
INFORMATION SYSTEM AUDIT OF DATA CENTRE, CRITICAL APPLICATIONS,

IT PROCESSES ETC. OF PUNJAB & SIND BANK

TENDER NO.: PSB/INSP/RFP/01/2021-22 DATED: 24.11.2021 Page 1 of 62

LIMITED TENDER

Request for Proposal from the empanelled Auditors of Punjab &

Sind Bank, for Information System Audit of Data Centre, Critical

Applications, IT Processes etc. of the Bank

Tender No: PSB/INSP/RFP/01/2021-22 Dated: 24.11.2021

PUNJAB & SIND BANK

Head Office, Inspection Department,

2nd Floor, Plot No.151,

Institutional Area,

Sector 44, Gurugram- 122003


KEY INFORMATION

Particulars | Details
Tender Number | PSB/INSP/RFP/01/2021-22 Dated: 24.11.2021
Tender Title | Request for Proposal from the Empanelled Auditors of the Punjab & Sind Bank, for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank.
Eligibility | The Empanelled IS Auditors of Punjab & Sind Bank
Performance Bank Guarantee | Equivalent to 3% of the total contract value, for the due performance of the contract, valid for 15 months from the date of contract with a 12-month claim period from the expiry of the said Guarantee
Application Money | Rs.10,000/- (Rupees Ten Thousand only) + GST 18%. To be deposited in the form of DD/Pay Order, payable at New Delhi, favouring Punjab & Sind Bank.
Date of Publishing the tender | 24.11.2021
Last Date for submission of Pre-Bid Query | 01.12.2021 by 3:00 pm (Queries must be mailed to [email protected] only in MS-Excel format, quoting the tender reference number in the subject)
Last Date and time for submission of Bids | 08.12.2021 by 3:00 pm
Date and Time of opening of Indicative Commercial Bid | 08.12.2021 by 5:00 pm
Place of submission and Opening of Bids | Punjab & Sind Bank, Head Office, 2nd Floor, Inspection Department, Plot No.151, Institutional Area, Sector-44, Gurugram - 122003
Contact Persons for any clarifications/Submission of Bids | T K Nazimudeen (AGM Inspection)/ Ajay Kumar Bind (Sr. Mgr - IS Audit Cell)/ Deep Kumar (Officer - IS Audit Cell)
Contact Numbers | T K Nazimudeen (AGM-Inspection) 7721860860/ Ajay Kumar Bind (Sr. Mgr EDP) 9990995315/ Deep Kumar (Officer-IS Audit) 9255591500

*If any of the dates given above happens to be a holiday in Gurugram, the related activity shall be undertaken on the next working day at the same time.


Information for Online Participation

This Tender will follow an e-Tendering process, which will be conducted by the Bank's authorized e-Tendering Service Provider M/s C1 India Pvt. Ltd. through the website: https://psb.eproc.in

The following activities will be conducted online through the above website:

1. Procurement of the RFP document including all Annexures
2. Addendums to the RFP
3. Submission of Indicative Commercial Bid by the Bidder
4. Opening of Indicative Commercial Bid by the Bank
5. Reverse Auction
6. Announcement of results, if any

Instructions:

1. Bidders who wish to participate will have to register with the website (https://psb.eproc.in). Bidders will be required to create a login id & password on their own in the registration process.
2. Bidders who wish to participate in this tender need to procure a Class III Digital Signature Certificate (with both DSC components, i.e. Signing & Encryption) from any of the licensed Certifying Agencies. Bidders can view the list of licensed CAs at www.cca.gov.in.

[A] Important Clarifications:

The following terms are used in the document interchangeably to mean:

1. Bank means 'Punjab & Sind Bank'
2. BFSI means Banking, Financial Services and Insurance
3. DC means Data Centre
4. DR means Disaster Recovery Centre
5. EMD means Earnest Money Deposit
6. MSP means Managed Service Provider of the Bank
7. NDA means Non-Disclosure Agreement
8. NPV means Net Present Value
9. OEM means Original Equipment Manufacturer; it also refers to Original Software Developer (OSD)
10. OTC means One Time Cost
11. Proposal, Bid means "Response to the RFP Document"
12. Recipient, Respondent, Bidder means the respondent to the RFP document
13. RFP means the Request for Proposal document
14. SI means System Integrator
15. SLA means Service Level Agreement
16. SOP means Standard Operating Procedure
17. SPOC means Single Point of Contact
18. Tender means the RFP response documents prepared by the bidder and submitted to Punjab & Sind Bank
19. TCO means Total Cost of Ownership
20. SP means Service Provider


Confidentiality:

This document is meant for the specific use of the Company/person(s) interested in participating in the current tendering process. This document in its entirety is subject to Copyright Laws. Punjab & Sind Bank expects the bidders, or any person acting on behalf of the bidders, to strictly adhere to the instructions given in the document and to maintain confidentiality of information. The bidders will be held responsible for any misuse of information contained in the document, and are liable to be prosecuted by the Bank in the event that such a circumstance is brought to the notice of the Bank. By downloading the document, the interested party is subject to the confidentiality clauses.

Contents

Sr. No. | Particulars | Page No.
1. | INTRODUCTION | 5
2. | SCOPE OF WORK - IS Audit | 5
3. | SCOPE OF WORK - VAPT | 16
4. | EXECUTION OF WORK | 19
5. | OTHER IMPORTANT TERMS & CONDITIONS | 20
6. | TERMS & CONDITIONS | 21
7. | RESOLUTION OF DISPUTE | 27
8. | CORRUPT or FRAUDULENT PRACTICES | 28
9. | NON-DISCLOSURE AGREEMENT | 29
10. | INDEMNITY | 29
11. | BIDDER's OBLIGATION | 29
12. | INTELLECTUAL PROPERTY RIGHT | 29
13. | SIGNING OF CONTRACT | 30
14. | PUBLICITY | 30
15. | ANNEXURE A | 31
16. | ANNEXURE B | 36
17. | ANNEXURE C | 53
18. | ANNEXURE D | 57

The following Annexures are required to be submitted before the due date:

1. Profile of the Bidder (Annexure-I)
2. Profile of the proposed core audit team (Annexure-II)
3. Format for Indicative Commercial Bid (Annexure-III)
4. Bid Form (Annexure-IV)
5. Commercial Deviation (Annexure-VIII)
6. Letter of Confirmation (Annexure-IX)
7. Compliance for Reverse Auction (Annexure-X)
8. Letter of Authority for Reverse Auction (Annexure-XI)


INTRODUCTION

1.1 About the Bank

PUNJAB & SIND BANK, a leading Public Sector Bank having its Head Office at New Delhi, is implementing many key technology solutions like Core Banking Solution (CBS), Internet Banking (e-banking), Telebanking, Mobile Banking, onsite/offsite ATMs, Integrated Treasury Systems, RTGS, SFMS, NEFT etc. The Bank has chosen FINACLE software of M/s. INFOSYS Ltd. as the Core Banking Solution and has implemented CBS in 100% of branches and offices.

1.2 Present Status of the Bank

The Bank is using the financial software Finacle (7.0.25) for carrying out the Banking operations. The Bank has a widespread network of 1500 plus branches, 24 Zonal Offices, more than 30 Departments in Head Office, 3 Regional Clearing Centres, 2 Training Centres and 9 Currency Chests, all networked under the Centralized Banking Solution. It also has a network of more than 1250 ATMs spread across the country, including onsite and offsite ATMs. The Bank's CBS Project Office and HO Information Technology Department are in New Delhi & Gurugram, respectively. The Bank's Data Centre (DC) is located in Mumbai and the Disaster Recovery Centre at Noida, and both are managed by the Bank's CBS System Integrator M/s Wipro. The DC is connected to the branches, Zonal Offices and Head Office through the Bank-wide Wide Area Network. The entire network uses Leased Lines, RF, VSAT and backup connectivity through ISDN lines & RF etc. The ATMs, Mail Messaging System and other applications also use the WAN. The Disaster Recovery Centre of the Bank has a setup similar to that of the Data Centre for the financial software.

1.3 Purpose of RFP:

This RFP seeks to engage a Service Provider who has the capability and experience for conducting 1) Comprehensive Information Systems (IS) Audit, 2) Vulnerability Assessment & 3) Penetration Testing.

The Service Provider is to conduct an Application audit of the Core Banking Solution, the IT Infrastructure and other applications, and to make appropriate recommendations, as covered under the Scope of Work. The period of contract shall be one year, which can be further extended by one year at the discretion of the Bank on the same terms and conditions and commercial terms.

The aim of the RFP is to solicit proposals from the Bank's empanelled IS Auditors for undertaking the above detailed assignments.

2. SCOPE OF WORK:

2.1 Scope of Work Related to IS (Information Systems) Audit:

Punjab & Sind Bank intends to issue this RFP document for carrying out a Comprehensive Audit of the IT Infrastructure implemented at the Bank's a. Data Centre, Mumbai, b. Disaster Recovery Centre, Noida and c. NLDC, Mumbai.

a. The Bidder is expected to carry out IS Audit activities including but not limited to the points mentioned in the scope of this RFP. Further, the Bidder has to evaluate and comment on compliance by the Bank with the RBI Circular on Cyber Security Framework, the Information/Cyber Security Policy/Procedures/Processes of the Bank, the ISO 27001:2017 standard, the master direction on digital payment security controls, other RBI guidelines and industry best practices etc.
b. The Bidder has to comply with the guidelines issued by RBI, Govt. of India, NPCI, UIDAI, CERT-In etc.
c. The Bidder has to comply with the Punjab & Sind Bank IS Audit Policy, Punjab & Sind Bank's IT Security Policies & Procedures and the Punjab & Sind Bank Cyber Security Policy.
d. The Bidder has to comply with the IT Act, 2000 as amended from time to time.

2.2 Review / IS Audit of:

a. IT Infrastructure (Data Centre, Disaster Recovery Centre and NLDC)

b. Business Continuity Plan & Disaster Recovery Planning

c. Security Operation Centre (SOC)

2.3 IS Audit of each of the systems shall broadly cover the following aspects:

a. Physical and Environmental controls
b. Logical access controls
c. Operating System/Server/Database/Load balancer etc. review, including Vulnerability Assessment
d. Application Review
e. Business process Review
f. Network/Network devices and Security Review, including Vulnerability Assessment
g. Backup procedure Review
h. Business Continuity/Disaster Recovery plans/practices
i. Audit of outsourcing services of IT/ATM/ADC etc.
j. Virus protection and Patch management
k. Capacity utilization of servers and applications
l. Review of the basic minimum configuration applicable for each system as per best practice, i.e. Baseline Secure Configuration review
m. Application Security Life Cycle (ASLC) review
n. Database Configuration Audit
o. Adoption of the principle of defence-in-depth to provide a layered security mechanism
p. IT Governance framework
q. SWIFT Logs, Cyber frauds
r. Secure Code Practice Review
s. IT General Controls Review
t. General Process Controls Review
u. Compliance with RBI's master direction on digital payment security controls

2.3.1 IT INFRASTRUCTURE

2.3.1(a) IT Infrastructure in DC, DR & NLDC


The Service Provider shall carry out a review to ensure IT Infrastructure compliance with the IT / IS Policy of the Bank. An indicative but not exhaustive list of activities is given below:

a. Data Centre/Disaster Recovery Centre civil and interiors as per submitted layout
b. Adequacy of server space in view of future requirement
c. Access control facility
d. Fire detection and prevention
e. Fire protection system for server rooms
f. Very early smoke detection systems for server rooms
g. Water leak detection systems for server rooms
h. Electrical subsystem (main panel, cables, Power Distribution Unit (PDU) and earthing)
i. Review of electrical power requirement and availability
j. UPS systems
k. DG sets and control of fuel
l. Precision (computer room standard) air-conditioning systems for server room
m. Air-conditioning system for other relevant areas of DC
n. Building management system software/hardware (should cover access controls for passkeys, compartmentalization, creation and review of logs, identification and escort requirements, use of cages/rooms etc.)
o. Closed circuit television (CCTV) system for monitoring entry/exit points and strategic locations within the server room
p. Structured cabling system for functional areas as per layout
q. Environmental threat protection (air purifier, humidity control etc.)
r. Review of operator awareness of physical security breaches
s. Review of safeguards to mitigate risks associated with earthquake and water-related threats
t. Verification of the Physical Security policy and review of authorization documentation on file for each individual who has card access to the data centre
u. Review of licence verification of all hardware, software etc. on entry and exit in DC/DR
v. Review of adequacy of physical security (guards, arms etc.)

2.3.1(b) Review of outsource of IT Operation (DC & DR).

a. Review the segregation of duties

b. Review of Privileged Identity Management

c. Review of adequacy of staff

d. Review of reporting responsibility and periodicity of report

e. Review of information sharing by the Bank's DC/DR team with the outsourced service provider
f. Review of the work authorization system between the outsourced service provider and the Bank's team

g. Access Control, Customer Data Privacy & Confidentiality.


2.3.1 (c) Management of Hardware in compliance with IT / IT Security Policy.

a. Acquisition in DC/DR, installation, upgradation, movement, usage and disposal procedures
b. Server sizing processes - hard disk capacity, RAM, processing power etc. as per requirements
c. Review of procedures to proactively manage the servers, which would alert the administrator as and when a service of the DC/DR reaches the defined threshold, before failure occurs on the servers or devices, to ensure uptime of the Data Centre

d. Review of Preventive maintenance process

e. Review of Backup procedures

f. Study of Asset Management policy / Procedures

2.3.1(d) Management of System Software

a. Software acquisition, installation, maintenance, updating of patches/security updates, development, storage and change management are as per the IT Security Policy of the Bank.
b. Review of setup and maintenance of operating system parameters; verification against the secured configuration documents.
c. Review of the setting of various parameters in Applications, updates thereof, and that they actually work as intended and accurately.
d. All the relevant security features available in the OS are enabled/taken advantage of as far as possible.
e. Review of User Controls, Retention, Changes, hard-coded use of root/administrative, generic and other sensitive IDs and passwords. Finacle IDs of all employees must be in their place of posting as per the current Bank record. IDs of retired/deceased/suspended staff and staff who have left the Bank etc. must be maintained in Finacle Core as per the Bank's policy for CBS Users.
f. Vulnerabilities in the OS are being taken care of; compensatory controls for known vulnerabilities are in place.
g. Review of Operating System and Database hardening and document verification of OS/DB hardening.
h. OS patches are updated as and when released by the vendor, and control over patch management.
i. Changes in system software are controlled in line with the organization's change management procedures. Proper record is maintained and authenticated regarding installation, upgradation, re-installation and maintenance.
j. Review of the Change Management process, reporting and measuring effectiveness, identifying areas of improvement.
k. Use of sensitive system software utilities is in a controlled manner and is monitored and logged.
l. Review of compliance with the existing change management process of updating the document after the Change Management process, with compliance status.
m. Review of Performance monitoring (including Virtual Servers).
n. Review of file permission(s).
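Item e above asks the auditor to confirm that every Finacle ID sits at the employee's current place of posting and that IDs of retired, deceased, departed or suspended staff are handled per policy. The following Python is added here as an illustration of that reconciliation; it is not part of the RFP and not Finacle's export format. It compares a CBS user export against the HR master and reports IDs that breach the rule. All records, the field names (`sol_id` for the branch/office code, the `status` values) and the 90-day dormancy threshold are constructed assumptions.

```python
"""Added example (not part of the RFP, not Finacle's export format): reconcile a
CBS user export against the HR master to support the user-control checks in
item e above.  Every record below is constructed sample data; field names such
as sol_id (branch/office code) are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CbsUser:
    user_id: str
    sol_id: str                  # branch/office the ID is attached to in CBS
    enabled: bool
    last_login: Optional[date]   # None = never logged in


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    sol_id: str                  # current place of posting per HR
    status: str                  # active | retired | left | deceased | suspended


INACTIVE_STATUSES = {"retired", "left", "deceased", "suspended"}


def reconcile(cbs_users: List[CbsUser], hr_records: List[HrRecord],
              as_of: date, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return sorted (user_id, finding) pairs for IDs that breach the policy:
    enabled IDs with no HR record, enabled IDs of staff who are no longer active,
    active staff whose CBS posting differs from HR, and enabled IDs unused for
    longer than dormant_days (or never used)."""
    hr = {r.emp_id: r for r in hr_records}
    findings = []
    for u in cbs_users:
        rec = hr.get(u.user_id)
        if rec is None:
            if u.enabled:
                findings.append((u.user_id, "ENABLED_ID_NOT_IN_HR"))
            continue
        if rec.status in INACTIVE_STATUSES:
            if u.enabled:
                findings.append((u.user_id, "ENABLED_BUT_" + rec.status.upper()))
            continue  # a disabled ID of departed staff is the expected state
        if u.sol_id != rec.sol_id:
            findings.append((u.user_id, "POSTING_MISMATCH"))
        if u.enabled:
            if u.last_login is None:
                findings.append((u.user_id, "NEVER_LOGGED_IN"))
            elif (as_of - u.last_login).days > dormant_days:
                findings.append((u.user_id, "DORMANT"))
    return sorted(findings)


# Constructed sample data (not real users or branches).
CBS_USERS = [
    CbsUser("E1001", "0101", True, date(2021, 11, 20)),   # clean
    CbsUser("E1002", "0102", True, date(2021, 11, 18)),   # HR says posted at 0105
    CbsUser("E1003", "0103", True, date(2021, 6, 1)),     # retired per HR, still enabled
    CbsUser("E1004", "0103", False, date(2021, 3, 1)),    # left the Bank, correctly disabled
    CbsUser("E1005", "0104", True, None),                 # no HR record at all
    CbsUser("E1006", "0101", True, date(2021, 5, 1)),     # active but unused for months
]
HR_RECORDS = [
    HrRecord("E1001", "0101", "active"),
    HrRecord("E1002", "0105", "active"),
    HrRecord("E1003", "0103", "retired"),
    HrRecord("E1004", "0103", "left"),
    HrRecord("E1006", "0101", "active"),
]
AS_OF = date(2021, 11, 24)


def audit_sample() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(CBS_USERS, HR_RECORDS, AS_OF)


if __name__ == "__main__":
    for user_id, finding in audit_sample():
        print(f"{user_id}: {finding}")
```

The decisive input is the HR master, not the CBS export: an ID that looks healthy in Finacle (enabled, recently used) is still a finding when HR shows the employee retired or transferred, which is why the check keys on the HR status first and only then looks at posting and dormancy.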


2.3.1 (e) Network Facility and Equipment Management

a. Review of NOC infrastructure and implementation as per RBI guidelines or other regulators and industry best practices
b. Review of NOC processes, the SLA management process for the NOC, and check for adherence to these SLAs
c. Review the configuration parameters and adequacy of staff working at the NOC
d. Review of reporting responsibility and periodicity of reports generated
e. Review of integration between the Bank and NPCI/IDRBT/RBI/UIDAI/e-sign Vendor/Card Vendor/BillDesk/Mastercard/RuPay/SWIFT etc.
f. The Bidder should check the configuration of network and security devices at DC/DR/NLDC and other locations
g. Overall network management
h. Firewall rule review and optimization

i. Review of Network device configurations and access control

j. Review of NAC

k. Network design- provides security, scalability, redundancy

l. Review of IPv6 implementation and further readiness

m. Network cabling is structured

n. Current network and security posture of the WAN/SDWAN architecture

o. IP addressing schemes and their allocations

p. Physical and logical separation of the networks

q. Network and security products and technologies deployed- Their usage and

physical security

r. Review of switches, routers configuration, scalability and port management.

s. Network bottlenecks and performance issues

t. Availability and quality of system documentation

u. IP Sec implementation / any other network level encryption.

v. Real-time monitoring of network traffic, which involves packet capture and

analysis.

w. Review of procedures adopted for:

• Secured transmission of data through dialup / leased line/ VPN/VSATs etc.

• Bandwidth management

• Uptime of network- it’s monitoring as per service level agreement

• Fault management

• Capacity planning

• Configuration Management

• Performance management etc.

x. Legal and Regulatory requirements

y. Audit log review and maintenance

z. Analyze the logs maintained for Network Incident

aa. Review of security architecture implementation

bb. Review of password management.

cc. Review of Network Information security administration.

dd. Review of Cryptography.

ee. Review of Policies and rule sets including ACLs (Access Control Lists).


ff. Review of Violation logging management.

gg. Review of Information storage & retrieval.

hh. Audit of PKI management.

ii. Audit of PIN management.

jj. Review access control documentation and configuration

kk. Network and Security Equipment

ll. Evaluate their installation, placement, configuration, security and the policies defined in the respective equipment for meeting the security requirements of the LAN/WAN/SDWAN, and the monitoring of their logs.
mm. Hardening of equipment like Router, Network Switch, IPS, IDS, Firewall. Ensure that Router, Firewall, Proxy, Intrusion Prevention System, ATM Switch, Network Switch, Modems etc. procured and installed are in line with the business strategy/IT Policy/Information/Cyber Security policy of the Bank/industry best practice/regulatory guidelines.
nn. Network Vulnerabilities and Threat Management.
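Items h and ee above (firewall rule review and optimization; review of rule sets including ACLs) are normally run through a script before anyone reads the rule base by hand. The following Python is an added example, not part of the RFP and not any vendor's ACL syntax. It models a first-match rule set, flags any/any permits and permits from any source with no port restriction, and reports rules that are shadowed by an earlier rule: a shadowed permit sitting behind a deny is dead, which usually means either the deny or the permit is wrong. The rule set and addresses are constructed.

```python
"""Added example (not part of the RFP, not any vendor's rule syntax): review a
first-match firewall rule set for overly permissive rules and for rules that
can never match because an earlier rule already covers them.  The rule set at
the bottom is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import List, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str             # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range


def rule(rid, action, src, dst, proto="any", ports=ALL_PORTS) -> Rule:
    return Rule(rid, action, ip_network(src), ip_network(dst), proto, ports)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def review(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule id, finding) pairs in rule order."""
    findings = []
    for i, r in enumerate(rules):
        if (r.action == "permit" and r.src == ANY_NET
                and r.dst == ANY_NET and r.proto == "any"):
            findings.append((r.rid, "ANY_ANY_PERMIT"))
        elif r.action == "permit" and r.src == ANY_NET and r.ports == ALL_PORTS:
            findings.append((r.rid, "PERMIT_ANY_SRC_ALL_PORTS"))
        # First-match semantics: an earlier rule that covers this one wins
        # every time, so this rule is dead (and its intent may be defeated).
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.rid, f"SHADOWED_BY_{earlier.rid}"))
                break
    return findings


# Constructed sample rule set (private address space, not the Bank's network).
SAMPLE_RULES = [
    rule(1, "permit", "10.10.0.0/16", "10.20.5.10/32", "tcp", (443, 443)),
    rule(2, "deny", "0.0.0.0/0", "10.20.5.0/24"),
    rule(3, "permit", "10.10.1.0/24", "10.20.5.10/32", "tcp", (443, 443)),  # dead: rule 1
    rule(4, "permit", "192.168.1.0/24", "10.20.5.11/32", "tcp", (22, 22)),  # dead: rule 2 denies first
    rule(5, "permit", "0.0.0.0/0", "0.0.0.0/0"),                            # any/any
    rule(6, "permit", "0.0.0.0/0", "10.30.0.0/16"),                         # wide open, and dead
]


def review_sample() -> List[Tuple[int, str]]:
    """Run the review over the constructed sample rule set."""
    return review(SAMPLE_RULES)


if __name__ == "__main__":
    for rid, finding in review_sample():
        print(f"rule {rid}: {finding}")
```

The shadow test is deliberately strict (full containment of source, destination, protocol and port range); partial overlaps, where a later rule is only partly unreachable, need a more involved comparison and are left out here so that every reported finding is certain.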

2.3.1 (f) Database Management System and Data security:

a. Review of Database Access & Data Security as per RBI guidelines or other regulators and industry best practices.
b. Review of procedures to ensure that all data are classified in terms of sensitivity and that the necessary safeguards for their confidentiality, integrity and authenticity are taken as per the Information/Cyber Security Policy.
c. Review of control procedures for sensitive DB passwords.
d. Review to ensure that patches and new versions are updated as and when released by the Bidder/Research and Development team. If not done, then comment upon vulnerabilities and availability of services of the existing version being used.
e. Use of Data Recovery System, Data Definition Language, Data Manipulation Language.
f. Storage of a duplicate copy of the data definition and DRS at an off-site location.
g. Monitoring of the log of changes to the Data definitions.
h. Procedures to ensure that all data are classified in terms of sensitivity by a formal and explicit decision of the data owner, and that the necessary safeguards for their confidentiality, integrity and availability are taken as per the IT Security Policy.
i. Ensure logical access controls so that access to data is restricted to authorized users only.
j. Review that confidentiality and privacy requirements are met.
k. Authorization, authentication and access control are in place; review of physical access and protection.
l. Segregation of duties is ensured for accessing data.
m. Purging, retention and archival of Data Files.
n. Review of how database integrity is ensured in case tables are not properly updated by the application software for various reasons, i.e. break in link, bug in software etc. In case direct updation/modification of the database is done by opening the tables in the live environment, evaluate the controls.
o. Review of protection of sensitive information during transmission and transport.
p. Separation of duties.
q. Rotation of duties.
r. Impact of backend updates.
s. Conduct an internal vulnerability assessment for reviewing the database security settings.
t. Auditability both at client side and server side, including sufficiency and accuracy of event logging, SQL prompt command usage, database-level logging etc.
u. Recovery, rollback and restart procedures.
v. Audit the database systems' security through automated security scans and manual reviews.
w. Review that table, partition and indexing etc. structures are as per application software requirements.

2.3.1 (g) Help Desk and Call centre:

a. Helpdesk facility, which provides first-line support and advice
b. Prioritization of reported problems/calls
c. Timely resolution of reported problems
d. Problems and incidents are resolved, and the cause investigated to prevent any recurrence
e. Incident handling
f. Trend analysis and reporting
g. Development of knowledge base
h. Root cause analysis
i. Problem tracking and escalation with proper documentation
j. Existence & maintenance of audit trails of problems and solutions
k. Management/operations of the Help Desk for monitoring, managing and reporting the faults, configuration, performance and accounting of the Bank's Wide Area Network, servers installed in the Data Centre and other locations across the network
l. Application support calls and their resolution

2.3.1 (h) Storage Management

a. Retention, purging/archival periods and storage terms are defined for:

• Documents

• Data

• Programs

• Reports

• Messages (incoming and outgoing)

• Keys, certificates used for their encryption and authentication

• Log files for various activities

• Policy and Procedures for purging of data

• Storage Technology Audit


2.3.1 (i) Media Storage

a. Responsibilities for media (magnetic tape, cartridge, disks and diskettes) library management are assigned to specific members of the IT function
b. Housekeeping procedures are designed to protect media library contents
c. Standards are defined for the external identification of magnetic media and the control of their physical movement and storage, to support accountability
d. Procedures to assure that the contents of the media library containing data are inventoried systematically, that any discrepancies disclosed by a physical inventory are remedied in a timely fashion, and that measures are taken to maintain the integrity of magnetic media stored in the library
e. Review of media handling process and media movement log
f. Review of periodic media testing and offsite backup
g. Review of labelling process of media storage

2.3.1 (j) Inventory Maintenance

a. Controls, which identify and record all IT assets and their physical location,

and a regular verification program which confirms their existence

b. IT assets classification

c. Checking for unauthorized software

d. Software storage controls

e. License management

f. Licenses for applications

g. Review of insurance, ESCROW

h. Disposal of obsolete inventory

i. Review of Antivirus

j. AMC of Hardware / Software

2.3.1 (k) Others

a. Review of console log activity during system shutdown and hardware/software re-installation

b. Review of Operational procedure for Data center

c. Review of Documented processes related to Data Centre

d. Review of Day Begin and End process

e. Personnel scheduling- Shift hand-over process

f. Review of operator log to identify variances between schedules and actual

activity

g. Use of Internet/e-mail

h. Review of remote desk top Management/Net meeting/FTP/SFTP etc.

i. Review of antivirus/DLP Implementation

j. HIDS/ NIDS Log Monitoring

2.3.1 (l) Process Management Review

a. Review of Installation Procedure

b. Review of Maintenance Procedure

c. Review of Release Procedure

d. Review of User Management procedure


e. Review of Tracking Procedure

f. Review of Handover procedure

g. Review of Incident Management Procedure

h. Review of Change Management Procedure

i. Review of Anti Phishing Monitoring Process

j. Review of SLAs

2.3.1 (m) Domain Controller / AD

a. Review to ensure that all Windows Servers are under Domain

b. Review of USB Policy application

c. Review of Administrator ID being used by branches to login into Bank Domain

d. Review of Desktops not in AD in Branches.

2.3.1 (n) ATM Switch & ATM Facility Management, ATM Operations & ATM Back Office

a. Review the compliance with RBI circular no. DoS.CO/CSITE/BC.4084/31.01.015/2019-20 dated 31.12.2019
b. Review of ATM Switch operations, including audit of the outsourced switch maintenance vendor & review of the outsourcing arrangement (SLA) in totality vis-à-vis the RFP terms.
c. Adequacy of operational security features through access control, user rights, logging, data integrity, accountability, auditability etc. at the ATM Switch/Mobile Banking Services.
d. ATM Process Audit comprising ATM operational controls, consortium issues, reconciliation, ATM cash management etc.
e. Analysis/verification of audit logs/audit trails of transactions, exception list, incident management report etc.
f. Adequacy of contingency arrangements (fallback/failover procedures, redundancy & backup) in the event of system breakdown/failure w.r.t. recovery/restart facilities, diagnostics for identification, protection of data, backup facilities.
g. Verification of the detailed security procedures & processes of the ATM Switch vendor.
h. Analysis of incident management/ATM monitoring database/reports/logs etc. generated & their resolution.
i. Audit of the reconciliation activities being carried out w.r.t. transactions involving the various acquirers, issuers, merchants, interchanges and other stakeholders etc. found in the ATM switch files against the transactions found in the Host, Interchange & Partner Bank's switch. Also, chargeback processing including VISA chargeback, NFS chargeback etc. is to be checked for appropriateness.
j. Arrangement for continuous surveillance - setting up of a Cyber Security Operation Center (C-SOC)

2.3.1 (o) Reconciliation System & Process Audit

a. Review of the reconciliation process of RTGS/NEFT, IMPS/UPI/NACH/ECS/CTS/Internet Banking/Debit Card/Prepaid Card/Online e-commerce/AePS/ePDS/mPAY/Micro ATM/KIOSK-FI transactions/ATMs and m-Commerce transactions as per RBI/NPCI/CTS etc. guidelines.
b. Adequacy of audit trail, history and dispute management mechanism.

2.3.1 (p) Business Continuity Plan & Disaster Recovery Planning:

The Service Provider would be required to review the Bank's BCP and DRP to validate the BCP/DRP in terms of adequacy, effectiveness, efficiency, activation ability and reliability, taking into consideration:

a. Review of the DRP process
b. Site review (DRC/Near Site)
c. Review of business flows
d. Review of resource priority for recovery and recovery time objectives
e. Review of the Business Continuity Strategy
f. Review of adequacy of the Disaster Recovery Plan and Business Continuity Plan
g. Review of BCP & DRP for DC/DR
h. Review of achieved vs. projected results
i. Review of the process for business continuity objectives
j. Review of submission of test results to the Board
k. Identification of single points of failure
l. Assessment of, and observations on, the DR drills conducted for all four quarters.

2.3.1 (q) Security Operations Centre

a. Review of SOC infrastructure/implementation of security tools
b. Review of SOC processes.
c. Review of the SOC charter document, SOC KPIs and metrics.
d. Management and monitoring of logs (i.e. trace log, CDCI logs, fatal logs, archive logs, SU logs, Syslog, alert log, last log, application log, Security log, System log, file retention logs, file replication service log, DNS logs, IDS log, AIPS logs, event log, access log, ISS log, AV log etc.)
e. The Cyber SOC (CSOC) has to take into account proactive monitoring and management, with capabilities and sophisticated tools for detection and quick response, backed by data and tools for sound analytics.
f. Review of manpower, training and knowledge management.
g. People management.
h. Review of outsourcing services of the SOC.
i. Review of the SLA management process for the SOC
j. Review of the configuration parameters
k. Custom rule review and custom application integration.
l. Incident reporting and management.
m. Security monitoring services.
n. Security analysis, forensics and threat intelligence.
o. Review of reporting responsibility and periodicity of reports
p. Review of the work authorization system between the outsourced service provider and the Bank's team
q. Access control, customer data privacy & confidentiality
r. The Bidder has to identify hidden and disabled functionalities and remove them from applications
s. Application security testing to be done.
t. DMZ demarcation and IP addresses present in the DMZ must be identifiable.

Broad details of the systems are given below:

| Name | Device Type /Components | Quantity | Platform |
|---|---|---|---|
| Punjab & Sind Bank | Servers |  | Microsoft Windows, Unix, Red Hat Linux, Sun Solaris & Linux etc. |
| | Data Bases |  | Oracle / Microsoft SQL Server / Sybase |
| | Network Devices |  | Cisco, HP, Radware, Big IP F5, Switch, Router |
| | Security Devices |  | Cisco, Checkpoint, Firewall, ATP |
| | Others |  | Tape Library, San Switch, Storage |

Please note that the Application & Database servers are counted in both the Servers section and the Database section.

Please note that the list provided above is a tentative list. There may be a 10% increase in the list provided. The Service Provider should keep provision for the same while bidding.

2.3.1 (r) Policy, Process and Procedure review

a. Information Security Policy
b. Cyber Security Policy
c. Data Privacy Policy
d. Integrated Risk Management Policy
e. Fraud Risk Management Policy
f. Operational Risk Management Policy
g. Cyber Crisis Management Plan
h. IT Policy
i. Business Continuity Plan & Disaster Recovery Policy
j. Information/Cyber Security Processes, Procedures & Guidelines.
k. IT Processes, Procedures & Guidelines
l. Data archival & purging policy

2.3.2 Review of Information Security/Cyber Security vis-à-vis RBI Circular on Cyber Security Framework/NCIIPC guidelines/CERT-In guidelines.

a. Review of compliance of RBI Circular on Cyber Security Framework dated 02.06.2016 in the Bank.
b. Vetting of Self-assessment of gaps vis-à-vis Baseline Security & Resilience Requirements.
c. Review of the Current Security Architecture and Security Technology of the organization.
d. Incident Management review, in which the IS auditor should review whether Incidents are managed, monitored and reported as per the RBI guidelines or those of other regulators like CERT-In, NCIIPC etc.
e. Review of Secure Configuration Documents adopting best practices for Server OS, Web application, Database, Security Devices, Network Devices, Desktops, Laptops, Mobile devices etc.
f. Review of Network Security including various wireless technologies, Security Design, Access Control, etc.
g. Review of the existing network topology/ Network Security Architecture and deployment of the security controls within the organization like Firewalls, IDS/IPS, network segmentation, WAF, Mail Gateway, Patch Management, Active Directory (AD), AV, SIEM, PIM, DAM, Anti APT etc.
h. Review of access rules (ACLs) of network & security devices.

Deliverables

During the course of the review, the SP will suggest the following, in addition to other critical observations/ methods/ improvements as deemed fit from the point of view of the SP's professional experience, for each of the services mentioned above:

• Ways to secure the existing Networks & any new networks being merged /created
• Provide re-designed network & security architecture along with technical specifications of network & security solutions based on the operational and business requirements of the Bank.
• All observations will be thoroughly discussed with process owners before finalization of the report.
• Entity-wise separate reports will be submitted for the Infrastructure Audit of DC, DR, NLDC and BCP.
• Reports will be published territory-wise & Entity-wise.
• A separate report for SOC will be submitted, which should be further bifurcated territory-wise / Entity-wise.
• Reports will be submitted as soft copy (password protected) in doc and pdf format as well as in signed hard copy.
• All reports will be prepared with the following information:
  • Gaps, deficiencies, vulnerabilities observed – specific observations should be given with details
  • Risk associated with Gaps, deficiencies, vulnerabilities observed
  • Category of Risk – Very High/High/Medium/Low
  • Recommendations/Procedures for removing Gaps, deficiencies, vulnerabilities observed
  • Preparation of Final testing Report with areas of improvement
  • Compliance testing report

3. Scope of Vulnerability Assessment and Penetration Testing:-

Vulnerability Assessment and Penetration Testing should cover the application and its components including web server, app server, Operating systems, DB Server, Thick client, Thin clients, Mobile applications, Networking systems, Security devices, Security Infrastructure, load balancers, integration with other applications and APIs etc. as listed in Annexure-C and all other assets listed in Annexure-D.

The Selected bidder should carry out a Threat & Vulnerability assessment and assess the risks in the Bank’s Information Technology Infrastructure. The security assessment should use industry standard penetration test methodologies and scanning techniques, and will focus on applications. The application tests should cover, but not be limited to, the OWASP Top 10 attacks. The Selected bidder shall perform application security testing to identify security vulnerabilities in the Bank's applications that may be exploited by a user to obtain unauthorized access. This will include identifying existing threats, if any, and suggesting remedial solutions and recommendations to mitigate all identified risks, with the objective of enhancing the security of Information Systems. In addition to the remote Assessment, the selected Bidder shall also perform the onsite assessment of the assets under the Scope of the RFP and is expected to conduct the audit against the standard configuration document that the Bank has created, as also the latest global standards and industry best practices.

After the VAPT assessment and submission of the report to the Bank, the Bank may at its discretion request in writing for Compliance verification on closure of observations.

The frequency for conducting VAPT should be half-yearly. However, the Bank at its own discretion can change the frequency.

3.1 VAPT activities: VAPT should be comprehensive, including but not limited to the following activities for the application and related infrastructure under audit:

• Network Scanning
• Port Scanning
• System Identification & Trusted System Scanning
• Vulnerability Scanning
• Malware Scanning
• Spoofing
• Scenario Analysis
• Application Security Testing & Code Review
• OS Fingerprinting
• Service Fingerprinting
• Access Control Mapping
• Denial of Service (DoS) Attacks
• DDoS Attacks
• Authorization Testing
• Lockout Testing
• Password Cracking
• Cookie Security
• Functional validations
• Containment Measure Testing
• War Dialing
• DMZ Network Architecture Review
• Firewall Rule Base Review
• Server Assessment (OS Security Configuration)
• Security Device Assessment
• Network Device Assessment
• Database Assessment
• Website Assessment (Process)
• Vulnerability Research & Verification
• IDS/IPS review & Fine tuning of Signatures
• Man in the Middle attack
• Man in the browser attack
• Any other attacks
• Compliance of Regulatory guidelines/Advisories: The Successful Bidder shall perform VAPT and also ensure that regulatory guidelines issued by various bodies such as CERT-In, NCIIPC, RBI-CSITE, NPCI etc. are followed.

3.2 Website/Web/Mobile Application Assessment:

Website/Web-Application/Mobile application assessment should be done as per the latest OWASP-MASVS, OWASP-ASVS, ISO 12812, ISO 27001:2017 and other relevant OWASP standards & guidelines, including but not limited to the following:

• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security misconfiguration
• Insecure Cryptographic Storage
• Sensitive Data Exposure
• Failure to Restrict URL Access
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Known Vulnerable Components
• Un-validated Redirects and Forwards
• Insufficient Transport Layer Protection
• Any other attacks to which the web sites and web Applications are vulnerable

The Selected Bidder shall use automated and manual testing techniques to exploit the weaknesses identified in the application logic, in areas like authentication, authorization, information leakage, field variable control, session timeout & logout, cache control, server-side logic, client-side logic, error handling, application administration and encryption. The Scope for penetration testing should include, but not be limited to, the list of internet-facing websites/ applications. It is explicit that the penetration tester should conduct the vulnerability assessment in consultation with the concerned personnel and with the proper permission of the Bank.

Deliverables

The deliverables for the VAPT activity are as follows: -

• Execution of Vulnerability Assessment and Penetration Testing for the identified network devices, security devices, servers, applications, websites, interfaces (part of application), mobile applications, thick/thin clients etc. as per the Scope mentioned in this RFP, and Analysis of the findings and guidance for resolution of the same.
• Verification of closure of critical vulnerabilities.
• Perform compliance verification of closure of findings.
• Draft VAPT Report followed by final report.
• Compliance verification (Optional)

The VAPT Report should contain the following: -

• Identification of Auditee (Address & contact information)
• Dates and Locations of VAPT
• Terms of reference
• Standards followed, including confirmation of testing as per International Best practices and OWASP Web/Mobile application security guidelines.
• Summary of audit findings including identification tests, tools used and results of tests performed (like vulnerability assessment, penetration testing, application security assessment, website assessment, etc.)
• Tools used and methodology employed
• Positive security aspects identified
• List of vulnerabilities identified
• Description of vulnerability
• Risk rating or severity of vulnerability
• Category of Risk: Very High (Critical) / High / Medium / Low
• Test cases used for assessing the vulnerabilities
• Illustration of the test cases
• Applicable screenshots.
• Analysis of vulnerabilities and issues of concern
• Recommendations for corrective action
• Personnel involved in the audit

The Service Provider may further provide any other required information as per the approach adopted by them and which they feel is relevant to the audit process. All the gaps, deficiencies and vulnerabilities observed shall be thoroughly discussed with the respective bank officials before finalization of the report.

4. Execution of work:

4.1 The successful bidder shall submit a detailed plan clearly indicating the tentative dates and estimated time for the IS Audit of all the systems.

4.2 During the course of the audit, if the bidder/ service provider observes any major deficiencies, they shall immediately bring such observations, deficiencies, areas of improvement and suggestions for improvement to the notice of the concerned persons. The service provider shall also discuss with, and guide/help, the Bank staff in implementation of the critical and important suggestions.

• At the end of the IS Audit, the service provider shall submit a detailed report containing all the observations, deficiencies, areas of improvement and suggestions for improvement, for each system separately. An executive summary should also form a part of the Final Report.
• Since setting right the deficiencies of the Bank, and intimating the Bank of having done so, will take some time, the service provider shall conduct a compliance audit to confirm the setting right of the deficiencies and implementation of the suggestions. The service provider shall submit a detailed report after the compliance audit.
• The assignment will be for conducting the IS Audit one time only. The Bank, at its option, will review and entrust the assignment either in full or in part subsequently.

5. OTHER IMPORTANT TERMS & CONDITIONS:

| Sr. No. | Phase | Objectives | Timeline | Deliverables | Payment Schedules |
|---|---|---|---|---|---|
| 1. | Phase-I | Conduct of IS-Audit as per scope, evaluation, discussion on the findings & submission of final reports. | 6 weeks | ISA Report: (1) Executive summary; (2) ISA Report Core findings along with Risk Analysis; (3) ISA Report Detailed findings /Checklists; (4) ISA Report: Analysis of reports/ Corrective Measures & Suggestions along with Risk Analysis; (5) Report should classify the observations into Critical/Non-Critical category and assess the category of Risk Implication as Very High (Critical) /High /Medium/ Low Risk based on the impact. | 1. 70% after completion of PHASE-I. |
| 2. | Phase-II | Compliance Audit, Review & Certification. | 2 weeks | Compliance Report: (1) Compliance Audit report; (2) To provide the BANK an ISA compliance certificate including certificate as per RBI guidelines for Internet Banking. | 2. 30% after completion of PHASE-II. |

Documentation Format

• Soft copies of all the documents, properly encrypted, in MS Word /MS Excel /PDF format are also to be submitted on CDs/DVDs along with the hard copies.
• All documents shall be in plain English.

Note: The details of Phases, deliverables and payment schedule are described in Annexure-A to this RFP.

6. TERMS AND CONDITIONS:

a. The empanelment will be cancelled if the empanelled IS Auditor refuses to accept the purchase order or, having accepted the purchase order, fails to carry out his obligations mentioned therein.

6.1 CLARIFICATIONS ON THE RFP

a. Queries/clarifications shall not be entertained over phone.
b. All the queries and clarifications must be sought in writing to the email id: [email protected].
c. Bidders are also requested to collate queries and submit them together seeking clarifications/responses from the Bank. It shall be ensured that all the queries and clarifications are communicated in writing on or before the pre-bid query date. Queries received thereafter will not be entertained.
d. The Bank will email the clarifications/amendment (if any) to the empanelled IS Auditors.

6.2 One Part Bid:

The bidder shall submit his response to the tender as an ‘Indicative Commercial bid’. The Commercial bid will contain the pricing information.

a. All the envelopes must be super-scribed with the following information –
Type of Bid - Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Indicative Commercial Bid)
Due Date: , Name of Bidder: , Name of the Authorized Person: , Contact Number:
b. All schedules, Formats and Annexures shall be stamped and signed by an authorized official of the bidder's company.
c. Submission of bids: The Bank expects the bidders to carefully examine all instructions, terms and conditions mentioned in this RFP document before submitting its unconditional compliance as part of the RFP. Failure to furnish all information required, or submission of an RFP response not substantially responsive to the RFP in every respect, will be at the bidder’s risk and may result in the rejection of its response.
d. Bids duly sealed shall be submitted, in person, on or before the last Date and Time for bid submission at the address mentioned below. Bids are also required to be submitted electronically as mentioned in the KEY-INFORMATION of this document.

Punjab & Sind Bank, Second Floor
Inspection Department
Plot No 151, Institutional Area,
Sector 44, Gurugram, Pin 122003

Any other mode of submission, e.g., by courier, fax, e-mail etc. will not be accepted. Bids will be opened in the presence of the bidder representatives who choose to attend the opening of the tender on the specified date, time and place of bid opening. All bidders are advised to be present at the time of bid opening. No separate intimation will be given in this regard.

6.3. No Erasures or Alterations:

a. The original bid (Commercial Bid) shall be prepared in indelible ink.
b. Technical details must be completely filled up. All the hand-written details in the bid must be initialled by the person or persons who sign(s) the bids.
c. All the pages of the bid must be initialled by an authorized representative with a round stamp of the bidding firm.

6.4. Validity:

a. The bid shall remain valid for a period of 180 days from the last date of submission of the bid.
b. At the option of the Bank, the bidder shall extend the validity of the bid for such required period(s) as the Bank may require during the evaluation process.

6.5. Indicative Commercial Bid:

The commercial bid evaluation will be carried out by opening the sealed indicative commercial bids. After that, based on the indicative commercial bids, a reverse auction will be conducted. Post reverse auction, the bidder with the lowest commercial proposal will be designated as the L1 Bidder.

6.6. A. Reverse Auction:

The Bank shall conduct the reverse auction on the TOTAL COST OF IS AUDIT and the price so obtained after closure of the Reverse Auction shall be taken into account for Commercial Evaluation. Bidders have to submit the final price to the Bank within 48 hours of closure of the Reverse Auction process.

The procedure of the reverse auction will be notified to the shortlisted bidders separately. The Reverse Auction process will be conducted online through the Bank’s authorized e-Tendering Service Provider M/s C1 India Pvt. Ltd through the website: https://psb.eproc.in.

In case of any clarification/ queries regarding the Reverse Auction Process, Bidders may reach out to: Email: [email protected] Ph: 0124-4302033/36/37.

6.6. B. Business Rules for Reverse Auctions:

Applicability

Reverse auctions are carried out under a framework of rules that are called Business Rules.

1. All bidders participating in the reverse auction shall understand/accept and give an undertaking for compliance with the same to the Bank in the prescribed format “Annexure X: Compliance for Reverse Auction”.
2. Any bidder not willing to submit such an undertaking shall be disqualified from further participation in the e-procurement process in question.

6.6. C. Compliance/Confirmation from Bidder

The bidders participating in the reverse auction shall submit the following documents duly signed by the same Competent Authority who signs the offer document in response to the RFP:

Acceptance of Business Rules for Reverse Auction and undertaking as per the format in Annexure X: Compliance for Reverse Auction.

6.6. D. Training to bidders:

1. The Bank may facilitate training for participation in the reverse auction either on its own or through the service provider for the reverse auction.
2. On request where necessary, the Bank/service provider may also conduct a ‘mock reverse auction’ to familiarize the bidders with the reverse auction process.
3. Any bidder not participating in the training and/or ‘mock reverse auction’ shall do so at his own risk and it shall not be open for him to make any request / complaint / grievance later.
4. Each bidder shall participate in the training at his / their own cost.
5. The venue, date, time etc. for training in the reverse auction shall be advised at the appropriate time.
6. No request for postponement/fixing of the training date/time shall be entertained which, in the sole view and discretion of the Bank, might result in any avoidable delay to either the Reverse Auction or the whole process of selection of the bidder.

6.6. E. Date/time of reverse auction

1. The date and time of commencement of the reverse auction, as also the duration of the ‘Reverse Auction Time’, shall be communicated at least 4 working Days prior to such auction date.
2. Any force majeure or other condition leading to postponement of the auction shall entitle the Bank to postpone the auction even after communication, but the Bank shall be obliged to communicate the ‘postponement’ to all participating bidders prior to commencement of such ‘Reverse Auction’.

6.6.F. Conduct of Reverse Auction

1. The reverse auction shall be conducted on a specific web portal meant for this purpose.
2. The reverse auction may be conducted by the Bank itself or through a service provider specifically identified/appointed/empanelled by the Bank.

6.6.G. Transparency in Bids

All bidders will be able to view, during the auction time, the current lowest price in the portal. A Bidder shall be able to view not only the lowest bid but also the last bid made by him at any point of time during the auction time.

6.6.H. Masking of Names

1. Names of bidders shall be masked in the Reverse Auction process and bidders will be given suitable dummy names.
2. After completion of the Reverse Auction, the service provider / auctioneer shall submit a report to the Bank with all details of the bids and the original names of the bidders, as also the L1 bidder with his original name.

6.6.I. Start Price

The Reverse Auction process shall commence at and after electronically loading the “START-UP PRICE” at the Bank’s discretion.

6.6.J. Decremented Bid Value

1. The bidders shall be able to bid only at a specified decrement value or multiples thereof and not at any other fractions. The Bid decrement value shall be decided by the Competent Authority of the Bank.

6.6.K. Reverse Auction Process

1. The Bank shall, however, be entitled to cancel the Reverse Auction process if, in its view, the procurement or Reverse Auction process cannot be conducted in a fair manner and/ or in the interest of the Bank.
2. The successful bidder shall be obliged to provide a commercial bid (ANNEXURE-III) at the last bid price at the close of the auction.

6.6.L. Changes in Business Rules

1. Any change in the Business Rules as may become emergent and based on the experience gained may be made by the Bank.
2. Any/all changes made in the Business Rules shall be uploaded on the Website of the Bank https://www.punjabandsindbank.co.in/ immediately.
3. If any reverse auction process has commenced and a change is made in the Business Rules, it shall be informed immediately to each bidder participating in the Reverse Auction and his concurrence to/ acceptance of the change shall be obtained in writing by the Bank.

6.6.M. Don’ts applicable to the Bidders

1. No bidder or any of its representatives shall involve itself in any price manipulation directly or indirectly with other bidders. If any such practice comes to notice, the Bank shall disqualify the bidders concerned from the process.
2. The Bidder shall not disclose details of bids or any other details concerning the Reverse Auction process of the Bank to any other third party without specific permission in writing from the Bank.
3. Neither the Bank nor the service provider/ auctioneer can be held responsible for consequential damages such as no power supply, system problems, inability to use the system, loss of electronic information, power interruptions, UPS failure, etc. at the bidders’ place. (The Bank shall, however, entertain any such issues of interruptions and problems with an open mind and a fair degree of transparency in the process before deciding to stop or extend the auction.)

6.6.N. Errors and omissions:

On any issue not specifically dealt with in these Business Rules, the decision of the Bank shall be final and binding on all concerned.

6.6. O. The indicative Commercial Bid shall be submitted in a separate sealed envelope, super-scribed as “Conducting IS Audit of Data Centre, Critical Applications, IT Processes etc. (Indicative Commercial Bid)”.

1. The Commercial Bid should provide all relevant price information in Indian Rupees only.
2. The responses shall be strictly as per the terms and conditions of this RFP. Bidders are advised not to attach or specify any terms and conditions. The Bank reserves its right to reject bids received with any additional terms and conditions specified by the Bidder.
3. The Commercial Bid shall comprise Annexure-III (Format for Commercial BID).
4. The prices mentioned in the commercial bid shall strictly be in conformity with the price composition specified in Annexure-A clause 4.5 (Price Composition).
5. The Commercial Bid shall include all taxes, duties, fees, and other charges as may be levied under the applicable law as on the date of submission of the bid. However, the GST component of the prices shall be payable extra on an actual basis.
6. The total cost must be quoted in WORDS AND FIGURES. In case of discrepancy between the words and figures, the lower of the two would be considered as the price quoted and the same will be binding on the bidder.
7. The Indicative Commercial Bid of only those bidders who qualify in the Technical Bid evaluation will be opened.

6.7 Evaluation Procedure:

The Evaluation process will be:

1. Commercial Evaluation (through Reverse Auction)

a. In the process of scrutiny of the bids, the Bank may seek additional inputs and clarifications as may be needed. The request for such clarifications and the response will necessarily be in writing.
b. Bids found to be meeting the Bank's requirements based on the commercial evaluation.
c. The evaluation by the Bank will be undertaken by a Committee of internal Bank officials and may include a Consultant. The decision of the Bank’s Committee shall be considered final.

6.8 Right to Alter Quantities

The Bank reserves the right to alter quantities, revise/modify all or any of the specifications, or delete some items specified in this bid, when finalizing its requirements, or declare the RFP void, without assigning any reason, before or after receiving the responses. That is, the Bank reserves its right to add or remove the Information systems in respect of which the IS Audit is to be conducted.

6.9 No Commitment to Accept Lowest or Any Tender

The Bank shall be under no obligation to accept the lowest or any other bid received in response to this tender notice and shall be entitled to reject any or all tenders without assigning any reason whatsoever.

6.10 Rotation of Audit Team

If the selected Bidder has already carried out an IS Audit of our bank, the Bidder shall change the entire team and depute a fresh team.

6.11 Price freezing and Contract Period

a. The final prices stated above shall remain frozen for a minimum period of up to two years from the date of the purchase order.
b. The Contract would be valid for a one-year IS Audit/VAPT exercise, which may be further extended by one year at the discretion of the Bank.

6.12 Cancellation of the assignment:

The Bank reserves its right to cancel the assignment in the event of one or more of the following conditions:

a. Delay in commencement of the IS Audit beyond four weeks after the assignment order or beyond the date given by the bank in the purchase order.
b. Delay in completion of all the phases of the IS Audit beyond the time specified in the assignment letter.

6.13 Liquidated Damages:

6.13.A Notwithstanding the Bank's right to cancel the assignment, 0.5% of the order value per week or part thereof would be payable to the Bank for delay in the execution of this assignment order beyond the specified schedule, subject to a maximum of 10% of the value of the said phase.

6.13.B The Bank reserves its right to recover these amounts by any mode, such as adjusting from any payments to be made by the Bank to the bidder.

6.13.C The Bank however may review and consider waiving imposition of liquidated damages for delays beyond the control of the Bidder.

6.14 RFP Ownership:

The RFP and all supporting documentation are the sole property of Punjab & Sind Bank and shall not be redistributed without prior written consent of Punjab & Sind Bank. Violation of this would be a breach of trust and may, inter alia, cause the bidders to be irrevocably disqualified. The aforementioned material must be returned to Punjab & Sind Bank while submitting the bid, or upon request. However, bidders can retain one copy for reference.

6.15 Bid Ownership:

The bid and all supporting documentation submitted by the bidders shall become the property of the Bank. The bid and documentation may be retained, returned or destroyed as the Bank decides.

6.16 Confidentiality:

This document contains information confidential and proprietary to the Bank. Additionally, the bidders will be exposed, by virtue of the contracted activities, to the internal business information of the Bank. Disclosure of receipt of this RFP or any part of the aforementioned information to parties not directly involved in providing the services requested could result in the disqualification of the bidders, premature termination of the contract, or legal action against the bidders for breach of trust.

6.17 Non-Transferable Tender:

This tender document is not transferable. Only a bidder who has been empanelled by the Bank will be eligible for participation in the evaluation process.

6.18 Language of BID:

The bid prepared by the Bidder, and all correspondence and documents relating to the bid exchanged by the Bidder & the Bank, shall be written in English.

7. RESOLUTION OF DISPUTES:

7.1The Bank and the bidder shall make every effort to resolve amicably by direct

informal negotiation any disagreement or dispute arising out of or in connection with

the Contract.

7.2 If, after thirty (30) days from the commencement of such informal negotiations, the Bank and the bidder have been unable to resolve amicably a Contract dispute, either party may require that the dispute be referred for resolution to the formal mechanisms. Such disputes or differences shall be settled in accordance with the Arbitration and Conciliation Act, 1996. Where the value of the contract is above Rs.1 crore, the arbitral tribunal shall consist of 3 arbitrators, one each to be appointed by the Bank and the Bidder. The third arbitrator shall be chosen by mutual discussion between the Bank and the Bidder.

7.3 The arbitration proceedings shall be held at New Delhi, India, and the language of the arbitration proceedings shall be English. The arbitrators shall hold their sittings at New Delhi. Subject to the above, the courts of law at New Delhi alone shall have jurisdiction in respect of all matters connected with the Contract/Agreement.

7.4 The decision of the majority of arbitrators shall be final and binding upon both parties. The cost and expenses of the arbitration proceedings will be paid as determined by the arbitral tribunal. However, expenses incurred by each party in connection with the preparation, presentation, etc. of its proceedings, as also the fees and expenses paid to the arbitrator appointed by such party or on its behalf, shall be borne by that party.

7.5 Where the value of the contract is Rs.1 crore and below, the disputes or differences arising shall be referred to a sole arbitrator. The sole arbitrator shall be appointed by agreement between the parties.

7.6 All disputes are subject to the exclusive jurisdiction of the Court at New Delhi.

7.7 To ensure transparency, equity and competitiveness, and in compliance with the CVC guidelines, this tender shall be covered under the Integrity Pact (IP) policy of the Bank.

Sh. Asha Ram Sihag and Sh. Aditya Prakash Mishra have been appointed as IEMs (Independent External Monitors) for the Bank. The IEMs can be contacted at:

1. Sh. Asha Ram Sihag
Email: [email protected]
Mob: 9911558502

2. Sh. Aditya Prakash Mishra
Email: [email protected]
Mob: 9560625666

8 CORRUPT OR FRAUDULENT PRACTICES:

8.1 As per CVC directives, it is required that Bidders/Suppliers/Contractors observe the highest standard of ethics during the procurement and execution of such contracts. In pursuance of this policy:

• “Corrupt practice” means the offering, giving, receiving or soliciting of anything of value to influence the action of a public official in the procurement process or in contract execution; and

• “Fraudulent practice” means a misrepresentation of facts in order to influence a procurement process or the execution of a contract to the detriment of the Bank, and includes collusive practice among Bidders (prior to or after bid submission) designed to establish bid prices at artificial, non-competitive levels and to deprive the Bank of the benefits of free and open competition.

8.2 The Bank will reject a bid for award if it determines that the Bidder recommended for award has engaged in corrupt or fraudulent practices in competing for the contract in question.

8.3 The Bank will declare a firm ineligible, either indefinitely or for a stated period of time, to be awarded a contract if at any time it determines that the firm has engaged in corrupt or fraudulent practices in competing for, or in executing, a contract.

9 NON-DISCLOSURE AGREEMENT:

The bidder shall take all necessary precautions to ensure that all confidential information is treated as confidential and not disclosed or used other than for the purpose of project execution. The bidder shall suitably defend and indemnify the Bank for any loss/damage suffered by the Bank on account of, and to the extent of, any disclosure of the confidential information. The bidder shall furnish an undertaking and has to sign a Non-Disclosure Agreement as per Annexure-VII on stamp paper. No media release, public announcement or any other reference to the RFP or any programme thereunder shall be made without the written consent of the Bank. Reproduction of this RFP, without the prior written consent of the Bank, by photographic, electronic or other means is strictly prohibited.

10 INDEMNITY:

10.1 The bidder (Contractor) will indemnify the Bank against all actions, proceedings, claims, suits, damages and any other expenses for causes attributable to the bidder.

10.2 The total liability of the selected bidder under the contract will not exceed the total cost of the project.

11 BIDDER’S OBLIGATIONS:

11.1 The bidder is obliged to work closely with the Bank's staff, act within its own authority and abide by directives issued by the Bank during the IS AUDIT activities.

11.2 The bidder is responsible for managing the activities of its personnel and will hold itself responsible for any misdemeanours.

11.3 The bidder is under obligation to provide IS AUDIT services as per the contract to the various offices of the Bank.

11.4 The bidder will treat as confidential all data and information about the Bank obtained in the execution of its responsibilities, hold it in strict confidence, and will not reveal such information to any other party without the prior written approval of the Bank.

12 INTELLECTUAL PROPERTY RIGHTS:

12.1 The Bidder shall indemnify the Bank against all third-party claims of infringement of copyright, patent, trademark, industrial design or any other intellectual property rights arising from use of the Software package or any part thereof in India and abroad.

12.2 In the event of any claim asserted by a third party of infringement of copyright, patent, trademark or industrial design rights arising from the use of the solution or any part thereof in India and abroad, the Bidder shall act expeditiously to extinguish such claims. If the Bidder fails to comply and the Bank is required to pay compensation to a third party resulting from such infringement, the Bidder shall be responsible for the compensation including all expenses, court costs and lawyer fees. The Bank will give notice to the Bidder of such claims, if made, without delay.

12.3 Performance Bank Guarantee

The successful bidder has to submit a Performance Bank Guarantee equivalent to 3% of the total contract value, for the due performance of the contract, valid for 15 months from the date of contract with a 12-month claim period from the expiry of the said Guarantee.

In case the Auditor fails to perform the contract or fails to pay the due penalty, if any, as demanded by the Bank, the Bank shall invoke the Performance Bank Guarantee to recover the penalty/damages.

13 SIGNING OF CONTRACT:

13.1 At the time when the Bank notifies the Bidder that its bid has been accepted, the Bank will send the Bidder the Contract Form (Annexure-VI) provided in the RFP, incorporating all agreements between the parties.

13.2 Within 10 (ten) days of receiving the Contract Form, the successful bidder shall sign the contract and return it to the Bank along with the required Performance Bank Guarantee.

13.3 The Bank reserves the right to select the next-ranked bidder if the selected bidder withdraws its bid after selection or at the time of finalization of the contract, or is disqualified on detection of wrong or misleading information in the bid.

13.4 In case the bidder fails to comply with the terms and conditions mentioned in the RFP and/or withdraws its bid after selection, its empanelment as IS Auditor will be cancelled and the bidder's name will be included in the list of ineligible persons/firms not to be considered for any future assignment.

13.5 Contract Amendment: No variation in or modification of the terms of the Contract shall be made except by written amendment signed by the parties.

13.6 The bidder shall not assign, in whole or in part, its obligations to perform under the Contract, except with the Bank's prior written consent.

14 PUBLICITY:

Any publicity by the bidder in which the name of the Bank is to be used shall be done only with the explicit written permission of the Bank.

Disclaimer

Subject to any law to the contrary, and to the maximum extent permitted by law, Punjab & Sind Bank and its officers, employees, contractors, agents and advisers disclaim all liability for any loss or damage (whether foreseeable or not) suffered by any person acting on or refraining from acting because of any information, including forecasts, statements, estimates or projections, contained in this RFP document or conduct ancillary to it, whether or not the loss or damage arises in connection with any negligence, omission, default, lack of care or misrepresentation on the part of Punjab & Sind Bank or any of its officers, employees, contractors, agents or advisers.

Annexure A

OTHER IMPORTANT TERMS & CONDITIONS

The bidder has to undertake the IS audit in a phased manner as described below:

PHASE I – CONDUCT OF IS AUDIT AS PER SCOPE, EVALUATION, DISCUSSION ON THE FINDINGS AND SUBMISSION OF FINAL REPORTS

PHASE II – COMPLIANCE AUDIT, REVIEW & CERTIFICATION

The activities covered under each Phase are appended below:

1. PHASE I

1.1 Conduct of Information Systems Audit as per the SCOPE OF WORK as defined in Clause 2.

1.2 The Bank will call upon the bidder, on placement of the order, to carry out a demonstration and/or walkthrough, and/or presentation and demonstration of all or specific aspects of the IS AUDIT at the Bank's desired location or, for a walkthrough, at a mutually agreed location. All the expenses for the above will be borne by the concerned bidder.

1.3 The audit schedule is to be provided 7 working days prior to the start of the audit, along with the names of the auditors who will be conducting the audit. Resumes of the auditors assigned to the project are to be provided to the Bank beforehand, and they should be deputed to the assignment only after the Bank's consent.

1.4 Commencement of IS Audit of IT Setups / branches as per the scope of Work.

1.5 Execute Vulnerability Assessment/Penetration Testing of the entire network, including Internet Banking, Mobile Banking, Tele Banking and Corporate Website, as per the scope of work and Annexure C & D, on the written permission of the Bank and in the presence of the Bank's officials; analysis of the findings and guidance for resolution of the same.

1.6 Detailing the Security Gaps

1.7 Document the security gaps, i.e. vulnerabilities, security flaws, loopholes, etc. observed during the course of the review of the CBS and other IT infrastructure of the Bank as per the scope of the Audit.

1.8 Document recommendations for addressing these security gaps and categorize the identified security gaps based on their criticality and the resource/effort required to address them.

1.9 Chart a roadmap for the Bank to ensure compliance and address these security gaps.

1.10 Addressing the Security Gaps

1.11 Help in fixing/addressing the security flaws, gaps, loopholes, shortfalls and vulnerabilities in the deployment of applications/systems which can be fixed immediately. If recommendations for risk mitigation/removal cannot be implemented as suggested, alternate solutions are to be provided.

1.12 Recommend fixes for system vulnerabilities, in design or otherwise, for application systems and network infrastructure.

1.13 Suggest changes/modifications in the Security Policies and Security Architecture, including Network and Applications, of PUNJAB & SIND BANK to address the same.

1.14 Final Reports of ISA Findings: The bidder has to discuss the preliminary report findings/observations/recommendations/suggestions with the Bank and, subject to the acceptance of the preliminary report by the Bank, the bidder has to submit the Final Report.

1.15 The final reports of the ISA findings will be submitted in parts, as detailed under the Deliverables section:

ISA Report: Executive Summary
ISA Report: Core Findings along with Risk Analysis
ISA Report: Detailed Findings / Checklists
ISA Report: Analysis of Reports / Corrective Measures & Suggestions along with Risk Analysis

1.16 Acceptance of the Final Report.

2. PHASE II

2.1 Compliance Review

An exercise to review compliance with the findings and recommendations of the ISA has to be undertaken by the bidder. This exercise would be undertaken preferably within 30 days from the date of completion of Phase I. However, the final date for the start of the Compliance Audit will be intimated by the Bank suitably. This exercise would encompass evaluation of the general/overall level of compliance undertaken by the Bank against the shortcomings reported in the ISA Reports.

2.2 Certification for compliance with the findings of the ISA & Final Sign-Off

On completion of the compliance review and before final sign-off, the bidder has to provide the Bank an ISA compliance certificate, including a certificate as per RBI guidelines for Internet Banking.

2.3 Documentation Format: All documents will be handed over in three copies, signed, legible, neatly and robustly bound, on A4-size good-quality paper. Soft copies of all the documents, properly encrypted, in MS Word/MS Excel/PDF format are also to be submitted on CDs/DVDs along with the hard copies. All documents will be in plain English.

3. DELIVERY SCHEDULE:

3.1 The delivery of the Reports of Phase I should be effected within 8 weeks of placement of the purchase order.

4. TERMS OF PAYMENT:

4.1 The Bidder's request for payment shall be made to the Bank in writing, accompanied by an invoice describing, as appropriate, the services performed and the documents submitted, and upon fulfilment of the other obligations stipulated in the Contract.

4.2 Payments shall be made promptly by the Bank on submission by the Bidder of an invoice/claim supported by all required documents.

4.3 Payment will be made to the Bidder in Indian Rupees only.

4.4 Payment Schedule:

Payment will be made on completion of the following milestones:

70% after completion of PHASE-I
30% after completion of PHASE-II

** TDS would be deducted at source for any payment made by the BANK as per the prevailing Rules of the Government of India.

4.5 Price Composition: The price quoted should be inclusive of the following:

a) Professional charges
b) Travel and halting expenses, including local conveyance
c) Out-of-pocket expenses
d) Excluding GST

4.6 Work contract tax or any other tax, if applicable, shall be borne by the Bidder.

4.7 The commercial bid shall be on a fixed-price basis and in Indian Rupees. No price variation should be asked for relating to increases in customs duty, any taxes, foreign currency price variation, etc.

4.8 All costs and expenses incurred by the bidder in any way associated with the development, preparation and submission of responses, including attendance at meetings, discussions, demonstrations, reference site visits, etc. and providing any additional information required by Punjab & Sind Bank, will be borne entirely and exclusively by the bidder.

5. TAXES & DUTIES:

5.1 The bidder will be entirely responsible to pay all taxes, including corporate tax, income tax, license fees, duties, etc., except GST, in connection with delivery of the services at site.

5.2 Wherever the laws and regulations require deduction of such taxes at the source of payment, the Bank shall effect such deductions from the payment due to the bidder. The remittance of the amount so deducted and issue of a certificate for such deductions shall be made by the Bank as per the laws and regulations in force.

5.3 GST, if applicable, will be paid by the Bank on an actual basis on production of proof.

5.4 Nothing in the contract shall relieve the bidder from its responsibility to pay any tax that may be levied in India on income and profits made by the bidder in respect of this contract.

5.5 Payment of Other Expenses:

a. The selected bidder will have to visit various offices of the Bank at various locations, like Mumbai, Chennai, Delhi, Noida, etc., during the course of the IS Audit. The Bank will not pay any expenses towards travelling, lodging and boarding of the members of the IS Audit team of the selected bidder. They will have to make their own travel and stay arrangements.

b. The bidder may perform a site inspection at its own cost to verify the appropriateness of the sites/facilities before the start of the Audit.

6. PROJECT SCHEDULE:

The selected bidder has to depute its officials to the Information Systems Audit Cell, HO Inspection Department, Gurugram within 10 days from the date of signing of the contract, for holding a formal meeting. During the said meeting, the bidder has to give a brief technical overview/presentation regarding the technical methodology being adopted by them to conduct the said audit.

The bidder has to maintain the schedule time frame as mentioned below:

The time frame for completion of Phase I of the project would be a maximum of 6 weeks.

The time frame for completion of Phase II would be a maximum of 2 weeks.

An exercise to review compliance with the findings and recommendations of the IS Audit has to be undertaken by the bidder (Phase II). This exercise would be undertaken preferably within 180 days from the date of completion of Phase I. However, the final date for the start of the Compliance Audit will be informed by the Bank in due course of time. The final ISA certificate is to be issued within a week of the Audit Compliance Review.

7. DELIVERABLES:

The major deliverables in this project are noted below:

7.1 Information Systems Audit as per the Scope of Work.

7.2 Vulnerability Assessment/Penetration Testing of the entire network including Internet Banking as per the scope of work and Annexure C & D, analysis of the findings and guidance for resolution of the same.

7.3 ISA Report (Type - Documentation)

7.3.1 Audit Report:

Broadly, the Audit Report shall contain and keep the undernoted points in view:

- Gaps, deficiencies and vulnerabilities observed in the audit. Specific observations will be given indicating the name and IP address of the equipment.
- Risk associated with the gaps, deficiencies and vulnerabilities observed.
- Analysis of vulnerabilities and issues of concern.
- Recommendations for corrective action.
- Category of risk (High/Medium/Low).
- Summary of audit findings, including identification of tests, tools used and results of tests performed during the IS Audit. Report on the audit covering the compliance status of the IS Audit. All observations will be thoroughly discussed with process owners before finalization of the report.

The audit report should be submitted in the following order:

- Location, Domain/Module, Hardware, Operating Systems.
- Detailed report of the network audit including VAPT, with recommendations and suggestions.
- Detailed report of VAPT.
- The audit report shall incorporate a certificate that the report covers every area specified in the scope of the BID.

The IS Audit Reports have to be submitted at the end of Phase I, and the set of reports would comprise the following sub-reports:

7.3.2 ISA Report: Executive Summary

An executive summary should form a part of the FINAL REPORT.

7.3.3 ISA Report: Core Findings along with Risk Analysis

The bidder will submit a report bringing out the core findings of the IS Audit exercise in the existing practices, along with a risk analysis of individual items, with reference to best practices and standards.

7.3.4 ISA Report: Detailed Findings/Checklists

The detailed findings of the ISA would be brought out in this report, which will cover in detail all aspects, viz. identification of flaws/gaps/vulnerabilities in the systems (specific to equipment/resources, indicating the name and IP address of the equipment with Office and Department name), identification of threat sources, identification of risk, identification of inherent weaknesses, servers/resources affected with IP addresses, etc. The report should classify the observations into Critical/Non-Critical categories and assess the category of risk implication as HIGH/MEDIUM/LOW RISK based on the impact. The various checklist formats designed and used for conducting the IS Audit as per the scope should also be included in the report, separately for servers (different for different OS), RDBMS, network equipment, security equipment, etc., so that they provide a minimum domain-wise baseline security standard/practice to achieve a reasonably secure IT environment for the technologies deployed by Punjab & Sind Bank. The reports should be substantiated with the help of snapshots/evidence/documents, etc. from where the observations were made.
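The finding record and the scope-coverage certificate described in 7.3.1 and 7.3.4 can be checked mechanically before the Phase I reports are bound. The following Python is an added illustration, not part of the RFP and not any bidder's toolkit: it models one finding with the fields the RFP names (equipment name, IP address, office and department, threat source, evidence, Critical/Non-Critical and HIGH/MEDIUM/LOW), validates it, groups findings by location and scope area, and refuses the 7.3.1 coverage certificate while any scope area has neither a finding nor a completed checklist. The 1-3 impact and exploitability scales, the rule that maps them to the labels, the scope areas and the sample findings are all assumptions constructed for the example.

```python
"""Added example (not from the RFP): finding record, validation, grouping and
scope-coverage check for the Phase I Detailed Findings report (7.3.1, 7.3.4).
The scales, the label mapping, the scope areas and the sample data are assumptions."""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

SCALE = (1, 2, 3)                                # assumed 3-point scales
RISK_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # sort key: worst first


@dataclass(frozen=True)
class Finding:
    title: str
    equipment: str            # name of the affected server/device
    ip: str                   # its IP address, as 7.3.4 requires
    office: str
    department: str
    scope_area: str           # scope-of-work area the observation belongs to
    threat_source: str
    impact: int               # 1 minor .. 3 severe (assumed scale)
    exploitability: int       # 1 hard .. 3 trivial (assumed scale)
    evidence: tuple = ()      # snapshots/documents substantiating the finding
    recommendation: str = ""  # corrective action (7.3.1)

    def risk(self) -> str:
        """HIGH/MEDIUM/LOW derived from impact, as 7.3.4 asks."""
        return {3: "HIGH", 2: "MEDIUM", 1: "LOW"}[self.impact]

    def is_critical(self) -> bool:
        """Assumed rule: Critical = severe impact that is also trivial to exploit."""
        return self.impact == 3 and self.exploitability == 3


def validate(f: Finding) -> list:
    """Reasons a finding is not yet fit for the report (empty list = fit)."""
    problems = []
    for name in ("title", "equipment", "office", "department",
                 "scope_area", "threat_source"):
        if not getattr(f, name).strip():
            problems.append(f"missing {name}")
    try:
        ipaddress.ip_address(f.ip)          # rejects 10.0.0.999, host names, blanks
    except ValueError:
        problems.append(f"invalid IP address {f.ip!r}")
    if f.impact not in SCALE or f.exploitability not in SCALE:
        problems.append("impact/exploitability must be in 1..3")
    if not f.evidence:
        problems.append("no evidence attached")
    if not f.recommendation.strip():
        problems.append("no corrective action recommended")
    return problems


def coverage_gaps(scope_areas, findings, checklists) -> set:
    """Scope areas with neither a finding nor a completed checklist.
    The 7.3.1 certificate (report covers every area of the scope) should be
    signed only when this returns an empty set."""
    covered = {f.scope_area for f in findings} | set(checklists)
    return set(scope_areas) - covered


def build_report(findings):
    """Group by (office, scope area); within a group Critical first, then by
    risk; also return HIGH/MEDIUM/LOW totals for the executive summary."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f.office, f.scope_area)].append(f)
    report = {
        key: sorted(grouped[key],
                    key=lambda f: (not f.is_critical(), RISK_ORDER[f.risk()], f.title))
        for key in sorted(grouped)
    }
    return report, Counter(f.risk() for f in findings)


# Constructed sample data for this example; none of it comes from the RFP.
SCOPE_AREAS = ("Servers", "RDBMS", "Network equipment", "Internet Banking")
SAMPLE_FINDINGS = [
    Finding("Default SNMP community string", "CORE-SW-01", "10.10.1.1",
            "Data Centre Mumbai", "Network", "Network equipment",
            "External attacker", impact=3, exploitability=3,
            evidence=("snmp_walk.png",),
            recommendation="Move to SNMPv3 auth/priv; restrict access to the NMS host"),
    Finding("Database listener accepts unauthenticated connections",
            "DB-CBS-02", "10.10.2.5", "Data Centre Mumbai", "Database", "RDBMS",
            "Insider", impact=3, exploitability=1, evidence=("listener.txt",),
            recommendation="Enable listener authentication and valid-node checking"),
    Finding("Verbose web server banner", "WEB-IB-01", "10.10.3.7",
            "DR Site Chennai", "Internet Banking", "Internet Banking",
            "External attacker", impact=1, exploitability=3,
            evidence=("banner.png",),
            recommendation="Suppress the version in the Server header"),
]
SAMPLE_CHECKLISTS = {"Servers": "linux_baseline_checklist.xlsx"}

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        assert not validate(f), validate(f)
    print("scope gaps:", coverage_gaps(SCOPE_AREAS, SAMPLE_FINDINGS, SAMPLE_CHECKLISTS))
    report, totals = build_report(SAMPLE_FINDINGS)
    for (office, area), items in report.items():
        print(f"{office} / {area}")
        for f in items:
            label = "CRITICAL" if f.is_critical() else "Non-Critical"
            print(f"  [{label} / {f.risk()}] {f.equipment} ({f.ip}): {f.title}")
    print("totals:", dict(totals))
```

Two design points: the IP address is parsed rather than pattern-matched, so a finding with a host name or a malformed address is rejected before it reaches the report, and the coverage check treats a completed checklist as coverage of an area with no findings, which is what lets the auditor certify areas that were reviewed and found clean.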

7.3.5 ISA Report: In-Depth Analysis of Findings / Corrective Measures & Suggestions along with Risk Analysis

The findings of the entire IS Audit process should be critically analysed, and controls should be suggested as corrective/preventive measures for strengthening/safeguarding the IT assets of the Bank against existing and future threats in the short/long term. The report should contain suggestions/recommendations for improvement in the systems wherever required. If recommendations for risk mitigation/removal cannot be implemented as suggested, alternate solutions are to be provided. Also, if formal procedures are not in place for any activity, evaluate the process and the associated risks and give recommendations for improvement as per best practices.

7.3.6 Provide Certification for the ISA (Type - Documentation & Service)

At the end of the IS Audit process, the bidder has to provide the Bank certification for the IS Audit, including a certificate as per RBI guidelines for Internet Banking.

7.3.7 Documentation Format: All documents will be handed over in three copies, signed, legible, neatly and robustly bound, on A4-size good-quality paper. Soft copies of all the documents, properly encrypted, in MS Word/MS Excel/PDF format are also to be submitted on CDs/DVDs along with the hard copies. All documents will be in plain English.

7.3.8 A list of the count of servers/devices at the different auditee locations (it may vary in the actual scenario) is enclosed as Annexure D.

Note: The list may vary in the actual scenario. Any new addition/upgradation in hardware, software, new deliverables, or change in architecture during the contract period at the Data Centre, DRS, etc. will also be covered in the audit. Exact details of the devices/equipment at the various auditee locations will be provided to the final shortlisted bidder at the time of placing the order.

ANNEXURE B: SCHEDULE OF REQUIREMENTS INDEX

Sr. No.   Annexure No.     Subject                                                     Page No.
1         Annexure-I       PROFILE OF THE BIDDER                                       37
2         Annexure-II      PROFILE OF THE PROPOSED CORE AUDIT TEAM                     38
3         Annexure-III     FORMAT FOR INDICATIVE COMMERCIAL BID                        39
4         Annexure-IV      BID FORM                                                    40
5         Annexure-V       PERFORMANCE GUARANTEE FORM                                  41
6         Annexure-VI      CONTRACT FORM                                               44
7         Annexure-VII     NON-DISCLOSURE AGREEMENT                                    45
8         Annexure-VIII    COMMERCIAL DEVIATION                                        49
9         Annexure-IX      LETTER OF CONFIRMATION                                      50
10        Annexure-X       COMPLIANCE FOR REVERSE AUCTION                              51
11        Annexure-XI      LETTER OF AUTHORITY FOR PARTICIPATING IN REVERSE AUCTION    52

ANNEXURE I: PROFILE OF THE BIDDER

RFP REF No: PSB/INSP/RFP/01/2021-22 Dt. 24.11.2021

DESCRIPTION / DETAILS

Registered address of the Bidder:
  Address:

Address for Correspondence of the Bidder:
  Address:
  STD-Phone:
  e-mail Id:
  FAX No:

Contact name of the official who can commit on the contractual terms, and the name of an alternate official who may be contacted in the absence of the former:
  Primary Contact:
    Name:
    Designation:
    STD-Phone No:
    Mobile Phone:
    e-mail ID:
  Alternate Contact:
    Name:
    Designation:
    STD-Phone No:
    Mobile Phone:
    e-mail ID:

Contact addresses if different from above:

Official Website: Web Site URL:

Authorized Signatory with Seal

Date:

Place:

Annexure II: PROFILE OF THE PROPOSED CORE AUDIT TEAM TO BE ASSIGNED FOR THE PROJECT

Columns: S.N. | Name | Designation | Part Time / Full Time | Role in IS Audit (Task/Module) | Professional Qualification | Years of IS Audit Experience

1
2
3
4
5
6
7
8
9
10

Authorized Signatory with Seal

Date:

Place:

Annexure III: (Indicative Commercial Bid)

FORMAT FOR INDICATIVE COMMERCIAL BID

PARTICULARS                                              AMOUNT (IN RS) INCLUDING ALL TAXES OTHER THAN GST
Cost of IS Audit as per the scope of work defined
in the RFP (inclusive of all fees & expenses)
TOTAL COST OF IS AUDIT

(Total Amount in Words: Rupees ................................)

Authorized Signatory with Seal

Date:

Place:

Note:

The Commercial Bid should contain the Total Cost of Audit on a fixed-cost basis. Punjab & Sind Bank will neither provide nor reimburse any expenditure towards any type of accommodation, travel tickets, airfares, train fares, halting expenses, transport, lodging, boarding, etc.

The prices quoted above should be inclusive of all taxes and duties as applicable, except GST. The commercial bid will be evaluated based on the TOTAL COST OF IS AUDIT, i.e. the amount including all taxes but excluding GST.

GST shall be payable extra on an actual basis.

Providing the Indicative Commercial Bid in a format other than this may lead to rejection of the bid.

Annexure IV

RFP REF No: PSB/INSP/RFP/01/2021-22 Dt. 24.11.2021

BID FORM

To                                                    Date:
PUNJAB & SIND BANK,
H.O. Inspection Department,
2nd Floor, Plot No. 151,
Institutional Area, Sector-44,
Gurugram – 122003

Having examined the RFP including all Annexures, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to provide IS Audit services in conformity with the said RFP and in accordance with the Price Composition indicated in the Commercial Bid and made part of the Bid.

We undertake, if our bid is accepted, to deliver the services in accordance with the delivery schedule specified in Annexure A.

We agree to abide by this bid for a period of 180 days from the last date of submission of the bid; it shall remain binding upon us and may be extended at any time before the expiration of that period.

We undertake that, in competing for (and, if the award is made to us, in executing) the above contract, we will strictly observe the laws against fraud and corruption in force in India, namely the “Prevention of Corruption Act 1988”.

We understand that the Bank is not bound to accept the lowest of any bid the Bank may receive.

Dated this ________________ day of _____________ 20__.

(Signature)                         (In the Capacity of)

Duly authorized to sign the bid for and on behalf of

(Name & Address of Bidder) ________________________________

Business _________________________ Address ________________

Annexure V: PERFORMANCE BANK GUARANTEE

(Issued by a nationalized/scheduled commercial Bank)

(ON A NON-JUDICIAL STAMP PAPER OF RS.100.00)

Tender Reference No: ………………                    Date: ………………

TO:
Punjab & Sind Bank
Head Office, 2nd Floor, Inspection Department,
Plot No.151, Institutional Area,
Sector-44, Gurugram – 122003

Bank Guarantee No: ………………   Bank Guarantee Amount: ………………   Expiry Date: ………………   Claim Period: ………………

Dear Sir,

GUARANTEE FOR PERFORMANCE OF CONTRACT/AGREEMENT

THIS GUARANTEE AGREEMENT is executed at ……………… on the ……… day of ……………… Two Thousand ……………… BY: ……………… Bank, a body corporate constituted under ………………, having its Registered Office/Head Office at ………………, and a Branch Office at ……………… (hereinafter referred to as “the Guarantor”, which expression shall, unless it be repugnant to the subject, meaning or context thereof, be deemed to mean and include its successors and assigns)

IN FAVOUR OF:

Punjab & Sind Bank, a body corporate established under the Banking Companies (Acquisition and Transfer of Undertakings) Act 1980 and having its Registered Office at 21, Rajendra Place, New Delhi 110008 (hereinafter referred to as “Bank”, which expression shall, unless it be repugnant to the subject, meaning or context thereof, be deemed to mean and include its successors and assigns),

WHEREAS the Bank had called for bids for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank, and for that purpose M/s……………………… have been appointed as the Vendor (hereinafter referred to as “Vendor”) and accordingly have entered into a Contract/Agreement on ……….. (Agreement) with the Bank, subject to the terms and conditions contained in the said documents, and the Vendor has duly confirmed the same.

AND WHEREAS pursuant to the Bid Documents, the Agreement and the other related documents (hereinafter collectively referred to as “the said documents”), the Bank has agreed to avail the services from M/s……………………., who have agreed to provide to the Bank the services of Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank, more particularly described in the Schedule/Annexure to the said documents, subject to payment of the contract price as stated in the said documents and also subject to the terms, conditions, covenants, provisions and stipulations contained in the said documents.

AND WHEREAS the Vendor has duly signed the said documents.

AND WHEREAS in terms of the said documents, inter alia, the Vendor is required to procure an unconditional and irrevocable performance Bank guarantee, in favour of the Bank, from a Bank acceptable to the Bank for a sum of Rs………………… (Rupees…………………………………………………….. Only) for the faithful observance and performance by the Vendor of the terms, conditions, covenants, stipulations, provisions of the Agreement/the said documents.

AND WHEREAS at the request of the Vendor, the Guarantor has agreed to issue the Guarantee in favour of the Bank for a sum of Rs. ………… (Rupees…………………………… Only).

AND WHEREAS at the request of the Vendor, the Guarantor has agreed to guarantee to the Bank that the Vendor shall faithfully observe and perform the terms of the said documents.

NOW THEREFORE THIS AGREEMENT WITNESSETH AS FOLLOWS:

In consideration of the above premises, the Guarantor hereby unconditionally, absolutely and irrevocably guarantees to the Bank as follows:

(1) The Guarantor hereby agrees and guarantees that the Vendor shall faithfully observe and perform all the terms and conditions stipulated in the Contract/Agreement and the said documents.

(2) The Guarantor hereby guarantees and undertakes to pay, on demand and without demur, reservation, contest, recourse or protest or without any reference to the Vendor, to the Bank at its office at New Delhi forthwith, all monies payable by the Vendor to the extent of Rs.………………………………………. against any loss, costs, damages, etc. suffered by the Bank on account of default of the Vendor in the faithful observance and performance of the terms, conditions, covenants, stipulations, provisions of the Agreement/said documents, without any demur, reservation, contest, recourse or protest or without any reference to the Vendor. Any such demand or claim made by the Bank on the Guarantor shall be final, conclusive and binding notwithstanding any difference or any dispute between the Bank and the Vendor or any dispute between the Bank and the Vendor pending before any Court, Tribunal, Arbitrator, or any other authority.

(3) The Guarantor agrees and undertakes not to revoke this Guarantee during the currency of these presents, without the previous written consent of the Bank and further agrees that the Guarantee herein contained shall continue to be enforceable until and unless it is discharged earlier by the Bank, in writing.

(4) The Bank shall be the sole judge to decide whether the Vendor has failed to perform the terms of the Agreement / said documents for providing the Services by the Vendor to the Bank, and on account of the said failure what amount has become payable by the Vendor to the Bank under this Guarantee. The decision of the Bank in this behalf shall be final, conclusive and binding on the Guarantor and the Guarantor shall not be entitled to demand that the Bank establish its claim under this Guarantee but shall pay the sums demanded without any objection, whatsoever.

(5) To give effect to this guarantee, the Guarantor will be deemed to be the Principal Debtor to the Bank.

(6) The liability of the Guarantor, under this Guarantee shall not be affected by:


(a) Any change in the constitution or winding up of the Vendor or any absorption, merger or
(b) Amalgamation of the Vendor with any other company, corporation or concern; or
(c) Any change in the management of the Vendor or take over of the management of the Vendor by the Government or by any other authority; or
(d) acquisition or rationalization of the Vendor and/or of any of its undertaking(s) pursuant to any law; or
(e) any change in the constitution of Bank / Vendor; or
(f) any change in the setup of the Guarantor which may be by way of change in the constitution,
(g) winding up, voluntary or otherwise, absorption, merger or amalgamation or otherwise; or the absence or deficiency of powers on the part of the Guarantor to give Guarantees and/or Indemnities or any irregularity in the exercise of such powers.

(7) This guarantee will remain in force up to 15 months from the date of signing of the contract.

(8) Notwithstanding anything contained in this Guarantee, the Guarantor hereby agrees and undertakes to extend the validity period of this guarantee for a further period as may be requested by the Bank, from time to time.

(9) This guarantee shall be binding upon us and our successors-in-interest and shall be irrevocable.

(10) For all purposes connected with this Guarantee and in respect of all disputes and differences under or in respect of these presents or arising therefrom, the courts of New Delhi where the Bank has its Head Office shall alone have jurisdiction to the exclusion of all other courts.

(11) Notwithstanding anything contained hereinabove:

I. Our liability under this Bank Guarantee shall not exceed Rs ........................................ (Rupees ……………………….. only)
II. This Bank Guarantee shall be valid up to …………….
III. We are liable to pay the guaranteed amount or any part thereof under this Bank Guarantee only and only if you serve on us a written claim or demand on or before ………………… (mention validity period + claim period)

IN WITNESS WHEREOF the Guarantor has caused these presents to be executed on the day, month and year first hereinabove written as hereinafter appearing.

SIGNED SEALED AND DELIVERED BY the within named Guarantor (Vendor Bank), by the hand of Shri. _______________, its authorised official.


Annexure VI: CONTRACT FORM (SAMPLE)

(Non-Judicial Stamp Paper of appropriate value)

RFP REF. NO.:

CONTRACT NUMBER:

THIS AGREEMENT made the _________ day of ______, 20___ Between PUNJAB & SIND BANK (hereinafter “the Purchaser”) of one part and __________ (Name of Selected Bidder) of ____________ (City and Country of Bidder) (hereinafter “the Bidder”) of the other part:

WHEREAS the Purchaser is desirous that certain services should be provided by the Bidder, viz. ________________ ________________ (Brief description of Services) and has accepted a bid by the Bidder for Information System Audit of Data Centre, Critical Applications, IT Processes etc. of the Bank.

NOW THIS AGREEMENT WITNESSETH AS FOLLOWS:

1. In this Agreement words and expressions shall have the same meanings as are respectively assigned to them in the Conditions of Contract referred to.

2. The following documents shall be deemed to form and be read and construed as part of this Agreement, viz.:
(a) RFP No. PSB/INSP/RFP/01/2021-22 dated 24.11.2021 and all its addendums/modifications;
(b) The Bid form and price schedule submitted by the bidder and subsequent amendments made into it as accepted by the bank;
(c) the Scope of work and deliverables;
(d) all terms & conditions as per RFP and Annexures.

3. In consideration of the payments to be made by the Purchaser to the Bidder in terms of the Purchase Order for IS AUDIT services placed by Head Office of the Purchaser, the bidder hereby covenants with the Purchaser to provide the services therein in conformity in all respects with the provisions of the contract.

4. The Purchaser hereby covenants to pay the bidder in consideration of the provision of services, the Purchase Order Price or such other sum as may become payable under the provisions of the Contract at the times and in the manner prescribed by the Contract.

IN WITNESS whereof the parties hereto have caused this Agreement to be executed in accordance with their respective laws the day and year first above written.

Signed, sealed and Delivered by the Said ________________________ (For the Bidder) in presence of _______________________

Signed, sealed and Delivered by the Said ________________________ (For the Purchaser) in presence of ______________________


Annexure VII: NON-DISCLOSURE AGREEMENT

(Non-Judicial Stamp Paper of appropriate value)

Tender No: RFP REF. NO.: HO/INSP/RFP/01/21-22

This Non-Disclosure Agreement is made and entered into at …………………. on this ………………….. day of ………….. 2021

BY AND BETWEEN ……………………………………………………….., a company incorporated under the Companies Act, 1956 having its registered office at ….………. (hereinafter referred to as the “Vendor”, which expression unless repugnant to the context or meaning thereof shall be deemed to include its permitted successors) of the ONE PART;

AND

Punjab & Sind Bank, a body corporate, established under the Banking Companies (Acquisition and Transfer of Undertakings) Act 1980 and having its Head Office at 21, Rajendra Place, New Delhi 110008 (hereinafter referred to as “Bank” which expression shall unless it be repugnant to the subject, meaning or context thereof, be deemed to mean and include its successors and assigns) of the OTHER PART.

The Vendor and Punjab & Sind Bank are hereinafter collectively referred to as “the Parties” and individually as “the Party”.

WHEREAS:

1. Punjab & Sind Bank is engaged in the business of providing financial services to its customers and intends to engage a service provider for supply, installation & maintenance of Hardware and Operating System under contract for five years.

2. In the course of such assignment, it is anticipated that Punjab & Sind Bank or any of its officers, employees, officials, representatives or agents may disclose, or deliver, to the Vendor some Confidential Information (as hereinafter defined), to enable the Vendor to carry out the aforesaid Implementation assignment (hereinafter referred to as “the Purpose”).

3. The Vendor is aware and confirms that all information, data, and other documents made available in the RFP/Bid Documents/Agreement/Contract or in connection with the Services rendered by the Vendor are confidential information and are privileged and strictly confidential and/or proprietary to Punjab & Sind Bank. The Vendor undertakes to safeguard and protect such confidential information as may be received from Punjab & Sind Bank.

NOW, THEREFORE THIS AGREEMENT WITNESSETH THAT in consideration of the above premises and Punjab & Sind Bank granting the Vendor and/or his agents and representatives specific access to Punjab & Sind Bank property / information and other data, it is hereby agreed by and between the parties hereto as follows:

1. Confidential Information:

(i) “Confidential Information” means all information disclosed/furnished by Punjab & Sind Bank to the Vendor whether orally, in writing or in electronic, magnetic or other form for the limited purpose of enabling the Vendor to carry out the proposed Implementation assignment, and shall mean and include data, documents and information or any copy, abstract, extract, sample, note or module thereof, explicitly designated as “Confidential”; provided the oral information is set forth in writing and marked “Confidential” within seven (7) days of such oral disclosure.

(ii) The Vendor may use the Confidential Information solely for and in connection with the Purpose and shall not use the Confidential Information or any part thereof for any reason other than the Purpose stated above.


Confidential Information in oral form must be identified as confidential at the time of disclosure and confirmed as such in writing within seven (7) days of such disclosure. Confidential Information does not include information which:

(a) is or subsequently becomes legally and publicly available without breach of this Agreement by either party,
(b) was rightfully in the possession of the Vendor without any obligation of confidentiality prior to receiving it from Punjab & Sind Bank,
(c) was rightfully obtained by the Vendor from a source other than Punjab & Sind Bank without any obligation of confidentiality,
(d) was developed by or for the Vendor independently and without reference to any Confidential Information and such independent development can be shown by documentary evidence, or is/was disclosed pursuant to an order of a court or governmental agency as so required by such order, provided that the Vendor shall, unless prohibited by law or regulation, promptly notify Punjab & Sind Bank of such order and afford Punjab & Sind Bank the opportunity to seek an appropriate protective order relating to such disclosure,
(e) the recipient knew or had in its possession, prior to disclosure, without limitation on its confidentiality,
(f) is released from confidentiality with the prior written consent of the other party.

The recipient shall have the burden of proving that the exceptions hereinabove are applicable to the information in the possession of the recipient. Confidential Information shall at all times remain the sole and exclusive property of the disclosing party. Upon termination of this Agreement, Confidential Information shall be returned to the disclosing party or destroyed, if incapable of return. The destruction shall be witnessed and so recorded, in writing, by an authorized representative of each of the parties. Nothing contained herein shall in any manner impair or affect the rights of Punjab & Sind Bank in respect of the Confidential Information.

In the event that any of the Parties hereto becomes legally compelled to disclose any Confidential Information, such Party shall give sufficient notice to the other Party to enable the other Party to prevent or minimize, to the extent possible, such disclosure. Neither party shall disclose to a third party any Confidential Information or the contents of this Agreement without the prior written consent of the other party. The obligations of this Clause shall be satisfied by handling Confidential Information with the same degree of care which the receiving party applies to its own similar confidential information, but in no event less than reasonable care.

The obligations of this clause shall survive the expiration, cancellation or termination of this Agreement.

2. Non-disclosure: The Vendor shall not commercially use or disclose any Confidential Information or any materials derived therefrom to any other person or entity other than persons in the direct employment of the Vendor who have a need to have access to and knowledge of the Confidential Information solely for the Purpose authorized above. The Vendor shall take appropriate measures by instruction and written agreement prior to disclosure to such employees to assure against unauthorized use or disclosure. The Vendor may disclose Confidential Information to others only if the Vendor has executed a Non-Disclosure Agreement with the other party to whom it is disclosed that contains terms and conditions that are no less restrictive than these presents, and the Vendor agrees to notify Punjab & Sind Bank immediately if it learns of any use or disclosure of the Confidential Information in violation of the terms of this Agreement.

Notwithstanding the marking and identification requirements above, the following categories of information shall be treated as Confidential Information under this Agreement irrespective of whether it is marked or identified as confidential:


a) Information regarding Punjab & Sind Bank and any of its Affiliates, customers and their accounts (“Customer Information”). For purposes of this Agreement, Affiliate means a business entity now or hereafter controlled by, controlling or under common control. Control exists when an entity owns or controls more than 10% of the outstanding shares or securities representing the right to vote for the election of directors or other managing authority of another entity; or
b) any aspect of Punjab & Sind Bank's business that is protected by patent, copyright, trademark, trade secret or other similar intellectual property right; or
c) business processes and procedures; or
d) current and future business plans; or
e) personnel information; or
f) Financial information.

3. Publications: The Vendor shall not make news releases, public announcements, give interviews, issue or publish advertisements or publicize in any other manner whatsoever in connection with this Agreement, the contents / provisions thereof, other information relating to this Agreement, the Purpose, the Confidential Information or other matter of this Agreement, without the prior written approval of Punjab & Sind Bank.

4. Term: This Agreement shall be effective from the date hereof and shall continue till expiration of the Purpose or termination of this Agreement by Punjab & Sind Bank, whichever is earlier. The Vendor hereby agrees and undertakes to Punjab & Sind Bank that immediately on termination of this Agreement it would forthwith cease using the Confidential Information and further promptly return or destroy, under information to Punjab & Sind Bank, all information received by it from Punjab & Sind Bank for the Purpose, whether marked Confidential or otherwise, and whether in written, graphic or other tangible form and all copies, abstracts, extracts, samples, notes or modules thereof. The Vendor further agrees and undertakes to Punjab & Sind Bank to certify in writing upon request of Punjab & Sind Bank that the obligations set forth in this Agreement have been complied with.

Any provisions of this Agreement which by their nature extend beyond its termination shall continue to be binding and applicable without limit in point of time except and until such information enters the public domain.

5. Title and Proprietary Rights: Notwithstanding the disclosure of any Confidential Information by Punjab & Sind Bank to the Vendor, the title and all intellectual property and proprietary rights in the Confidential Information shall remain with Punjab & Sind Bank.

6. Remedies: The Vendor acknowledges the confidential nature of Confidential Information and that damage could result to Punjab & Sind Bank if the Vendor breaches any provision of this Agreement and agrees that, if it or any of its directors, officers or employees should engage or cause or permit any other person to engage in any act in violation of any provision hereof, Punjab & Sind Bank may suffer immediate irreparable loss for which monetary compensation may not be adequate. Punjab & Sind Bank shall be entitled, in addition to other remedies for damages & relief as may be available to it, to an injunction or similar relief prohibiting the Vendor, its directors, officers etc. from engaging in any such act which constitutes or results in breach of any of the covenants of this Agreement.

Any claim for relief to Punjab & Sind Bank shall include Punjab & Sind Bank's costs and expenses of enforcement (including the attorney's fees).

7. Entire Agreement, Amendment and Assignment: This Agreement constitutes the entire agreement between the Parties relating to the matters discussed herein and supersedes any and all prior oral discussions and / or written correspondence or agreements between the Parties. This Agreement may be amended or modified only with the mutual written consent of the Parties. Neither this Agreement nor any right granted hereunder shall be assignable or otherwise transferable.

8. Dispute Resolution: Disputes, if any, arising out of this Agreement remaining unresolved by mutual discussions shall be referred to a sole Arbitrator for Arbitration and the provisions of the Arbitration & Conciliation Act, 1996, shall accordingly apply. The venue for such Arbitration shall be New Delhi. The language of the Arbitration shall be English.

9. Governing Law: The provisions of this Agreement shall be governed by the laws of India and the competent court at Delhi shall have exclusive jurisdiction in relation thereto even though other Courts in India may also have similar jurisdiction.

10. Indemnity: The Vendor shall defend, indemnify and hold harmless Punjab & Sind Bank, its affiliates, subsidiaries, successors, assigns, and their respective officers, directors and employees, at all times, from and against any and all claims, demands, damages, assertions of liability whether civil, criminal, tortious or of any nature whatsoever, arising out of or pertaining to or resulting from any breach of representations and warranties made by the Vendor and/or breach of any provisions of this Agreement, including but not limited to any claim from a third party pursuant to any act or omission of the Vendor, in the course of discharge of its obligations under this Agreement.

11. General: The Vendor shall not reverse-engineer, decompile, disassemble or otherwise interfere with any software disclosed hereunder.

All Confidential Information is provided “as is”. In no event shall Punjab & Sind Bank be liable for the inaccuracy or incompleteness of the Confidential Information. None of the Confidential Information disclosed by Punjab & Sind Bank constitutes any representation, warranty, assurance, guarantee or inducement with respect to the fitness of such Confidential Information for any particular purpose.

Punjab & Sind Bank discloses the Confidential Information without any representation or warranty, whether express, implied or otherwise, on truthfulness, accuracy, completeness, lawfulness, and merchantability, fitness for a particular purpose, title, non-infringement, or anything else.

12. Waiver: A waiver (whether express or implied) by Punjab & Sind Bank of any of the provisions of this Agreement, or of any breach or default by the Vendor in performing any of the provisions hereof, shall not constitute a continuing waiver and such waiver shall not prevent Punjab & Sind Bank from subsequently enforcing any of the provisions of this Agreement in respect of any subsequent breach or default by the Vendor.

In witness whereof, the Parties hereto have executed these presents the day, month and year first hereinabove written.

For and on behalf of ------------- Ltd.                For and on behalf of Punjab & Sind Bank

(Designation)                                          (Designation)


Annexure VIII: (Commercial Bid)

COMMERCIAL DEVIATION STATEMENT FORM

The following are the particulars of deviations from the requirements of the tender/bid:

CLAUSE | DEVIATION | REMARKS (Including justification)

The cost of offered IS AUDIT services furnished in the bidding document (Annexure-III) shall prevail over those of any other document forming a part of our bid except only to the extent of deviations furnished in this statement.

Dated ________________                Signature and seal of the Bidder

NOTE: Where there is no deviation, the statement should be returned duly signed with an endorsement indicating “No Deviations”.


Annexure IX

LETTER OF CONFIRMATION

The Asstt. General Manager,

PUNJAB & SIND BANK,

H.O. Inspection Department,

2nd floor, plot No. 151,

Sector 44,

Gurugram – 122003

Dear Sir,

We confirm that we will abide by the conditions mentioned in the Tender Document (RFP and annexures) in full and without any deviation subject to Annexure-VII & VIII. We shall observe confidentiality of all the information passed on to us in the course of the IS Audit process and shall not use the information for any other purpose than the current tender.

We confirm that we have not been blacklisted by any Govt. Department / PSU / PSE or Banks or otherwise involved in any such incident with any concern whatsoever, where the job undertaken / performed and conduct has been questioned by any authority, which may lead to legal action.

We also confirm that we are not a bidder / consultant to the bank involved in either supply/installation of Hardware/Software, implementation of Security/Network Infrastructure of the Bank or providing services excluding IS Audit services, in the past three years directly or indirectly through a consortium.

Place :

Date:

(Authorized Signatory)

SEAL


Annexure X

Compliance for Reverse Auction

RFP No: PSB/INSP/RFP/01/2021-22 Date: 24.11.2021

Punjab & Sind Bank,

2nd floor, Inspection Department,

Plot No. 151, Sector 44,

Gurugram – PIN 122003

Dear Sir,

We ______________________ (name of the company) hereby confirm having submitted our bid for participating in Bank’s RFP dated _________ for procurement of ____________.

1. We also confirm having read the terms of RFP as well as the Business Rules relating to the Reverse Auction for this RFP process.

2. We hereby undertake and agree to abide by all the terms and conditions stipulated by Punjab & Sind Bank in the RFP document including all annexures and the Business Rules for Reverse Auction.

3. We shall participate in the on-line auction conducted by ……………….. (Auctioneer Company) and submit our commercial bid. We shall also abide by the procedures prescribed for online auction by the auctioneer company.

4. We hereby confirm that we will honour the Bids placed by us during the auction process, failing which we shall forfeit the Earnest Money Deposit. We also understand that the bank may debar us from participating in future tenders.

5. We confirm having nominated Mr. ________________, designated as ______________ of our company to participate in the Reverse Auction on behalf of the company. We undertake that the company shall be bound by the bids made by him in Reverse Auction.

6. We accordingly authorize Bank and/or the reverse auction company to issue user ID and password to the above named official of the company.

7. Both Bank and the auction company shall contact the above named official for any and all matters relating to the Reverse Auction.

8. We hereby confirm that we will honour the Bids placed by Mr. __________ on behalf of the company in the auction process, failing which we will forfeit the EMD. We agree and understand that the bank may debar us from participating in future tenders for any such failure on our part.

9. We undertake to submit the confirmation of last bid price by us to the auction company/Bank within 48 working hours of the completion of event. We also undertake to submit the Bill of Materials for the TCO (Total Cost of Ownership) in terms of RFP.

Name of Authorized Representative: _______________________

Signature of Authorized Representative: ____________________

Verified above signature

Date: Seal and signature of the bidder


ANNEXURE – XI

Letter of Authority for Participating in Reverse Auction

Punjab & Sind Bank

Second Floor

Inspection Department

Plot Number 151, Sector 44,

Gurugram, 122003

Dear Sir,

We _____________________ (name of the Company) have submitted our bid for participating in Bank’s RFP dated _________________ for procurement of _______________.

We also confirm having read and understood the terms of the RFP as well as the business rules relating to the Reverse Auction for this RFP process.

As per the terms of RFP and Business Rules, we nominate Mr. __________________, designated as ______________________ of our company to participate in the Reverse Auction.

We accordingly authorize Bank and/or the Auction Company to issue user ID and password to the above named official of the company.

Both Bank and the auction company shall contact the above named official for any and all matters relating to the Reverse Auction.

We hereby confirm that we will honor the Bids placed by Mr. __________________ on behalf of the company in the auction process, failing which we will forfeit the EMD. We agree and understand that the Bank may debar us from participating in future tenders for any such failure on our part.

(Signature)

(Name of Authorized Signatory)

(Designation)

(Date)

Place:

(Name and address of the bidder)

(Company Seal)


ANNEXURE “C”

A. Systems/ Applications and its Locations (tentative)

1.1 Information Systems Audit should cover the entire Information Systems Infrastructure, which includes Servers & other hardware items, Operating Systems, Databases, Application Systems, Technologies, Networks, Facilities, Process & People of the under-noted locations:

Sr. No. | Particulars | DC | DR | NLDC
1. | CBS Servers, Interfaces, Network & Other Devices, Finacle Application | Navi Mumbai | Noida | Navi Mumbai
2. | ATM Switch & Back Office, ATM Card (Debit & Prepaid Cards) | Mumbai | Bangalore | N.A.
3. | Financial Inclusion, Centralized FI gateway Application solution | Navi Mumbai | Noida | N.A.
4. | E-KYC (Biometrics) | Navi Mumbai | Noida | N.A.
5. | Internet Application Banking | Navi Mumbai | Noida | Navi Mumbai
6. | Mobile Application Banking | Navi Mumbai | Noida | Navi Mumbai
7. | Mail Solution Messaging | Navi Mumbai | Noida | Navi Mumbai
8. | Intranet of the bank | Navi Mumbai | Noida | Navi Mumbai
9. | SMS Alert System | Mumbai | Pune |
10. | RTGS/NEFT etc. | HO IT Deptt., Rajendra Place (to be shifted to Mumbai) | Noida |
11. | Cheque Truncation System (CTS) - Northern Grid | Ranjit Nagar, New Delhi | Noida |
12. | Cheque Truncation System (CTS) - Southern Grid | RCC, Chennai (Opex Model) | |
13. | Cheque Truncation System (CTS) - Western Grid | RCC, Mumbai (Opex Model) | |
14. | Treasury Solution | Navi Mumbai | Greater Noida | N.A.
15. | UPI/OMNI Channel | Navi Mumbai | Noida | N.A.
16. | BBPS | Mumbai | Chennai | --
17. | POS, Cash@POS | Mumbai | Bangalore | --
18. | Bharat QR Code | Mumbai | Bangalore | --
19. | Aadhar Enable Payment System (AEPS) | Navi Mumbai | Noida |
20. | Merchant Aadhar Payment System | Hyderabad | Navi Mumbai |
21. | Accumen Pro Connect (Liquidity Management System) | HO IT Deptt., Rajendra Place | Noida |
22. | RFMS (Middleware) | HO IT Deptt., Rajendra Place | Noida |
23. | Call Centre | New DC, Mumbai | Noida |
24. | GST | Navi Mumbai | Noida |
25. | SWIFT | Navi Mumbai | Noida | --
26. | Card Management | Mumbai | Bangalore | --
27. | CCIL Server | HO IT Deptt., Rajendra Place | Noida | --
28. | ALM | Navi Mumbai | Noida | --
29. | AML | Navi Mumbai | Noida | --
30. | Data Archival Retrieval (DAR) | Navi Mumbai | Noida | --
31. | Security Operation Center (SOC) | Navi Mumbai | Noida | Navi Mumbai
32. | Account department Server and application | Rajendra Place | -- | --
33. | SWIFT (including process audit) | Navi Mumbai | Greater Noida New DR | --
34. | NOTIVA | Navi Mumbai | Noida | ----
35. | TRRACS | HO Rajendra Place | ----- | -----
36. | Third Party Applications: 1. PKI; 2. C-KYC; 3. E-TDS (as per HO account department no such application available); 4. LOS - Loan Origination System; 5. RTTS - Real Time Transaction System; 6. EIRMS - Risk Management Systems for Standardized & Advanced Approaches; 7. GST Suvidha Provider; 8. Internal Credit Rating Solution; 9. Settlement, Reconciliation & Dispute Management; 10. e-Procurement & e-Auction Services; 11. PFMS; 12. Doorstep Banking | Navi Mumbai | Noida | Navi Mumbai

B. IS AUDIT OF INTERNET BANKING (WWW.PSBONLINE.CO.IN), MOBILE BANKING, INTRANET.PSB.CO.IN, WEBMAIL.PSB.CO.IN, UPI, BHIM, FI AND CORPORATE WEBSITE (WWW.PUNJABANDSINDBANK.COM) OF THE BANK

While conducting the IS Audit, the guidelines and recommendations issued by CERT-In and the Reserve Bank of India must be strictly complied with.

C. Vulnerability Assessment & Penetration Testing (Internal and External)

The Bidder is expected to conduct a VA/PT of the deployed solution at the Data Centre and the Disaster Recovery Site and to verify that the security gaps identified have been closed. The minimum set of activities to be performed is detailed in the scope of work.

D. Application Review and Testing

The Bidder is to carry out an application review covering the functionality, security, and controls within the applications. The minimum set of activities to be performed is detailed in the scope of work. For security assurance of the applications, the auditor has to conduct VA, PT and white-box (credentialed) testing.


ANNEXURE 'D' LIST OF SERVERS/DEVICES IN DIFFERENT AUDITEE LOCATIONS
(Quantities may vary in the actual scenario.)

Servers, Storage & Tape Library
Sr. no. | Purpose | Model | Qty DC | Qty DR | Qty NLDC
1 | CBS Servers (Database + Application) | Oracle T4-4 | 2 | 2 | NA
2 | CBS Servers (Database + Application) | Oracle T4-1 | 6 | 6 | NA
3 | SASCL Server | Oracle T3-1 | 1 | NA | NA
4 | Storage | EMC VNX 5500 in DC & DR; EMC VNX 5300 in near site | 1 | 1 | 1
5 | SAN Switch | Cisco SAN Switch | 2 | 2 | 2
6 | Tape Drive | Tandberg T40+ Tape Library | 1 | 2 | NA
7 | Blade Chassis (Linux) | Cisco UCS chassis | 11 | 11 | NA
8 | Windows Servers | Cisco UCS Blade server | 46 | 33 | NA
9 | Storage | Cisco MDS 9132T 32G FC Enterprise | 2 | 2 | NA
10 | New MIS Server | S7-2L | 1 | NA | NA
11 | CBS Servers (Database + Application) | Oracle T8-1 | 2 | 2 | NA
12 | Storage | RecoverPoint | 2 | 2 | 2
13 | Storage | Dell EMC PowerStore 1000T | 1 | 1 | NA
14 | Storage | Dell EMC Networking S4112F-ON | 2 | 2 | NA
15 | Network | Switch & Router | 21 | NA | 4
16 | UCS Switch | UCS Switch | 4 | 4 | NA
17 | HSM | SafeNet | 3 | 3 | NA

Network Equipment


Sr. no. | Purpose | Model | Qty DC | Qty DR | Qty NLDC
1 | MPLS Routers | ASR1002-HX / ASR1002-HX-DNA | 2 | 2 | NA
2 | MPLS Switch | C9300-24T-E | - | 2 | NA
2 | vManage Server | UCSC-C240-M5SX | 6 | 6 | NA
3 | Internet Load Balancer | APV 2800 | 2 | 2 | NA
4 | Replication Load Balancer | APV 2800 | 2 | 2 | NA
5 | SD-WAN Router | ASR1002-HX-DNA | 2 | 2 | NA
6 | SD-WAN Controller | Cisco Business Edition Server / HX-FI-6454 / Cisco ISR 4331/K9 / Cisco Catalyst switch / HXAF220C-M5SX / HX-C220-M5SX | 13 | 4 | NA
7 | Internet Router | Cisco ISR 4331/K9 | 1 | 1 | NA
8 | BMC Server | HXAF220C-M5SX | 1 | 4 | NA
9 | Leaf Switch | N9K-C93180YC-FX / N9K-C9348GC-FXP / N9K-C93108TC-FX | 15 | 16 | NA
10 | Access Switch | N9K-C93180YC-FX / N9K-C9348GC-FXP | 3 | 3 | NA
11 | SD-WAN Switch | N9K-C93180YC-FX | 1 | 2 | NA
12 | APIC Server | UCSC-C220-M5SX | 3 | 3 | NA
13 | Backup Server | OV-NEOST247FC | 1 | 1 | NA
14 | BEEM Server | UCSC-C240-M5L | 1 | 1 | NA
15 | NTP Server | SyncServer S600 | 1 | 1 | NA
16 | Spine Switch | N9K-C9504 | 2 | 2 | NA
17 | TACACS Server | SNS-3655-K9 | 2 | 2 | NA
18 | Tetration Server | UCSC-C220-M5SX | 6 | 6 | NA
19 | Tetration Switch | TA-C93180YC-FX | 2 | 2 | NA
20 | vCenter | UCSC-C220-M5SX | 1 | 1 | NA

Security Equipment
Sr. no. | Purpose | Model | Qty DC | Qty DR | Qty NLDC
1 | Intranet Firewall | ASA5585-S20P20XK9 | 2 | 2 | NA
2 | RA VPN Firewall | ASA5545-K9 | 2 | 2 | NA


3 | Internet Firewall | CP4200 | 2 | 2 | NA
4 | CP Security Mgmt | Smart-1 | 1 | NA | NA
5 | CP SmartEvent | SM503-EVNT | 1 | NA | NA
6 | Access Control | CSACS-1121-K9 | 1 | 1 | NA
7 | Admission Control | ISE-3395-K9 | 8 | 8 | NA
8 | Web Gateway | MFE Web Gateway 5500 Appl-B | 2 | 1 | NA
9 | Email Gateway | MFE Email Gateway 5500 Appl-C | 2 | 1 | NA

Other
Sr. no. | Purpose | Model | Qty DC | Qty DR | Qty NLDC
1 | Network Monitoring | LMS-4.1-2.5K-K9 | 1 | 1 | NA
2 | Security Monitoring | L-CSMPR250-4.2-K9 | 1 | 1 | NA
3 | NAC | Cisco L-ISE-ADV5Y-5K= | 4 | 3 | NA

LIST OF SERVERS/DEVICES IN SOC
Sr. no. | Device/Technology | OEM | Model/Version | Purpose | Qty (DC / DR / HO IT)

Augmented Hardware (Switch, Server, Storage & Appliances)
1 | WAF | Barracuda | 660A | Web Application Monitoring | 2 / 2
2 | DDI | Trend Micro | 510 | Anti-APT | 2 / 2
3 | DDAN | Trend Micro | 1100 | Anti-APT | 2 / 2
4 | SAN Switch | Brocade | Brocade SAN Switch | Interconnectivity | 2 / 2
5 | NetApp SAN Storage | NetApp | 212 C | Storage | 1 / 1
6 | NetApp NL Storage | NetApp | 224 C | Storage | 1 / 1
7 | Cisco UCS Server | Cisco | C220 M5 | Server for Virtual Implementation | 5 / 2
8 | Cisco Catalyst N/W Switch | Cisco | 2960L | Network Equipment for N/W Connectivity | 4 / 4
9 | Internet Firewall Gateway | Check Point | | DMZ zone | 2 / 2


10 | Internet Firewall MGMT & Event | Check Point | | DMZ zone | 2 / 0
11 | Web Gateway (Proxy) | McAfee | | Proxy | 2 / 1

New Hardware (Switch, Server, Storage & Appliances)
1 | Core Firewall Gateway | Check Point | 6800 | MZ Zone | 2 / 2
2 | Core Firewall MGMT | Check Point | Smart-1 5150 | MZ Zone | 1 / 1
3 | EDR | Check Point | Smart-1 5150 | Endpoint | 1 / 1
4 | Endpoint Forensics & Behaviour Analysis with Anti-Phishing & SandBlast appliance | Check Point | SandBlast TE Appliance TE1000X | SandBlast | 2 / 2
5 | QOS | | | Testing, Training | 0 / 0 / 1
6 | DLP | McAfee | MFE DLP 6600A || 8543 | DLP | 4 / 4
7 | Web Gateway (Proxy) | McAfee | 5500 | Proxy | 0 / 1
8 | DDoS | Radware | DefensePro 20-2 | DDoS | 2 / 1
9 | SSL Interception Tool | Radware | Alteon 5208 | | 2 / 1
10 | VPN | Array | AVX 5800 | VPN | 1 / 1
11 | AlgoSec | AlgoSec | 2063 | Firewall Management | 1 / 1
12 | SIEM | RSA | NW S6 | Log | 5 / 5
13 | SIEM Storage | RSA | 78 TB PV, 96 TB PV | DAC | 2 / 2
14 | Load Balancer | Array | APV 1800 | Load Balancing | 2 / 2
15 | Switch Node | HP | 5710 48XGT | Network Equipment for N/W Connectivity | 4 / 2
16 | Server | HP | DL360 Gen 10 8SFF | Virtual Environment | 16 / 11
17 | SAN Storage | HP | MSA 2050 SAN SFF | Storage | 1 / 1
18 | FC Switch | HP | SN6010C 12 | Network Equipment for N/W Connectivity | 2 / 2


19 | Base Module | HP | MSL3040 | Tape Library | 1 / 1
20 | IP KVM | HP | Aten 17" TFT | Server Console | 1 / 1

Virtual Appliances
1 | Core Firewall Management | Check Point | Smart-1 5150 | Security management for external & internal firewall | 1 / 1
2 | NBAD | Vehere | PKTW-6Y-1616669830058-5G | Network Behaviour Anomaly Detection | 2 / 2
3 | MDM | BlackBerry | UEM 12.13.1 | BlackBerry UEM - Management Server & BCN | 2 / 2
4 | MDM | BlackBerry | UEM 12.13.1 | BlackBerry BEMS - Push Notification Server | 1 / 1
5 | MDM | BlackBerry | UEM 12.13.1 | BlackBerry BEMS - Database Server for Push Notifications | 2 / 2
6 | DRM | BlackBerry | App-x-10.1.1 | BlackBerry Workspaces - Application, Orchestration & Front End Server | 2 / 2
7 | DRM | BlackBerry | App-x-10.1.1 | BlackBerry Workspaces - Conversion Server | 2 / 2
8 | DRM | BlackBerry | App-x-10.1.1 | BlackBerry Workspaces - UCC | 2 / 2
9 | Archer | RSA | Version 6.9 SP1 P1 | IT GRC - Web Application Server | 6 / 4
10 | Archer | RSA | Version 6.9 SP1 P1 | IT GRC - DB | 3 / 2
11 | Archer | RSA | Version 6.9 SP1 P1 | IT GRC - Service Center | 3 / 2
12 | Decoy | Smokescreen | v4.9.11 | Integrated virtual appliance with built-in CMC and network decoys | 1 / 1
13 | Decoy | Smokescreen | v4.9.11 | Teleport v2.0 virtual appliances / agents for remote DCs and ROBOs | 1
14 | Web DLP | McAfee | 6600 | AntiVirus, DAM, DLP and Proxy | 2 / 1
15 | Web DLP | McAfee | 6600 | AntiVirus, DAM, DLP and Proxy | 1 / 2
16 | Mail DLP | McAfee | 6600 | Data Loss Prevention | 2 / 2
17 | Mail DLP | McAfee | 6600 | Data Loss Prevention | 1 / 2
18 | VAS | Tenable | Nessus Version: 5.19.0 | VA Tool - SecurityCenter | 1


19 | VAS | Tenable | Nessus Version: 5.19.0 | VA Tool - Nessus Scanner | 1
20 | AppSec | Micro Focus | V20.2.0 | Application security tool - LIM (License and Infrastructure Manager) server and SSC (Software Security Center) | 1
21 | AppSec | Micro Focus | V20.2.0 | Application security tool - Fortify SCA (Static Code Analyzer), WebInspect Database Server | 1
22 | Data Classification | Ghanghor | V3.0 | ISE - data classification server | 2 / 2
23 | Cyber Range | Nutanix | | Distributed Denial of Service (DDoS) and SSL Inspection Tool | 1
24 | IAM MAF | Micro Focus | V 4.8 | Identity Manager (eDirectory & MetaDirectory) in HA | 2 / 2
25 | IAM MAF | Micro Focus | V 4.8 | User Application (RBPM) component in HA | 2 / 2
26 | IAM MAF | Micro Focus | V 4.8 | IDM Reporting | 1 / 1
27 | IAM MAF | Micro Focus | V 4.8 | Identity Governance | 2 / 2
28 | IAM MAF | Micro Focus | V 4.8 | Self Service Password Reset | 2 / 2
29 | IAM MAF | Micro Focus | V 4.8 | Provisioned for AD Driver | 1 / 1
30 | IAM MAF | Micro Focus | V 4.8 | AG + IDP + AC | 3 / 3
31 | IAM MAF | Micro Focus | V 4.8 | NAAF Master Server | 1 / 1
32 | IAM MAF | Micro Focus | V 4.8 | NAAF Secondary Server | 2 / 2
33 | IAM MAF | Micro Focus | V 4.8 | SecureLogin Administration Server | 2 / 2
34 | IMSVA | Trend Micro | V9.1.0.2073 | Email Security | 1
35 | IMSVA | Trend Micro | V9.1.0.2073 | Email Security | 2
36 | HIPS | Trend Micro | V20.0.366 | Deep Security | 1 / 2
37 | HIPS | Trend Micro | V20.0.366 | DS Database | 2 / 2
38 | HIPS | Trend Micro | V20.0.366 | Smart Protection Reputation Server | 1 / 1


39 | MTP SDK | Check Point | | Firewalls, Endpoint Forensics & Behaviour Analysis, Endpoint Anti-Phishing, Mobile Threat Prevention | 1 / 1
40 | MTP SDK | Check Point | | Mobile Threat Prevention and SDK for Mobile Access Security | 1 / 1
41 | EDR EP Anti-Phishing | Check Point | V84.40 | Endpoint Forensics & Behaviour Analysis and Endpoint Anti-Phishing | 1 / 1
42 | DAM | McAfee | | ePO Server | 2
43 | DAM | McAfee | V4.7 | ePO Backend Database | 2
44 | DAM | McAfee | V4.7 | Database Security Management Application | 2 / 2
45 | DAM | McAfee | V4.7 | Database Security Management Backend Database | 2 / 2
46 | DNS Protection | EfficientIP | V7.3.1A | DNS Security | 1 / 1
47 | DNS Protection | EfficientIP | V7.3.1A | DNS Security | 1
48 | DNS Protection | EfficientIP | V7.3.1A | DNS Management | 1
49 | SIEM VLC | RSA | 11.5 | SIEM | 2 / 2
50 | TIF | McAfee | | Threat Intelligence Feed | 1 / 1
51 | Dark Web | RSA | | Dark Web Monitoring & Incident Response (Services) | 1 / 1
52 | SSLi DDoS | Radware | V4.80 | Distributed Denial of Service (DDoS) and SSL Inspection Tool | 1 / 1
53 | PAM | ARCON | U4 4.8.5.0 | Remote Management | 3 / 3