provide this service on a 24/7 basis. Incidents need to be logged and the resolution SLA is as per the incident resolution section.
Penalty:
• Take down of malicious sites within 24 hours of identification if confirmed by the bank.
• For a delay of 4 hours in takedown of such sites a penalty of 0.5% of quarterly cost for the service will be levied.
• For a delay of more than one week in takedown of such sites a penalty of 2% of quarterly costs will be levied.
• For more than one month delay in takedown of such site, the service shall be discontinued.
• In the event that a new site is identified which shares the same Home URL of a site already taken down, additional payment for the take down of such sites shall not be made.
• Re-occurrence within a month of a site already taken down by the SI shall not be considered as a new site and no additional payment shall be made for the takedown of such a site.
• Daily report of new phishing sites, action taken, instances of reactivation etc. to be shared with the bank.

Sr No 5
Service Area: Continual Improvement
Service Level: The SI is expected to improve the operations on an on-going basis. The SI is expected to provide a quarterly report of the new improvements suggested, action plans, and the status of these improvements to the bank. Improvement areas could include: process changes/ training resulting in efficiency/ SLA improvement, new correlation rules to identify threat patterns etc.
Penalty:
• Quarterly reports need to be provided by the 5th day of each quarter beginning.
• Delay in providing quarterly reports shall lead to 2% of the monthly SOC operation charges.
• Reduction by 2% in the time for event response, quarter on quarter.

Sr No 6
Service Area: Periodic Review
Service Level: The SOC project sponsor or locational delegate from the SI is expected to conduct a monthly review meeting with Bank officials resulting in a report covering details about current SOC SLAs, status of operations, key threats and new threats identified, issues and challenges etc.
Penalty:
• Monthly meeting for next five years to be conducted on the 25th (tentatively) of each month during the operations phase.
• A delay of more than three days will incur a penalty of 1% of SOC operations cost for that quarter.
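The event response, incident resolution and solution uptime service levels above, as an added worked example that is not part of the RFP: a Python checker that measures, over constructed incident tickets for one month, the share of each priority alerted and closed within its window, checks the update cadence, and maps the resulting percentages (and a solution's monthly uptime) to the penalty tiers. The tier tables in the RFP overlap at their boundaries ("95-99%" and "90-95%" both contain 95) and say nothing about rates above the top tier, so treating lower bounds as inclusive and the top band as penalty-free is an assumption, as are the sample tickets.

```python
"""SLA checker for the Chapter 4 service levels: event response, incident
resolution and solution uptime.  Added example, not part of the RFP.  Ticket
records are constructed; tier-boundary handling is an assumption (see below)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Minutes from event identification to alerting bank personnel (response) and
# to closure (resolution), and the required status-update cadence, per 4.2.
RESPONSE_SLA_MIN = {"Critical": 15, "High": 30, "Medium": 60}
RESOLUTION_SLA_MIN = {"Critical": 60, "High": 90, "Medium": 120}
UPDATE_CADENCE_MIN = {"Critical": 15, "High": 60, "Medium": 240}

# Penalty tiers as (lower bound of the measured percentage, penalty %), scanned
# top-down; the first tier whose lower bound the value reaches applies.
# ASSUMPTION: lower bounds are inclusive (the RFP writes "95-99%" and "90-95%",
# which overlap at 95) and a value at or above the top bound carries no penalty.
RESPONSE_TIERS = {                      # % of the month's Operations Cost
    "Critical": [(99, 0), (95, 10), (90, 15), (0, 20)],
    "High":     [(99, 0), (95, 5),  (90, 10), (0, 15)],
    "Medium":   [(99, 0), (95, 1),  (90, 2),  (0, 5)],
}
RESOLUTION_TIERS = {
    "Critical": [(95, 0), (90, 10), (85, 15), (0, 20)],
    "High":     [(95, 0), (90, 5),  (85, 10), (0, 15)],
    "Medium":   [(95, 0), (90, 1),  (85, 2),  (0, 5)],
}
# Monthly uptime % -> penalty % of quarterly SOC operation / maintenance charges.
UPTIME_TIERS = [(99.9, 0), (98, 5), (95, 8), (90, 15), (80, 30), (70, 50), (0, 100)]


@dataclass
class Ticket:
    priority: str
    identified: datetime          # time the event was identified
    alerted: datetime             # bank personnel alerted with an action plan
    closed: datetime              # incident closure
    updates: list = field(default_factory=list)   # interim status updates


def penalty_pct(value, tiers):
    """Map a measured percentage to its penalty using a tier table."""
    for lower, pct in tiers:
        if value >= lower:
            return pct
    return tiers[-1][1]


def responded_in_time(t):
    return t.priority in RESPONSE_SLA_MIN and \
        t.alerted - t.identified <= timedelta(minutes=RESPONSE_SLA_MIN[t.priority])


def resolved_in_time(t):
    return t.priority in RESOLUTION_SLA_MIN and \
        t.closed - t.identified <= timedelta(minutes=RESOLUTION_SLA_MIN[t.priority])


def updates_on_cadence(t):
    """True if no gap between alerting, successive updates and closure exceeds
    the update cadence for the ticket's priority (Low tickets have none)."""
    if t.priority not in UPDATE_CADENCE_MIN:
        return True
    cadence = timedelta(minutes=UPDATE_CADENCE_MIN[t.priority])
    points = [t.alerted, *sorted(t.updates), t.closed]
    return all(b - a <= cadence for a, b in zip(points, points[1:]))


def success_rates(tickets):
    """{priority: (response %, resolution %)} for priorities that carry an SLA;
    Low/operational tickets are only logged and reported, so they are skipped."""
    rates = {}
    for prio in RESPONSE_SLA_MIN:
        group = [t for t in tickets if t.priority == prio]
        if group:
            rates[prio] = (100.0 * sum(map(responded_in_time, group)) / len(group),
                           100.0 * sum(map(resolved_in_time, group)) / len(group))
    return rates


def monthly_penalties(tickets):
    """Per-priority penalty % of the month's Operations Cost for each SLA."""
    return {prio: {"response": penalty_pct(resp, RESPONSE_TIERS[prio]),
                   "resolution": penalty_pct(reso, RESOLUTION_TIERS[prio])}
            for prio, (resp, reso) in success_rates(tickets).items()}


def make(priority, identified, alert_min, close_min, update_mins=()):
    """Build a constructed ticket from minute offsets after identification."""
    return Ticket(priority, identified,
                  identified + timedelta(minutes=alert_min),
                  identified + timedelta(minutes=close_min),
                  [identified + timedelta(minutes=m) for m in update_mins])


# Constructed sample month: 4 Critical, 5 High, 10 Medium and 1 Low ticket.
BASE = datetime(2017, 9, 1)
SAMPLE_TICKETS = (
    [make("Critical", BASE + timedelta(hours=1), 10, 50, (25, 40)),  # all met
     make("Critical", BASE + timedelta(hours=2), 20, 55),            # alert late
     make("Critical", BASE + timedelta(hours=3), 5, 70),             # closed late
     make("Critical", BASE + timedelta(hours=4), 14, 59)]            # all met
    + [make("High", BASE + timedelta(days=d), 25, 80) for d in range(5)]
    + [make("Medium", BASE + timedelta(days=d, hours=12),
            61 if d == 0 else 45, 100) for d in range(10)]           # one late alert
    + [make("Low", BASE, 0, 0)]                                      # logged only
)

if __name__ == "__main__":
    print(success_rates(SAMPLE_TICKETS))     # Critical 75/75, High 100/100, Medium 90/100
    print(monthly_penalties(SAMPLE_TICKETS))
    print("uptime 97.5% -> penalty", penalty_pct(97.5, UPTIME_TIERS), "%")
```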
4.3 Responsibility Matrix
• The following table describes the responsibilities of the System Integrator (SI) selected through this
RFP, Bank, and Original Equipment Manufacturer (OEM) for problem management and issue
resolution related to the applications and tools hosted on the hardware and software proposed by the
SI.
• The Bank or consultant appointed by the bank shall conduct the acceptance test for the hardware and
software proposed by the Bidder.
Table: Responsibility Matrix
Sr No  Activity                                                       Bank  Selected Bidder  OEM
1      SOC Solutions Design                                           S     P                V and M
2      Installation of the proposed solutions, hardware and software  -     P                V and M
       including configuration as per the solution design and scope
       of work
3      Acceptance of the solutions                                    S     P                V
4      SOC Operations – Ongoing                                       -     P                -
5      SOC Operations Review                                          S     -                P and V
6      SLA Reports                                                    S     P                V
7      Incident Management                                            -     P                P
“V” - Validated (Responsible for Validating the activity)
“P” - Performed (Primary responsibility for executing the activity)
“S” – Signed Off (Responsible for providing the go-ahead)
“M”- Monitoring (Responsible for continuous monitoring of activity)
Chapter 5 – Project Team Structure
All team resources included in both the implementation and operation of SOC should be on the payroll
of SI or OEM.
OEMs shall provide on-site resources at each deployment location for their respective solutions during
the implementation phase in case the bidder is not able to resolve bank’s queries/ delays in
implementation or as necessitated by the Bank.
5.1 Implementation Phase
The bidder is required to deploy the necessary resources at Bank locations for complete implementation of
the various solutions so as to meet the Project Timelines.
5.2 Subcontracting
The bidder shall not subcontract or permit anyone other than its personnel to perform any of the work,
service or other performance required of the bidder under the contract.
5.3 Roles & Responsibilities
5.3.1 SI Project Sponsor
A senior management member from the SI shall be identified as the project sponsor; her or his
responsibilities are outlined below:
• Primarily responsible for successful implementation of the project in bank.
• Act to remove critical project bottlenecks.
• Identification of working team members, project management office members and team leads.
• Single point of contact for bank senior management.
5.3.2 Project Management Office (PMO)
• Ensure implementation timelines are met to achieve desired result.
• Monitor Change management activities.
• Monitor Quality and risk related activities.
• Identify and implement best practices.
• Periodic reporting to the Bank on the status, issues/ challenges faced and how these are resolved by
the vendor.
5.3.3 Team Lead
• Lead daily implementation effort.
• Report on progress to bank.
• Seek advice from the PMO on mitigation measures and deploy these at the bank.
5.3.4 Working Team
• Implementation of all device/solutions in scope.
• Customize device/solutions as per requirements.
• Perform acceptance testing for each device/solution.
5.3.5 OEM Team
OEMs shall provide on-site resources at each deployment location for their respective solutions during
the implementation phase for:
• Validation of solution design and architecture
• Continuous monitoring of implementation at each location.
• Provide support to working teams.
• Ensure customization is in line with bank’s requirements.
5.4 Operations Phase
Bidders need to provide approximate number of on-site resources in order to meet the service level
agreements mentioned in this RFP. Bidders should mention number of resources required for managing
the SOC in the format as per Annexure XII Resource Plan Matrix for the Bank.
The proportion in which resources should be deployed in the operations phase shall be L1 : L2 : L3 = 6 : 2 : 1.
This deployment should ensure a 24/7 operational SOC.
The cost of the resources as provided in the Final commercial bill of materials shall be considered as
fixed for the term of the project, and the Bank may procure additional resources at that cost, not
necessarily in the above mentioned ratio.
Chapter 6 – Project Timelines
Bidders are requested to keep the following timelines in regard to the implementation of solutions in the
Bank.
T denotes the date of release of PO to the Bidder. For example: T+3 represents that the solution needs to
be implemented within 3 months of the release of the PO.
Time
Activity | T | T+2 months | T+3 months | T+4 months | T+6 months | T+9 months
Purchase order
Anti-Phishing
ANTI-APT
WAF
PIM
SIEM
Delivery Period
The delivery timelines for hardware as per the BOM for each solution are as below:
Anti-APT : T+2 Months
WAF : T+3 Months
PIM : T+4 Months
SIEM : T+4 Months
Chapter 7 – Evaluation Methodology
Bank will open the technical bids on the stipulated day in the presence of authorized representatives of
the bidders. The technical bid will be opened first and evaluated for technical requirements as per the
stipulations.
(a) Technical Evaluation
The Bank will adopt bidder evaluation processes as detailed hereunder:
The technical response to the RFP and the bidder’s compliance with the required terms & conditions and scope
of specifications as specified in Annexure-IX will be evaluated. The technical response to the RFP needs
to be substantiated by the necessary documents, proofs, certificates, records etc.
(b) Commercial Evaluation
The Commercial Bid evaluation will be carried out through sealed commercial bidding. Commercial
Bids of only technically qualified bidders will be opened in the presence of the technically qualified
bidder’s representatives on date and time to be communicated to the qualified Bidders.
L1 bidder will be selected on the basis of the lowest Total Cost of Ownership (TCO) criteria.
ANNEXURE I - TENDER COVERING LETTER
(Duly signed & stamped by the authorized signatory)
The Assistant General Manager - IT
Punjab & Sind Bank,
Bank House, 21, Rajendra Place,
New Delhi -110008
Dear Sir,
Sub: Request for Proposal for “Selection of Security System Integrator to set up Security
Operation Centre (SOC) for Bank” - Tender Ref No.________________________________ dated
_________________
With reference to the above RFP, having examined and understood the instructions including all
annexure, terms and conditions forming part of the Bid, we hereby enclose our offer for RFP for
‘Selection of Security System Integrator to set up Security Operation Centre (SOC) for Bank’ in the
RFP document forming Technical as well as Commercial Bids being parts of the above referred Bid.
In the event of our selection by the Bank for Selection of Security System Integrator to set up Security
Operation Centre (SOC) for Bank, we will submit a Performance Guarantee for a sum equivalent to
10% of the total contract value with validity of 63 months (or extended period, if any) in favour of
Punjab & Sind Bank.
Further we agree to abide by the terms and conditions of this tender and our offer shall remain valid for
180 days from the date of technical bid opening and our offer shall remain binding upon us which may
be accepted by the Bank any time before expiry of 180 days.
Until a formal contract is executed, this tender offer, together with the Bank’s written acceptance thereof
and Bank’s notification of award, shall constitute a binding contract between us.
We understand that The Bank is not bound to accept the lowest or any offer the Bank may receive.
Dated this ____day of __________, 2017
Signature: (In the Capacity of)
Annexure II - COMPLIANCE TO MINIMUM ELIGIBILITY CRITERIA
Sr. No. | Eligibility Clause | Compliance (Yes/ No) (Mention Document reference, wherever applicable)
EC-1 | The Bidder should be a Company/ firm in India registered under the Companies Act, 1956 for a period of minimum five (05) years. | Certificate of Incorporation & Commencement of Business (applicable for Public Ltd. Companies). A certified copy of the same is required to be submitted with the Bid.
EC-2 | The Bidder should have made an annual turnover of Rs. 100 Crore per annum in the last three Financial Years (i.e. FY 2014-15, 2015-16, and 2016-17). | Audited Financial Statements for the last three Financial Years, viz. 2014-15, 2015-16, and 2016-17 need to be furnished. CA certificate needs to be furnished.
EC-3 | The Bidder should have positive net worth in the last 3 financial years (i.e. FY 2014-15, 2015-16, and 2016-17). | Audited Financial Statements for the last three Financial Years, viz. 2014-15, 2015-16, and 2016-17 need to be furnished. CA certificate needs to be furnished.
EC-4 | The Bidder should have an annual turnover of at least Rs. 10 Crores in providing security services in each of the last three Financial Years (i.e. FY 2014-15, 2015-16, and 2016-17). | CA Certificate/ Customer PO/ CA Declaration
EC-5 | The Bidder should have experience of at least 1 BFSI (Banking, Financial Services and Insurance) or Govt. Sector client in implementing/ supporting a Security Operations Centre (SOC) in the last 5 years in India. | Copies of purchase orders showing SOC experience with clients.
EC-6 | The Bidder should have implemented or provided/ be providing SOC Security Services, including log monitoring and correlation, for a minimum of 1000 EPS to at least one (01) BFSI or Govt. Sector client in India. | Letter from client on client letterhead/ commissioning report along with name and designation and landline telephone contact details.
EC-7 | The Bidder’s organization should have ISO 27001 certification. | ISO 27001 certification copy.
EC-8 | The Bidder should not be the existing System Integrator (for Network Infrastructure/ Facility Management) for Punjab & Sind Bank, to avoid conflict of interest. | Bidder undertaking should be submitted in this regard.
EC-9 | The proposed solutions (i.e. SIEM, WAF, PIM, and Anti-APT) should be successfully implemented in any BFSI or Govt. Sector client(s) in India. | OEM Letter with client name.
EC-10 | The Bidder should deploy industry standard licensed tools. | Undertaking letter from Bidder
EC-11 | The SIEM deployed must be in the Leader or Challenger Quadrant of the latest published Gartner Report for SIEM. | Gartner Report
EC-12 | The bidder should not have been put in the negative list or blacklisted by any Public Sector Bank/ Government Organization for breach of applicable laws or violation of regulatory prescriptions or breach of agreement for providing SOC services at the time of bid submission. | Undertaking letter from the bidder
EC-13 | Bidder/ OEM should have successfully implemented SIEM in integration with Core Banking System (Finacle). In case of OEM’s experience, the OEM shall own the complete implementation responsibility of SIEM. | An undertaking letter from OEM.
EC-14 | Bidder/ OEM should have successfully implemented WAF, PIM, and Anti-APT. In case of OEM’s experience, the OEM shall own the complete implementation responsibility for the solution whose proof is submitted by the OEM (WAF, PIM, and Anti-APT). | An undertaking letter from OEM.
EC-15 | The proposed solutions should be certified/ benchmarked by an independent third party/ OEM for performance and security. | Enclose certificate/ benchmark report for security and performance from an independent third party OR OEM letter for performance and security.
EC-16 | The proposed WAF solution must be in the Leader or Challenger Quadrant of the latest published Gartner Report. | Latest Gartner Report
Signature/ Seal of Company
(Duly signed & stamped by the authorized signatory)
ANNEXURE III - BIDDER’S INFORMATION
The Assistant General Manager (IT)
Punjab & Sind Bank, HO Information Technology Department,
Bank House, 2nd Floor, 21, Rajendra Place
New Delhi -110008
Sir,
Reg: RFP for Selection of Security System Integrator to set up Security Operation Centre (SOC)
for Bank.
With reference to RFP No _________________________________dated: ________________ (Read
with its Addendums/ Corrigendum/ Amendments), we hereby submit necessary information hereunder:-
1. Name & address of the Company with direct phone
numbers
2. Registration No. and date of establishment
3. Website Address
4. Email Address:
5. Detail of Tender Fee and Earnest Money Deposited:
6. Figures for last 3 years (in Crores with two decimals):-
| 2014-15 | 2015-16 | 2016-17
Annual Turnover | | |
Annual turnover in providing security services | | |
7. Income Tax PAN and GSTIN number
DECLARATION
1. I/We hereby declare that the terms and conditions of the tender stated herein and as may be modified/
mutually agreed upon are acceptable and binding to me/us. We understand and agree and undertake that:-
1. The Bank is not bound to accept the lowest bid and may reject all or any bid at any stage at its sole
discretion without assigning any reason therefor.
2. If our Bid for the above job is accepted, we undertake to enter into and execute at our cost, when
called upon by the Bank to do so, a contract in the prescribed form. Unless and until a formal
contract is prepared and executed, this bid together with your written acceptance thereof shall
constitute a binding contract between us.
3. We have read and understood all the terms and conditions and contents of the RFP and also
undertake that our bid conforms to all the terms and conditions and does not contain any deviation or
misrepresentation. We understand that the Bank reserves the right to reject our bid on account of any
misrepresentation/ deviations contained in the bid.
4. The Bank may accept or entrust the entire work to one Bidder or divide the work among more than one
bidder without assigning any reason or giving any explanation whatsoever, and the Bank’s decision
in this regard shall be final and binding on us.
5. If our bid is accepted, we are to be jointly and severally responsible for the due performance of the
contract.
6. Bidder means the vendor who is decided and declared so after examination of the commercial bids.
Name of person Authorized to sign:
Mobile No.
Email:
Date:
Place: SIGNATURE & STAMP OF AUTHORISED SIGNATORY
ANNEXURE IV – SAMPLE PROFORMA FOR THE BANK GUARANTEE FOR EARNEST
MONEY DEPOSIT
(To be stamped in accordance with stamp act)
Ref: Bank Guarantee # Date: __________
Punjab & Sind Bank
Information Technology Department
21, Rajendra Place, Bank House,
New Delhi 110008
Dear Sir,
In accordance with your bid reference No. ______________________ Dated: _______________
M/s ______________________________________ having its registered office at
______________________________________________ (hereinafter called bidder) wishes to
participate in the said bid for ‘Selection of Security System Integrator to set up Security Operation
Centre (SOC) for Bank’. An irrevocable Financial Bank Guarantee (issued by a nationalized/ scheduled
commercial Bank) against Earnest Money Deposit amounting to
Rs.____________ (Rs._____________________________) valid up to ___________ is required to be
submitted by the bidder, as a condition for participation in the said bid, which amount is liable to be
forfeited on the happening of any contingencies mentioned in the bid document.
M/s _________________________________ having its registered office at
__________________________ has undertaken in pursuance of their offer to Punjab & Sind Bank
(hereinafter called the beneficiary) dated __________, has expressed its intention to participate in the
said bid and in terms thereof has approached us and requested us, ___________________________
(Name of Bank) ________________________ (Address of Bank), to issue an irrevocable financial Bank
Guarantee against Earnest Money Deposit (EMD) amounting to Rs
___________ (Rupees_______________________) valid up to __________. We, the
___________________________ (Name of Bank) ________________________ (Address of Bank)
having our Head office at ______________________ therefore guarantee and undertake to pay
immediately on first written demand by Punjab & Sind Bank the amount of Rs.
________________ (Rupees__________________________) without any reservation, protest, demur
and recourse in case the bidder fails to comply with any condition of the bid or commits any violation of the
terms of the bid, without the beneficiary needing to prove or demonstrate reasons for such demand.
Any such demand made by the said beneficiary shall be conclusive and binding on us irrespective of any
dispute or difference raised by the bidder. This guarantee shall be irrevocable and shall remain valid up
to ____________. If any further extension of this Guarantee is required, the same shall be extended to
such required period on receiving instructions in writing from Punjab & Sind Bank, on whose behalf the
guarantee is issued. Notwithstanding anything contained hereinabove, our liability under this bank
guarantee shall not exceed Rs.____________ (Rupees__________________________).
This bank guarantee shall be valid up to ___________________. We are liable to pay the guaranteed
amount or any part thereof under this bank guarantee only if you serve upon us a written claim or
demand on or before _____________ before 14.30 hours (Indian Standard Time), whereafter it ceases
to be in effect in all respects whether or not the original bank guarantee is returned to us. In witness
whereof the Bank, through its authorized officer, has set its hand and stamp on this _____________ Day of
______________ 2017 at __________________
Name of signatory Designation Bank Common Seal
ANNEXURE - V - Acceptance of Scope of Work
(On Bidder’s letter head duly stamped and signed by Authorized Signatory)
RFP Reference No____________ Date: _______________
The Assistant General Manager-IT
Punjab & Sind Bank, Bank House
21, Rajendra Place
New Delhi - 110008
Dear Sir,
Reg: Request for Proposal for “Selection of Security System Integrator to set up Security
Operation Centre (SOC) for Bank”.
We hereby undertake that we have read and understood the complete scope of work mentioned in the
Section Scope of Work and elsewhere in the said Tender Document (Read with Addendums
/Corrigendum and response to queries).
We further undertake that the Cost includes all the costs of solutions/ services mentioned in the document and
the Bank shall not be liable to pay any other/ additional cost beyond what is quoted by us on account of any
omission in factoring the cost of any solution/ service whatsoever mentioned in the document.
I further undertake that all desired clarifications, if any, have been obtained by us as to interpretations of
the Scope of work. We undertake to comply with the complete Scope of work mentioned in the tender
document.
Yours faithfully,
(Signatures & Stamp)
Authorized Signatory
ANNEXURE – VI - ACCEPTANCE/COMPLIANCE CERTIFICATE
All Terms and Conditions including scope of work
We hereby undertake and agree to abide by all the terms and conditions stipulated by the Bank in this
RFP including all addendum, corrigendum etc. Any deviation may result in disqualification of bid.
Signature:
Seal of company:
Deviations in Submitted Bids
We certify that the solutions/ services offered by us for tender conform to all the clauses/ specifications
stipulated by Bank with the following deviations:
List of deviations:
1) _______________________________________________
2) _______________________________________________
3) _______________________________________________
(Any deviations in Bid submission may be subject to rejection. If left blank it will be construed that
there is no deviation from any clauses/ specifications given in RFP.)
Signature:
Seal of company:
ANNEXURE-VII – Sample Format of Performance Guarantee
Tender Reference No: ______________________ Date _________________
The Assistant General Manager -IT
Punjab & Sind Bank, HO IT Department
21, Rajendra Place
New Delhi – 110008
Dear Sir,
1. WHEREAS pursuant to a Request for Proposal dated…………….. (hereinafter referred to as RFP,
issued by Punjab & Sind Bank, Bank House, 21, Rajendra Place, New Delhi in response of (Vendor /
Service Provider), a Company registered under the Companies Act, 1956 and having its Registered /
Corporate Office at …………………………………has awarded the Contract valued
Rs………………………………….and appointed…………………….as Vendor/ Service Provider for
Selection of Security System Integrator to set up Security Operation Centre (SOC) for Bank vide
Appointment letter / Purchase Order No…………………………………dated……………..on the terms
and conditions as set out inter-alia in the said RFP and in the Appointment Letter / Purchase Order.
2. WHEREAS you have in terms of the said Appointment letter / Purchase Order called upon (Vendor /
Service Provider to furnish a Performance Guarantee, for Rs…………………………….Rupees only),
equivalent to…………………..of the Contract value, to be issued by a Bank in your favour towards due
performance of the Contract in accordance with the specifications, terms and conditions of the said
Appointment letter / Purchase Order and an Agreement entered / to be entered into in this behalf.
3. WHEREAS (Vendor / Service Provider) has approached us for issuing in your favour a performance
Guarantee for the sum of Rs…………………………….. (Rupees…………………………………….).
NOW THEREFORE in consideration of you having awarded the Contract to…..…………….inter-alia
on the terms & conditions that provides a performance guarantee for due performance of the terms and
conditions thereof. We,………………….Bank,…………………… a body corporate constituted under
……………………………………having its Head office
at………………………………………………(give full address) and a branch inter-alia
at………………………………. India at the request of…………do hereby expressly, irrevocably and
unconditionally undertake to pay merely on demand from you and without any demur without referring
to any other source, Rs………………………….(Rupees……………………………only) against any
loss or damage caused to or suffered by or that may be caused to or suffered by you on account of any
breach or breaches on the part of ………………of any of the terms and conditions of the Contract and in
the event of………………committing any default or defaults in carrying out any of the work or
discharging any obligation under the said Contract or otherwise in the observance and performance of
any of the terms and conditions relating thereto including non-execution of the Agreement as may be
claimed by you on account of breach on the part of …………….of their obligations or default in terms
of the said Appointment letter / Purchase Order.
4. Notwithstanding anything to the contrary contained herein or elsewhere, we agree that your decision
as to whether the ……………..has committed any such breach/ default or defaults and the amount or
amounts to which you are entitled by reason thereof will be binding on us, and we shall not be entitled
to ask you to establish its claim or claims under this Guarantee, but will pay the same forthwith on
demand without any protest or demur. Any such demand made by you shall be conclusive as regards the
amount due and payable by us to you.
5. This Guarantee shall be valid up to ……….. plus 3 (three) months of the Claim period from the
expiry of said guarantee period. Without prejudice to your claim or claims arisen and demanded from or
otherwise notified to us in writing before the expiry of the said date which will be enforceable against us
notwithstanding that the same is or are enforced after the said date.
6. You will have the fullest liberty without our consent and without affecting our liabilities under this
Guarantee from time to time to vary any of the terms and conditions of the said appointment letter or the
Contract to be made pursuant thereto or extend the time of performance of the Contract or to postpone
for any time or from time to time any of your rights or powers against the ………and either to enforce or
forbear to enforce any of the terms and conditions of the said appointment letter or the Contract and we
shall not be released from our liability under Guarantee by exercise of your liberty with reference to
matters aforesaid or by reason of anytime being given to or any other forbearance, act or omission on
your part or any indulgence by you or any other act, matter or things whatsoever which under law
relating to sureties, would but for the provisions hereof have the effect of releasing us from our liability
hereunder provided always that nothing herein contained will enlarge our liability hereunder beyond the
limit of Rs…………………….. (Rupees…………………………………only) as aforesaid or extend the
period of the guarantee beyond ………………….(date) unless expressly agreed to by us in writing.
7. This Guarantee shall not in any way be affected by your taking or giving up any securities from
……………or any other person, firm or company on its behalf or by the winding up, dissolution or
insolvency, as the case may be, of ……….
8. In order to give full effect to the Guarantee herein contained, you shall be entitled to act as if we were
your principal debtors in respect of all your claims against ……….hereby guaranteed by us as aforesaid
and we hereby expressly waive all our rights of suretyship and other rights, if any, which are in any way
inconsistent with any of the provisions of Guarantee.
9. Subject to the maximum limit of our liability as aforesaid, this Guarantee will cover all your claim or
claims against ………from time to time arising out of or in relation to the said appointment letter /
Contract and in respect of which your claim in writing is lodged on us before expiry of Guarantee.
10. Any Notice by way of demand or otherwise hereunder may be sent by special courier, telex, fax, e-
mail or registered post to our Head Office / Local address as aforesaid and if sent accordingly it shall be
deemed to have been given when the same has been posted.
11. This Guarantee shall not be affected by any change in the constitution of ___________ nor shall it
be affected by any change in your constitution or by any amalgamation or absorption thereof or
therewith, but will enure to the benefit of and be available to and be enforceable by the absorbing or
amalgamated company or concern.
12. This Guarantee shall come into force from the date of its execution and shall not be revoked by us
any time during its currency without your previous consent in writing.
13. We further agree and undertake to pay you the amount demanded in writing irrespective of any
dispute or controversy between you and ________________ in any suit or proceeding pending before
any court, Tribunal or Arbitrator relating thereto, our liability under these presents being absolute and
unequivocal. The payments so made by us shall be a valid discharge of our liability for payment
hereunder and ____________shall have no claim against us for making such payment.
14. We have the power to issue this Bank Guarantee in your bank’s favour as the undersigned has full
power to execute this Bank Guarantee under the Power of Attorney issued by our Bank.
15. Our authority to issue this guarantee may be verified with our Controlling Office situated at
________________________________(full details of persons to be contacted address and phone
Numbers etc).
16. Notwithstanding anything contained herein above;
i) Our liability under this Guarantee shall not exceed Rs_______________ (Rupees
___________________________________________only)
ii) This Guarantee shall be valid and remain in force up to_________________ plus the Claim period of
6 (Six) months and including the date ______________________ and
iii) We are liable to pay the guaranteed amount or any part thereof under this Guarantee only and only if
you serve upon us a written claim or demand for payment on or before the expiry of this Guarantee.
Dated this the __________________ day of ______________ 2017.
Signature and Seal of Guarantors
Vendor’s Bank
ANNEXURE-VIII SAMPLE PRE-BID QUERY FORMAT
Sr. No | Page No. | Clause Number | RFP clause | Bidder’s remark
ANNEXURE – IX Technical Requirements/ Specifications
<<< Enclosed Separately. >>>
ANNEXURE - X - Commercial Bill (CB) of Materials - TCO
Total SOC Solutions/ Services Cost for 5 Years as per Scope
Total SOC Project Cost (for 5 Years) - TCO | SIEM | WAF | PIM | Anti-APT | Anti-Phishing | SOC Resource Cost | SOC Maintenance Charges | Other Implementation Charges | Other Security Services | TOTAL Cost for Bank (INR)
Note:
* The bidder to quote total price excluding taxes. Taxes shall be payable extra on actual basis
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
SIEM Solution Implementation Cost (In INR)
Module | Security Information & Event Management (SIEM) | Data Center: No of Units | Unit Price in INR | Total Cost in INR | Disaster Recovery Center: No of Units | Unit Price in INR | Total Cost in INR | Total Cost including DC & DR
SIEM Solution Cost (Includes Hardware + Software) | Log Collection Device (HA in DC & HA in DR)
SIEM Solution Cost (Includes Hardware + Software) | Log Storage Server (HA in DC & Standalone in DR)
SIEM Solution Cost (Includes Hardware + Software) | Log Correlation Engine (HA in DC)
SIEM Storage Cost | Tier II Storage - 1 Year Near-Line Logs (Minimum of 3 TB and Expandable to 8 TB)
SIEM Storage Cost | Tier III Storage - 9 Year Offline Logs (Minimum of 10 TB and Expandable to 70 TB)
SIEM Storage Cost | Additional Disk Cost per TB (10000 rpm)
SIEM Storage Cost | Additional Disk Cost per TB (7200 rpm)
SIEM OS License (If required) | OS License (Use additional Rows if required)
SIEM DB License (If required) | DB License (Use additional Rows if required)
SIEM tools (Any other tools if required) | Other Tools (Mention Tool Details) (Use additional Rows if required)
Any other hardware required | Other Hardware (if required) (Use additional Rows if required)
Any other Cost (Specify) |
Optional Items | Additional cost per 1000 EPS
TOTAL COST FOR SIEM =
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
WAF Implementation Cost (In INR)
Module | Web Application Firewall (WAF) | Data Center: No of Units | Unit Price in INR | Total Cost in INR | Disaster Recovery Center: No of Units | Unit Price in INR | Total Cost in INR | Total Cost including DC & DRC
WAF Solution Cost (Includes Hardware + Software) | Solution Cost (HA in DC & HA in DR) (Use additional Rows if required)
WAF tools (Any other tools if required) | Other Tools (Mention Tool Details) (Use additional Rows if required)
Any other Cost (Specify) |
TOTAL COST FOR WAF =
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
Privilege Identity Management (PIM) Solution Implementation Cost (INR)
Module | Privilege Identity Management (PIM) | Data Center: No of Units | Unit Price in INR | Total Cost in INR | Disaster Recovery Center: No of Units | Unit Price in INR | Total Cost in INR | Total Cost including DC & DRC
PIM Solution Cost (Includes Hardware + Software) | Solution Cost (Standalone Mode at DC and DR) (Use additional Rows if required)
Optional Items | Additional cost per 10 Administrators (Use additional Rows if required)
PIM tools (Any other tools if required) | Other Tools (Mention Tool Details) (Use additional Rows if required)
Any other Cost (Specify) |
TOTAL COST FOR PIM =
Signature:
Seal of company: (Duly signed & stamped by the authorized signatory)
Anti-Advanced Persistent Threat Protection (Anti-APT) Implementation Cost (INR)
Module | Anti-Advanced Persistent Threat Protection (Anti-APT) | Data Center: No of Units | Unit Price in INR | Total Cost in INR | Disaster Recovery Center: No of Units | Unit Price in INR | Total Cost in INR | Total Cost including DC & DRC
Anti-APT Solution Cost (Software + Hardware) | Solution Cost (HA in DC & HA in DR) (Use additional Rows if required)
Other tools (Any other tools if required) | Other Tools (Mention Tool Details) (Use additional Rows if required)
Any other Cost (Specify) |
TOTAL COST FOR Anti-APT =
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
Anti Phishing Services Implementation Cost (In INR)
Module | Anti Phishing Services | Data Center: No of Units | Unit Price in INR | Total Cost in INR | Disaster Recovery Center: No of Units | Unit Price in INR | Total Cost in INR | Total Cost including DC & DRC
Service Fee | Service Fee (For Website/ Mobile App mentioned in RFP) (Use additional Rows if required) | 5 | | | 5 | | |
Any other cost (specify) | (Use additional Rows if required) | | | | | | |
Optional Items | Additional cost per website (Use additional Rows if required) | 1 | | | 1 | | |
Optional Items | Additional cost per Mobile App (Use additional Rows if required) | 1 | | | 1 | | |
TOTAL COST FOR ANTI-PHISHING =
SOC Resource Cost (INR)
Resource | SOC Operations Location: No of Units for Bank | Unit Price in INR (per Annum) | Total Cost in INR per Annum | Total Cost for 5 years
L1 Resource Cost | 6 | | |
L2 Resource Cost | 2 | | |
L3 Resource Cost | 1 | | |
TOTAL SOC Resource Cost =
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
SOC Maintenance Charges (INR)
Module | Solutions/ Services | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total Cost
Hardware | SIEM | X | X | X | | |
Hardware | WAF | X | X | X | | |
Hardware | PIM | X | X | X | | |
Hardware | Anti-Phishing | NA | NA | NA | NA | NA | NA
Hardware | Anti-APT | X | X | X | | |
Hardware | (Use additional Rows if required) | X | X | X | | |
Software Support (including licenses) | SIEM | X | | | | |
Software Support (including licenses) | WAF | X | | | | |
Software Support (including licenses) | PIM | X | | | | |
Software Support (including licenses) | Anti-Phishing | NA | NA | NA | NA | NA | NA
Software Support (including licenses) | Anti-APT | X | | | | |
Software Support (including licenses) | (Use additional Rows if required) | X | | | | |
TOTAL SOC Maintenance Charges =
Note: In case of Hardware appliance, please place the charges in Software section only.
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
Other Implementation Charges (INR)
Module | Details | At SOC Operations Location: No of Units | Unit Price in INR | Total Cost in INR
Display Devices | LED Screen for SOC Monitoring | 1 | |
Others | Racks for deploying the Solutions/ Appliances at DC, DR, CBS Cell, & Other Locations | | |
Others | Network Cables at DC, DR, CBS Cell, & Other Locations | | |
Others | (Use additional Rows if required) | | |
TOTAL =
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
Other Security Services (in INR)
Sr No | Description of Solution | Quantity | Cost for one Year | Total Cost for 5 years
1 | OTHER SECURITY SERVICES (Like- Security Intelligence Services, Security Advisory Services, Security Architecture Review, Minimum Baseline Security Standards (MBSS), Configuration Review, VAPT, Mobile Applications Review, Other Requirements, & Monitoring, Reporting, & Security Dashboard etc. as per the scope in the RFP.) | 5 | A | = A x 5
2 | Risk Assessment Services | 5 | A | = A x 5
3 | FORENSIC INVESTIGATION (Per man day Cost Rs. _________) [A] (Optional Item) | 200 | NA | = A x 200
TOTAL =
Note:
(1) The quantity mentioned under FORENSIC INVESTIGATION (200) is taken for the purpose
of calculation of TCO; however actual payment shall be on per incident basis @ unit rate/per
man day cost.
Signature:
Seal of company:
(Duly signed & stamped by the authorized signatory)
Annexure – XI – Sample Non-Disclosure Agreement
This Non-Disclosure Agreement made and entered into at ___________ on this XXXX day of XXXXX
______.
BY AND BETWEEN
XXXXXXX, a company incorporated under the _______ Act, XXXX having its registered office at
XXXXXXX (hereinafter referred to as the firm / Company which expression unless repugnant to the
context or meaning thereof be deemed to include its permitted successors) of the ONE PART;
AND
Punjab & Sind Bank, a body corporate, established under the Banking Companies (Acquisition and
Transfer of Undertakings) Act 1970 and having its Head Office at 21, Rajendra Place, New Delhi
110008 (Hereinafter referred to as “Bank” which expression shall unless it be repugnant to the subject,
meaning or context thereof, be deemed to mean and include its successors and assigns) of the OTHER
PART.
The Firm / Company and Punjab & Sind Bank are hereinafter collectively referred to as “the Parties”
and individually as “the Party”.
WHEREAS:
1. Punjab & Sind Bank is engaged in the business of providing financial services to its customers and
intends to engage an independent entity for Managed Security Services for Security Operation Centre
for the Bank.
2. In the course of such assignment, it is anticipated that Punjab & Sind Bank or any of its officers,
employees, officials, representatives or agents may disclose, or deliver, to the Firm / Company some
Confidential Information (as hereinafter defined), to enable the Firm / Company to carry out the
aforesaid professional services assignment (hereinafter referred to as "the Purpose").
3. The Firm / Company is aware and confirms that all information, data and other documents made
available in the RFP/Bid Documents/Agreement /Contract or in connection with the Services rendered
by the Firm / Company are confidential information and are privileged and strictly confidential and or
proprietary of Punjab & Sind Bank. The firm / Company undertakes to safeguard and protect such
confidential information as may be received from Punjab & Sind Bank.
NOW, THEREFORE THIS AGREEMENT WITNESSED THAT in consideration of the above
premises and the Punjab & Sind Bank granting the firm / Company and or his agents, representatives to
have specific access to Punjab & Sind Bank property / information and other data it is hereby agreed by
and between the parties hereto as follows:
1. Confidential Information:
(i) “Confidential Information” means all information disclosed/furnished by Punjab & Sind Bank to the
firm / Company whether orally, in writing or in electronic, magnetic or other form for the limited
purpose of enabling the Firm / Company to carry out the proposed assignment, and shall mean and
include data, documents and information or any copy, abstract, extract, sample, note or module thereof,
explicitly designated as "Confidential"; Provided the oral information is set forth in writing and marked
"Confidential" within seven (7) days of such oral disclosure.
(ii) The firm / Company may use the Confidential Information solely for and in connection with the
Purpose and shall not use the Confidential Information or any part thereof for any reason other than the
Purpose stated above.
Confidential Information in oral form must be identified as confidential at the time of disclosure and
confirmed as such in writing within seven (7) days of such disclosure. Confidential Information does not
include information which:
(a) Is or subsequently becomes legally and publicly available without breach of this Agreement by either
party,
(b) Was rightfully in the possession of the firm / Company without any obligation of confidentiality
prior to receiving it from Punjab & Sind Bank,
(c) Was rightfully obtained by the firm / Company from a source other than Punjab & Sind Bank
without any obligation of confidentiality,
(d) Was developed by or for the firm / Company independently and without reference to any Confidential
Information and such independent development can be shown by documentary evidence, or is/was
disclosed pursuant to an order of a court or governmental agency as so required by such order, provided
that the firm / Company shall, unless prohibited by law or regulation, promptly notify Punjab & Sind
Bank of such order and afford Punjab & Sind Bank the opportunity to seek appropriate protective order
relating to such disclosure.
(e) The recipient knew or had in its possession, prior to disclosure, without limitation on its
confidentiality;
(f) Is released from confidentiality with the prior written consent of the other party.
The recipient shall have the burden of proving that the exceptions hereinabove are applicable to the information in the
possession of the recipient.
Confidential Information shall at all times remain the sole and exclusive property of the disclosing party.
Upon termination of this Agreement, Confidential Information shall be returned to the disclosing party
or destroyed, if incapable of return. The destruction shall be witnessed and so recorded, in writing, by an
authorized representative of each of the parties.
Nothing contained herein shall in any manner impair or affect rights of Punjab & Sind Bank in respect
of the Confidential Information.
In the event that any of the Parties hereto becomes legally compelled to disclose any Confidential
Information, such Party shall give sufficient notice to the other party to enable the other Party to prevent
or minimize to the extent possible, such disclosure. Neither party shall disclose to a third party any
Confidential Information or the contents of this Agreement without the prior written consent of the other
party. The obligations of this Clause shall be satisfied by handling Confidential Information with the
same degree of care, which the receiving party applies to its own similar confidential information but in
no event less than reasonable care. The obligations of this clause shall survive the expiration,
cancellation or termination of this Agreement.
2. Non-disclosure:
The firm / Company shall not commercially use or disclose any Confidential Information or any
materials derived therefrom to any other person or entity other than persons in the direct employment of
the Firm / Company who have a need to have access to and knowledge of the Confidential Information
solely for the Purpose authorized above. The firm / Company shall take appropriate measures by
instruction and written agreement prior to disclosure to such employees to assure against unauthorized
use or disclosure. The Firm / Company may disclose Confidential Information to others only if the Firm
/ Company has executed a Non-Disclosure Agreement with the other party to whom it is disclosed that
contains terms and conditions that are no less restrictive than these presents and the Firm / Company
agrees to notify Punjab & Sind Bank immediately if it learns of any use or disclosure of the Confidential
Information in violation of terms of this Agreement. Notwithstanding the marking and identification
requirements above, the following categories of Information shall be treated as Confidential Information
under this Agreement irrespective of whether it is marked or identified as confidential:
a) Information regarding Punjab & Sind Bank and any of its Affiliates, customers and their accounts
(“Customer Information”). For purposes of this Agreement, Affiliate means a business entity now or
hereafter controlled by, controlling or under common control. Control exists when an entity owns or
controls more than 10% of the outstanding shares or securities representing the right to vote for the
election of directors or other managing authority of another entity; or
b) Any aspect of Punjab & Sind Bank's business that is protected by patent, copyright, trademark, trade
secret or other similar intellectual property right; or
c) Business processes and procedures; or
d) Current and future business plans; or
e) Personnel information; or
f) Financial information.
3. Publications:
The Firm / Company shall not make news releases, public announcements, give interviews, issue or
publish advertisements or publicize in any other manner whatsoever in connection with this Agreement,
the contents / provisions thereof, other information relating to this Agreement, the Purpose, the
Confidential Information or other matter of this Agreement, without the prior written approval of Punjab
& Sind Bank.
4. Term:
This Agreement shall be effective from the date hereof and shall continue till expiration of the Purpose
or termination of this Agreement by Punjab & Sind Bank, whichever is earlier. The Firm /Company
hereby agrees and undertakes to Punjab & Sind Bank that immediately on termination of this Agreement
it would forthwith cease using the Confidential Information and further promptly return or destroy,
under information to Punjab & Sind Bank, all information received by it from Punjab & Sind Bank for
the Purpose, whether marked Confidential or otherwise, and whether in written, graphic or other
tangible form and all copies, abstracts, extracts, samples, notes or modules thereof. The Firm /Company
further agrees and undertakes to Punjab & Sind Bank to certify in writing upon request of Punjab & Sind
Bank that the obligations set forth in this Agreement have been complied with. Any provisions of this
Agreement which by their nature extend beyond its termination shall continue to be binding and
applicable without limit in point of time except and until such information enters the public domain.
5. Title and Proprietary Rights:
Notwithstanding the disclosure of any Confidential Information by Punjab & Sind Bank to the Firm /
Company, the title and all intellectual property and proprietary rights in the Confidential Information
shall remain with Punjab & Sind Bank.
6. Remedies:
The Firm / Company acknowledges the confidential nature of Confidential Information and that damage
could result to Punjab & Sind Bank if the Firm / Company breaches any provision of this Agreement
and agrees that, if it or any of its directors, officers or employees should engage or cause or permit any
other person to engage in any act in violation of any provision hereof, Punjab & Sind Bank may suffer
immediate irreparable loss for which monetary compensation may not be adequate. Punjab & Sind Bank
shall be entitled, in addition to other remedies for damages & relief as may be available to it, to an
injunction or similar relief prohibiting the Firm / Company, its directors, officers etc. from engaging in
any such act which constitutes or results in breach of any of the covenants of this Agreement.
Any claim for relief to Punjab & Sind Bank shall include Punjab & Sind Bank's costs and expenses of
enforcement (including the attorney's fees).
7. Entire Agreement, Amendment and Assignment:
This Agreement constitutes the entire agreement between the Parties relating to the matters discussed
herein and supersedes any and all prior oral discussions and / or written correspondence or agreements
between the Parties. This Agreement may be amended or modified only with the mutual written consent
of the Parties. Neither this Agreement nor any right granted hereunder shall be assignable or otherwise
transferable.
8. Governing Law:
The provisions of this Agreement shall be governed by the laws of India and the competent court at
Bangalore shall have exclusive jurisdiction in relation thereto even though other
Courts in India may also have similar jurisdictions.
9. Indemnity:
The Firm/ Company shall defend, indemnify and hold harmless Punjab & Sind Bank, its affiliates,
subsidiaries, successors, assigns, and their respective officers, directors and employees, at all times,
from and against any and all claims, demands, damages, assertions of liability whether civil, criminal,
tortious or of any nature whatsoever, arising out of or pertaining to or resulting from any breach of
representations and warranties made by the Firm / Company and/or breach of any provisions of this
Agreement, including but not limited to any claim from third party pursuant to any act or omission of
the Firm / Company, in the course of discharge of its obligations under this Agreement.
10. General:
The Firm / Company shall not reverse-engineer, decompile, disassemble or otherwise interfere with
any software disclosed hereunder.
All Confidential Information is provided “as is”. In no event shall the Punjab & Sind Bank be liable for
the inaccuracy or incompleteness of the Confidential Information. None of the Confidential Information
disclosed by Punjab & Sind Bank constitutes any representation, warranty, assurance, guarantee or
inducement with respect to the fitness of such Confidential Information for any particular purpose.
Punjab & Sind Bank discloses the Confidential Information without any representation or warranty,
whether express, implied or otherwise, on truthfulness, accuracy, completeness, lawfulness, and
merchantability, fitness for a particular purpose, title, non-infringement, or anything else.
11. Waiver:
A waiver (whether express or implied) by Punjab & Sind Bank of any of the provisions of this
Agreement, or of any breach or default by the Firm / Company in performing any of the provisions
hereof, shall not constitute a continuing waiver and such waiver shall not prevent Punjab & Sind Bank
from subsequently enforcing any of the subsequent breach or default by the Firm / Company under any
of the provisions of this Agreement.
In witness whereof, the Parties hereto have executed these presents the day, month and year first herein
above written.
For and on behalf of XXXXX For and on behalf of Punjab & Sind Bank
XXXXXXX _________________________
XXXXX (Designation)
ANNEXURE - XII Resource Plan Matrix – SOC Operations
Type | Role | Total (Yrs) | IT Security (Yrs) | Academics | Certifications | Number of Resources required for operating SOC for the bank
L1 | Monitoring & Tracking Incidents/Alerts 24x7, Reporting & Escalation, Regular SIEM Administration | 2 | 1 | BE/ B.Tech/ MCA | CCNA/ CCNP/ CEH/ any global security certifications and any SIEM Technical certification |
L2 | Incident Validation, Incident Analysis, Solution Recommendation, Resolve Escalations, VA Tool admin, Maintain Knowledge base, Escalation point for device issue resolution, Patch implementation, Rule base Management, General SOC Administration, Scheduling/Performing VA Scans, Submission Scan reports, Resolve user queries. | 3 | 2 | BE/ B.Tech/ MCA | CCNA/ CCNP/ CEH/ any global security certifications and any SIEM Technical certification |
L3 | Security Advisory, Overall Design & analysis, Exp. In SIEM, PIM, WAF, ANTI-APT tools. Large scale security operations & Thorough understanding of TCP/IP, networking concepts, Administration of Windows, Linux platforms, Incident Closure, Ensuring SLAs are met, Responsible for closing incidents | 6 | 4 | BE/ B.Tech/ MCA | CISSP/ CISA/ and Any SIEM Technical certification |
Terms & Conditions:
1. In case of absence of a lower level resource, a higher level resource should perform the job of the
absentee but the payment will be made as per the payment structure of lower level resource only.
2. If any resource is absent, standby resources should be available. Bank may reject such manpower
if Bank is not satisfied with his/her performance and payment will be made to bidder as per
actual manpower support provided subject to adherence to SLA conditions.
3. For SIEM Technical Certification, L1/L2/L3 resources may get it within 3 months from entering
into the contract or issue of purchase order (whichever is earlier), if not possessing at the time of
bid submission.
(Signatures & Stamp)
Authorized Signatory
ANNEXURE XIII - CHECK – LIST FOR BID SUBMISSION
Sr. No. | Document | Attached with Bid (Y/N) | Page Number (From / To)
1 | Tender Covering Letter as per Annexure – I
2 | Compliance to Minimum Eligibility Criteria as per Annexure II (please ensure that all related documents to Minimum Eligibility criteria have been attached)
3 | Bidders Information as per Annexure III
| Bid Earnest Money in the form of Demand Draft/ Pay order/ Bank Guarantee as per Annexure IV.
4 | Acceptance of Scope of Work as per Annexure-V
5 | Acceptance/ Compliance certificate as per Annexure – VI
6 | Acceptance/ Compliance to Technical Requirements/ Specifications of RFP as per Annexure – IX
7 | Commercial Bill of Materials as per Annexure – X
8 | Resource Plan Matrix as per Annexure – XII
9 | Other Formats as mentioned in the RFP.
10 | DD/ Pay Order of Rs. 20,000/- payable to Punjab & Sind Bank toward cost of Tender Document (Please mention the tender name with year and company name at the back of DD/Pay order.)
11 | Copy of Power of Attorney authorizing official for signing the Bid
12 | Any other document indicating the feature of the product.
13 | An undertaking from OEM(s) to carry out its responsibilities as mentioned in clause 4.3 Responsibility Matrix of the RFP. (Table: Responsibility Matrix)
14 | OEM Recommendation letter for Hardware, Software, Licenses – as per clause 2.38
15 | Use cases for the proposed solutions
16 | Security certificate of respective proposed solutions from OEM/ third party auditor. (as per clause 2.39)
Annexure XIV - Indicative List of Use Cases
No | Use Case | Likely Outcome (Subject to change during UAT)
A Internet Banking (IB)
1 | Same username login request from multiple IP within defined time span. | ISP IP address with locations.
2 | IB_AMOUNT_DEBITED_BUT_TRANSACTION_FAILED | If Amount is debited but transaction fails Alert will be generated.
3 | BENEFICIARY_ADDED_SUBSEQUENT_TRANS_12AM_TO_6AM | Within 5 minutes if a user added beneficiary and then subsequently performed transactions should be alerted.
4 | CONNECTION_FAILED_BETWEEN_CONNECT24_AND_IB | If any connection failure happens between Connect24 and IB server, the same should be alerted to respective Bank Teams (like- Internet Banking, Security Team, etc.) immediately
5 | IB_HOST_COREBANKING_SERVER_NOT_RESPONDING | If any connection failure happens between CBS and IB server as Host not available, same should be logged/ alerted.
6 | INSUFFICENT_FUND | If any transaction is refused due to insufficient funds, same should be alerted to respective Bank Teams (like- Internet Banking, Security Team, etc) immediately.
7 | TAX_PAYMENTS_TRANSACTION_FAILED | If any transaction related to tax payments is refused or failed, same should be alerted to respective Bank Teams (like- Internet Banking, Security Team, etc.) immediately.
8 | TRANS_MORE_THAN_50K_2TIME_SAMEUSER_IN_5M | If a specific user has performed a transaction of more than Rs. 50000 (parametrised) and within 5 minutes (parameterised) same user is performing another transaction > 50000 same needs to be alerted.
9 | IB_TRANSACTION_NOT_ALLOWED | If Amount is debited but transaction fails Alert will be generated.
10 | Number of Front Page Access requests within set time from same ip and for multiple userid
11 | Maximum connections from a single unique IP address over a specific period of time
12 | Report on Distinct Browser access
13 | POTENTIAL_PHISHING_ATTACKS
14 | WEBPAGE_UNAVAILABILITY
15 | Internet Banking Failed Logins
B Mail Messaging
1 | Spam mail
2 | Top 'n' Email Accounts Sending Messages
3 | Top 'n' Email Accounts Receiving Messages
4 | Top 'n' Email Accounts Mailing Most Outside the Organization
5 | Email Send with BCC
6 | Mail messaging is not sending mails from last X hours/Service stop
7 | Mails with maximum attachment limit within time span (parameterized).
C Antivirus
1 | Top 'n' infected Machine
2 | McAfee Antivirus Top 'n' Left alone System
3 | McAfee Antivirus Top 'n' Left alone System in Tabular
4 | McAfee_VIRUS_NOT_DELETED
5 | McAfee_FAILED_LIVE_UPDATE
6 | McAfee Antivirus Top 'n' Quarantined System
D Database Auditing (Like- Oracle, Sql, MySql etc.)
1 | Audit Details by User - Delete Activity | Database Delete activity on all DB instances needs to be alerted.
2 | Audit Details by User - Insert Activity | Database Insert activity on all DB instances needs to be alerted.
3 | Audit Details by User | User audit log monitoring for any other activities than DML.
4 | DATABASE_ACTIVITY | Database Insert and Delete activity on all DB instances needs to be alerted.
5 | DB_SHUTDOWN | Database Instances shutdown, reboot and startup to be alerted.
E NEFT/RTGS Transactions
1 | Fund transferred through NEFT/RTGS not credited to beneficiary account but account debits.
2 | Transaction request for amount greater than 50000 (parameterized)
3 | 'n' no of unsuccessful attempt at Internet Banking followed by add payee followed by transaction of fund transfer of 'x' amount.
4 | Consecutive greater amount of money transferred from an account through NEFT/RTGS within 'x' time | In 'x' minutes if more than 'n' transactions of amount greater than 'x' are done to same or different accounts same needs to be alerted. Any subsequent transaction has to be reported and highlighted.
5 | RTGS_AND_NEFT_DATABASE_ACTIVITY | Any changes made in DML of RTGS/NEFT DB needs to be alerted
6 | NEFT_AND_RTGS_DB_INSTANCE_SHUTDOWN | DB shutdown for NEFT/ RTGS DB instance
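The Internet Banking use cases 1, 3 and 8 and NEFT/RTGS use case 4 above are all sliding-window correlations over transaction logs. The following is an added example of how a SOC could implement them with parameterised thresholds; it is not code from the RFP or from any SIEM product, and the pipe-separated log format, field names and sample records are constructed for the example.

```python
"""Windowed correlation rules for the Internet Banking and NEFT/RTGS use cases
(added example; not code from the RFP or from any SIEM product).
Constructed log format: timestamp|event|user|src_ip|amount|beneficiary."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not bank data); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2017-08-21T10:00:00|LOGIN|u100|10.1.1.5|0|-
2017-08-21T10:00:30|LOGIN|u100|203.0.113.9|0|-
2017-08-21T10:01:00|ADD_BENEFICIARY|u100|203.0.113.9|0|ACC777
2017-08-21T10:03:00|FUND_TRANSFER|u100|203.0.113.9|60000|ACC777
2017-08-21T10:05:00|FUND_TRANSFER|u100|203.0.113.9|55000|ACC888
2017-08-21T10:20:00|FUND_TRANSFER|u200|10.1.1.7|70000|ACC111
2017-08-21T10:40:00|FUND_TRANSFER|u200|10.1.1.7|75000|ACC111
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    src_ip: str
    amount: int
    beneficiary: str

def parse_log(text):
    """Parse the constructed log format; events come back in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, user, ip, amount, bene = line.split("|")
            events.append(Event(datetime.fromisoformat(ts), kind, user, ip, int(amount), bene))
    return sorted(events, key=lambda e: e.ts)

def same_user_multiple_ip(events, window=timedelta(minutes=5)):
    """IB use case 1: one username logging in from more than one source IP
    inside a sliding window (the 'defined time span')."""
    alerts = []
    recent = defaultdict(deque)  # user -> (ts, ip) of logins still inside the window
    for e in events:
        if e.kind != "LOGIN":
            continue
        q = recent[e.user]
        while q and e.ts - q[0][0] > window:
            q.popleft()
        q.append((e.ts, e.src_ip))
        ips = sorted({ip for _, ip in q})
        if len(ips) > 1:
            alerts.append(("SAME_USER_MULTIPLE_IP", e.user, e.ts.isoformat(), ips))
    return alerts

def beneficiary_then_transfer(events, window=timedelta(minutes=5), hours=None):
    """IB use case 3: beneficiary added and then used for a transfer within the
    window. `hours` optionally limits the rule to hours of the day, e.g.
    range(0, 6) for the 12AM-6AM variant named in the RFP."""
    alerts = []
    added = {}  # (user, beneficiary) -> time the beneficiary was added
    for e in events:
        if e.kind == "ADD_BENEFICIARY":
            added[(e.user, e.beneficiary)] = e.ts
        elif e.kind == "FUND_TRANSFER":
            t0 = added.get((e.user, e.beneficiary))
            in_hours = hours is None or e.ts.hour in hours
            if t0 is not None and e.ts - t0 <= window and in_hours:
                alerts.append(("BENEFICIARY_ADDED_SUBSEQUENT_TRANS", e.user,
                               e.ts.isoformat(), e.beneficiary))
    return alerts

def high_value_velocity(events, threshold=50000, count=2, window=timedelta(minutes=5)):
    """IB use case 8 / NEFT-RTGS use case 4: `count` or more transfers above
    `threshold` by one user within `window`, to the same or different accounts.
    Each further transfer inside the window alerts again, so subsequent
    transactions are highlighted as the NEFT/RTGS use case asks."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of large transfers in the window
    for e in events:
        if e.kind != "FUND_TRANSFER" or e.amount <= threshold:
            continue
        q = recent[e.user]
        while q and e.ts - q[0] > window:
            q.popleft()
        q.append(e.ts)
        if len(q) >= count:
            alerts.append(("TRANS_MORE_THAN_THRESHOLD_VELOCITY", e.user,
                           e.ts.isoformat(), len(q)))
    return alerts

def run_all(text):
    """Run the three rules over one log and return every alert raised."""
    events = parse_log(text)
    return (same_user_multiple_ip(events) + beneficiary_then_transfer(events)
            + high_value_velocity(events))

if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
```

On the sample log, user u100 trips all three rules (two login IPs within 30 seconds, a beneficiary used two minutes after being added, two transfers above Rs. 50000 within five minutes), while u200's two large transfers are 20 minutes apart and stay silent under the 5-minute window.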
F VSAT
1 | Alert for specific traffic/IP which is not permitted in VSAT network
2 | VSAT router link up and down
G SMS Alerts
1 | Cash withdraw from ATM but SMS alert not received.
2 | Delay in SMS after input from payment system
3 | Load on SMS Gateway hence SMS are not flowing.
4 | Alert when SMS flow above threshold value
H Payment Aggregator (e.g. Bill Desk, PayU, Atom, Citrus etc.)
1 | Payment Aggregator gateway sends the request for payment but account not debited
2 | Payment gateway sends the request for bill account debited but no receipt | Amount debited but confirmation not sent. Any failures in receipt delivery to be tracked
I Network Connectivity
1 | Max bandwidth utilized by source | Source utilising the maximum bandwidth
2 | Router-Denied Packet Per Hour | Denied packet per hour threshold > 1500 (parametrised)
3 | Router- Top 'n' Denied Packets by Address | Report showing top 'n' sources utilising bandwidth
4 | TOP 'n' utilization resources
5 | POSSIBLE_SPOOFING_ATTACK_ACTIVIY_DETECTED | This alert shows any spoofing pattern activity detected. It may contain activity of duplicate IP's on a network or other network conflicts. If 'n'% increase in any of the identified event messages minute baseline is detected in logs alert will be triggered.
6 | ROUTER_LINK_AND_LINEPROTO_UP
7 | ROUTER_LINK_AND_LINEPROTO_DOWN
J CBS
1 | Transactions made from multiple inoperative accounts to single operative account
2 | ABNORMAL_SESSION
3 | INVALID_PASSWORD
4 | TRANSACTION_MORE_THAN_1_CRORE
5 | UNSUCCESSFUL_LOGIN
6 | CBS_AND_IB_DB_INSTANCE_SHUTDOWN
7 | CBS_AND_IB_DB_ACTIVITY | If any DB admin activity like Delete, Insert & Alter is being issued in CBS DB.
8 | High amount transactions to same account within certain time span.
9 | High value Transactions made from CBS users after raising the privilege within x time
10 | Transaction made in bank facilitated account such as bill payment account and then followed by transactions in personal account from CBS user
11 | Abnormal user session like SACK actions to be monitored and reported
K Cisco Firewall (FW)
1 | FW DEVICE CONFIGURATION CHANGES
2 | FW_LINK_UP_DOWN | FW Link up and Down alert
3 | SUCCESSFUL_DENIAL_OF_SERVICE_ATTACK
4 | HIGH_NUMBER_OF_DOS_ATTACKS_ALERTS
5 | FW_LOST_FAILOVER_COMMUNICATION | Alert message to monitor the failover communication
6 | FW_DEVICE_CONFIGURATION_CHANGE
7 | EXCESSIVE_INBOUND_CONNECTIONS_DENIED_BY_FIREWALLS
8 | FW_LINK_UP_DOWN
L IDS/IPS
1 | SUSPICIOUS_BOTNET_TYPE_ACTIVITY_DETECTED
2 | SUCCESSFUL_BACKDOOR_ATTACK
3 | POSSIBLE_SUCCESSFUL_BRUTE_FORCE_ATTACK_DETECTED
4 | INCREASE_IN_P2P_TRAFFIC_DETECTED_WITHIN_ENVIRONMENT
5 | BACKDOOR_TYPE_ACTIVTY_OBSERVED_WITHIN_INTERNEL_NETWORKS
6 | Traffic_from_BlacklistIP
7 | POSSIBLE_SPOOFING_ATTACK_ACTIVIY_DETECTED
8 | PORT_SCAN_HAS_BEEN_DETECTED_BY_A_DEVICE
9 | PORT_SCAN_DETECTED
10 | WORM_ACTIVITY_ORIGINATIING_ON_INTERNEL_ACTIVITY | Any activity matching worm pattern will get detected from IDS logs
M Web Proxy Gateway
1 | Maximum used websites with source
2 | Internet connectivity down
3 | Max bandwidth utilized by any particular source
4 | Maximum number of connections from outside source destination to inside within specified time.
5 | Alert on specific Proxy errors
N External Traffic Monitoring
1 | Brute force attack from outside
2 | Port scanning from particular IP within x time.
3 | Access request from multiple hosts in minimum defined threshold
O Web Server
1 | Webserver error event monitoring
2 | Webserver Alerts
3 | Total Requests per client
4 | Top User agents accessing the Internet banking Web application
P SIEM Config Monitoring
1 | DROP_CONNECTIONS_FROM_INTEGRATED_DEVICES_TOWARDS_ENVISION | Network Denied Connections on Firewall monitoring integrated devices traffic
2 | NEWDEVICE_DISCOVERY | New device should be discovered in SIEM.
3 | HARDWARE_FAILURE_ALL_DEVICES
Q HRMS
1 | HRMS_FAILED_LOGIN_TO_A_SINGLE_HOST_FROM_MULTIPLE_SOURCE_DETECTED | If several machines are trying to log into one source with the same username several times in a row very quickly this could indicate that a local BotNet is trying to brute force its way into a targeted machine. Monitor the sources of the events and potentially block their communications.
2 | HRMS_Server_Hardware_failure
3 | HRMS_GROUP_DELETION
4 | HRMS_USER_DELETION
5 | HRMS_USER_PASSWORD_MODIFIY
6 | HRMS_SERVER_SHUTDOWN_AND_REBOOT
R Windows
1 | WINDOWS ACCOUNT CREATED AND DELETED WITHIN 24HRS
2 | WINDOWS_DISK_AT_NEAR_CAPACITY
3 | PASSWORD_CHANGE_ON_A_KNOWN_PRIVILEGED_USER_ACCOUNT_DETECTED | Password change on a known Privileged account observed on a particular event source. If such changes are not planned or approved, it could be an indication of potential unusual or malicious behavior.
4 | FAILED_LOGIN_TO_A_SINGLE_HOST_FROM_MULTIPLE_SOURCE_DETECTED
5 | WINDOWS_ACCOUNT_ADDED_TO_PRIVILEGE_LEVEL
S Checkpoint Firewall
1 | CHECKPOINT-FW_CLUSTER_BREAK
2 | EXCESSIVE_INBOUND_CONNECTIONS_DENIED_BY_FIREWALLS_FROM_A_SINGLE_IP_ADDRESS
T MISC
1 | HARDWARE_FAILURE_ALL_DEVICES
2 | INCREASE_IN_P2P_TRAFFIC_DETECTED_WITHIN_ENVIRONMENT__WITHIN_THE_PAST_5_MINUTES
3 | LARGE_NUMBER_OF_ATTACK_EVENTS_FROM_INTERNEL_IP_ADDRESS_DETECTED_BY_IDS
4 | P2P_SOFTWARE_RUNING_AS_AN_ACTIVE_PROCESS_ON_EVENT_SOURCE
5 | PORT_SCAN_DETECTED
6 | SERVICE_OR_DRIVER_FAILURE
7 | SYSLOG_SERVICE_RESTART
U Active Directory
1 | User account created with no accompanying account record in the main account management app logs
2 | If a service account was used with an interactive logon, alert or report on that action
3 | Domain accounts used from the outside over the VPN
4 | AD authenticated VPN logins from a foreign country
5 | User with many logon failures with wrong password and non-working hours
6 | User at vacation and fired user with unlocked credentials
7 | File operations (access, modification, delete etc) in some sensitive folders
Category Use Case
Business Use Cases
Access/
Authentication
Identity Management Monitor for use of disabled usernames
Password Guessing Possible successful brute force attack
detected on devices/ servers.
Perimeter & Network Security Increase in failed remote login attempts
detected
Enterprise Services Access
Management
Unusual number of failed/ successful
vendor/default user login attempts
Perimeter & Network Security Password change on a known privileged
account detected
Audit Trail System Health Tampering of system audit logs detected
Policy Violation Network Security
Server access from unauthorized IP Address
Internet access by unauthorized server
Policy Violation - Internet access from
authorized server
Reverse Proxy bypass - Application
accessed externally
Insecure application access - non https
Operational/
Functional
System Health
Device Stopped Sending logs
Log source stopped sending logs after
reboot
Disk Array capacity approaching threshold
Possible system instability state detected
System shutdown
Backup and recovery: failed
Backup and recovery: cancelled
Perimeter & Network Security Network performance degradation detected
System Metrics
Operating System service state change
Successful or Failed Installation/ Updating
any package
EPS Warning – EPS approaching limit
Log Source added/deleted
Page 108 of 118
User added to “remote user group” AD
group
User added as part of “domain
administrator“ & “local administrator”
group
New Operating System service installation
User added to VPN administrative group
Integrity
Integrity Monitoring Changes to databases holding customer data
by unauthorized users
Perimeter & Network Security
Configuration change on network & security
device intercepted
Host checker configuration changed on
VPN device
Privilege Access Enterprise Services Access
Management
Elevation of account privilege followed by
restoration of previous state within a period
of 24 hrs.
Revocation of user privileges detected
Usage Activity
Data transfer Large files transfer to 3rd Party Sites
Perimeter & Network Security
Monitoring over ports not permitted by
policy on Internet-facing firewalls, non-
compliant traffic activity.
Use of clear-text confidential information
detected
Excessive inbound denied connections
Increase in file transfer activity using instant
messaging detected
Active syn flood attack detected by network
& security devices
Possible arp poisoning or spoofing activity
detected
Remote data harvesting
High Volume of TCP Resets
Threat
Intelligence Perimeter & Network Security
Communication between internal hosts and
known malware distribution site
A connection from a server with a known
spam sending host
Malicious
Activity
Monitoring
Perimeter & Network Security Increase in peer to peer traffic detected
Network Security
Unintended download of computer software
from internet
Successful backdoor attack
Worm propagation in the internal network
SQL injection attack detection
Page 109 of 118
  - Attack exploiting Microsoft Directory service vulnerability detected
  - Streaming Media detected
  - Possible intruder trying to gain unauthorized access to network
  - Successful Connections after Denied Attempts from same external source
  - Aggressive database scan
  - Virus deletions failed on system
  - System getting infected by same virus
  - High number of Denial of Service (DoS) attacks detected
  - Vulnerability correlation alerts
  - Malicious Activity - VPN access
  - Malicious Activity - Deviation of network utilization of resources
Processes/services
  Active Directory
  - Active directory schema change
  - Active directory policy modified
  Microsoft Exchange
  - Increase in the number of non-delivery report messages collected from Microsoft Exchange
  System Health
  - Patch & update failures
Attack Life Cycle based Use Cases
Initial Recon
  Port Scan from outside
  - Horizontal port Scan
  - Horizontal port scan on well known vulnerable ports
  - Horizontal port scan on critical assets
  - Horizontal port scan on existing vulnerable ports on critical assets
  - Vertical Port Scan
  - Vertical port scan on well known vulnerable ports
  - Vertical port scan on critical assets
  - Vertical port scan on existing vulnerable ports on critical assets
  - IDS/IPS port scan on well known vulnerable ports
  - IDS/IPS port scan on critical assets
  - IDS/IPS port scan on well known vulnerable ports
  Vulnerability Scan from outside
  - Vulnerability Scan
  - Vulnerability Scan on critical assets
  Communication traffic that is from an unusual geo location source
  - Communication traffic observed from an unusual geo location source.
  Communication traffic that is known to be from bad or blacklisted source host addresses
  - Communication traffic observed from bad or blacklisted source host addresses.
  Slow Scans
  - Slow Horizontal Scan
  - Slow Vertical Scan
  - Slow Box Scan (Combination of horizontal and Vertical Scan)
Initial Compromise
  Spear phishing
  - Malware downloaded
  Weaponized document
  - Malware downloaded
  Watering Hole attack
  - Malware downloaded
  System Exploit
  - C&C communication attempts
Establish Foothold
  Install backdoor malware
  - Malware has been installed
  Create command and control infrastructure
  - C&C communication denied by firewall/proxy.
  - Successful C&C communication
  Install keyloggers
  - Unauthorized software installed - Key loggers.
  Dump password hashes
  - Privilege escalation alerts
  - Unauthorized software installed - password hash dumping tool.
  Rootkits
  - Successful Privilege escalation alerts
  - Rootkits installed
Escalate Privileges
  Retrieve password hashes
  - Password hash transport detected
  Traffic sniffing
  - Network adaptor going into promiscuous mode (white list for apps like Symantec HIDS)
  Keylogging
  - Unauthorized software installed - Key loggers.
Internal Recon
  Gather system information, network information, hardware info
  - Inside - Horizontal port Scan
  - Inside - Horizontal port scan on well known vulnerable ports
  - Inside - Horizontal port scan on critical assets
  - Inside - Horizontal port scan on existing vulnerable ports on critical assets
  - Inside - Vertical Port Scan
  - Inside - Vertical port scan on well known vulnerable ports
  - Inside - Vertical port scan on critical assets
  - Inside - Vertical port scan on existing vulnerable ports on critical assets
  - Inside - HIDS/HIPS port scan on well known vulnerable ports
  - Inside - HIDS/HIPS port scan on critical assets
  - Inside - HIDS/HIPS port scan on well known vulnerable ports
  - Inside - Vulnerability Scan
  - Inside - Vulnerability Scan on critical assets
  - Inside - ARP broadcast Detected
  Looks at files and documents, explores file shares
  - Work station to work station communication
  - User behavior anomaly detected
Move Laterally
  Use of valid credentials over SMB or RDP
  - Anomaly detection using event logs
  - Desktop to Desktop communication observed
Maintain Presence
  Backdoor malware
  - Malware has been installed
  VPN access
  - Detailed analysis of host check failure alerts
  - Anomaly detection for VPN users (user profiling)
  - Executable detected in http/https traffic
  Password encoded zip or RAR files
  - Password encoded Outbound file transfer detected
  FTP Detected
  - File transfer over FTP (white list for FTP allowed IPs)
  SMB
  - Connection established over SMB ports (139, 445) towards known bad IP
Note: An indicative (not exhaustive) list of Use Cases for some applications/ devices/ servers/ software is given above. The Bank, during the implementation and operation phases, shall ask for additional use cases to be implemented as per the Bank's business requirements. The solutions should be completely parameterized w.r.t. Amount, Time, Number, O/S & DB Instances, etc.
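Two of the perimeter use cases listed above, written out as correlation rules so that the parameterization the note asks for (thresholds, asset lists) is visible. This is an added illustration, not code from the RFP or from any bidder's product: the firewall log format, the field names, the asset inventory and the thresholds are all constructed assumptions. The scan classifier generalizes the "Horizontal", "Vertical" and "Box" scan items into one rule keyed on distinct hosts versus distinct ports per source; the second rule is "Successful Connections after Denied Attempts from same external source".

```python
# Added example (not part of the RFP): two perimeter use cases written as
# correlation rules over constructed firewall log lines.  The log format,
# field names, asset inventory and thresholds are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample firewall log: "<time> <action> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOGS = """\
10:00:01 DENY src=203.0.113.7 dst=10.1.0.10 dport=445
10:00:02 DENY src=203.0.113.7 dst=10.1.0.11 dport=445
10:00:03 DENY src=203.0.113.7 dst=10.1.0.12 dport=445
10:00:04 DENY src=203.0.113.7 dst=10.1.0.13 dport=445
10:00:05 DENY src=203.0.113.7 dst=10.1.0.14 dport=445
10:01:00 DENY src=198.51.100.9 dst=10.1.0.20 dport=21
10:01:01 DENY src=198.51.100.9 dst=10.1.0.20 dport=22
10:01:02 DENY src=198.51.100.9 dst=10.1.0.20 dport=23
10:01:03 DENY src=198.51.100.9 dst=10.1.0.20 dport=80
10:01:04 DENY src=198.51.100.9 dst=10.1.0.20 dport=443
10:01:09 ALLOW src=198.51.100.9 dst=10.1.0.20 dport=443
10:02:00 ALLOW src=192.0.2.5 dst=10.1.0.30 dport=443
"""

# Constructed asset inventory: hosts the SOC tags as critical.
CRITICAL_ASSETS = {"10.1.0.10", "10.1.0.20"}


@dataclass(frozen=True)
class Event:
    ts: str
    action: str
    src: str
    dst: str
    dport: int


def parse(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(ts, action, fields["src"], fields["dst"], int(fields["dport"]))


def classify_scans(events, min_targets=5):
    """Per source, classify DENY activity as a horizontal scan (one port across
    many hosts), vertical scan (many ports on one host) or box scan (both).
    Returns {src: label}; sources below the threshold are omitted."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for e in events:
        if e.action == "DENY":
            hosts[e.src].add(e.dst)
            ports[e.src].add(e.dport)
    labels = {}
    for src in hosts:
        many_hosts = len(hosts[src]) >= min_targets
        many_ports = len(ports[src]) >= min_targets
        if many_hosts and many_ports:
            labels[src] = "box"
        elif many_hosts:
            labels[src] = "horizontal"
        elif many_ports:
            labels[src] = "vertical"
    return labels


def scans_on_critical_assets(events, critical=CRITICAL_ASSETS):
    """The '... on critical assets' variants: sources whose denied targets
    intersect the critical asset inventory."""
    return {e.src for e in events if e.action == "DENY" and e.dst in critical}


def allowed_after_denied(events, min_denied=3):
    """'Successful Connections after Denied Attempts from same external source':
    an ALLOW from a source that already accumulated min_denied DENY events.
    Events are assumed to arrive in time order."""
    denied = defaultdict(int)
    hits = set()
    for e in events:
        if e.action == "DENY":
            denied[e.src] += 1
        elif e.action == "ALLOW" and denied[e.src] >= min_denied:
            hits.add(e.src)
    return hits


def run(raw: str = SAMPLE_LOGS):
    """Apply all three rules to a raw log text and return their findings."""
    events = [parse(line) for line in raw.splitlines() if line.strip()]
    return {
        "scans": classify_scans(events),
        "scans_on_critical": scans_on_critical_assets(events),
        "allowed_after_denied": allowed_after_denied(events),
    }


if __name__ == "__main__":
    for rule, result in run().items():
        print(f"{rule}: {result}")
```

The thresholds (`min_targets`, `min_denied`) and the asset set are the parameters a SOC would tune per environment; in a SIEM they would be rule variables rather than constants, and the rules would run over a sliding time window rather than the whole file.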
FORMAT - 1
Bidder’s Undertaking Letter 1
Date:
To
Asstt General Manager (IT)
HO IT Dept
Punjab & Sind Bank
Rajendra Place, New Delhi
Dear Sir,
We, the undersigned, as prime bidder, confirm the below:
• Neither we nor our Promoters / Directors are defaulters to any financial institution.
• We have not been reported against by any Public Sector Bank or Indian Banks Association for any
malpractice, fraud, poor service, etc.
• We have not been blacklisted by any Government authority or Public Sector Undertaking (PSU) as on the date of submission of the tender.
• We have not been put in the negative list or Blacklist by any Public Sector Bank/ Government Organization for breach of applicable laws or violation of regulatory prescriptions or breach of agreement for providing the SOC services at the time of bid submission.
Yours faithfully,
(Authorized Signatory)
In the capacity of ______________
Duly authorized to sign the Bid for and on behalf of _________________
Note: This letter should be on the letterhead of the Prime Bidder duly signed by an authorized signatory.
FORMAT - 2
Sample Channel Partner/ Dealership/ Experience letter from OEM
Place: ____________
Date: ____________
To,
Asstt General Manager (IT)
HO IT Dept, Punjab & Sind Bank
Rajendra Place, New Delhi
Dear Sir,
We hereby certify that M/S …………………………… (Name & Address) is an Authorised Channel Partner/ Authorised Dealer/ System Integrator (strike out whichever is not applicable) for Supply, Installation, Implementation, and Maintenance of ……………. ………………………… (Equipment/ Solution details) of …………….. (Specify Make) manufactured by our company for the last …… (Specify) years. Further, we certify that the Authorised Channel Partner/ Authorised Dealership/ System Integrator agreement with M/S ……………………… is in force and is valid up to …………. (Specify Period).
Further, we hereby certify that M/S …………………… is authorized to participate in the tender process for “Request for Proposal for Selection of Security System Integrator to set up Security Operation Centre (SOC) for Bank” on our behalf and submit bids. We undertake that the solution proposed in the response to this RFP is a licensed version of the product and has enterprise support from our company.
We hereby undertake that the Model offered & empanelled will be available & supplied during the tenure of the contract. We also undertake that none of the proposed solutions will open/ contact any undeclared channel outside the respective bank’s environment. We further certify that the application/ software/ solution provided by us is free of malware at the time of sale, free of any obvious bugs, and free of any covert channels in the code (of the version of the application being delivered as well as any subsequent versions/modifications done). A violation of the above would be considered a breach of security and the bank may proceed against us as they deem fit.
Also, we confirm that our solution is implemented by M/S _____________ in the following organizations:
1)
2)
3)
4)
Further, we confirm that the undersigned is authorized to issue this letter. We also undertake that we will
provide software patches for the solutions/ software provided by us for the duration of contract.
Yours Faithfully,
(Name, Designation, Address, Phone Number of the
Authorised Signatory with Company Seal)
Note: This format has to be issued by Original Equipment Manufacturer on their Letter Head duly
signed by authorized signatory/signatories
FORMAT - 3
Confirmation of Soft Copy
To
Asstt General Manager (IT)
HOIT Dept
Punjab & Sind Bank
Rajendra Place, New Delhi
Dear Sir,
Sub: Request for Proposal for Selection of Security System Integrator to set up Security
Operation Centre (SOC) for Bank.
Further to our proposal dated XX.XX.XXX, in response to the Request for Proposal (Bank’s tender
No.________________________ hereinafter referred to as “RFP”) issued by Punjab & Sind Bank
(“Bank”) we hereby covenant, warrant and confirm as follows:
The soft-copies of the proposal submitted by us in response to the RFP are identical with the hard-copies
of aforesaid proposal submitted by us, in all respects.
Yours faithfully,
Authorised Signatory
Designation
Bidders’ corporate name
FORMAT - 4
Compliance Statement
Reg: Request for Proposal for Selection of Security System Integrator to set up Security
Operation Centre (SOC) for Bank.
We certify that except for the following deviations, we agree to abide by all clauses, terms, conditions
and specifications mentioned in the RFP, along with Addendums and Corrigendum.
Main RFP / Annexure
No.
Clause / Sub Clause No. Deviation Specific Page no. of the
Response
Place:
Date: Signature of Authorised signatory
(With seal)
Note: If there are no deviations the bidder has to give his response by writing ‘NIL’ in the statement.
Any deviations may lead to disqualification.
FORMAT - 5
Bidder’s Undertaking Letter 2
Date: _________________
To
Asstt General Manager (IT)
HOIT Dept, Punjab & Sind Bank
Rajendra Place, New Delhi
Dear Sir,
We, the undersigned, as prime bidder, having examined the complete RFP document (along with its
annexure & addendums/ corrigendum), do hereby offer to supply, install, configure, implement and
provide maintenance support for all the solutions as per the Scope of Work in full conformity of your
requirements as elaborated in above said RFP for the amounts mentioned by us in the Commercial Bid
or such other sums as may be agreed to between us.
We hereby agree to all the terms and conditions stipulated in the RFP except for the variations and
deviations of requirements as mentioned by us in the Compliance Statement, submitted along with our
Technical Proposal.
We agree to implement the project in bank as per the conditions mentioned in the RFP.
We agree to abide by our Offer for a period of _______ days from the date of opening of the technical
bid and it shall remain binding on us for acceptance at any time before the expiration of this period.
We understand that you are not bound to accept the lowest or any bid you may receive.
We undertake, if our Bid is accepted, to provide Contract Performance Guarantee, ATS/AMC
Performance Guarantee in the form and in the amounts and within the times stipulated in the RFP.
Yours faithfully,
(Authorised Signatory)
In the capacity of ______________
Duly authorized to sign the Bid for and on behalf of _________________
FORMAT – 6 - Undertaking of Authenticity for Solution and Server Supplies
To
Asstt General Manager (IT)
HOIT Dept, Punjab & Sind Bank
Rajendra Place, New Delhi
Dear Sir,
Sub: Request for Proposal for Selection of Security System Integrator to set up Security
Operation Centre (SOC) for Bank.
We hereby undertake that all the components/ parts/ assembly/ software used in the appliance/ server/
solution like Hard disk, Monitors, Memory etc. shall be original new components/ parts/ assembly/
software only, from respective OEMs of the products/ solution and that no refurbished/ duplicate second
hand components/ parts/ assembly/ software are being used or shall be used.
We also undertake that in respect of licensed operating system if asked for by you in the purchase order,
the same shall be supplied along with the authorized license certificate (e.g. Product Keys on
Certification of Authenticity in case of Microsoft Windows Operating System) and also that it shall be
sourced from the authorized source (e.g. Authorized Microsoft Channel in case of Microsoft Operating
System).
Should you require, we hereby undertake to produce the certificate from our OEM supplier in support of the above undertaking at the time of delivery/ installation. It will be our responsibility to produce such letters from our OEM suppliers at the time of delivery or within a reasonable time.
In case of default and we are unable to comply with above at the time of delivery or during installation,
for the IT Hardware/ Software already billed, we agree to take back the appliance/ server/ solution
without demur, if already supplied and return the money if any paid to us by you in this regard.
We (system OEM name) also take full responsibility of both Parts & Service SLA as per the content
even if there is any defect by our authorized Service Centre/ Reseller/SI etc.
Authorised Signatory
Name:
Designation:
Place:
Date:
ANNEXURE - IX - Technical Requirements/ Specifications - SIEM

Columns: S. No | SIEM requirement | Essential (E) [Any Non-Compliance of (E) may lead to Bid Rejection] / Preferable (P) | Compliance (Yes/No) | Remarks. Please provide adequate reference to product manuals/ documentation to substantiate how the product conforms to each requirement.

General
1. The solution should support log collection, correlation and alerts for the number of devices, servers, applications etc. mentioned in scope. (E)
2. The solution should be able to conduct agentless collection of logs except for those which cannot publish native audit logs. (E)
3. The solution should have connectors to support the listed devices/ applications; wherever required the vendor should develop customized connectors at no extra cost. (E)
Log Collection and Management
4. All logs should be authenticated (time-stamped), encrypted and compressed before transmission. (E)
5. The solution should be able to continue to collect log data during database backup, de-fragmentation and other management scenarios, without any disruption to service. (E)
6. The solution should support log collection from all operating systems and their versions including but not limited to Windows, AIX, Unix, Linux, Solaris servers etc. (E)
7. In case the connectivity with the SIEM management system is lost, the collector should be able to store the data in its own repository. The retention, deletion and synchronization with the SIEM database should be automatic, but it should be possible to control the same manually. (P)
8. The solution shall allow bandwidth management and rate limiting at the log collector level. (P)
9. The solution should ensure that the overall load on the network bandwidth at DC and WAN level is minimal. (E)
10. The solution should provide a store and forward feature at each log collection point. (E)
11. The solution should have the capability to compress the logs by at least 70% for storage optimization. The compression percentage capability should be parameterized. (E)
12. It should be possible to configure event collectors to also send the event data in its original format to the central correlation engine. (P)
13. The data archival should be configured to store information in tamper proof format and should comply with all the relevant regulations. (E)
14. Traceability of logs shall be maintained from the date of generation to the date of purging. (P)
15. The system shall be able to capture all details in raw logs, events and alerts and normalize them into a standard format for easy comprehension. (E)
16. It should be feasible to extract raw logs from the SIEM and transfer them to other systems as and when required. (E)
17. Should support the following log collection protocols at a minimum: Syslog over UDP / TCP, Syslog NG, Secure POP3 / Secure XML, SDEE, SNMP Version 2 & 3, ODBC, FTP, Windows Event Logging Protocol, XML, NetBIOS, Netflow. (E)
18. The solution should prevent tampering of any type of logs and log any attempts to tamper with logs. (E)
Correlation
19. SIEM must allow the creation of an unlimited number of new correlation rules. (E)
20. Solution should be able to perform the following correlations (but not limited to): Rule based, Vulnerability based, Statistical based, Historical based, Heuristics based, Behavioral based etc. The Solution should also provide User and Entity Behavior Analysis capabilities. (E)
21. The system/solution should have the ability to correlate all the fields in a log. (E)
22. The solution should be able to parse and correlate multi-line logs. (E)
23. The Solution should gather information on real time threats and zero day attacks issued by anti-virus or IDS/ IPS vendors or audit logs and add this information as an intelligence feed into the SIEM solution via patches. (E)
24. The solution should allow a wizard based interface for rule creation. The solution should support logical operations and nested rules for creation of complex rules. (E)
25. The central correlation engine database should be updated with real time security intelligence updates from the OEM. (E)
Dashboard and Reporting
26. The dashboard should be in the form of a unified portal that can show correlated alerts/ events from multiple disparate sources such as security devices, network devices, enterprise management systems, servers, applications, databases, etc. (E)
27. Events should be presented in a manner that is independent of device specific syntax and easy to understand for all users. (E)
28. The dashboard should show the status of all the tools deployed as part of the SOC, including availability, bandwidth consumed, system resources consumed (including database usage). (E)
29. It should be possible to categorize events while archiving, for example events for network devices, antivirus, servers etc. (E)
30. Any failures of the event collection infrastructure must be detected and operations personnel must be notified as per SLA. The device health monitoring must include the ability to validate that original event sources are still sending events. (E)
31. The solution should generate the following reports (but not restricted to): User activity reports, Configuration change reports, Incident tracking report, Attack source reports etc. In addition, the solution should have a report writing tool for development of any ad-hoc reports. (E)
32. The Dashboard design for the solution should be editable on an ad hoc basis as per the individual user need. (P)
33. The system should display all real time events. The solution should have drill down functionality to view individual events from the dashboard. (E)
34. The solution should allow applying filters and sorting to query results. (E)
35. The solution should allow creating and saving of ad hoc log queries on archived and retained logs. These queries should be able to use standard syntax such as wildcards and regular expressions. (E)
36. The solution should provide event playback for forensic analysis. (P)
37. The solution should allow for qualification of security events and incidents for reporting purposes. The solution should be able to generate periodic reports (weekly, monthly basis) for such qualified security events/ incidents. (E)
38. Should provide a summary of log stoppage alerts and automatic suppression of alerts. (E)
39. Should generate e-mail and SMS notifications for all critical/high risk alerts triggered from SIEM. (E)
40. The solution should allow users to initiate and track alert related mitigation action items. The portal should allow reports to be generated on pending mitigation activities. (E)
41. Solution should be able to provide asset details such as asset owner, location, events & incidents, vulnerabilities and issue mitigation tracking mapped to individual assets/users. (P)
42. Solution should provide a knowledge base and best practices for various security vulnerabilities. (P)
43. Dashboard should display asset list and capture details including name, location, owner, value, business unit, IP address, platform details. (P)
44. Dashboard should capture the security status of assets and highlight risk level for each asset. This should be used to capture the security status of the bank, the status of different business units within the bank, the status of key locations etc. (P)
45. Dashboard should support reporting for consolidated relevant compliance across all major standards and regulatory requirements. This includes (but is not limited to) ISO 27001, RBI regulations, IT ACT, PCI DSS standards etc. (E)
46. Dashboard should support different views relevant for different stakeholders including top management, operations team, and Information Security Department. (E)
47. Dashboard should support export of data to multiple formats including CSV, XML, Excel, PDF, Word formats. (E)
48. Dashboard views should be customizable as per user rights and access to individual components of the application. (E)
49. Administrators should be able to view correlated events, real-time raw logs and historical events through the dashboard. (E)
50. Senior Management should be able to view compliance to SLA for all SOC operations and solutions. (E)
51. The system should permit setting up geographical maps/images on real time dashboards to identify impacted areas and sources of alerts. (E)
52. The solution should have the capability to identify which queries and indexes have been searched most, to improve the query response time. (P)
53. Solution should have the ability to perform free text searches for events, incidents, rules and other parameters. (E)
Event and Incident Management
54. The system should identify the originating system and user details while capturing event data. (E)
55. It should be possible to automatically create incidents and track their closure. (E)
56. The event should reach the SOC monitoring team within 30 seconds of the log being captured. (E)
57. Parser should be readily available for Finacle. (E)
58. The solution should be able to collect and parse logs from Base24 ATM switches and any other ATM switch logs. (E)
59. The solution should be able to conduct full packet capture for data. (E)
60. The solution should offer a means of escalating alerts between various users of the solution, such that if alerts are not acknowledged in a predetermined timeframe, that alert is escalated to ensure it is investigated. (E)
Storage
61. The vendor should provide for adequate storage to meet the EPS and retention requirements of the bank. SI shall be responsible for upgrade of the storage to meet the bank's requirements as above at no additional cost. The SI should provide adequate justification for the storage size proposed as part of the response. (E)
62. The solution should be able to store both normalized and RAW logs. (E)
63. The platform should provide tiered storage for the online, archival, and backup and restoration of event log information. (E)
64. The Tier I and II storage should have the capability to authenticate logs on the basis of time, integrity and origin. (E)
65. The storage solution should have the capability to encrypt the logs in storage. (E)
66. System should have capacity to maintain the logs for 90 days on Tier I storage, and older logs should be archived on Tier II storage and Tier III storage. (E)
67. Solution should be capable of retrieving the archived logs for analysis, correlation and reporting purposes automatically. (E)
68. Solution should be able to part and filter logs before storage on the basis of type of logs, date etc. Also, the solution should provide custom metadata tagging and search (not only general search). (P)
69. Solution should be capable of replicating logs in Synchronous as well as Asynchronous mode. (E)
70. It should be possible to define purging and retention rules for log storage. The storage solution should provide data authenticity and guard against corruption and tampering. It should implement strict access control with Microsoft AD, LDAP and third party directory support. Should provide ability to audit. (E)
71. The solution should come with built-in functionality for archiving data. (E)
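Requirements 13, 18, 64 and 70 all come down to the same property: an archived log record must be attributable to a time and an origin, and any later change to it must be detectable. The following is an added illustration of the usual way this is achieved, a hash chain of keyed MACs over compressed records; it is not code from the RFP or from any product, and the record layout, the single HMAC key and the sample log lines are constructed assumptions.

```python
# Added example (not part of the RFP): a minimal tamper-evident log archive of
# the kind SIEM requirements 13, 18, 64 and 70 describe.  Each record carries a
# time stamp, its origin, a compressed copy of the raw log and an HMAC that
# also covers the previous record's HMAC, so editing, deleting or reordering
# any archived entry is detected on verification.  The record layout and the
# single HMAC key are assumptions made for this illustration.
import hashlib
import hmac
import json
import zlib
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # chain anchor for the first record


class LogArchive:
    def __init__(self, key: bytes):
        self._key = key
        self._records = []          # in a real deployment: WORM / Tier II storage
        self._last_mac = GENESIS

    def _mac(self, payload: bytes, prev_mac: str) -> str:
        # HMAC-SHA256 over (previous MAC || canonical JSON of the record body)
        return hmac.new(self._key, prev_mac.encode() + payload, hashlib.sha256).hexdigest()

    @staticmethod
    def _payload(body: dict) -> bytes:
        return json.dumps(body, sort_keys=True).encode()

    def append(self, origin: str, raw_log: str, ts: Optional[str] = None) -> int:
        """Archive one raw log line; returns its sequence number."""
        body = {
            "seq": len(self._records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "origin": origin,
            "raw": zlib.compress(raw_log.encode()).hex(),   # compressed at rest
        }
        mac = self._mac(self._payload(body), self._last_mac)
        self._records.append({**body, "prev": self._last_mac, "mac": mac})
        self._last_mac = mac
        return body["seq"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self._records):
            body = {k: rec[k] for k in ("seq", "ts", "origin", "raw")}
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i                       # deletion or reordering
            if not hmac.compare_digest(self._mac(self._payload(body), prev), rec["mac"]):
                return False, i                       # content modified
            prev = rec["mac"]
        return True, None

    def raw(self, seq: int) -> str:
        """Extract the original raw log line (requirement 16)."""
        return zlib.decompress(bytes.fromhex(self._records[seq]["raw"])).decode()

    # The two methods below stand in for storage-level tampering so that the
    # detection path can be exercised; they are not part of the archive API.
    def simulate_edit(self, seq: int, new_raw: str) -> None:
        self._records[seq]["raw"] = zlib.compress(new_raw.encode()).hex()

    def simulate_delete(self, seq: int) -> None:
        del self._records[seq]


def build_sample_archive() -> LogArchive:
    """Constructed sample: three firewall lines from one origin."""
    archive = LogArchive(b"constructed-demo-key")
    lines = [
        "DENY src=203.0.113.7 dst=10.1.0.10 dport=445",
        "DENY src=203.0.113.7 dst=10.1.0.11 dport=445",
        "ALLOW src=192.0.2.5 dst=10.1.0.30 dport=443",
    ]
    for n, line in enumerate(lines):
        archive.append("fw-dc-01", line, ts=f"2017-08-21T10:00:0{n}+00:00")
    return archive


if __name__ == "__main__":
    a = build_sample_archive()
    print("intact:", a.verify())
    a.simulate_edit(1, "ALLOW src=203.0.113.7 dst=10.1.0.11 dport=445")
    print("after edit:", a.verify())
```

The MAC key must be held outside the storage administrator's reach (an HSM or a separate key service), otherwise whoever can alter the records can also recompute the chain; the same applies to the clock that supplies the time stamps, which is why requirement 4 asks for time-stamping before transmission rather than at the archive.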
Integration
72. Receive database alerts from DAM. (E)
73. Integrate with NBA, IPS, IDS, Firewall, Proxy etc. to identify network security issues. (E)
74. Integrate with DLP solutions to identify misuse of sensitive information. (E)
75. Integrate with PIM and other Directory solutions to relate security events to user activities. (E)
76. Integration with Vulnerability Assessment tools to identify security events. (E)
77. Integrate with GRC solution to capture compliance against security policies. (E)
78. Should be able to integrate with physical access control systems. (P)
79. Integrate with existing helpdesk/ incident management tools. (E)
80. Should be able to integrate with Internet Banking, Core Banking solution, RTGS/NEFT, ATM and credit card etc. and address the use cases mentioned in the RFP at a minimum. (P)
81. Connector Development tool/SDK availability for developing collection mechanisms for home-grown or any other unsupported applications. (E)
82. The system should have out of the box rules for listed IDS/IPS, firewalls, routers, switches, VPN devices, antivirus, operating systems, Databases and standard applications etc. (E)
Availability
83. The SI should prepare a DR plan for switch over in case the DC operations are down. (E)
84. The solution should have high availability features built in. There should be an automated switch over to the secondary collector in case of failure on the primary collector. No performance degradation is permissible even in case of collector failure. (E)
85. The storage solution should have adequate redundancy for handling disk failures. (E)
Scalability
86. The solution should be scalable as per the bank roadmap for expansion. (E)
87. Solution should support integration with big data storage configurations such as Hadoop etc. (P)
ANNEXURE - IX - Technical Requirements/ Specifications - WAF

Columns: S. No | Web Application Firewall (WAF) requirement | Essential (E) [Any Non-Compliance of (E) may lead to Bid Rejection] / Preferable (P) | Compliance (Yes/No) | Remarks. Please provide adequate reference to product manuals/ documentation to substantiate how the product conforms to each requirement.

1. The WAF Solution should be deployed in HA Mode in DC and DR. (E)
2. The Web application firewall should address Open Web Application Security Project (OWASP) Top Ten security vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management. (E)
3. The solution should prevent the following attacks (but not limited to): (E)
   - Brute force
   - Access to predictable resource locations
   - Unauthorized navigation
   - Web server reconnaissance
   - HTTP request format and limitation violations (size, unknown method, etc.)
   - Use of revoked or expired client certificate
   - File Upload Violation & scanning for malicious content in Uploads.
4. Should have DLP features to identify and block sensitive information such as credit card numbers, PAN Numbers, Aadhaar Numbers. (E)
5. Should support positive and negative security model. (E)
6. Should have the ability of caching, compression of web content and SSL acceleration. (P)
7. Should have integrated SSL Offloading capabilities; further, the solution should support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF. (E)
8. Should have integrated basic server load balancing capabilities. (P)
9. Should meet all applicable PCI DSS requirements pertaining to system components in the cardholder data environment; should also monitor traffic carrying personal information. (P)
10. Should have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken. (E)
11. Should inspect both web page content, such as Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the underlying protocols that deliver content, such as Hypertext Transport Protocol (HTTP) and Hypertext Transport Protocol over SSL (HTTPS). (In addition to SSL, HTTPS includes Hypertext Transport Protocol over TLS.) (E)
12. WAF should support dynamic source IP blocking and should be able to block attacks based on IP source. (P)
13. Should inspect Simple Object Access Protocol (SOAP) and Extensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP (HTTP headers, form fields, and the HTTP body). (E)
14. Inspect sockets or data constructs (proprietary or standardized) that are used to transmit data to or from a web application, when such protocols or data are not otherwise inspected at another point in the message flow. (E)
15. WAF should support inline bridge or proxy mode of deployment. (E)
16. WAF should have an option to configure in Reverse proxy mode as well. (E)
17. Actions taken by WAF to prevent malicious activity should include the ability to drop requests and responses, block the TCP session, block the application user, or block the IP address. (E)
18. Transactions with content matching known attack signatures and heuristics based should be blocked. (E)
19. The WAF database should include a preconfigured comprehensive and accurate list of attack signatures. (E)
20. The Web application firewall should allow signatures to be modified or added by the administrator. (E)
21. The Web application firewall should support automatic updates (if required) to the signature database, ensuring complete protection against the latest application threats. (E)
22. WAF should be able to restrict the number of files in a request. (P)
23. WAF should support the following normalization methods: (E)
   - URL-decoding (e.g. %XX)
   - Null byte string termination
   - Self-referencing paths (i.e. use of /./ and encoded equivalents)
   - Path back-references (i.e. use of /../ and encoded equivalents)
   - Mixed case
   - Excessive use of whitespace
   - Comment removal (e.g. convert DELETE/**/FROM to DELETE FROM)
   - Conversion of (Windows-supported) backslash characters into forward slash characters
   - Conversion of IIS-specific Unicode encoding (%uXXYY)
   - Decode HTML entities (e.g. &#99;, &quot;, &#xAA;)
   - Escaped characters (e.g. \t, \001, \xAA, \uAABB)
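The normalization methods in item 23 matter because signature matching (items 18 and 19) is only as good as the canonical form it runs on: a request that is URL-encoded twice, mixed-case, or split by an SQL comment will slip past a signature applied to the raw bytes. The following added illustration, not code from the RFP or from any WAF product, applies those methods in one pass and then matches a tiny constructed signature set against the result. The decoding order, the three-round limit against repeated encoding, and the signatures are assumptions.

```python
# Added example (not part of the RFP): the normalization methods of item 23
# applied in the order a WAF inspection pipeline would apply them, followed by
# a signature match on the normalized value.  The decoding order, the round
# limit and the sample signatures are assumptions for illustration.
import html
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # repeat decoding to defeat double/triple encoding

# Constructed, deliberately small signature set for the demonstration.
SIGNATURES = {
    "sqli_union": re.compile(r"\bunion\b\s+\bselect\b"),
    "xss_script": re.compile(r"<script"),
    "path_traversal": re.compile(r"^/etc/"),
}


def decode_iis_unicode(s: str) -> str:
    """%uXXYY (IIS-specific) -> the code point it names."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def decode_escapes(s: str) -> str:
    r"""C-style escapes: \t, \n, octal \001, hex \xAA, unicode \uAABB."""
    def repl(m):
        tok = m.group(1)
        if tok[0] in "xu":
            return chr(int(tok[1:], 16))
        if tok == "t":
            return "\t"
        if tok == "n":
            return "\n"
        return chr(int(tok, 8))
    return re.sub(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[0-7]{1,3}|[tn])", repl, s)


def normalize_path(path: str) -> str:
    """Backslash -> slash, drop self references (/./), resolve back
    references (/../) without climbing above the root."""
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalize_parameter(value: str) -> str:
    """Canonical form of a query/form parameter value."""
    s = value
    for _ in range(MAX_DECODE_ROUNDS):
        before = s
        s = decode_escapes(html.unescape(decode_iis_unicode(unquote(s))))
        if s == before:
            break
    s = s.split("\0", 1)[0]                        # null byte string termination
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # comment removal: a/**/b -> a b
    s = re.sub(r"\s+", " ", s).strip()             # excessive whitespace
    return s.lower()                               # mixed case


def normalize_request_path(path: str) -> str:
    """Canonical form of the request path (no escape/entity decoding, since a
    literal backslash in a path is a separator, not an escape)."""
    s = path
    for _ in range(MAX_DECODE_ROUNDS):
        before = s
        s = decode_iis_unicode(unquote(s))
        if s == before:
            break
    s = s.split("\0", 1)[0]
    return normalize_path(s.lower())


def inspect(value: str, is_path: bool = False):
    """Return (normalized_value, sorted names of matching signatures)."""
    norm = normalize_request_path(value) if is_path else normalize_parameter(value)
    return norm, sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))


if __name__ == "__main__":
    print(inspect("/app/%252e%252e/%2e%2e/etc/passwd%00.jpg", is_path=True))
    print(inspect("1%27%20UnIoN/**/SeLeCt%20%20%20password"))
    print(inspect("%u003cScRiPt%u003e&#97;lert(1)"))
```

A real WAF also records which transformations fired, since a parameter that needed three decoding rounds is itself an anomaly worth logging (item 40's per-transaction ID is where that would be tied together).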
24. WAF should support different policies for different application sections. (P)
25. The Web application firewall should automatically learn the Web application structure and elements. (P)
26. The Web application firewall learning mode should be able to recognize application changes as and when they are conducted. (P)
27. The WAF should have the ability to perform behavioral learning to examine traffic and highlight anomalies and provide recommendations that can be turned into actions such as apply, change and apply, ignore etc. (E)
28. The Web application firewall should support line speed throughput and sub-millisecond latency so as not to impact Web application performance. (E)
29. For SSL-enabled Web applications, the certificates and private/public key pairs for the Web servers being protected need to be uploadable to the Web application firewall. (E)
30. The solution should be capable of identifying and mitigating automated layer 7 attacks by issuing challenges like JavaScript, captcha, etc. to protect from advanced BOT and L7 DDoS attacks. (E)
31. The Web application firewall should have an out-of-band management port. (E)
32. The Web application firewall should support web based centralized management and reporting for multiple appliances. (E)
33. Bank should be able to deploy the Web application firewall and remove the Web application firewall from the network with minimal impact on the existing Web applications or the network architecture. (E)
34. The Web application firewall should be able to integrate with web application vulnerability assessment tools (Web application scanners). (P)
35. WAF should be able to integrate with the existing/ proposed SIEM solution. (E)
36. The Web application firewall should be able to generate custom or pre-defined graphical reports on demand or scheduled. (E)
37. The Web application firewall should provide a high level dashboard of system status and Web activity. (E)
38. Should be able to generate comprehensive event reports with filters: (E)
   a. Date or time ranges
   b. IP address ranges
   c. Types of incidents
   d. Geo Location of attack source
   e. Other (please specify).
39. The following report formats are deemed of relevance: Word, RTF, HTML, PDF, XML, etc. (E)
40. A unique transaction ID should be assigned to every HTTP transaction (a transaction being a request and response pair), and included with every log message. (E)
41Access logs can periodically be uploaded to the logging server (e.g. via FTP,
SFTP, WebDAV, or SCP).E
42. Web application firewall should provide notifications through Email, Syslog, SNMP Trap, notification via HTTP(S) push etc. (E)
43. WAF should be able to log full session data once a suspicious transaction is detected. (E)
44. Should be simple to relax automatically-built policies. (E)
45. The solution should allow the administrator to manually accept false positives. (E)
46. Should be able to recognize trusted hosts. (E)
47. The WAF in passive mode should be able to show the impact of rule changes as if they were actively enforced. (P)
48. The solution should be capable of performing, or of integrating with third party vulnerability scanners to provide, virtual patching. (E)
49. Should support clustered deployment of multiple WAFs sharing the same policy. (P)
50. The solution should support virtual environments. (E)
51. The solution should support all operating systems and their versions, including but not limited to Windows, AIX, Unix, Linux, Solaris, HP-UX. (E)
52. The solution should provide the following capabilities: (E)
   - URL encryption
   - DDoS protection
   - GeoIP tracking with domain and IP reputation, including a TOR network database to block threats
   - Protection from OWASP Top 10 threats
   - Protection from zero-day attacks
   - Protection from bot attacks
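Items 38, 40 and 43 describe what the WAF's log must carry and how it must be queried: one ID per request/response pair stamped on every message, full-transaction drill-down once an alert fires, and filters by date, IP range, incident type and geo source. The Python below is an added illustration of that mechanism, not text from the RFP or code from any bidder's product; the JSON field names, the sample log and the country codes are constructed for the example.

```python
"""Per-transaction WAF log correlation and incident filtering (added example)."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone


def new_txn_id():
    """One ID per request/response pair; every log message for it carries it."""
    return uuid.uuid4().hex


def log_line(txn_id, kind, **fields):
    """Render one log message as JSON with the transaction ID as first field."""
    record = {"txn_id": txn_id,
              "ts": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "kind": kind}
    record.update(fields)
    return json.dumps(record)


# Constructed sample log: three transactions, two of which raised an alert.
# The schema (txn_id, ts, client_ip, kind, ...) is an assumption for this
# example, not any product's log format.
SAMPLE_LOG = """
{"txn_id": "a1", "ts": "2017-08-21T09:00:01Z", "client_ip": "203.0.113.7", "kind": "request", "method": "GET", "uri": "/login"}
{"txn_id": "a1", "ts": "2017-08-21T09:00:01Z", "client_ip": "203.0.113.7", "kind": "response", "status": 200}
{"txn_id": "a2", "ts": "2017-08-21T09:00:05Z", "client_ip": "203.0.113.7", "kind": "request", "method": "POST", "uri": "/login"}
{"txn_id": "a2", "ts": "2017-08-21T09:00:05Z", "client_ip": "203.0.113.7", "kind": "alert", "incident": "sqli", "country": "XX"}
{"txn_id": "a2", "ts": "2017-08-21T09:00:05Z", "client_ip": "203.0.113.7", "kind": "response", "status": 403}
{"txn_id": "a3", "ts": "2017-08-22T10:15:00Z", "client_ip": "198.51.100.9", "kind": "request", "method": "GET", "uri": "/x.php"}
{"txn_id": "a3", "ts": "2017-08-22T10:15:00Z", "client_ip": "198.51.100.9", "kind": "alert", "incident": "path_traversal", "country": "YY"}
{"txn_id": "a3", "ts": "2017-08-22T10:15:00Z", "client_ip": "198.51.100.9", "kind": "response", "status": 403}
"""


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """One dict per log message, with the timestamp parsed into _ts."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_ts"] = _parse_ts(rec["ts"])
            events.append(rec)
    return events


def group_by_txn(events):
    """txn_id -> all messages for that transaction, in log order."""
    groups = {}
    for e in events:
        groups.setdefault(e["txn_id"], []).append(e)
    return groups


def transaction_view(events, txn_id):
    """Request, alerts and response of one transaction (the item 43 drill-down)."""
    return [e for e in events if e["txn_id"] == txn_id]


def find_incidents(events, start=None, end=None, cidr=None, incidents=None, countries=None):
    """The item 38 filters: date/time range, IP range, incident type, geo source."""
    lo = _parse_ts(start) if start else None
    hi = _parse_ts(end) if end else None
    net = ipaddress.ip_network(cidr) if cidr else None
    hits = []
    for e in events:
        if e["kind"] != "alert":
            continue
        if (lo and e["_ts"] < lo) or (hi and e["_ts"] > hi):
            continue
        if net and ipaddress.ip_address(e["client_ip"]) not in net:
            continue
        if incidents and e.get("incident") not in incidents:
            continue
        if countries and e.get("country") not in countries:
            continue
        hits.append(e)
    return hits
```

Because the alert and the request/response that produced it share a transaction ID, an analyst can go from a filtered incident list straight to the full exchange without correlating on client IP and timestamp, which breaks behind NAT or a CDN. Item 41 lists FTP among the upload methods for these access logs; since they are the evidence an incident investigation rests on, SFTP or SCP should be preferred over FTP, which carries credentials and content in the clear.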
ANNEXURE - IX - Technical Requirements/ Specifications - Privileged Identity Management (PIM)
Columns: S. No | Requirement | Essential (E) [any non-compliance with an (E) item may lead to bid rejection] / Preferable (P) | Compliance (Yes/No) | Remarks (please provide adequate reference to product manuals/ documentation to substantiate how the product conforms to each requirement)
1. Should control the commands the privileged user is authorized to perform. (E)
2. Should provide keystroke logging for privileged users. (E)
3. Should support multi-factor authentication for privileged users. (E)
4. Solution should be able to capture session logs for privileged users. (E)
5. Solution should be able to record sessions as video for privileged users. (E)
6. The recorded video should be of minimal size, and the recording should not impact user work or system performance. (E)
7. Solution should be able to provide time-based sessions for privileged users. (E)
8. Support delegation by an identity administrator to another person for a specific period of time. (E)
9. Support reminders to identity administrators who are required to perform workflow tasks. (E)
10. System should provide denial-of-access protection by blocking repeated password failures on multiple administrator accounts in the directory. (E)
11. Should be able to delegate privileged access to commands or applications. (E)
12. System should enforce segregation of duties as defined by the Bank. (E)
13. System should provide audit information on where privileged accounts are enabled, which users have access to them, and whether this access is as per Bank policies including password requirements. (E)
14. System should include an encrypted vault for privileged user credentials. (E)
15. System should ensure tamper-proof storage of passwords, credentials, recordings and logs. (E)
16. System should be able to produce privileged identity management audit reports for PCI DSS, RBI guidelines etc. (E)
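Item 15 requires tamper-proof storage of recordings and logs, and item 6 of the Other General Requirements asks for an auditable chain of custody on the log store. The usual way to make a log tamper-evident is a hash chain: each entry carries a keyed hash that covers the previous entry's hash, so an edit, a reordering or a deletion in the middle breaks verification. The Python below is an added example of that construction, not text from the RFP or code from any PIM product; the key and the sample records are constructed for the example.

```python
"""Hash-chained, tamper-evident audit journal (added example)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain head for the very first entry


def _canonical(body):
    # Deterministic serialisation, so the same entry always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(body, key):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain, record, key):
    """Append one audit record; its hash covers the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "record": record}
    entry = dict(body, hash=_digest(body, key))
    chain.append(entry)
    return entry


def verify_chain(chain, key, anchor=None):
    """Return (True, None) if intact, else (False, index of the first bad entry).

    `anchor` is the most recently published tail hash; passing it also detects
    silent truncation of the chain, which the links alone cannot reveal.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in ("seq", "prev", "record")}
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(_digest(body, key), entry["hash"])):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    # Constructed key and records; in a deployment the key lives in an HSM or
    # a custody system the logged administrators cannot reach.
    key = b"example-key-kept-in-hsm"
    chain = []
    append_record(chain, {"user": "admin1", "action": "checkout", "target": "db01"}, key)
    append_record(chain, {"user": "admin1", "action": "checkin", "target": "db01"}, key)
    print(verify_chain(chain, key))                     # (True, None)
    chain[0]["record"]["user"] = "someone-else"
    print(verify_chain(chain, key))                     # (False, 0)
```

Two caveats a practitioner would raise when a bidder demonstrates "tamper-proof" logs: the HMAC key must not be reachable by the same administrator whose actions the log records (keep it in an HSM or a separate custody system, or sign with a private key and let the log store hold only the public key), and a chain by itself cannot show that its tail was cut off, which is why verify_chain accepts an anchor, the last hash as published out of band, for instance forwarded to the SIEM or printed in a signed daily report.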
ANNEXURE - IX - Technical Requirements/ Specifications - Privileged Identity Management (PIM) (continued)
17. Should include a software development kit to facilitate integration with home-grown/ in-house applications. (E)
18. Should be able to integrate with existing AAA authentication devices, directory services etc. (E)
19. Support for a database-maintained change log for event-triggered updates. (P)
20. Solution should identify what information has changed and synchronize only that information. (P)
21. Solution should have template-based workflows for user account creation, management, group assignment, de-activation and deletion. (E)
22. Changes to a template should be configurable to apply to all users created from that template. (E)
23. Support for event-driven and request-driven account de-activation (i.e. not deletion), with or without workflow approval. (E)
24. Support workflows for disabling and for deletion of accounts as separate steps, as per the Bank's requirements. (E)
25. Support event-driven and request-driven account re-activation, with or without workflow approval. (E)
26. Support removal of accounts from target system groups upon deletion of the user account. (E)
27. Should support retry of failed creation, a failure reporting mechanism, and commit and rollback capabilities. (E)
28. Solution should be able to trigger additional workflows from a single initial workflow. (P)
29. The system should ensure that the dependencies for a given workflow are satisfied during the spawning process. (P)
30. System should ensure that workflow access is consistent with user roles. (E)
31. System should allow a user to initiate multiple workflow requests at one time. (E)
32. System should provide an overriding workflow that can be used to cancel the effects of a workflow. (E)
33. System should have a web based GUI for designing workflows. (E)
34. Automated creation, pending workflow approval(s), of user and group accounts based on attribute information. (P)
35. Should be able to handle access to mobile devices and applications. (E)
36. Should have a set of out-of-the-box reports to satisfy compliance requirements, including but not limited to: (E)
   · User logins and account details
   · Periodicity of access to specific accounts
   · Periodicity of changes to user details including passwords
37. System should support scheduled report generation. (E)
38. System should support integration with external GRC, SIEM and HRMS. (E)
39. Provide a built-in query tool for ad-hoc reporting. (E)
40. Support for password push to selectable target systems (i.e. the user or administrator is allowed to specify which systems have the same password). (P)
41. Delegated administrators (e.g. Help Desk, Data Centre administrators) can escalate to 2nd level support (e.g. IT Security). (P)
42. Should control the following: the systems the user can access; methods of access such as local, remote, SSH, Telnet etc.; and sources of access such as workstation, IP address, VPN etc. (E)
43. Approver should be able to authenticate to the identity management system to access the workflow inbox and perform the workflow activity. (E)
44. Should be able to authenticate users on the basis of the following: user name and password, digital certificates, one-time passwords, biometrics (such as fingerprints, iris scans etc.), smart cards and tokens etc. (E)
45. Support for bulk password updates or resets based upon administrator-defined groups of users. (E)
46. System should enforce password controls as per the Bank's requirements. (E)
47. System should support user maintenance auditing (identity updates, password changes, self administration, etc.). (P)
48. The following events should be registered for audit purposes (but not limited to): (E)
   · Authentication events
   · Authorization events
   · Directory object modification
49. Should support historical reporting that includes tracking of changes to user objects over a period of time. (E)
50. The auditing solution within PIM should correlate events to a particular identity even if the name of the object representing that identity has changed. (E)
51. Audit dashboard should list issues such as unauthorized access provisioning, bypasses of workflows, users deactivated after their due date, etc. (E)
52. System should have a password check-in and check-out feature for privileged users, based on appropriate workflows. (E)
53. System should enforce an automatic password change on first sign-in, so that the administrator cannot reuse the same password. (E)
54. System should have the ability to control periodic password changes. (E)
55. System should have the ability to control, on the basis of IP address, from where a privileged user can access a device/application. (P)
56. System should be able to control the number of users who can access common/shared privileged IDs at any point of time. (E)
57. If privileged users attempt to block session recording, the system should have the ability to raise appropriate alerts. (E)
58. System should be able to automatically change privileged passwords for critical applications/ databases on a periodic basis, and should then be able to provide access to applications that need to connect to these critical systems. (P)
59. The solution should not act as a single point of failure for privileged access to systems, and it should be possible to recover passwords during outages. (E)
60. The solution should have command control capability on any SSH connection (Unix systems, network devices, security devices and any SSH based target systems). (E)
61. The solution should cater for live monitoring of sessions and manual termination of sessions when necessary. (E)
62. The solution should use built-in FIPS 140-2 validated cryptography for all data encryption. (E)
63. The solution should have the capability to provide intelligence-driven analytics to identify suspicious and malicious privileged user and privileged account behaviour. (E)
64. The solution should detect and block credential theft from computers, such as Windows credential theft (SAM, LSASS harvesting), browser credential theft (IE, Firefox, Chrome) and third-party credential theft (WinSCP, VNC). (E)
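Item 64 asks the solution to detect and block credential theft from endpoints, naming SAM and LSASS harvesting. The Python below is an added example of the detection side only, written over a constructed sample of Sysmon-style events (Event ID 10 process access and Event ID 1 process creation, with the field names Sysmon emits); it is not text from the RFP or code from any bidder's product, and the allow list of legitimate LSASS readers is an assumption to be tuned per Windows build.

```python
"""Detection logic for SAM/LSASS credential-theft telemetry (added example)."""
import json
import re

# Access-mask bit that allows reading another process's memory
# (PROCESS_VM_READ). Every LSASS dump needs it, however the mask is padded.
PROCESS_VM_READ = 0x0010

# Processes that open LSASS legitimately on a stock host. Assumed baseline for
# this example; compare full lower-cased paths and, where the telemetry carries
# it, the binary's signer as well, because a path alone is easy to fake.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Offline SAM theft via the registry: "reg save HKLM\SAM ...", plus SECURITY
# and SYSTEM, which hold the boot key needed to decrypt the hashes.
SAM_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)


def check_event(ev):
    """Return an alert dict for one event, or None if it is benign."""
    eid = ev.get("EventID")
    if eid == 10:  # one process opened a handle to another
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            return None
        mask = int(ev["GrantedAccess"], 16)
        if not mask & PROCESS_VM_READ:
            return None
        if ev["SourceImage"].lower() in LSASS_READERS_ALLOWED:
            return None
        return {"rule": "lsass_memory_read", "host": ev["Computer"],
                "source": ev["SourceImage"], "access": hex(mask)}
    if eid == 1:  # process creation
        if SAM_DUMP.search(ev.get("CommandLine", "")):
            return {"rule": "sam_hive_dump", "host": ev["Computer"],
                    "source": ev["Image"], "command": ev["CommandLine"]}
    return None


def scan(lines):
    """Run check_event over newline-delimited JSON events; return the alerts."""
    alerts = []
    for line in lines.strip().splitlines():
        if line.strip():
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (raw string, so the JSON keeps its backslashes).
SAMPLE_EVENTS = r"""
{"EventID": 10, "Computer": "WKS-01", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "Computer": "WKS-01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "Computer": "WKS-01", "SourceImage": "C:\\Users\\ravi\\Downloads\\procdump.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "Computer": "WKS-01", "SourceImage": "C:\\Users\\ravi\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"}
{"EventID": 1, "Computer": "WKS-01", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg query HKLM\\Software\\Oracle"}
{"EventID": 1, "Computer": "WKS-01", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\SAM C:\\temp\\sam.hiv"}
"""
```

Detecting is the easy half of item 64: blocking needs an agent that can refuse the handle at the time it is requested (LSA protection, a kernel callback or an EDR hook), which an event-log rule cannot do, so a bidder claiming "block" should be asked which component does it. Browser credential stores (IE, Firefox, Chrome) and tools such as WinSCP or VNC keep their secrets in files and registry keys, so covering them needs file and registry access telemetry that this sample does not assume.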
65. The solution should record all commands along with source IP, login terminal details and timestamp. (E)
66. The solution should have capability for targeted alerting indicating problems such as mismanaged privileged accounts, out-of-policy passwords, orphaned SSH keys etc. (E)
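Items 1, 42, 55, 60 and 65 together describe command control on SSH sessions: which commands a role may run, from which sources, and a record of every command with source IP, login terminal and timestamp. The Python below is an added illustration of such a policy engine, not text from the RFP or code from any PIM product; the policy format, role names and addresses are assumptions. It includes two checks that product demonstrations often skip: a command line containing shell metacharacters is refused outright rather than parsed around, and programs that can spawn a shell from inside (vi, less, awk and the like) are refused even if someone adds them to the allow list.

```python
"""SSH command control for privileged sessions (added example)."""
import re
import shlex
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed policy format for this example: per role, the executables that may
# be run, deny patterns that override the allow list, and permitted source
# networks. A real PIM product keeps this in its own policy store.
POLICY = {
    "db-operator": {
        "allow": {"ls", "cat", "tail", "df", "systemctl"},
        "deny_patterns": [r"^systemctl\s+(stop|disable)\b", r"\bshutdown\b"],
        "sources": ["10.10.0.0/16"],
    },
    "network-admin": {
        "allow": {"show", "ping", "traceroute"},
        "deny_patterns": [],
        "sources": ["10.20.0.0/24"],
    },
}

# Anything that chains, substitutes or redirects would let an allowed command
# smuggle a second one, so the whole line is refused rather than parsed around.
SHELL_META = re.compile(r"[;&|`$<>()\n]")

# Programs that can start a shell from inside (":!sh" in vi, "!" in less,
# system() in awk ...). Allowing them makes the allow list a formality.
SHELL_ESCAPERS = {"sh", "bash", "zsh", "ksh", "sudo", "su", "vi", "vim",
                  "less", "more", "python", "perl", "find", "awk"}


def evaluate(role, command, source_ip):
    """Decide allow/deny for one command line; returns (decision, reason)."""
    pol = POLICY.get(role)
    if pol is None:
        return "deny", "unknown role"
    if not any(ip_address(source_ip) in ip_network(n) for n in pol["sources"]):
        return "deny", "source not permitted for role"
    if SHELL_META.search(command):
        return "deny", "shell metacharacter"
    try:
        argv = shlex.split(command)
    except ValueError:
        return "deny", "unparseable command"
    if not argv:
        return "deny", "empty command"
    if "/" in argv[0]:
        # A path would let the user run an arbitrary binary named after an
        # allowed one; the gateway resolves allowed names to fixed paths.
        return "deny", "explicit path not permitted"
    exe = argv[0]
    if exe in SHELL_ESCAPERS:
        return "deny", "shell-escape capable program"
    if exe not in pol["allow"]:
        return "deny", "not in allow list"
    normalized = " ".join(argv)  # quoting removed, so patterns see one form
    for pat in pol["deny_patterns"]:
        if re.search(pat, normalized):
            return "deny", "matches deny pattern"
    return "allow", "ok"


def handle(journal, role, user, source_ip, terminal, command):
    """Evaluate and record. Every decision, allowed or not, is journaled with
    source IP, login terminal and timestamp (item 65)."""
    decision, reason = evaluate(role, command, source_ip)
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "role": role, "source_ip": source_ip,
        "terminal": terminal, "command": command,
        "decision": decision, "reason": reason,
    }
    journal.append(entry)
    return entry
```

Command control of this kind holds only for commands executed one at a time through the gateway. An interactive shell must instead be proxied keystroke by keystroke with recording (items 2, 4 and 5), and SSH port forwarding and agent forwarding must be disabled on the gateway; otherwise the allow list is bypassed without any command ever being "run" through it.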
ANNEXURE - IX - Technical Requirements/ Specifications - Anti-Phishing
Columns: S. No | Requirement | Essential (E) [any non-compliance with an (E) item may lead to bid rejection] / Preferable (P) | Compliance (Yes/No) | Remarks (please provide adequate reference to product manuals/ documentation to substantiate how the product conforms to each requirement)
1. The vendor should have the capability for 24x7x365 monitoring of phishing attacks targeting the Bank (logo, URLs, domain, digital watermark, mobile app etc.). (E)
2. The vendor should have the ability to detect, monitor and shut down all kinds of incidents such as phishing, pharming, brand abuse, fraudulent emails, etc. (E)
3. The vendor should report the activation/reactivation of phishing sites and mobile apps as per the SLAs defined in the RFP. (E)
4. The vendor should assist the Bank (as per the SLAs) on remedial measures in case of identification of phishing sites and mobile apps. (E)
5. The vendor should monitor and review web-server referrer logs. (P)
6. The vendor should track new domain name registrations to detect any spoofed site being registered. (E)
7. The vendor should review web server logs and application logs to identify the phisher's identity, the transactions initiated by the phisher, the time the attack was initiated, and the users/customers possibly impacted. (E)
8. The vendor and system should monitor and log all pharming and phishing attempts. (E)
9. Identify email addresses that are being used for sending spoofed emails to the Bank's customers and employees. (E)
10. The vendor should review the Bank's websites and mobile apps on a periodic basis and suggest anti-phishing measures to be taken. (E)
11. The vendor should assist the Bank in coordination with law enforcement and other agencies such as CERT-In, Cyber Crime Cells, RBI, third party auditors etc. (E)
12. The vendor should support forensic investigation of phishing incidents. (E)
13. Data sources monitored by the vendor should include (but not be limited to): (E)
   - Domain name databases
   - Hacker forums
   - Junk e-mail messages
   - Abuse mailbox
   - Internet Relay Chat
   - Usenet data
   - Web server logs
   - Sites reported by internet banking customers
14. The vendor should maintain or have direct access to data from honeypots or a network of sensors to collect data on Trojans. (P)
15. The vendor should monitor networks known to be sources of attacks and/or points of collection of compromised data, compromised devices, malicious URLs and malicious command and control sites. (P)
16. The vendor should monitor Trojans that are specifically targeted at the banking sector. (E)
17. The vendor should identify compromised areas in the Bank's network and inform the Bank as per defined SLAs. (E)
18. In case of an attack, the vendor should identify and report the extent of damage done to the Bank's environment. (E)
19. The forensic data to be collected for Trojans should include, but not be limited to, the following: tools used in attacks, compromised data, account information, compromised credit/debit cards issued by the Bank, email addresses, customer profiles etc. (E)
20. The vendor should be able to shut down Trojans, malware, phishing sites and phishing mobile apps irrespective of region of origin, browser or ISP. (E)
21. The vendor should monitor similar domain name registrations. (E)
22. The vendor should monitor spam traps to detect phishing mails. (E)
23. The vendor should also support scanning of static as well as dynamic links/pages. (P)
24. Vendor should be able to take counter measures including (but not limited to): (E)
   A) Bringing down websites and mobile apps that are capable of causing phishing attacks.
   B) Baiting.
   C) Automated dummy responses to the phishing site.
   D) Notifying the various internet browsers about detected sites so that they are blocked at browser level.
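Items 6 and 21 require tracking new domain registrations for spoofed or similar names. The Python below is an added example of how the watch list for that is built and matched against a registration feed; it is not text from the RFP or code from any vendor's service. The watched domain is the Bank's own, psbindia.com, taken from the RFP cover; the substitution table, the affix list and the sample feed are constructed for the example, and none of the sample names is claimed to be registered.

```python
"""Lookalike-domain watch list and registration matching (added example)."""

# Character substitutions that read alike in a browser bar or an email.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "b": "d", "d": "b", "m": "rn", "w": "vv"}
# TLDs under which a bank's name is likely to be registered by a phisher.
TLDS = ["com", "in", "co.in", "net", "org", "info", "bank"]
# Words commonly glued to a bank's name in phishing domains.
AFFIXES = ["secure", "login", "online", "netbanking", "verify", "kyc"]


def variants(label):
    """Typosquat variants of one domain label (the part before the TLD)."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i] + label[i] + label[i:])                # repetition
        if label[i] in HOMOGLYPHS:                               # homoglyph
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
        if i > 0:
            out.add(label[:i] + "-" + label[i:])                 # hyphenation
        if i < n - 1:                                            # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for word in AFFIXES:
        out.update({word + label, label + word, word + "-" + label, label + "-" + word})
    out.discard(label)
    return out


def lookalike_domains(domain):
    """Full watch list: every variant, and the label itself, under every TLD."""
    label = domain.lower().partition(".")[0]
    watch = set()
    for v in variants(label) | {label}:
        for tld in TLDS:
            watch.add(f"{v}.{tld}")
    watch.discard(domain.lower())
    return watch


def match_registrations(domain, new_registrations):
    """Check a feed of newly registered names against the watch list.

    Returns (name, reason) pairs; the Bank's own domain is never reported.
    """
    domain = domain.lower()
    label = domain.partition(".")[0]
    watch = lookalike_domains(domain)
    hits = []
    for raw in new_registrations:
        d = raw.strip().lower().rstrip(".")
        if d == domain:
            continue
        if d in watch:
            hits.append((d, "typosquat variant"))
        elif label in d.partition(".")[0]:
            hits.append((d, "contains brand label"))
    return hits


# Constructed sample feed: none of these names is claimed to exist.
SAMPLE_FEED = ["PSBINDA.COM", "psbindia-netbanking.com", "example.org",
               "psbindia.com", "psbindia-kyc-update.com", "ps-bindia.in"]
```

A production service extends this in two directions the example leaves out: Punycode/IDN homoglyphs (a Cyrillic "а" for a Latin "a"), which need the Unicode confusables tables rather than an ASCII map, and correlation of each hit with certificate transparency logs, since a phishing site usually obtains a TLS certificate before the lure is sent.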
25. The vendor should have a DR set-up to ensure continuity of services in case of failure of the main site. (E)
26. Vendor should conduct periodic training for the Bank's staff on best practices to avoid phishing attacks. (E)
27. Vendor should be able to identify and report to the Bank if access to blocked ports on a web server is sought by an external user. (P)
28. Monitoring of all major mobile app marketplaces for counterfeit or copycat apps, or apps infringing trademarks, linking to pirated content, attempting phishing attacks or distributing malware, with prompt submission of enforcement notices for the removal of rogue or infringing apps. (E)
ANNEXURE - IX - Technical Requirements/ Specifications - Anti-Advanced Persistent Threat (Anti-APT)
Columns: S. No | Requirement | Essential (E) [any non-compliance with an (E) item may lead to bid rejection] / Preferable (P) | Compliance (Yes/No) | Remarks (please provide adequate reference to product manuals/ documentation to substantiate how the product conforms to each requirement)
1. The solution should be able to inspect and block all network sessions, regardless of protocol, for suspicious activities or files at the various entry/exit points of the Bank's network. (E)
2. The solution should be able to protect against advanced malware, zero-day web exploits and targeted threats without relying on a signature database. (E)
3. The solution should be able to identify malware present in network file shares and web objects (QuickTime, MP3 and ZIP/RAR/7ZIP/TNEF archives, 3gp, asf, chm, com, dll, ico, jar, jpeg, jpg, mov) and be able to quarantine them. (P)
4. The solution should be able to identify zero-day malware present in file and web objects (Adobe Flash files, Java, Microsoft Office files .doc .docx .ppt .pptx .xls .xlsx, .pdf, rar, dll, sys, tar, exe, zip, bzip, 7zip, lnk, chm, swf etc.) and should have the ability to interrupt malicious communication. (E)
5. The proposed solution should support at least 100 protocols (e.g. HTTP, FTP, SMTP, SNMP, IM, IRC, DNS, P2P protocols, SMB, and database protocols such as MySQL, MSSQL, Oracle etc.) for inspection, and should block suspicious communications with the IP, URL and file associated with detected zero-day malware. (E)
6. Solution should identify spear phishing email, zero-day malware and ransomware attacks in email and should quarantine or block suspicious email messages before they reach the user/ mail server. (E)
7. The solution should support a sandbox test environment which can analyse threats to various operating systems, browsers, databases etc. (E)
8. The solution should support both inline and out-of-band mode. (E)
9. The solution should be able to detect and prevent bot outbreaks, including identification of infected machines. (E)
10. The solution should be appliance based with a hardened OS. No information should be sent automatically to third party systems for analysis of malware. (E)
11. The solution should be able to block the call-back tunnel, including fast-flux connections. (E)
12. The solution should be able to share its malware information/ zero-day attack knowledge base with deployed appliances. (P)
13. The solution should be able to capture packets for deep-dive analysis. (P)
13. The solution should be able to pinpoint the origin of attack and threat description, and help to understand the severity and stage of each attack. (E)
14. In case there is no antivirus signature available for malware, the solution should have the ability to export data about the malware and share it with the antivirus solution providers (consistent with item 10, such sharing should be under the Bank's control rather than automatic). (P)
15. The solution should be able to conduct forensic analysis on historical data. (E)
16. Dashboard should have the feature to report malware type, file type, CVE ID, severity level, time of attack, source and target IPs, IP protocol, attacked ports, source hosts etc. (E)
17. The solution should generate periodic reports on attacked ports, malware types, types of vulnerabilities exploited etc. (E)
18. The solution should be able to export event data to the Bank's existing SIEM or incident management systems. (E)
19. Solution should be able to monitor encrypted traffic. (E)
20. The management console should be able to provide information about the health of the appliance such as CPU usage, traffic flow etc. (E)
21. The solution should display the geo-location of the remote command and control server. (P)
22. The solution should be able to integrate with Active Directory to enforce user based policies. (P)
23. The Anti-APT solution should have a minimum of 50 sandboxes and should be able to handle at least 25,000 files a day. (E)
24. The solution should monitor inter-VM traffic on a port mirror session. (E)
25. Sandboxes must support multiple operating systems, for both 32-bit and 64-bit OS. The Bank currently has Solaris, Windows and Red Hat Linux operating systems. (E)
26. The solution should support Windows XP, Windows 7, Windows 8, Windows 10, Windows Server 2003, Windows Server 2008, Solaris 10 and Red Hat Linux 5 and above operating environments for sandboxing; this requirement should be met by virtual execution and should not be a hardware or chip based function. (E)
27. The solution should support open web services APIs for 3rd party or scripting integration. (E)
28. The solution should support Windows XP, Windows 7, Windows 8, Windows 10, Windows Server 2003, Windows Server 2008 (32-bit and 64-bit), Solaris 10 and Red Hat Linux 5 and above operating environments for sandbox file analysis. The solution should have the option to upload a custom sandbox image running in the Bank's environment. (E)
ANNEXURE - IX - Other General Requirements
Columns: S. No | Requirement | Essential (E) [any non-compliance with an (E) item may lead to bid rejection] / Preferable (P) | Compliance (Yes/No) | Remarks (please provide adequate reference to product manuals/ documentation to substantiate how the product conforms to each requirement)
Security
1. All proposed solutions should be IPv6 compatible from day 1. The bidder should migrate the in-scope devices to IPv6 as and when the Bank decides to migrate to IPv6. (E)
2. All solutions should support 256-bit or higher encryption (e.g. AES-256) for transfer of information. (E)
3. All solutions should support user authentication mechanisms such as directory services and AAA as deployed in the Bank's environment. The systems should be able to align to the Bank's authentication requirements including password policy. (E)
4. Any changes to the deployed solutions should be logged, including changes to the database such as update, insert, delete, select etc. (DML), schema/object changes (DDL), manipulation of accounts, roles and privileges (DCL), and query updates. (E)
5. The proposed solutions should maintain an audit trail of the management activities of individual users and administrators accessing and using the application. (E)
6. The systems should have a mechanism to protect the log database against unauthorized access by system administrators, and should maintain an auditable chain of custody. (E)
7. Solutions should provide for Discretionary Access Control (DAC) and Role-Based Access Control (RBAC), and grant access on the least-privilege principle. (E)
8. All devices should comply with the FIPS 140-2 standard for cryptographic modules. (E)
9. All solutions deployed in inline mode should have built-in bypass (fail open) for inline mode. (E)
10. All appliances should have dual power supplies to ensure redundancy. (E)
11. All devices/appliances should be rack mountable and of 1U/2U type only. (E)
12. All the proposed solutions should support external storage such as SAN storage. (E)
13. The solutions should support virtual environments. (E)
Support
14. The bidder shall ensure that all deployed devices have the latest patches/ security upgrades. (E)
15. The bidder should develop the following processes for the operation of the SOC (but not limited to): (E)
   1. Configuration and change management
   2. Incident and escalation management processes
   3. Daily standard operating procedures
   4. Training procedures and material
   5. Reporting metrics and continuous improvement procedures
   6. Data retention and disposal procedures
   7. BCP and DR plan and procedures for the SOC
   8. Security patch management procedure
16. The bidder should ensure the SLAs are adhered to and should provide the Bank with periodic reports of performance against the defined SLAs. (E)
17. The bidder should provide continuous threat updates from sources such as CERT, ISAC, NIST, RBI etc. (E)
18. The bidder should assist the Bank in performing analysis and optimization of the log collection process. (E)
19. Technical support should be available through the OEM or the registered partners of the OEM, as per defined SLAs. (E)
20. The bidder should develop, update and maintain log baselines for all platforms at the Bank. (E)
21. The bidder should maintain a knowledge base of alerts, incidents and mitigation steps. (E)
22. Evidence for any security incident should be made available for legal and regulatory purposes. (E)
23. The bidder should provide comprehensive system documentation, user guides and online help for the devices. (E)
24. The bidder should ensure that events occurring at any of the devices/ applications etc. are logged and displayed at the SIEM within 30 seconds of their occurrence. (E)
25. All solutions should be scalable as per the Bank's future requirements. (E)
Bidder Resources
26. All the resources provided for monitoring of the product and administration of the solution should be OEM certified. Certificates have to be submitted at the time of bidding. (E)
27. In case of exigencies, even during off business hours / Bank holidays, the resources may be required to be present onsite. (E)
28. Personnel deployed in the Bank's premises shall comply with the Bank's information security requirements. (E)
29. The SOC should be supported by 3 shifts for 24/7 operations, and the resources should be able to support and analyse the data received. (E)
ANNEXURE - IX - Security Service Desk System
Columns: S. No | Requirement | Essential (E) [any non-compliance with an (E) item may lead to bid rejection] / Preferable (P) | Compliance (Yes/No) | Remarks
1. The tool should be customized with forms, fields and workflows corresponding to security monitoring, incident management, infrastructure and application baseline security, and secure commissioning of new servers and applications. (E)
2. The service desk should be configured with escalation workflows. (E)
3. Service desk should be a web based portal with ready access to service requests. (E)
4. Bank should be able to generate reports on demand from the service desk portal. (E)
5. Service desk should support concurrent login for at least ten users. (E)
6. A service request should contain at least the request number, description of the request, date and time of opening, update and closure, asset details for which the service request has been opened, and action taken. (E)
7. Service desk should have provision for escalation of incidents by Bank officials. (E)
8. Service desk should be configured, maintained and updated to record all agreed-upon SLA breaches. (E)
9. Bank should be able to generate reports on demand from the service desk portal. (E)
ANNEXURE - IX - Security Service Desk System