IBF Examination Management System RFP.Exam.2021. 1202


Page 1 of 49

PUBLIC DOCUMENT

REQUEST FOR PROPOSAL

Project Name:

IBF Examination Management System RFP.Exam.2021. 1202

The Institute of Banking & Finance 10 Shenton Way

#13-07/08 MAS Building Singapore 079117

Tel: 62208566 Fax: 62244947

Email: [email protected]


Table of Contents

1. INTRODUCTION.......................................................................................... 4

2. BACKGROUND ........................................................................................... 4

3. PROJECT OBJECTIVES ................................................................................. 4

4. SCOPE OF WORK ........................................................................................ 5

5. FUNCTIONAL SPECIFICATIONS .................................................................... 5

6. SERVICE LEVEL REQUIREMENT .................................................................. 10

7. LIQUIDATED DAMAGES ............................................................................ 12

8. GENERAL REQUIREMENTS ........................................................................ 12

9. TECHNICAL REQUIREMENTS ..................................................................... 13

10. SYSTEM DELIVERY AND ACCEPTANCE BY IBF ............................................. 17

11. PROJECT DELIVERABLES & SCHEDULE ....................................................... 19

12. EVALUATION CRITERIA ............................................................................. 20

13. SUBMISSION DETAILS ............................................................................... 21

14. RIGHTS TO THE PROJECT DELIVERABLES ................................................... 21

15. EXPENSES ................................................................................................ 22

16. PAYMENT ................................................................................................ 22

17. LIMITATION OF LIABILITY ......................................................................... 22

18. CONTENTS OF PROPOSAL ......................................................................... 23

19. CONFIDENTIALITY .................................................................................... 23

20. INDEMNITY AGAINST A THIRD PARTY ....................................................... 23

21. ACCEPTANCE OR NON-ACCEPTANCE OF PROPOSAL .................................. 23

22. NOTIFICATION OF UNSUCCESSFUL BID ..................................................... 24


23. ENQUIRIES ............................................................................................... 24

ANNEX A: DOCUMENTATION ................................................................................... 25

ANNEX B: PROPOSAL ............................................................................................... 28

ANNEX C: SERVICE PROVIDER CHECKLIST ................................................................. 35

ANNEX D: PROJECT COSTS AND FEES ........................................................................ 46


1. INTRODUCTION

1.1. The Institute of Banking and Finance (“IBF”) is issuing this Request for Proposal (“RFP”) to identify a suitable entity (hereinafter referred to as the “Service Provider”) to submit a proposal for the development of an IBF Examination Management System (“IBF Exam System”).

1.2. The IBF Exam System is expected to incorporate the following functionalities to support IBF’s on-premise and remote/online examinations, and may be hosted on IBF’s local server or on cloud:

(i) Examinations content development and secure storage in respect of creation, editing and publishing of examination questions based on configurable parameters and structure (hereinafter referred to as “exams authoring”);

(ii) Examination delivery platform for conducting examinations;

(iii) Examination administration and management to facilitate examination registration, authentication, and results notification; and

(iv) Examination data analytics, candidate surveys and reports to support ongoing quality and irregularity reviews.

2. BACKGROUND

2.1 The IBF was established in 1974 as a not-for-profit industry association to foster and develop the professional competencies of the financial industry in Singapore. IBF represents the interests of close to 200 financial institutions including banks, insurance companies, securities brokerages, and asset management firms. In partnership with the financial industry, government agencies, training providers and the trade union, IBF is committed to equip practitioners with capabilities to support the growth of Singapore’s financial industry. IBF administers industry and licensing examinations for various sectors in the financial industry.

3. PROJECT OBJECTIVES

3.1 The IBF Exam System aims to achieve the following objectives:

(a) User-friendly and customisable process and workflow in exams authoring;

(b) Multi-level user access management to provide flexibility for users to hold different roles for different examinations while protecting confidentiality of the examination questions and data;

(c) Examination data analytics (including psychometric analysis) on the quality and performance of the examination modules, examination questions and examination candidates;


(d) Secure connectivity between the IBF Exam System and the IBF Portal for data transfer in relation to candidates’ registration details, examination results and other data to be determined from time to time. The IBF Portal is a proprietary system that handles all IBF e-services for external users, including both corporate members and individual users who register and/or pay for their examinations;

(e) High level of system security, reliability, and availability, with robust data protection policies and processes;

(f) Good user interface that offers positive user experience, including seamless and user-friendly delivery platform for candidates, easy to use/navigate browser for exams authoring, administration, management and data analytics.

(g) Proven remote invigilation capabilities for online examinations;

(h) Reliable management of data migration from the current IBF Exam System to the new IBF Exam System; and

(i) Easily retrievable records and audit trails that capture key/sensitive activities of privileged user access, such as changes to examination contents and candidates’ details or exporting questions to downloadable formats.

4. SCOPE OF WORK

4.1 Service Providers are invited to quote for the design, development, delivery, installation, testing and support of the IBF Exam System as per the stated objectives above.

4.2 The Service Provider is required to submit a proposal to indicate the extent of compliance or variation with the Specifications/Compliance Statements detailed in Section 5 – Functional Specifications.

5. FUNCTIONAL SPECIFICATIONS

5.1 All Service Providers are required to take note of the following specifications, complete the compliance statements, and submit them as part of the RFP documentation.

5.2 Mandatory Requirements

Columns: S/N No. | Specifications | Ability to Deliver (Yes / No) | State Variations, if any

1. Data transfer between IBF Portal and proposed IBF Exam System

1.1 Facilitate data transfer between IBF Portal and proposed IBF Exam System.

2. Examination Session Creation

2.1 Allow concurrent delivery of multiple examination sessions.

2.2 Allow flexibility to amend the number of vacancies available for any examination session and/or create private examination sessions for selected candidates/ financial institutions by invitation.

3. Exam System Access and Management

3.1 Creation of users with multiple access levels (e.g. question setters, reviewers, approvers and administrative staff). Remote access for question setters to input questions directly into the system for review. Secure login for question setters with 2 Factor Authentication (2FA). Allow selection of a subset of examination questions in one examination paper to be reviewed by multiple reviewers concurrently.

3.2 Provision of concurrent sign-in by different users but disallow multiple concurrent logins from same user account.

3.3 Password settings to conform to industry best practices. System login with unique user ID and password. Allow for password change at users’ discretion.

4. Exams Authoring – Features

4.1 Able to add examination questions singly and in bulk into the question bank using excel spreadsheets, XML import templates and/or word documents.

4.2 Able to work on examination questions development during examination sessions.

4.3 Able to metatag and search for examination questions via question number / difficulty level / section number / topic/ key words.

4.4 Able to export selected or all unpublished examination questions into word or excel template for further review by exams authoring users. Flexibility for privileged users to export questions based on selected criteria (e.g. questions attempted by selected candidates, difficulty level).

4.5 Provision for privileged users to pre-select examination questions for selected candidates/examination sessions; and print the examination paper in hardcopy.

4.6 For Case Study examination questions, system to allow:

- Easy linking of the case study description to the questions;

- Option of vertical or horizontal layout presentation.

4.7 Provision for privileged users to delete/archive examination questions from the question set.

4.8 Allow examination questions to be moved/shared across examination modules/papers/question folders.

4.9 Allow default setting for font type and font size for examination questions and answer options. Able to insert standard phrase “Select all options that apply” automatically for all Multiple Response Questions.

4.10 Able to revert to original examination questions after every upload of new or edited examination questions.

4.11 Able to randomise examination questions in the examination papers and randomise answer options for each examination question (no repeated questions for the same candidate).

5. Examination Delivery / Candidate Interface

5.1 Single sign-on for examination candidates for both on-premise and online examinations.

5.2 Navigational tutorial for candidates to familiarise themselves with the interface.

5.3 Able to conduct both online examinations with remote live proctoring and on premise examinations. Feature to save after every answer keyed in by candidates.

5.4 User-friendly navigation controls and features for examination candidates during the examination session (e.g. formula sheets, instructions, calculator, note pad).

5.5 At end of examination, candidates to complete examination survey before release of results on-screen. To display candidates’ results in selected % range (e.g. 50%-60%, 70%-80%) and provide feedback on areas of weakness for candidates.

5.6 Allow candidates to bookmark questions for review before ending the examination. System to prompt candidates on unanswered questions when candidates choose to end an examination.

6. Remote Examination – Integrity Features

6.1 Support concurrent examination sessions (on-premise and remote/online). Acceptable candidate-to-invigilator ratio (taking into consideration examination security, integrity, handling of exam irregularities, etc).

6.2 Arrangement for candidates to conduct system compatibility checks and try out sample test before actual examination.

6.3 Full recording from start to finish for all examination sessions, including candidate checks, such as candidate ID or biometric checks.

6.4 Secured remote test environment (secured browser lockdown) with measures to ensure integrity and security of examination location and space.

6.5 AI/human proctoring. For human proctoring, same invigilator throughout duration of examination (Experienced and trained invigilators).

6.6 Anti-cheating features or technologies with high accuracy in detecting cheating or other examination irregularities. All examination irregularities / violations of examination rules are flagged and audited. All flagged cases to be reported to IBF within 24 hours and evidence should be escalated to IBF within 48 hours.

6.7 Audio and video recordings for online examination sessions should be retained for:

(a) At least 30 days; and

(b) An additional 60 days for all flagged cases.

Option for IBF to download video for flagged cases.

6.8 Reasonable time for candidates to re-connect back to continue examination in cases of disconnection.

6.9 Able to suspend or withhold the awarding of result slips/certifications if examination irregularities are detected.

7. Examination Analytics and Psychometrics

7.1 Dashboard interface for report selection / report fields selection / query report, e.g.

a) to identify questions that are correctly answered/wrongly answered by most candidates and to provide detailed analysis on the type of questions, e.g. by difficulty level/section/etc;

b) to generate a report for the examination question bank (by examination modules) by date, etc. for review.

8. Audit Trail and Requirements

8.1 Able to retain all records for 6 months for audit trail.

8.2 Full audit trail – system enables full traceability for all activities in relation to deleting, editing and publishing of examination questions. All access to the system is logged and users can view the entire history of a question.

8.3 Full audit trail of all candidates’ activities.

9. Support Teams

9.1 Customer support for telephone and email. Point of contact for day-to-day operational issues and enquiries based on SG timing. To provide Client Dedicated Account Manager.

9.2 Business assurance – reliable support for managing audits, business continuity management, fraud prevention, regulatory compliance and risk management.

9.3 Online Examinations –

a) Telephone and chat enquiries responded to within 60 seconds with real-time troubleshooting with candidates.

b) Low candidate connection wait-time of less than 30 seconds.

c) All candidate technical support issues are tracked.

d) Complete incident report for each test session provided within 24 hours of the examination.

e) Average authentication initiation time of 2 minutes as system assigns candidates to invigilators on "first come first served" basis.

10. User Acceptance Test (“UAT”) Platform

10.1 UAT platform for testing.


5.3 Optional Requirements

Service Provider to quote the following items listed below separately from the items listed in 5.2. If any of the items is included in the system costing, Service Provider to indicate as well.

Columns: S/N No. | Specifications | Ability to Deliver (Yes / No) | State Variations, if any

1. Stand-alone Examination Registration System

1.1 Examination registration for both on premise examinations and remote/online examinations. Examination registration restriction to bar candidates from registering multiple sessions of the same examination or blacklisted candidates from registering for examinations during their debarment period.

1.2 Examination registration acknowledgement /rescheduling/reminder emails to candidates on real time basis.

1.3 Creation/ updating of examination candidates’ profiles.

2. Exams Authoring – Features

2.1 Able to change question structure (e.g. from MRS to MCQ, or case study to single question) during development.

2.2 System to prompt when duplicated examination questions are in the examination question bank.

2.3 In-built spell checks and grammar checks.

2.4 Able to keep track of the timelines and send reminders to question setters, reviewers or publishers for tasks that are outstanding.

6. SERVICE LEVEL REQUIREMENT

6.1 Service Provider to provide service level response time and resolution time for support based on the following:

Columns: Category | Response Time | Resolution Time (Response Time and Resolution Time to be proposed by the Service Provider)

A – Fatal: Problem causes a live deployed application to stop, crash or cease to function. Work cannot resume and requires immediate attention towards resolution.

B – Major: Problem severely restricts the functionality provided by the live deployed production application.

C – Minor: Problem significantly restricts the functionality provided by the live deployed production application, degradation of reliability of performance or limited access to function provided by the live deployed production application.

6.2 System Performance Availability Standard

Performance

6.2.1 The maximum response time of the System to navigate from one screen to another after the user has clicked on the button or other input device shall not exceed 5 seconds for 95% of the time. This requirement shall be tested during the User Acceptance Test with IBF provided network.

Availability

6.2.2 The System shall be available on a 24 hours per day, 7 days per week, 365 days per year basis except for scheduled routine system maintenance or downtime, in which case IBF is to be notified at least 1 week in advance to inform users.

Reliability

6.2.3 The System shall be able to recover all data stored up to the last successfully completed transaction before a failure occurs without manual intervention by the users.

6.2.4 Failure of any single transaction shall not affect the integrity of the existing data and the failed transaction shall not be captured in the database.

6.2.5 The System shall be designed to prevent a single point of failure in bringing down the whole System.

6.2.6 The Service Provider shall propose an automated performance monitoring tool to ensure that the System meets the requirements set out in the Service Level Agreements (“SLAs”) and to proactively identify problem areas and take corrective actions before services are affected.

6.2.7 The proposed automated performance monitoring tool shall alert the Duty or assigned Facilities Management Engineer / System Administrator at the external Data Centre when the System reaches the 70% (minimum) and 85% (maximum) thresholds of capacity resources such as CPU, database disk space, RAM etc., and on any service unavailability. The Service Provider shall ensure that the alerts are sent to IBF appointed personnel and maintain the list of IBF appointed personnel in the alert list.

6.2.8 The System shall be load tested with the proposed automated performance monitoring tool periodically to ensure minimally the following:

(a) Optimal performance to meet the requirements set out in the SLAs;

(b) Scalability (i.e. large increase in the number of concurrent users during peak period in the production (“PROD”) environment);

(c) The System shall be available on a 24 hours per day, 7 days per week, 365 days per year basis.

7. LIQUIDATED DAMAGES

7.1 For failure to meet the project deliverables and schedule for implementation, the imposed liquidated damages shall be at the rate of 0.5% of the total contract price for the project implementation for each day (including Sundays and public holidays) or part thereof up to the total contract price for project implementation for the entire duration of the Agreement.

7.2 If the Service Provider is unable to meet the system performance availability and service level set out in the SLAs, the liquidated damages will be S$4,000 per failure to meet an SLA, up to a maximum of S$8,000 per month for all SLA failures. Total cap of liquidated damages and any penalty thereof to not exceed the total contract value.

7.3 The liquidated damages apply to SLAs for all categories for the full contract period.

8. GENERAL REQUIREMENTS

8.1. The Service Provider shall propose a secure network structure design that can meet the following:

(a) The IBF Exam System can be hosted in virtual environment within IBF network with proper network segmentation, or on cloud infrastructure.

(b) Allow examination question setters outside of IBF to input/upload questions, and external question reviewers to review/comment/edit/approve examination questions, in the IBF Exam System.

8.2 The IBF Exam System shall incorporate solutions to ensure connectivity with the IBF Portal and any other management systems hosted within IBF.

8.3 The Service Provider shall provide the following Project Management services:

(a) Appoint a coordinator who would be responsible for ensuring the smooth delivery and support of the project over the entire contract period;

(b) Develop a project plan, schedule and processes;

(c) Deliver the list of tests and documentations as listed in Annex A; and


(d) Inform IBF immediately of all issues encountered that could affect the progress of the project which would result in failure to meet the agreed timeline and initiate ad-hoc meetings to propose alternative solutions for IBF’s approval.

9. TECHNICAL REQUIREMENTS

9.1 Data Transformation and Migration (DTM)

9.1.1 All historical and current data on examination questions and decommissioned examination questions that reside in the current IBF Exam System will need to be migrated to provide a consolidated view of all relevant up-to-date data, including historical data, through the new IBF Exam System. The Service Provider shall propose a feasible technical solution to achieve this objective.

9.1.2 All data migration must be approved by IBF.

9.1.3 If the proposal is to perform a one-time DTM of historical data through automation and subsequent consolidation of data through scheduled daily batch jobs, the following rules apply:

Before one-time DTM

The Service Provider shall perform detailed technical studies of the existing systems listed in Section 5.2 before doing DTM of all data including historical data residing in the current IBF Exam System to the new IBF Exam System in both UAT and PROD environments with no data loss or corruption.

After analysing the end users’ requirements and performing a detailed technical analysis, the Service Provider shall propose a detailed DTM Plan for IBF’s approval.

During one-time DTM

During the actual DTM process, the Service Provider shall ensure that the PROD environment of the current IBF Exam System does not disrupt the business operations. In the event that the process is conducted after office hours as requested by IBF, the Service Provider shall bear all costs incurred. The Service Provider shall work together with all parties including third party hosting partner to ensure a successful data migration at no costs to IBF.

After one-time DTM

After the DTM exercise had been completed, the Service Provider shall submit a detailed report for IBF’s review.


9.2. Current System Environment

9.2.1 The following is the current system environment for the current IBF Exam System:

Database: SQL 2012

Operating System: Windows Server 2012

Exam Workstations: Windows 10

9.3. Security Requirements

9.3.1 The Service Provider shall ensure it has sufficient security controls in place to align with ISO 27001, SOC2, NIST or any other relevant security framework. The Service Provider shall ensure that data in transit and at rest is protected/encrypted. The latest version of Transport Layer Security (TLS) shall be implemented for secure transmission of data online via major browsers.

9.3.2 Ensure that certificates used are of minimum AES 256 algorithm. The Service Provider shall enable IBF to keep complete control over the encryption key management.

9.3.3 The Service Provider shall conduct a configuration management review on an annual basis, validated by an external auditor. A copy of the audit report shall be provided to IBF for review.

9.3.4 The IBF Exam System shall be protected against all known security vulnerabilities, inclusive of those listed by OWASP (Open Web Application Security Project). The vulnerabilities shall include, minimally, the following:

(a) Non-validated input and data;

(b) Injection flaws such as SQL, OS, LDAP, XPath, Command, Code, Hibernate injections etc;

(c) Broken authentication and session management;

(d) Cross-Site Scripting (XSS);

(e) Insecure Direct Object References;

(f) Security misconfiguration;

(g) Sensitive data exposure;

(h) Missing function level access control;

(i) Cross-Site Request Forgery (CSRF);

(j) Phishing;

(k) Buffer overflows;

(l) Race conditions;

(m) Improper error or exception handling;

(n) Denial of service or distributed denial of service;

(o) Using components such as libraries, frameworks, other software modules etc. with known vulnerabilities; and

(p) Unvalidated redirects and forwards.

9.3.5 The Service Provider shall submit the following reports to IBF:

(a) Vulnerability assessments conducted for the IBF Exam System;

(b) Security penetration testing by a CREST-certified third party Service Provider appointed by IBF or by the appointed Service Provider to identify all security gaps; and

(c) Rectification of all identified security gaps.

9.3.6 The Service Provider is responsible for ensuring that the IBF Exam System is protected from all security loopholes before releasing to both the UAT and PROD environments.

9.3.7 All items (including third party libraries, software updates or patches etc) provided or installed must be scanned/patched against virus/security loopholes. In the event that this due diligence was not performed, the Service Provider shall recover all lost or corrupted data, removing the virus from all infected items and applying security patches as a result of this incident at no costs to IBF.

9.3.8 The Service Provider shall ensure that all information pertaining to IBF’s environment shall not be divulged to any party without authorization from IBF. The Service Provider shall take all necessary security measures to ensure the integrity, confidentiality, availability and traceability of data. All security related incidents should be reported to IBF on the same working day.

9.4 Audit Requirements

9.4.1 The Service Provider shall ensure that audit logs are generated for the following areas:

(a) Operating System;

(b) Application; and

(c) Database.

9.4.2 All interactions with the IBF Exam System, including unauthorized access to data or system functions and staff activities, shall be logged in the audit trail by the systems.

The audit trail information shall cover minimally the following:

(a) User account information;

(b) Date and time of all interactions; and

(c) Information that is amended, including updates to configurable parameters.

9.4.3 The Service Provider shall ensure that the audit trail cannot be amended by anyone and shall provide details on the fulfilment of this requirement.
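One way a Service Provider could meet 9.4.2 and 9.4.3 together (and the per-question history in item 8.2 of Section 5.2) is a hash-chained, HMAC-tagged append-only audit log. The following is an added illustration, not code from this RFP or from any vendor; field names, the demo key and the sample events are constructed, and the HMAC key is assumed to be held by the application tier only, not by database administrators.

```python
"""Tamper-evident audit trail: added example, not code from the RFP or any vendor.
Records the fields clause 9.4.2 asks for (user account, date/time, information
amended) and chains entries with SHA-256 plus an HMAC so that any later edit,
deletion or reordering is detectable (one way to address clause 9.4.3).
Field names, the demo key and the sample events are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry (assumed convention)


def _canonical(entry: dict) -> bytes:
    # Fixed key order and separators so the hash is reproducible on verification.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    """Append-only log. Each entry carries the hash of the previous entry and an
    HMAC over its own hash, keyed with a secret the application holds but the
    database account does not, so direct row edits cannot produce valid tags."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self.entries = []

    def record(self, user: str, action: str, target: str, before, after,
               when: Optional[datetime] = None) -> dict:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),   # 9.4.2(b) date and time
            "user": user,                    # 9.4.2(a) user account information
            "action": action,                # edit / delete / publish / config-change
            "target": target,                # question id or configurable parameter
            "before": before,                # 9.4.2(c) information that is amended
            "after": after,
            "prev_hash": prev,
        }
        body["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        body["tag"] = hmac.new(self._key, body["entry_hash"].encode(), "sha256").hexdigest()
        self.entries.append(body)
        return body

    def verify(self) -> Tuple[bool, str]:
        """Walk the chain and report the first entry whose sequence, link, content
        hash or HMAC no longer matches. Returns (ok, reason)."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            content = {k: v for k, v in e.items() if k not in ("entry_hash", "tag")}
            if e["seq"] != i:
                return False, f"entry {i}: sequence gap (found seq {e['seq']})"
            if content["prev_hash"] != prev:
                return False, f"entry {i}: broken link to previous entry"
            if hashlib.sha256(_canonical(content)).hexdigest() != e["entry_hash"]:
                return False, f"entry {i}: content modified after recording"
            expected_tag = hmac.new(self._key, e["entry_hash"].encode(), "sha256").hexdigest()
            if not hmac.compare_digest(expected_tag, e["tag"]):
                return False, f"entry {i}: authentication tag invalid"
            prev = e["entry_hash"]
        return True, "ok"

    def history(self, target: str) -> list:
        """Entire change history of one question or parameter (item 8.2 of Section 5.2)."""
        return [e for e in self.entries if e["target"] == target]


def demo() -> dict:
    """Constructed scenario: three legitimate events, then a direct edit of a stored
    entry and a deletion, each of which verify() must catch."""
    trail = AuditTrail(hmac_key=b"constructed-demo-key-not-for-production")
    t0 = datetime(2021, 12, 2, 9, 0, tzinfo=timezone.utc)
    trail.record("setter01", "edit", "Q-1042", {"stem": "old"}, {"stem": "new"}, t0)
    trail.record("admin02", "config-change", "pass_mark_pct", 60, 65, t0)
    trail.record("reviewer03", "publish", "Q-1042", {"state": "draft"}, {"state": "published"}, t0)
    clean = trail.verify()
    # Tampering 1: the recorded actor of the config change is rewritten in place.
    trail.entries[1]["user"] = "setter01"
    edited = trail.verify()
    trail.entries[1]["user"] = "admin02"      # restore
    # Tampering 2: the middle entry is deleted, leaving a sequence gap.
    removed = trail.entries.pop(1)
    deleted = trail.verify()
    trail.entries.insert(1, removed)          # restore
    return {"clean": clean, "edited": edited, "deleted": deleted,
            "q1042_history_len": len(trail.history("Q-1042"))}


if __name__ == "__main__":
    print(demo())
```

In a deployment the chain head (or a periodic digest of it) would be written to a store outside the database, for instance a write-once log or an external auditor's record, so that rebuilding the whole chain with a stolen key is also detectable.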


9.4.4 The IBF Exam System shall allow generation of account administration reports that should include, at a minimum, the following:

(a) All user accounts;

(b) Changes in access rights;

(c) Status of user accounts (i.e. inactive, active, terminated);

(d) List of users with designated access privileges; and

(e) Audit Trail Report.

9.5 Technical and User Support Requirements

9.5.1 The Service Provider shall provide Helpdesk support for the System conforming to all IBF business hours and exam session hours (Singapore Time). For all issues reported by the users or by IBF, the Service Provider should adhere to the response time as prescribed by IBF.

9.5.2 An issue or incident is deemed resolved when the reporting party is notified and satisfied with the resolution steps taken by the Service Provider.

9.6 Backup Management

The Service Provider shall propose appropriate backup measures and frequency to ensure minimum data loss to business operations.

9.7 Configuration Management

9.7.1 All changes to the configurations of the proposed system shall be tracked and documented for easy reference and audit purposes.

9.7.2 The Service Provider shall be responsible to implement contingency plans and fallback procedures to roll back the changes should there be any occurrence of errors or issues.

9.8 Data Governance

9.8.1 IBF has full ownership of all data and examination materials in the System. All data disclosure to third parties, retention and disposal by the Service Provider shall be subject to IBF’s approval.

9.8.2 The Service Provider shall ensure that the data is protected against loss, corruption, unauthorised access, use, amendments etc. and that only authorised staff have access to the data in both UAT and PROD environments. All data migration must be approved by IBF.

9.8.3 The Service Provider shall ensure that all staff sign the Confidentiality and Non-Disclosure Agreement (CNDA) not to access, use, share, divulge or retain data unless this is required in discharging their duties during their employment. The CNDA is binding even if the staff has resigned or is transferred to another project team, or after the termination or expiry of the Contract. Non-compliance could result in legal action being taken against the Service Provider by IBF.

9.9 System Warranty, Maintenance and Support Services

9.9.1 The Service Provider shall propose the following in the tender document for IBF consideration:

(a) the SLA;

(b) the Warranty Contract; and

(c) the Maintenance Contract.

9.9.2 The SLA should include all critical and non-critical issues handling of the IBF Exam System in the PROD environment run and during business continuity.

9.9.3 The Warranty Period shall commence on the date of Acceptance of the IBF Exam System by IBF.

9.9.4 The criterion for passing the Warranty Period is that there are no known bugs and issues encountered. IBF has the discretion to extend the Warranty Period if the defects or issues are not satisfactorily resolved by the end of the Warranty Period.

9.9.5 The Maintenance contract, if exercised by IBF, shall commence after the expiry of the 1-year System Warranty Period.

9.9.6 IBF shall reserve the rights to renew the maintenance contract annually.

10. SYSTEM DELIVERY AND ACCEPTANCE BY IBF

10.1 Testing of System Before Delivery

10.1.1 The Service Provider shall conduct UAT with IBF before the implementation of the IBF Exam System.

10.1.2 The Service Provider is responsible to set up on-site development and testing environments within IBF premises.

10.1.3 The Service Provider shall allow authorized off-site users to test off-site and shall track all issues or bugs reported during the testing. The Service Provider shall rectify all issues or bugs promptly and report the status to IBF regularly.


10.1.4 The Service Provider shall recommend and propose UAT testing, including rectifications period for the IBF Exam System. This shall be subject to IBF’s approval.

10.2 Acceptance of System by IBF

10.2.1 The IBF Exam System is deemed accepted by IBF only when the System is successfully tested by the testers with no outstanding defects or bugs.

10.2.2 Penetration test is to be conducted and all findings to be closed and made known to IBF before the acceptance of the system by IBF.

10.2.3 The new IBF Exam System shall run in parallel with the current IBF Exam System for a period of 2 months before cutting over to the new system.

10.2.4 The Service Provider shall submit all documentation for IBF’s approval.

10.3 Termination

10.3.1 IBF may terminate the contract fully or partially by giving 30 days advance notice in writing to the Service Provider without providing any reasons.

10.3.2 The appointment of the Service Provider shall be subject to a review and recommendation for re-appointment by IBF.

10.3.3 Access rights granted to replaced staff shall be terminated after the replacement exercise is completed; all relevant documents shall be returned by the replaced staff, and confidentiality shall be maintained.

10.4 Exit Management

10.4.1 The Service Provider shall complete all outstanding tasks and activities required of the Service Provider, including rectification of all unresolved UAT or PROD issues. For outstanding tasks that may extend beyond the Contract Period, IBF shall decide if such tasks should be handed over to the new Service Provider.

10.4.2 The Service Provider shall complete defect management and corrective maintenance for all defects discovered during the Contract Period before handing over to the new Service Provider.


10.4.3 The Service Provider shall also perform an end-of-contract baseline update, which shall contain all the changes to the System that have been made during the Contract Period. The Service Provider shall, in accordance with the requirements of configuration management, ensure the completeness and proper configuration management of this baseline and submit it to IBF for auditing and acceptance.

10.4.4 The Service Provider shall be responsible for conducting a detailed hand-over of the complete system to IBF, inclusive of briefing and training sessions. The hand-over shall be conducted concurrently with the ongoing support required of the Service Provider, without affecting the Service Levels. Any cost incurred during the period of hand-over will be borne by the Service Provider.

10.4.5 The Service Provider shall ensure that all expected deliverables and documentation are properly handed over to IBF.

10.5 Documentation

10.5.1 All documents produced by the Service Provider in fulfilling this Contract shall become the property of IBF. IBF reserves the right to reproduce, at no cost whatsoever, any documentation supplied with the proposed IBF Exam System for its own use. Prior approval must be obtained from IBF for any reproduction and distribution of documents produced by the Service Provider.

10.5.2 Please refer to Annex B for the list of required documentation to be submitted by the Service Provider to IBF for review, at a date mutually agreed between the Service Provider and IBF. Acceptance by IBF of all documentation is a criterion for System Commissioning.

10.6 Training

10.6.1 The Service Provider shall provide at least 3 hands-on training sessions on the System to IBF’s internal users and all senior management.

10.6.2 The Service Provider shall conduct training and/or briefing for IBF’s internal users whenever there are changes to the System.

11. PROJECT DELIVERABLES & SCHEDULE

11.1 The Service Provider shall deliver the following modules as a fulfilment of its appointment. However, the appointment shall be subject to review and recommendation for re-appointment by IBF.


Project Deliverables / Modules, with Timeline from Date of Appointment:

Phase 1 – Specifications Gathering by Service Provider

1. Understudy current IBF Exam System: 3 weeks

Phase 2 – Exam System Development

2. IBF Exam System Content Development

3. User Access Creation and Management

4. Data Analytics

Timeline for items 2 to 4: 5 months

Phase 3 – User Acceptance Test (UAT)

5. UAT: 4 weeks

Phase 4 – Migration of Data from current to new IBF Exam System

6. Implementation (migration of data; testing on migrated data): 2 weeks

Phase 5 – Pilot Test

7. Pilot Trial with examination candidates: 2 weeks

Phase 6 – Parallel Run

8. Parallel run with existing system: 8 weeks

Phase 7 – Cut Over

9. Cut over to the new IBF Exam System: 1 week

12. EVALUATION CRITERIA

12.1 The following are the criteria used for the evaluation of all proposals received by IBF for this RFP:

(a) Ability to propose a secure solution that achieves project objectives and requirements (25%);

(b) System security, access controls, risk management and scalability plans (25%);

(c) Service Provider’s experience and track record (10%);

(d) Ability to meet project timeline (10%);

(e) Cost effectiveness (30%).

12.2 As part of the evaluation process, shortlisted Service Providers may be required to present their proposed solutions, including prototypes, to IBF. The presentation is to be conducted by the proposed Coordinator for this project. IBF may at its discretion interview all or key members of the proposed project team, including the Sub-Service Provider.

12.3 IBF may evaluate based on the proposal submitted by the Service Provider and any other information provided by the Service Provider at meeting(s) that IBF may request pursuant to the submission of the proposal.

12.4 In the event that IBF seeks clarification upon any aspect of the proposal, the Service Provider shall provide full and comprehensive responses within 1 day of notification.

13. SUBMISSION DETAILS

13.1 All Service Providers are required to complete the proposal form “PROPOSAL – IBF Exam System” found in Annex B and the Service Provider Checklist found in Annex C.

13.2 The soft copy (PDF format) of the quotation shall reach IBF no later than 31st JANUARY 2022, 5 PM (SG Time). All proposals must be clearly marked as “PROPOSAL – IBF Examination Management System, RFP Exam 2021.1202”, and sent via email to: [email protected]

13.3 The IBF reserves the right not to accept late submissions.

13.4 The IBF reserves the right to cancel, or modify in any form, this RFP for any reason, without any liability to IBF.

13.5 All proposals submitted will remain confidential.

14. RIGHTS TO THE PROJECT DELIVERABLES

14.1 Materials, findings, studies and reports arising from work on the various tasks in this Project are strictly and solely the properties and rights of IBF. Reproduction, in whole or in part, of any of these materials, findings, studies and reports by the successful Service Provider, its associates, representatives or any third party deemed to be connected to the successful Service Provider, in any context is strictly prohibited and liable to legal action by IBF.

14.2 In the event of any breach of the agreement by the successful Service Provider resulting in the termination of the contract, IBF shall reserve the right to use the materials and work developed by the successful Service Provider with another appointed agent, so as to ensure there is no disruption to the project.

15. EXPENSES

15.1 The Service Provider shall bear all out-of-pocket expenses incurred.

15.2 Withholding tax or taxes of any nature, if any, shall be borne by the successful Service Provider.

16. PAYMENT

16.1 IBF shall work out the payment schedule for the development of the IBF Exam System after the appointment of the Service Provider.

17. LIMITATION OF LIABILITY

17.1 In any event and notwithstanding anything contained in this Request for Proposal (RFP), neither party shall under any circumstances be liable for any damages or losses that are not a direct result of breach of contract or negligence on its part in connection with or arising out of this Project or for any consequential or special losses or loss of profits of whatsoever nature.

17.2 In any event and notwithstanding anything else contained in the Contract, except in the case of death or personal injury caused by negligence or where liability may not be excluded or limited by law,

(a) IBF’s total aggregate liability in contract, negligence or otherwise arising by reason of or in connection with this Project shall in no circumstances exceed the Project Fees; and

(b) Service Provider’s total aggregate liability in contract, negligence or otherwise arising by reason of or in connection with this Project (including pursuant to any indemnities given in relation to this Project, in the Contract or in any declarations) shall in no circumstances exceed three times the Project Fees.


18. CONTENTS OF PROPOSAL

18.1 The Service Provider shall satisfy itself on the contents of all documents provided by IBF. There are 49 pages in this RFP.

19. CONFIDENTIALITY

19.1 The Service Provider shall ensure the absolute confidentiality of the data and information provided by IBF (or any other organization identified by IBF) for this project and shall not, under any circumstances, release or communicate through any means, in whole or in part, any information to any third parties. All correspondence and communication with all external parties, pertaining to matters relating to this Project, shall be made only through IBF.

19.2 IBF may require an unsuccessful Service Provider to return all materials that IBF provided during the period between the issuance of the RFP and the acceptance of the successful proposal.

19.3 All Service Providers shall submit, together with their proposals, an undertaking to safeguard the confidentiality of any and all information revealed to them.

20. INDEMNITY AGAINST A THIRD PARTY

20.1 The Service Provider shall indemnify and hold harmless IBF and its partners and employees from and against any foreseeable loss, expense, damage or liabilities (or actions that may be asserted by any third party) that may result from any third party, claims arising out of or in connection with the project or any use by the Service Provider of any deliverable item under this project and will reimburse IBF for all costs and expenses (including legal fees) reasonably incurred by IBF in connection with any such action or claim.

21. ACCEPTANCE OR NON-ACCEPTANCE OF PROPOSAL

21.1 IBF shall be under no obligation to accept the lowest or any proposal received. It does not normally enter into correspondence with any Service Provider regarding the reasons for non-acceptance of a proposal.

21.2 IBF reserves the right to award the contract in parts or in full.

21.3 IBF reserves the right, unless the Service Provider expressly stipulates to the contrary in its proposal, to accept such portion of each contract as IBF may decide.


21.4 The appointment of the Service Provider shall be subject to a review for re-appointment at the end of each phase.

21.5 The issue by IBF of a Letter of Acceptance accepting the proposal or part of the proposal submitted by a Service Provider shall create a binding contract on the part of the Service Provider to supply to the IBF the specified deliverables in the proposal.

22. NOTIFICATION OF UNSUCCESSFUL BID

22.1 Notification will not be sent to unsuccessful Service Providers by IBF.

23. ENQUIRIES

23.1 All enquiries pertaining to this RFP may be directed to:

Christina Ng

Senior Manager

[email protected]


ANNEX A: DOCUMENTATION

1 Project Management Plan (PMP)

The plan shall, at a minimum, include the following items for both Software Development Life Cycle (SDLC) and application maintenance and support phases.

(a) Project Description;

(b) Work Breakdown Structure;

(c) Project Schedule;

(d) Progress Report;

(e) Problem Resolution including Escalation Matrix for reporting of issues;

(f) Project Communication Plan; and

(g) Project Assumptions, Constraints and Risks (internal and external).

2 Risk Management (RMP) and Business Continuity (BCP) Plan

The plan shall, at a minimum, include the following:

(a) Approach to managing risks and crisis due to human errors or natural disasters;

(b) Measures taken for access control and to meet audit requirements;

(c) Measures taken to mitigate all identified risks;

(d) Procedure to restore from backups in the event of system failure;

(e) Tools and procedures used to identify, assess, mitigate and report risks throughout the project duration; and

(f) Risk priority assessment.

3 Functional Requirements Specification

The specification shall, at a minimum, include the following:

(a) All the use cases documented to show how the users interact with the IBF Exam System, including potential error messages. These shall include, at a minimum, a description of every input (stimulus) into the IBF Exam System, every output (response) from the IBF Exam System, including potential error messages and reports, and all functions performed by the IBF Exam System in response to an input or in support of an output:

(i) Descriptions of data to be entered into the IBF Exam System;

(ii) Capture of all screen shots in the IBF Exam System;

(iii) Descriptions of operations performed by each screen;

(iv) Descriptions of workflows performed by the IBF Exam System;


(v) Descriptions of system reports or other outputs; and

(vi) IBF Exam System access rights.

(b) Compliance with applicable regulatory requirements such as the Personal Data Protection Act (PDPA).

(c) The Functional Requirements Specification is designed to be read and understood by IBF staff with no particular technical knowledge.

4 Technical Design Specification

The specification shall, at a minimum, include the following:

(a) Technologies used;

(b) Enterprise Architecture inclusive of business, data/information, application (software) and technical (network) architecture. For technical architecture, detailed physical and logical network diagrams are required;

(c) Database design with primary and foreign keys, data model and data dictionary, inclusive of entity relationship diagrams; and

(d) Interfaces with other existing Systems.

5 Security Vulnerabilities Assessment, Penetration and Test Reports

The reports shall, at a minimum, include:

(a) Vulnerability Assessment Report;

(b) Security Penetration Test Report of all the known vulnerabilities; and

(c) Test report to ensure that all the defects or gaps identified in the Security Penetration Test Report have been rectified.

6 Performance Test Plan (PTP)

The plan shall, at a minimum, include testing to ensure that the following technical requirements are met:

(a) Systems Performance;

(b) Systems Availability; and

(c) Systems Reliability.

7 Software Inventory List (SIL)

The list shall, at a minimum, include:


(a) All the software used for the IBF Exam System including third party libraries, packages etc.; and

(b) Identification of all the software that requires licences.

8 User Guide

The guide shall, at a minimum, include the following:

(a) Summary of the IBF Exam System;

(b) Glossary (Definitions/Acronyms);

(c) Step by step instructions on using the IBF Exam System;

(d) Trouble-shooting steps;

(e) Generation and printing of reports;

(f) How to use Help; and

(g) How to access the IBF Exam System.

9 Deployment Plan

The plan for both UAT and PROD environments shall, at a minimum, include the following:

(a) Time and duration of deployment;

(b) Database design for new or amended existing database tables;

(c) All the deployment steps in sequential order; and

(d) Testers’ involvement for verification after the deployments.

10 Maintenance and Operations Manual

The manual shall, at a minimum, include the following:

(a) New System configurations, changes made and reasons for changes are documented for easy references in the future and for audit purposes;

(b) Handling of batch job failures;

(c) Housekeeping, archival and restoration approach; and

(d) Troubleshooting procedures.


ANNEX B: PROPOSAL

Project Name:

IBF Examination Management System RFP.Exam.2021. 1202

Name of Corporate Entity / Individual:

_____________________________

For Internal (IBF) Use only

Date Received:

Officer-in-charge:


USEFUL NOTES

(A) Submission of Proposal

To assist us in reviewing your proposal in the shortest time possible, please provide the requested information completely and accurately. If the space provided is insufficient, a separate sheet may be used. Where information is not yet available or not applicable, please indicate accordingly.

You are advised to contact us should you have any difficulties in completing the form or if you need any further information.

(B) Structure of the Proposal

The complete proposal consists of 5 parts:

Part I – Company / Individual Data

Part II – Details of Proposed Project

Part III – Project Costs & Fees

Part IV – References / Other Considerations

Part V – Declaration

(C) IBF reserves the right to conduct interviews and on-site visits during the review of the proposal.

(D) The Company or individual submitting this proposal undertakes not to divulge or communicate to any person or party any confidential information, including but not limited to any documents that may be forwarded from IBF to it/you subsequently, without having first obtained the written consent of IBF.


PART I – COMPANY / INDIVIDUAL DATA

1. GENERAL

(a) Company / Individual Name: ___________________________________

(b) Mailing Address: _____________________________________________

2. OWNERSHIP: Information on Paid-Up Share Capital & Shareholders

3. MAJOR RELATED COMPANIES OWNED IN SINGAPORE AND (if applicable) OVERSEAS

(Corporate share ≥ 20%)

Columns: Company Name; Business Activity; % Share

4. CLIENTELE LIST

Please provide a list of your company’s key clients.

5. SIGNIFICANT ACHIEVEMENTS, AWARDS & CERTIFICATIONS (where applicable)

Please indicate significant achievements, awards and certifications received by company or staff.

6. SUPPORTING DOCUMENTS REQUIRED

A copy of the latest updated company business registration document.

Full set of the latest audited financial / management report for the last 3 years.

Any other relevant reports or information available.


PART II – DETAILS OF PROPOSED PROJECT

1. PROJECT DESCRIPTION

1.1 Project Methodology & Approach

a. Describe the proposed project methodology and how it would cater for iterations, prototyping and user / pilot testing by stakeholders (IBF Exam Administrators, IBF Exam Managers, Exam Question Setters, Reviewers and Approvers).

b. Describe the proposed solutions, including enterprise architecture and network diagrams and how the proposed solution would achieve the project deliverables and requirements. This shall include a list of test requirements during UAT for IBF assigned users.

c. Provide detailed plans on how the following would be achieved:

(i) System Security and Access Controls;

(ii) Risk Management; and

(iii) Business Continuity.

d. For the Data Analytics and Mining (DMA) module, the following are required:

(i) Hardware requirements

This includes application, reporting and database servers etc. The number and specifications of servers, disk space and memory etc. are to be documented in detail.

(ii) Software requirements

Definitions of the database and operating platforms for the underlying database software.

Requirements for scalability of the database.

Specifications of whether the software will need to be procured separately or included in this proposal.

Identify items that are proprietary and the number of software licences required.


1.2 Critical Success Factors for the Project

Describe the critical success factors and the assumptions made to achieve successful implementation of this project. Highlight the actions or steps the company intends to take to mitigate any risk factors.

2. PROJECT TEAM

Outline the composition of the project team, including sub-Service Providers, if any. At least one of the persons listed must be a full-time project manager. Please also attach detailed curriculum vitae of all team members servicing this account, stating their work history, relevant experience as well as qualifications and certifications attained. In describing each team member’s role in the project, please provide clarity as to the relative amount of time that the team member will be dedicating to this project in relation to their other projects / work commitments.

Columns: Name; Company; Job Title; Role in Project; Relevant Experience; Time Involvement (%)

3. PROJECT MILESTONES & SCHEDULE

Please indicate a project commencement date and provide a detailed schedule of all activities, including milestones, project meetings and reporting required to achieve the deliverables for this project.

Date of Commencement (preliminary): _____________________________

4. POST PROJECT PLANS & STRATEGIES

Describe the following post developmental support that will be provided:

(i) System Warranty Period.

(ii) Application Maintenance and Support Services.


PART III – PROJECT FEES

5. Please provide information on fees in Singapore dollars (SGD) (including a breakdown of the items listed in Section 11 on Project Deliverables and Schedule, cost of warranty, cost of maintenance and cost of system customisation where applicable) and the payment schedule expected for the completion of this project.

Service Provider to complete Annex D : Project Costs & Fees (Mandatory to quote)

PART IV – REFERENCES / OTHER CONSIDERATIONS

6. Please indicate reference or highlight any other useful factors you would like us to consider in reviewing your proposal.

PART V – DECLARATIONS

1. I declare that the information provided by me in this proposal and the accompanying documents is true and accurate to the best of my knowledge, and that the company is free from any litigation pertaining to the project in Singapore or overseas.

2. I agree that IBF shall have the absolute discretion to accept or reject the proposal made without being liable to give any reason thereof.

3. I agree to indemnify and hold harmless IBF and its partners and employees from and against any foreseeable loss, expense, damage, or liabilities (or actions that may be asserted by any third party) that may result from any third party, claims arising out of or in connection with the submission of this proposal.

4. I undertake to safeguard the confidentiality of all information provided or revealed to me by IBF in relation to this RFP or project.

__________________________________________

Signature (CEO / MD or equivalent for corporate Entity) #

_______________________________

Name (IN BLOCK LETTERS) and designation

_______________________________ ___________________

Company Stamp Date


CONTACT PERSON

Name: ______________________________Designation: _________________________

Telephone No.: _______________________

Email: _______________________________

# Please delete / indicate accordingly


ANNEX C: SERVICE PROVIDER CHECKLIST

Name of Service Provider

Date Completed

Name of Respondent

Designation / Title

Contact Number

Email Address

Signature

Company Stamp

For The Institute of Banking and Finance (“IBF”) use only:

Name of Reviewer

Designation / Title

Contact Number

Email Address

Instructions

1. This security checklist should be completed by senior officers who have direct knowledge of the information systems and operations. The information provided in this checklist should be reviewed by their superiors.

2. For each guideline description, place an “X” in the appropriate column to indicate whether the Service Provider is fully compliant, partially compliant, or not compliant. Otherwise, place an “X” in the N.A. column.


3. If full compliance has not been achieved, explain in the Comments column why, and how and when remedial action would be made.

4. Evidence of Vulnerability Assessment and Penetration Testing, a configuration assessment for the cloud system and an incident management plan are to be attached together with this submission.

5. System and Organization Controls Report (preferably SOC 2) and Outsourced Service Provider Audit Report (OSPAR) will have to be attached together with this submission.

Columns: S/N; Risk Category; Full Compliance; Partial Compliance; Non-compliance; N.A.; Comments

1. Usage Risk

1.1 TLS 1.2 or latest version is implemented to provide communication security.

1.2 Application and database are physically hosted in Singapore.

1.3 Service Provider has established a disaster recovery contingency framework which defines its roles and responsibilities for documenting, maintaining, and testing its contingency plans and recovery procedures.

1.4 A data backup strategy is developed for the storage of critical information on a regular basis.

1.5 Periodic testing and validation of the recovery capability of backup media is carried out.

1.6 Service Provider to provide audit trails, made available to IBF via download or through a web application, for:

User to role/privilege mapping; User activity; Administrative activity.

1.7 Service Provider has achieved compliance certifications. (please indicate certification, e.g. PCI Compliance, STAR, SAS70/SSAE16-3).

1.8 Service Provider has completed the Cloud Security Alliance (CSA) self-assessment or Consensus Assessments Initiative Questionnaire (CAIQ).


1.9 Service Provider conforms to a specific industry standard security framework, e.g. NIST Cyber Security Framework or ISO 27001.

1.10 Service Provider has a dedicated Information Security office or staff.

1.11 Service Provider has not suffered any significant breaches in the last 5 years.

1.12 All components of the disaster recovery plan are reviewed at least annually and updated as needed.

1.13 Service Provider has a formal incident response plan.

2. Application Risk

2.1 Mobile and Desktop applications do not store data on devices (e.g. PII, confidential data).

2.2 Service Provider complies with GDPR and PDPA.

2.3 Annual Vulnerability Assessment and Penetration Test (VAPT) is performed.

2.4 Penetration testing is conducted prior to the commissioning of new modules/ enhancements which offer internet accessibility and open network interfaces.

2.5 Application supports role-based access control (RBAC) for end-users.

2.6 Application and infrastructure support role-based access control (RBAC) for system administrators.

2.7 Application and infrastructure support password/passphrase aging.

2.8 Audit logs minimally include the following: login, logout, actions performed, and source IP address.

2.9 Service Provider has existing policies and/or procedures guiding how security risks are mitigated until patches can be applied.

2.10 Vulnerabilities discovered in the systems or applications are remediated prior to release.

3. Data Security Risk

3.1 Data resides physically in Singapore.

3.2 Service Provider to promptly remove or destroy data stored at the service provider’s systems and backups in the event of contract termination and provide a certification.

3.3 The data loss prevention strategy and encryption take into consideration the following:

a) Data at endpoint - Data which resides in notebooks, personal computers, portable storage devices and mobile devices;

b) Data in motion - Data that traverses a network or that is transported between sites; and

c) Data at rest - Data in computer storage which includes files stored on servers, databases, back-up media and storage platforms.

3.4 Service Provider does not have access to IBF’s data (unless specifically authorised by IBF Management on a case-by-case basis).

3.5 Service Provider is able to isolate and clearly identify IBF's data and other information system assets for protection.

3.6 Measures are implemented to protect sensitive or confidential information such as personal, account and transaction data which are stored and processed in systems.

3.7 IBF is properly authenticated before access to online transaction functions and sensitive personal or account information is permitted.

3.8 Only encryption algorithms which are of well-established international standards are adopted.

3.9 Monitoring or surveillance systems are implemented so that the organization can be alerted of any abnormal system activities, transmission errors or unusual online transactions.

3.10 Service Provider has a data privacy policy.

3.11 Sensitive data is encrypted in transit (e.g. system to client).

3.12 Sensitive data is encrypted in storage (i.e. at rest).


3.13 The database supports encryption of specified data elements in storage.

3.14 Service Provider has an existing documented media handling process covering, but not limited to, end-of-life, repurposing, and data sanitisation procedures.

3.15 Service Provider owns the physical hosting location (e.g. data centre) where IBF’s data will reside.

3.16 Service Provider has obtained Systems and Organization Controls (SOC) 2 Type II certification for the hosting location.

3.17 Service Provider has implemented a physical barrier in the hosting location to fully enclose the physical space preventing unauthorised physical contact with any of the devices inside.

3.18 Service Provider has physical security controls and policies in place to protect the hosting location.

3.19 Employees of Service Provider are not allowed or able to take home any assets in any form (including any hardware, software or data) belonging to IBF.

4. Data Hosting on Cloud

4.1 Inventory and Control of Hardware Assets

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory. Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization's network or not.

4.2 Inventory and Control of Software Assets

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization. Unsupported software should be tagged as unsupported in the inventory.


4.3 Continuous Vulnerability Management

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested (PaaS, IaaS). Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

4.4 Controlled Use of Administrative Privileges

Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. Change all default passwords to have values consistent with administrative level accounts. Use multi-factor authentication and encrypted channels for all administrative account access. Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

4.5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Maintain documented security configuration standards for all authorized operating systems and software, e.g. AWS container/EC2 instance. Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalogue approved exceptions, and alert when unauthorized changes occur.

4.6 Maintenance, Monitoring, and Analysis of Audit Logs

Ensure that audit tracking has been enabled on all systems and networking devices and is available for review. Monitor attempts to access deactivated accounts through audit logging, or access at odd times.

4.7 Email and Web Browser Protections

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standard.

4.8 Malware Defences Ensure Antimalware is enabled on the underlying host that supports Cloud services. Use Cloud Services built-in malware scanners to monitor and defend cloud resources. For Linux, use third party antimalware solution. Ensure that anti-malware software updates its scanning engine and signature database on a regular basis. Ensure that antimalware is working, and regular scans are conducted.

4.9 Limitation and Control of Network Ports, Protocols, and Services Ensure only approved ports, protocols and services are running. Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
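One way to implement the automated port check and alert in 4.9 is to compare each scan against a per-host baseline of approved (protocol, port) pairs. The script below is an added example, not part of the RFP or of any bidder's product; the hosts, the baseline and the scan output are constructed placeholders, and the scan text is written in the style of nmap's grepable (-oG) output so that a real scan file could be substituted. It raises an alert for any open port outside the baseline, for hosts that are not in the baseline at all, and also for approved services that were expected but not seen listening (which often means an outage or a changed firewall rule).

```python
"""Compare observed listening ports against an approved baseline.

Added example, not from the RFP. The scan output is constructed in the style
of nmap's grepable (-oG) format; any scanner output that yields
(host, protocol, port, state) can be parsed into the same structure.
"""
import re
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[str, int]]

# Constructed baseline: per host, the (protocol, port) pairs with a validated
# business need. Anything else found open is unauthorised.
APPROVED: Dict[str, PortSet] = {
    "10.0.0.10": {("tcp", 22), ("tcp", 443)},     # web front end
    "10.0.0.20": {("tcp", 22), ("tcp", 5432)},    # database server
}

# Constructed scan results, one host per line, nmap -oG style.
SCAN_OUTPUT = """\
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh///, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
Host: 10.0.0.30 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)")
_PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")   # port/state/protocol/...


def parse_open_ports(scan_text: str) -> Dict[str, PortSet]:
    """Return {host: {(proto, port), ...}} for every port reported as open."""
    observed: Dict[str, PortSet] = {}
    for line in scan_text.splitlines():
        host_match = _HOST_RE.match(line)
        if not host_match or "Ports:" not in line:
            continue
        host = host_match.group(1)
        ports_field = line.split("Ports:", 1)[1]
        observed[host] = {
            (proto, int(port))
            for port, state, proto in _PORT_RE.findall(ports_field)
            if state == "open"
        }
    return observed


def check_against_baseline(observed: Dict[str, PortSet], approved: Dict[str, PortSet]) -> List[str]:
    """Produce one alert line per deviation from the approved baseline."""
    alerts: List[str] = []
    for host, open_ports in sorted(observed.items()):
        if host not in approved:
            alerts.append(f"{host}: host not in baseline, open ports {sorted(open_ports)}")
            continue
        for proto, port in sorted(open_ports - approved[host]):
            alerts.append(f"{host}: unauthorised {proto}/{port} is open")
        for proto, port in sorted(approved[host] - open_ports):
            alerts.append(f"{host}: approved {proto}/{port} not listening (service down or filtered)")
    return alerts


if __name__ == "__main__":
    for alert in check_against_baseline(parse_open_ports(SCAN_OUTPUT), APPROVED):
        print("ALERT", alert)
```

Scanning only for "open" ports is deliberate: a port reported as "filtered" is not reachable, so it is not an exposure, but for an approved service it is still worth an alert because the service the baseline expects is not answering.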

4.10 Data Recovery Capabilities Ensure that all system data is automatically backed up on a regular basis. Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

4.11 Secure Configuration for Devices, such as Firewalls, Routers, and Switches Establish, implement, and actively manage (track, report on, correct) the security configuration of the cloud environment to prevent attackers. Maintain and review a documented security configuration baseline for all cloud network devices and servers, e.g. a secure configuration baseline for Azure resources. All network devices must use multi-factor authentication and encrypted sessions.

4.12 Boundary Defence Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. Conduct port scan and deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

4.13 Data Protection Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider. Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or be completely virtualized and powered off until needed. Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices. Service Provider to validate that the cryptographic mechanisms are in place.

4.14 Controlled Access on Need-to-Know Basis Segment the network based on the label or classification level of the information stored on the servers. Encrypt all sensitive information in transit. Ensure that any clients connecting to the cloud platform/resources are able to negotiate TLS 1.2 or greater. Encrypt all sensitive information at rest, e.g. use encryption at rest for all Azure/AWS resources. Link admin accounts to a dedicated IP and location with two-factor authentication. The encryption keys should be stored with the IBF team, or be hardware-based and managed by the IBF IT team.

4.15 Account Monitoring and Control Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider especially critical system Service Provider. Require multi-factor authentication for all IT Admin accounts, on all systems, whether managed onsite or by a third party provider for critical systems or systems with sensitive data. Disable any account that cannot be associated with a business process or business owner. Monitor attempts to access deactivated accounts through audit logging. Alert when users deviate from normal login behaviour, such as time-of-day, workstation location, and duration.
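Two of the alerting requirements above, the log entry and alert on changes to administrative group membership (4.4) and the monitoring of attempts to access deactivated accounts (4.15), can be expressed as detection logic over Windows Security log events. The script below is an added example and not part of the RFP or of any bidder's tooling; the events are constructed dicts shaped like a JSON export of the Security log, with placeholder host and account names. It uses the standard event IDs for security-group membership changes (4728/4732/4756 added, 4729/4733/4757 removed) and the failed-logon event 4625 with the "account disabled" SubStatus 0xC0000072; the set of privileged group names is an assumption that would be extended with the organization's own admin groups.

```python
"""Detection logic for privileged-group changes (4.4) and logon attempts
against disabled accounts (4.15) over Windows Security log events.

Added example, not from the RFP. SAMPLE_EVENTS is constructed to look like a
JSON export of the Security log; names and hosts are placeholders.
"""
from typing import Dict, Iterable, List

# Membership change events: 4728/4732/4756 = member added to a global/local/
# universal security group; 4729/4733/4757 = member removed.
GROUP_ADD = {4728, 4732, 4756}
GROUP_REMOVE = {4729, 4733, 4757}

# 4625 = failed logon; SubStatus 0xC0000072 = the account is currently disabled.
LOGON_FAILED = 4625
SUBSTATUS_DISABLED = "0xc0000072"

# Groups that confer administrative rights (assumption: extend for your estate).
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert dict per event that matches either rule, in log order."""
    alerts: List[Dict] = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        if eid in GROUP_ADD or eid in GROUP_REMOVE:
            group = ev.get("TargetUserName", "")      # for these events this field holds the group
            if group.lower() in PRIVILEGED_GROUPS:
                alerts.append({
                    "rule": "privileged-group-change",
                    "action": "added" if eid in GROUP_ADD else "removed",
                    "group": group,
                    "member": ev.get("MemberName", ""),
                    "by": ev.get("SubjectUserName", ""),
                    "host": ev.get("Computer", ""),
                })
        elif eid == LOGON_FAILED and ev.get("SubStatus", "").lower() == SUBSTATUS_DISABLED:
            alerts.append({
                "rule": "disabled-account-logon-attempt",
                "account": ev.get("TargetUserName", ""),
                "source": ev.get("IpAddress", ""),
                "host": ev.get("Computer", ""),
            })
    return alerts


# Constructed events: two privileged additions, one non-privileged addition,
# one privileged removal, one logon attempt against a disabled account, and
# one ordinary wrong-password failure that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4732, "Computer": "SRV-EXAM01", "SubjectUserName": "svc-deploy",
     "TargetUserName": "Administrators", "MemberName": "CN=j.doe,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "it.admin",
     "TargetUserName": "Domain Admins", "MemberName": "CN=temp.contractor,OU=Ext,DC=corp,DC=example"},
    {"EventID": 4732, "Computer": "SRV-EXAM01", "SubjectUserName": "it.admin",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CN=proctor01,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4729, "Computer": "DC01", "SubjectUserName": "it.admin",
     "TargetUserName": "Domain Admins", "MemberName": "CN=temp.contractor,OU=Ext,DC=corp,DC=example"},
    {"EventID": 4625, "Computer": "SRV-EXAM01", "TargetUserName": "old.contractor",
     "IpAddress": "203.0.113.5", "Status": "0xC000006E", "SubStatus": "0xC0000072"},
    {"EventID": 4625, "Computer": "SRV-EXAM01", "TargetUserName": "j.doe",
     "IpAddress": "10.0.0.55", "Status": "0xC000006D", "SubStatus": "0xC000006A"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Removals are alerted as well as additions: a removal from an admin group is just as much a change to who holds elevated privilege, and an add-then-remove pair within a short window is a pattern worth reviewing on its own.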

4.16 Security Awareness and Training Program Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviours and skills to help ensure the security of the organization.


4.17 Application Software Security Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group. All systems that are part of critical business processes should also be tested. Any Service Provider-provided APIs or custom-built APIs should be scanned and reviewed.

4.18 Incident Response and Management Ensure that the Service Provider has written incident response plans that define the roles of personnel as well as the phases of incident handling/management. Plan and conduct routine incident response exercises and scenarios for the workforce involved in incident response, to maintain awareness and comfort in responding to real-world threats, for critical-service Service Providers. Service Provider to provide a written agreement for incident notification and investigation to comply with PDPA requirements.

4.19 Penetration Tests Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

5. IT Service Management

5.1 Service Provider provides Service Level Agreements (SLA).

5.2 Service Provider to support and assist in audit activity by providing necessary documents upon request.

5.3 Service Provider is required to employ a high standard of care and diligence in its security policies, procedures and controls to protect the confidentiality and security of IBF's sensitive or confidential information, such as personal data, computer files, records, object programs and source codes.

5.4 IBF is kept informed of any major incident.

5.5 IBF is kept informed of any enhancement to the system.

5.6 A root-cause and impact analysis is performed for major incidents which result in severe disruption of IT services.

5.7 Employees of Service Provider are subjected to close supervision, monitoring and access restrictions.

5.8 Service Provider’s access privileges to support/maintain the system are regularly reviewed to verify that privileges are granted appropriately and according to the “least privilege” principle.

5.9 Service Provider has a documented and currently followed change management process (CMP).

5.10 Service Provider has monitoring in place for Next-Generation Persistent Threats (NGPT).

5.11 Service Provider monitors for intrusions on a 24x7x365 basis.

5.12 A separate management network is used for the administration of the system or service.

ANNEX D: PROJECT COSTS AND FEES

Project Costs & Fees (Mandatory to quote)

1. Costing to be based on the following assumptions:
   a. Total number of exam modules run per day – 20
   b. Total number of candidates taking exam at IBF Office – 10,000 per annum
   c. Exam Duration
      i. 1 hr – 5 modules (28% of total candidates)
      ii. 2 hrs – 8 modules (62% of total candidates)
      iii. 2.5 hrs – 7 modules (10% of total candidates)
   d. Total number of candidates taking remote exam (outside IBF office) – 200 per annum
2. Costing to be listed in readable Excel format
3. Costing to be in Singapore Dollars excluding GST
4. The quotation provided to be categorised as below:

A. On Premise System (Data stored in Server residing in IBF)

1. Hardware Costing
S/No | Item | Description | Qty (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Assumptions/Comments, if any
Total

2. Software/Licence Costing
S/No | Item | Description | Qty (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Assumptions/Comments, if any
Total

3. Hosting Costing
S/No | Item | Description | Qty (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Assumptions/Comments, if any
Total

4. Professional Services Costing
S/No | Item | Description | Man Days (a) | Per Man-Day Costing (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Assumptions/Comments, if any
Total

5. Support and Maintenance Costing
S/No | Item | Description | Year 1 Maintenance Cost | Year 2 Maintenance Cost | Year 3 Maintenance Cost | Assumptions/Comments, if any
Total

6. Add-on/Optional/All other Costing
S/No | Item | Description | Qty (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Assumptions/Comments, if any
Total

7. Optional Change Request/Service Request Costing
S/No | Item | Description | Man-Days (a) | Per Man-Day Costing (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Assumptions/Comments, if any
Total

B. On Cloud Solution (Data stored on cloud)

1. Hardware Costing
S/No | Item | Description | Qty (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Any Assumptions/Comments
Total

2. Software/Licence Costing
S/No | Item | Description | Qty (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Any Assumptions/Comments
Total

3. Hosting Costing (Proctoring)

Service Provider to provide a breakdown of proctoring cost based on proctoring type, i.e. AI proctoring, Live proctoring, or IBF to provide its own proctoring.

S/No | Item | Description | Qty (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Any Assumptions/Comments
Total

4. Professional Services Costing
S/No | Item | Description | Man Days (a) | Per Man-Day Costing (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Any Assumptions/Comments
Total

5. Support and Maintenance Costing
S/No | Item | Description | Year 1 Maintenance Cost | Year 2 Maintenance Cost | Year 3 Maintenance Cost | Any Assumptions/Comments
Total

6. Add-on/Optional/All other Costing
S/No | Item | Description | Qty* (a) | Unit Price (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Any Assumptions/Comments
Total

7. Optional Change Request/Service Request Costing
S/No | Item | Description | Man-Days (a) | Per Man-Day Costing (b) | Amount (a) x (b) = (c) | Discount (d) | Net Price (c) – (d) = (e) | Any Assumptions/Comments
Total