BANK OF INDIA, HEAD OFFICE, INFOSEC CELL – RFP FOR EMPANELMENT OF ISASP
Page 1 of 50
REQUEST FOR PROPOSAL (RFP)
For
Empanelment of Information Security and Audit Service Providers [ISASPs]
For Information Security Cell [ISC] and
Information Systems Audit Cell [ISAC]
Ref: HO: BOI/HO/RMD/INFOSEC/2014/112
Dated 31.10.2014 [Friday]
The information provided in response to this Request For Proposal (RFP) will
become the property of the bank and will not be returned. The Bank reserves
the right to amend, rescind or reissue this RFP and all amendments will be
advised to the bidders and such amendments will be binding on them. The
Bank also reserves the right to accept or reject any or all the responses to this
RFP without assigning any reasons whatsoever.
This document is prepared by Bank of India for its Empanelment of
Information Security and Audit Service Providers [ISASPs]. It should not be
reissued or copied or used either partially or fully in any form.
CONTENTS
PART DESCRIPTION
1. INVITATION TO BID (ITB)
2. DISCLAIMER
3. INSTRUCTIONS FOR BIDDERS (IFB)
4. TERMS & CONDITIONS OF CONTRACT (TCC)
5. ADDRESSES FOR NOTICES
6. BID FORMS, PRICE SCHEDULES AND OTHER FORMS
PART 1
INVITATION TO BID [ITB]
1. Background:-
Bank of India is a leading and innovative Public Sector Bank, having its registered office in
Mumbai. The Bank has 4800+ branches in India spread over all states / union territories including
150+ specialized branches and 36+ Extension Counters. Bank has 6 Staff Training Centers
[STCs]. M/s HP is the solution provider for Finacle CBS application and the system integration.
These branches are controlled through 50 Zonal Offices [ZOs] under six National Banking
Groups [NBGs]. The Bank has a dominant presence abroad with 56+ branches / offices. The
Bank is listed at both NSE & BSE. The Bank has 5,700+ ATMs spread over the Country.
2. Objectives:-
The bank has its primary Data Centre [DC] and Near Site in Mumbai and its Disaster Recovery
[DR] site at Bengaluru. The Data Center serves the domestic branches in India, Overseas
Branches, Offices of the Bank and Regional Rural Banks [RRBs] sponsored by Bank of India.
The Data Center houses various other applications and resources. The database environment is
a heterogeneous mix of UNIX, Linux, HP-Unix, AIX, Solaris and Windows platforms, with
databases like Oracle, SQL, PostgreSQL, Networking devices like CISCO, Check Point etc. The
Bank has Integrated Treasury Operations in Mumbai.
With multifarious servers, databases, network devices and applications serving as components of
the critical infrastructure, continuous maintenance, management and monitoring of the resources
are required.
The Bank had called for Expression of Interest (EOI) on the Bank’s website on 12.08.2014 for
Empanelment of Information Security Service Providers [ISSPs] from eligible vendors. Vendors
with their preferred services have participated in that process and made presentations to
understand the details about the various services offered by them.
3. General Terms and Conditions in brief:-
Now Bank of India invites sealed bids from the eligible Bidders to participate in this RFP for
empanelment of ISASPs under the following terms and conditions;
a) Fulfillment of eligibility criteria as mentioned below. These are MANDATORY and are to be
included in Technical Bid, without which the Bid is liable to be rejected.
b) Bank reserves the right to change the evaluation process for adherence to CVC guidelines
and / or better transparency as it deems fit.
c) This RFP is to empanel eligible firms to provide various services and activities related to
Information Security and Information Systems Audit for the Bank.
d) Bank’s decision on admissible and acceptable evidences is binding on the bidder.
e) Bank may have two groups of empanelment of ISASPs. Based on the marks obtained in the
Evaluation of Technical Bids, the panels of the Groups will be decided by the Bank.
f) Bank will reserve list of empaneled ISASPs to be used as per Bank’s discretion.
g) The purpose of the grouping is only to form two tiers for management convenience,
criticality of operations to be handled effectively etc.
h) It is the discretion of the Bank to decide which group an ISC / ISAC related exercise /
assignments would be allocated.
i) The Bank will communicate to the empaneled vendors about the objective, scope,
eligibility requirements, deliverables, time lines, any other information that is deemed fit for
smooth execution of the assignment and services.
j) The vendor would submit their quote regarding deployment of resources and the number of
man-days required for the specific assignment.
k) The selected empaneled bidder has to provide the documentation / presentation for the
assignment for PRE and POST implementation of the services during the actual process
of the assignment. We would also like to inform the bidders that the Bank has
a complex infrastructure with multiple resources maintained and managed through multiple
vendors. So the bidder has to coordinate with the service providers of different
applications / system integrators [SI] of the Bank to carry out assignment/s.
l) Upon empanelment, the Bidder is required to enter into an appropriate Service Level
Agreement [SLA], which will include a Clause for active Participation in the various Assignments
and Services offered by the Bank from time to time during the complete tenure of the agreement.
4. Non Refundable Bid Amount:-
A non-refundable bid amount of Rs. 5,000/- [Rupees Five Thousand only] is to be
paid by means of a demand draft / pay order favouring “Bank of India” payable at Mumbai
towards the cost of the Bid Application.
The Technical Bid envelope without the Bid Amount would be treated as non-responsive, and
in such case the financial / price bid envelope would not be opened.
5. Empanelment Period:-
The empanelment of ISASPs is proposed to be for a period of five years. This would be subject
to annual review. Bank reserves the right to de-empanel any empanelled ISASP. Empanelment
does not confer any rights on the vendors to necessarily receive assignments / jobs. This
allocation of assignments / jobs will be at the sole discretion of the Bank. Empaneled ISASPs are
required to enter into a Service Level Agreement [SLA] and a Non-Disclosure Agreement [NDA]. The
decision of the Bank in this regard will be final.
6. Schedule / Relevant Dates of this RFP:-
RFP Issuance Date: 31/10/2014 – FRIDAY
Last date for requesting any clarifications by Email: 13/11/2014 up to 12.00 noon – THURSDAY
Pre-bid meetings for clarifications: 14/11/2014, 4.00 to 5.00 p.m. – FRIDAY
Last Date & Time for Receipt of Bids at our Office: 25/11/2014 by 3.00 p.m. – TUESDAY
Date and Time of opening of Technical Bids: 25/11/2014, 4.00 p.m. – TUESDAY. Representatives of bidder may be present during opening of Technical bid, however, it would be opened even in the absence of any or all of the bidder's representatives.
Presentation on experience, proposed approach, work plan and methodology: 1st Week of December 2014 – Exact schedule will be advised separately.
Date and time of opening of Commercial Bids: 2nd Week of December 2014 – Exact schedule will be advised separately.
Contact Persons & Telephone Numbers: Shri Sanjay Save @ ISC – 6668 4974 & Shri R. K. Pamnani @ ISAC – 6131 9425
Address for Communication & Submission of bid: The General Manager, Risk Management Department, Information Security Cell, 4th Floor, East Wing, Star House - I, C-5, G-Block, Bandra Kurla Complex, Bandra East, Mumbai – 400 051. Email: [email protected]
Availability of Bid Document and all other related communications: Available on our Website – www.bankofindia.co.in under Tender Section
Bank reserves the right to change the dates / time mentioned in the RFP if any, which will be
communicated to bidders through our Website / Email separately.
PART – 2
DISCLAIMER
The information contained in this Request for Proposal (RFP) document or information provided
subsequently to bidder(s) or applicants whether verbally or in documentary form by or on behalf
of Bank of India (BOI - Bank), is provided to the bidder(s) on the terms and conditions set out in
this RFP document and all other terms and conditions subject to which such information is
provided.
This RFP is neither an agreement nor an offer and is only an invitation by BOI [Bank] to the
interested parties for submission of bids. The purpose of this RFP is to provide the bidder(s) with
information to assist the formulation of their proposals. This RFP does not claim to contain all the
information each bidder may require. Each bidder should conduct its own investigations and
analysis and should check the accuracy, reliability and completeness of the information in this
RFP and where necessary obtain independent advice. BOI makes no representation or warranty
and shall incur no liability under any law, statute, rules or regulations as to the accuracy, reliability
or completeness of this RFP. BOI may in its absolute discretion, but without being under any
obligation to do so, update, amend or supplement the information in this RFP.
PART – 3
INSTRUCTIONS FOR BIDDERS (IFB)
TABLE OF CLAUSES
Clause No. Topic
A. Introduction
3.1 General Background
3.2 Broad Scope of Work
3.3 Consortium
3.4 Cost of Bidding
3.5 Eligibility Criteria
B. Bidding Documents
3.6 Content of Bidding Documents
3.7 Clarification of Bidding Documents
3.8 Amendment of Bidding Documents
C. Preparation of Bids
3.9 Language of Bid
3.10 Format / Documents & Signing of the Bid
3.11 Bid Prices / Rates
3.12 Bid Currencies
3.13 Documents establishing Bidder’s Eligibility and Qualifications
3.14 Documents establishing eligibility and conformity
3.15 Bid Security
3.16 Period of Validity of Bids
3.17 Format and Signing of Bid
D. Submission of Bids
3.18 Sealing and Marking of Bids
3.19 Deadline for Submission of Bids
3.20 Late Bids
3.21 Modification & Withdrawal of Bids
E. Bid Opening and Evaluation
3.22 Opening of Technical Bids by the Bank
3.23 Clarification of Bids
3.24 Preliminary Examination
3.25 BID Evaluation & Comparison of Price Bids
3.26 Contacting the Bank
F. Award of Contract
3.27 Bank’s Rights
3.28 Notification of Award
3.29 Signing of Contract
A. Introduction
3.1 General Background
Bank of India (hereinafter referred to as the “Bank”) intends to prepare a panel of reputed Information Security and Audit Service Providers [ISASP], Information Security [IS] Consulting Organisations, Information Technology [IT] Auditors, Information Systems [IS] Audit Agencies / Firms [including Chartered Accountant Audit Firms with CISA qualified Auditors], Cyber Security Auditors and Forensic Consultants etc. for carrying out various activities, assignments and assistance to Information Security and IT / IS Audit related work of the Information Security Cell [ISC] in the Risk Management Department and the Information Systems Audit Cell [ISAC] in the Inspection and Audit Department of the Bank. The Bank has a mixed environment of outsourced and in-house managed IT. During the past decade, the Bank has strengthened its IT infrastructure. To embark upon its ambitious growth plan and meet the present and future needs of the Bank’s business, the Bank is in the process of upgrading its IT with the latest available technology.
The complexity of the Bank’s IT operations has increased, demanding a higher level of IS skills and monitoring of the IS operations, as well as of IS Audit requirements. The Bank invites proposals under this Request for Proposal [RFP] from reputed Companies / firms / Service Providers who have proven experience in the field of work related to Information Security, IT/IS Audit, Cyber Security and related work and who fulfil the eligibility criteria as laid down in this document.
Bank intends to have an Empanelment of Information Security and Audit Service Providers [ISASPs] for Information Security / IT & IS Audit related work, for a period of approximately five years at Bank’s discretion. This would be subject to annual review. In case an empaneled ISASP does not respond to the quotation / inquiry by Bank on three occasions or does not perform / execute the assignment during the validity of the empanelment, it may be delisted from the Panel by the Bank. The decision of the Bank will be final and binding on the Empaneled ISASPs.
3.2 Broad Scope of Work [SoW]
The types of present and future activities and services required by the ISC and ISAC of the Bank, as covered / defined in this RFP, are illustrative and indicative but not exhaustive. The scope may also undergo changes / updates due to implementation of new products, technology, projects, configuration requirements, business needs, legal and regulatory requirements etc. Broad SoW is as under:
1) Services on Information Security & Audit Projects and Security Certifications
2) Assistance in implementation of ISC and or ISAC related Project/s and Tools
3) IT and IS Audits including Outsourced Activities and Third Party Audits.
4) Technological Risk Assessment [TRA], Risk Profiling and Threat Perception of Assets,
GAP Analysis, Third Party Outsourcing Activities etc.
The Bid is open to all Bidders who fulfil the following eligibility criteria. Bidders are required to
submit their Bids along with supporting documents. If the Bid is NOT accompanied by ALL the
required documents together with CHECK LIST as per FORMAT – 6.13 supporting and
confirming eligibility criteria, the same would be REJECTED. No further communication will be
entertained in this regard.
Columns: Sr. No. / Eligibility Criteria / Enclose - Required Documents as Proof / To be Marked as

Sr. No. 1 (To be Marked as EC – 1)
Eligibility Criteria: Bidder should be Indian Company / Firm / Organisation, registered in India under Companies Act 1956 or related Act at least for the past FIVE years i.e. established on or before 01.04.2009.
Required Documents as Proof: Certificate of Incorporation / Date of Establishment / Registered Organisation.

Sr. No. 2 (To be Marked as EC – 2)
Eligibility Criteria: Bidder should be empaneled with CERT-IN.
Required Documents as Proof: CERT-IN Certificate.

Sr. No. 3 (To be Marked as EC – 3)
Eligibility Criteria: Bidders should have experience & expertise in handling Assignments / Services related to IS / IS-IT Audit in India in BFSI Sectors in last THREE years i.e. On or after 01.11.2011. They must have carried out Minimum TWO Information Security and or IS Audit related Assignments in BFSI during preceding year i.e. on or after 01.11.2013 for a duration of minimum 15 Man-Days.
Required Documents as Proof:
1> Details of Assignments and Experience Certificate from BFSI Sectors together with PO as per FORMAT – 6.6.
2> Number of different types of activities carried out in Banks in past 3 years i.e. after 01.11.2011 - FORMAT – 6.7.

Sr. No. 4 (To be Marked as EC – 4)
Eligibility Criteria: Bidder should have NET Profit in last THREE Financial Years [i.e. 2011-2012, 2012-2013 and 2013-2014].
Required Documents as Proof: Audited Balance Sheet, P&L or Certificate from CA.

Sr. No. 5 (To be Marked as EC – 5)
Eligibility Criteria: Bidder should have minimum Turnover of Rs. 10.00 Crores in the last Financial Year.
Required Documents as Proof: Certificate from CA.

Sr. No. 6 (To be Marked as EC – 6)
Eligibility Criteria: Fair Practice Code by Bidder – No [Black Listing, Barred, Litigation] by ANY Regulator / Statutory Body / Sector. Present and Past Litigations / Disputes [if any], Outcome and present status – Self Certificate.
Required Documents as Proof: Self-Declaration giving full details of Blacklisting, litigations etc. [if any please give results / present status with proof as an evidence.]

Sr. No. 7 (To be Marked as EC – 7)
Eligibility Criteria: Bidder should have Minimum TEN staff with any of the following qualifications / Certifications.
I> CISA, II> CISSP, III> CISM, IV> PCI-DSS, V> ISO 27001 LA/LI Holder, VI> COBIT Certificate Holder, VII> CEH, VIII> ISO 22301 LA/LI, IX> CCNA, X> COBIT Certification, XI> CRISC, XII> CHFI, XIII> GIAC, XIV> SSCP, XV> Any Other Specialised Products / Domains related Professional Qualifications / Certifications [Please Specify].
Required Documents as Proof: Provide details of No. of staff having listed certificates after avoiding duplication. Multiple Certificate Holders will be counted once only. Total 10 Staff. FORMAT – 6.8.

Sr. No. 8 (To be Marked as EC – 8)
Eligibility Criteria: Check List of Enclosures of all related documents including Bid Amount of Rs. 5,000/=.
Required Documents as Proof: As per the CHECK List. FORMAT – 6.13.
NOTES on Qualification / Eligibility Criteria:-
1> Assignments done during past three years i.e. on or after 01.11.2011 should only be
mentioned.
2> While it is desired to empanel vendors of versatile exposure and resources in the
Information Security and IS / IT Audit related activities for entrusting jobs from time to time
in any of the areas mentioned hereinabove, Bank at its sole and absolute discretion,
may opt for empanelment of firms with well-known specialised expertise in specific areas,
for limited empanelment for some specified activities only, in case of not fully and or
partly complying with all and or any of clauses stated above but are able to present
equivalent expertise in their specific areas, for specific jobs on a case to case basis.
3> ALL Documents are to be signed by the Authorised Signatories of the Bidders.
4> Supporting documents shall be copy of Work Order [PO], letters from clients on their letter
head, contacts of clients including Scope of Work [SoW] for all the relevant assignments
carried out during past three years from the date of RFP.
5> Brochures / Emails attached shall not be considered for evaluation.
6> Information Security and IT / IS Audit Services does not include sale of Products.
7> The Eligibility criteria mentioned in the RFP like turnover, staff experience, number of
qualified staff etc., should be maintained by the service provider till the end of the
empanelment period/contract period.
8> CHECK LIST in FORMAT– 6.13 must be enclosed.
B. The Bidding Documents
3.6 Content of Bidding Document/s
3.6.1 The Solution required, Bidding procedures, and contract terms are prescribed in the
Bidding Documents. The Bidding Documents include:
(a) PART 1 - Invitation To Bid (ITB)
(b) PART 2 - Disclaimer
(c) PART 3 - Instruction For Bidders (IFB)
(d) PART 4 - Terms and Conditions of Contract (TCC)
(e) PART 5 - Technical and Functional Formats and Specifications (TFF / TFS)
(f) PART 6 - Bid Forms, Price Schedules and other forms (BF)
3.6.2 The Bidder is expected to examine all instructions, forms, terms and specifications in the
Bidding Document. Failure to furnish all information required by the Bidding Document, or
submission of a Bid not substantially responsive to the Bidding Document in every respect, will
be at the Bidder’s risk and may result in the rejection of the Bid. Bidders are again reminded to
confirm the CHECK LIST in FORMAT – 6.13 before submitting the Bid document to the Bank.
3.7 Clarification of Bidding Document/s
3.7.1 Bidders requiring any clarifications, queries, questions etc. on the Bidding Document
[RFP] may notify the Bank by e-mail only, as indicated in the Invitation to Bid, on or before
12.00 noon on Thursday, 13.11.2014.
3.7.2 A pre-bid meeting is scheduled on Friday, 14.11.2014 from 4.00 p.m. to 5.00 p.m.
Venue for the pre-bid meeting will be at the communication address given below.
Bank of India, The General Manager – RMD, Information Security Cell [ISC], 4th Floor, East Wing, Star House - I, C-5, G-Block, Bandra Kurla Complex, Bandra East, Mumbai – 400 051. Email: [email protected]
Contact Officials / Senior Managers:
[1] Shri Sanjay Save - 6668 4974 from ISC and [2] Shri R. K. Pamnani - 6131 9425 from ISAC.
Bidders should provide their email address in their queries without fail. All responses will be posted on the website of the Bank.
3.8 Amendment of Bidding Document/s
3.8.1 At any time prior to the deadline for submission of Bids, the Bank, for any reason,
whether, at its own initiative or in response to a clarification requested by a prospective
Bidder, may modify the Bidding Document/s, by amendment.
3.8.2 All prospective Bidders will be notified of the amendment, if any, by Bank hosting the same
on the Bank’s website which will be final and binding on all the bidders. It will be the
responsibility of the bidders to regularly visit the Bank’s website for any amendments from
time to time and respond accordingly. No other intimation will be given by the Bank.
3.8.3 In order to allow prospective Bidders reasonable time in which to take the amendment into
account in preparing their Bids, the Bank, at its discretion, may extend the deadline for the
submission of Bids.
C. Preparation of Bids
3.9 Language of Bid
The Bid prepared by the Bidder, as well as all correspondence and documents relating to
the Bid exchanged by the Bidder and the Bank and supporting documents and printed
literature shall be written in English.
3.10 Format / Documents & Signing of the Bid
All the documents submitted by bidder shall be duly signed by the authorised
signatory.
3.10.1 Each bid shall be in two parts:-
Part I - Technical Bid Form – Stage I (in FORMAT – 6.11)
Part II – Commercial Bid (in FORMAT – 6.3)
The two parts should be in two separate covers, each super-scribed with the name of the Project,
i.e. “Empanelment of ISASPs - Technical Bid” or “Empanelment of ISASPs -
Commercial Bid” as the case may be. Both envelopes should be sealed in one
main envelope.
A Bid is liable to be rejected if it is incomplete.
3.10.2 The Bid shall be typed or written in indelible ink and shall be signed by the Bidder or a person or persons duly authorized to bind the Bidder to the Contract. The person or persons signing the Bids shall initial all pages of the Bids, except for un-amended printed literature.
3.10.3 Any inter-lineations, erasures or overwriting shall be valid only if they are initialled by the person signing the Bids. The Bank reserves the right to reject bids not conforming to any of above.
3.10.4 Documentary evidence establishing that the Bidder is eligible to Bid and is qualified for ISASP Empanelment, as per the CHECK LIST of evidences in FORMAT No. 6.13 of the Bidding Document, if its Bid is accepted.
3.10.5 A Non-disclosure Agreement as per FORMAT – 6.2
3.10.6 Documents comprising Price Bid Envelope, should be a complete document and placed in
a sealed envelope super-scribed as “COMMERCIAL BID” as per FORMAT – 6.3. Price
bids containing any deviations or similar clauses will be summarily rejected.
3.10.7 While submitting the Technical Documents and other documentary evidence, Literature
on the Solution Architecture Diagram, Drawings, Data and Brochures should be
segregated and kept together in one section/lot along with a CD containing the Technical
Documents and PPT of the proposed Presentation.
3.10.8 The other papers, Forms as mentioned above, etc. should form the main section, bound
properly so that no paper can be taken out/loosened, and should be submitted in one lot,
separate from the section containing literature and annual accounts etc. This includes
Referral letters from clients and customers.
3.11. Bid Prices / Rates
The prices / rates indicated in the Price Schedule shall be entered in the following manner:
The prices / rates should be specified only in “Commercial Bid” and must not be
specified at any other place in the bid document. The quoted prices should be exclusive of
all taxes and statutory levies such as Service Tax / VAT, Sales Tax, Octroi etc. which
should be specified separately.
Prices / rates quoted as above shall be valid for a minimum period of 180 days from last
date for submission of the tender / bid. This quote is applicable for this RFP process.
The Bank has the discretion to adopt the pricing formula on a case to case basis which will
be communicated to the empaneled bidders during the bidder selection process for an
exercise.
3.12. Bid Currencies
Bids are to be quoted in Indian Rupees only.
3.13 Documents Establishing Bidder’s Eligibility and Qualifications
3.13.1 The Bidder shall furnish, as part of its Bid, documents establishing the Bidder’s eligibility
to Bid and its qualifications to be empaneled as an ISASP, if its Bid is accepted.
3.14.2 The documentary evidence of the Bidder’s qualifications to be empaneled as an ISASP, if its Bid
is accepted, shall establish to the Bank’s satisfaction:
a) That the Bidder has the technical and professional capability necessary to perform the
Contract as per Organization Profile;
b) That adequate, specialized expertise is already available to ensure that the support
services are responsive and the Bidder will assume total responsibility for the operation
and assignment on continuous real time basis.
3.14 Documents Establishing Eligibility and Conformity to Bidding Documents as per
Techno – Commercial eligibility and Evaluation process prescribed by the Bank.
3.15. Bid Security
Upon empanelment as an ISASP, the Bidder may be required to furnish bid security at the time
of the actual assignment decided for the respective activity. The Bid security is required to
protect the Bank against the risk of Bidder’s conduct, which would warrant the security’s
forfeiture. The Bid security shall be denominated in Indian Rupees and shall be in the
form of a bank guarantee issued by a nationalised / public sector bank.
In case the Bidder is not ready to offer security as above, the Bid will be rejected by the Bank
as non-responsive.
Upon successful completion of the assignment/s, the Bid security will be discharged.
The Bid security may be forfeited:
a) if a Bidder withdraws its Bid during the period of Bid – assignment validity specified by
the Bidder on the Bid Form; or
b) if a Bidder makes any statement or encloses any form which turns out to be false /
incorrect at any time prior to signing of Contract; or
c) in the case of a successful Bidder, if the Bidder fails;
(i) to sign the Contract; OR
(ii) to furnish Performance Security OR
(iii) to furnish NDA
3.16 Period of Validity of Bids
Bids / rates shall remain valid for 180 days from the date of opening of the Bid. A Bid valid
for a shorter period shall be rejected by the Bank as non-responsive.
In exceptional circumstances, the Bank may solicit the Bidders’ consent to an extension of
the period of validity. The request and the responses thereto shall be made in writing.
3.17. Format and Signing of Bid
3.17.1 The Bid shall be typed or written in indelible ink and shall be signed by the Bidder or a
person or persons duly authorized to bind the Bidder to the Contract. The person or
persons signing the Bids shall initial all pages of the Bids, except for un-amended printed
literature.
3.17.2 Any inter-lineations, erasures or overwriting shall be valid only if they are initialled by the
person signing the Bids. The Bank reserves the right to reject bids not conforming to the
above.
D. Submission of Bids
3.18. Sealing and Marking of Bids
3.18.1 The inner and outer envelopes shall:
a) be addressed to the Bank at the address given; and
b) bear the Project Name “Empanelment of Information Security and
Audit Service Provider” and a statement: “DO NOT OPEN BEFORE (mention last
date of submission of the bid, i.e. 25.11.2014 before 4.00 p.m.)”.
c) All envelopes should indicate on the cover the name and address of the Bidder.
3.18.2 If the outer envelope is not sealed and marked, the Bank will assume no responsibility for
the Bid’s misplacement or premature opening.
3.19. Deadline for Submission of Bids
3.19.1 Bids must be received by the Bank at the address specified, not later than the date
and time for submission of Bids specified in the Invitation to Bid [RFP].
3.19.2 The Bank may, at its discretion, extend this deadline for the submission of Bids by
amending the Bid Documents, in which case, all rights and obligations of the Bank and
Bidders previously subject to the deadline will thereafter be subject to the deadline as
extended.
3.20. Late Bids
Any Bid received by the Bank after the deadline for submission of Bids prescribed, will be
rejected and returned unopened to the Bidder.
3.21. Modification and Withdrawal of Bids
3.21.1 The Bidder may modify or withdraw its Bid after the Bid’s submission, provided that
written notice of the modification, including substitution or withdrawal of the Bids, is
received by the Bank, prior to the deadline prescribed for submission of Bids.
3.21.2 The Bidder’s modification or withdrawal notice shall be prepared, sealed, marked and
dispatched. A withdrawal notice may also be sent by Fax, but followed by a signed
confirmation copy, postmarked no later than the deadline for submission of Bids.
3.21.3 No Bid may be modified after the deadline for submission of Bids.
3.21.4 No Bid may be withdrawn in the interval between the deadline for submission of Bids
and the expiration of the period of Bid validity specified by the Bidder on the Bid Form.
Withdrawal of a Bid during this interval may result in the Bidder’s forfeiture of its Bid
security amount.
E. Opening and Evaluation of Bids
3.22 Opening of Technical Bids by the Bank
The Bidders’ names, Bid modifications or withdrawals and the presence or absence of
requisite Bid Security and such other details as the Bank, at its discretion, may consider
appropriate, will be announced at the Bid opening. No bid shall be rejected at bid
opening, except for late bids, which shall be returned unopened to the Bidder.
Bids (and modifications sent) that are not opened at Bid Opening shall not be
considered further for evaluation, irrespective of the circumstances. Withdrawn bids will
be returned unopened to the Bidders.
3.23. Clarification of Bids
During evaluation of the Bids, the Bank, at its discretion, may ask the Bidder for
clarification of its Bid. The request for clarification and the response shall be in writing,
and no change in the prices or substance of the Bid shall be sought, offered, or
permitted.
3.24 Preliminary Examination
3.24.1 The Bank will examine the Bids to determine whether they are complete, required
formats have been furnished, the documents have been properly signed, and the Bids
are generally in order.
3.24.2 The Bank may, at its discretion, waive any minor infirmity, non-conformity, or irregularity
in a Bid, which does not constitute a material deviation.
3.24.3 Prior to the detailed evaluation, the Bank will determine the substantial responsiveness of
each Bid to the Bidding Document. For purposes of these Clauses, a substantially
responsive Bid is one, which conforms to all the terms and conditions of the Bidding
Document without material deviations. Deviations from, or objections or reservations to
critical provisions, such as those concerning Bid Security, Applicable Law, Performance
Security, Qualification Criteria, Insurance, Contract, AMC and Force Majeure will be
deemed to be a material deviation. The Bank’s determination of a Bid’s responsiveness is
to be based on the contents of the Bid itself, without recourse to extrinsic evidence. The
Bank reserves the right to evaluate the bids on technical & functional parameters
including possible visit to inspect live site/s of the Service providers and witness demos,
presentations or undertake a POC exercise of the system and verify functionalities,
response times, users acceptability etc.
3.24.4 If a Bid is not substantially responsive, it will be rejected by the Bank and may not
subsequently be made responsive by the Bidder by correction of the non-conformity. The
bank may, at its sole discretion, opt for a technical evaluation which will take into account
the capability of the bidder application to implement the proposed services.
3.24.5 In case of the successful bidder, the Bank will evaluate the capability of the bidder to fulfil
the requirements. If the Bank is not satisfied with the offerings, the Bank may cancel /
remove from empanelment from ISASPs without incurring any liability to anybody
whatsoever.
3.24.6 The Bank’s determination of a Bid’s responsiveness will be based on the contents of the
Bid itself, without recourse to extrinsic evidence.
3.25. Bid Evaluation Weightage and Comparison of Price Bids [TWO STAGES]
STAGE – I
The Bank proposes TWO stages for the Evaluation Process. In STAGE – I, the Bank intends
to arrive at TWO GROUPs. Based on the Highest Scorer, a list of Bidders will be prepared and
GROUPED. This STAGE – I is only for the purpose of Empanelment of ISASPs in TWO Groups.
3.25.1 Technical BID Evaluation – [STAGE – I]
Sr. No. | Activities / Details | Max Marks | Marks Scored * | Weightage | REMARKS
1 | Total No of Assignments carried out in BFSI related to IS / ISAC Activities in India as declared in FORMAT – 6.10 to be submitted by the Bidder. Proof need to be submitted. - One Mark per Assignment / Purchase Order [Maximum 3 Marks for 3 years for same / similar activity] for different activities in different organisations. | 23 | | |
2 | Total No of Assignments carried out for IS / ISAC related activities for their Global Clients as per the LIST enclosed as an evidence by the Bidder. One Mark per Assignment / Purchase Order after 01.11.2011 [i.e. during past three years]. | 10 | | |
3 | Total No. of Skilled Employees / Resources available as per the enclosed LIST of Employees with their Credentials / Certifications related to IS / ISAC Activities given in the FORMAT – 6.8. 11 to 25 Employees: 05 Marks; 26 to 50: 10 Marks; Over 51: 15 Marks | 15 | | |
4 | No. of Years’ Existence/Establishment in IS/ISAC related activities in INDIA in BFSI Sector. Evidence of the 1st Assignment to be enclosed as a proof of Experience. - One Mark per year prior to 01.04.2009. | | | |
 | sharing, etc. Attach Evidences as a proof. (each activity will carry 1 mark) | 10 | | |
6 | Certifications/Accreditations relevant to IS/ IS Audit Services received from GoI, RBI, IDRBT, IBA, Gartner, BFSI Sector or any other independent Authority. - One Mark per valid current Certificate | 05 | | |
7 | Presentation and Methodologies, Procedures, Tools, Utilities, Templates Developed / used during execution of previous assignments and arrangements for BCPDR Infrastructure proposed etc. presented by the Bidder. – To be given by Bank Team based on Presentations. | 25 | | |
* TOTAL Marks are to be calculated and filled by the Bidders for item Nos. 1 to 6 and submit together with the Technical Bid Cover
3.25.2 Bank shall have Technical Evaluation based on following broad criteria/parameters;
1> only qualifying eligible bidders will be considered for Technical Evaluation.
2> As per inputs and information provided in the bid, Services undertaken, presentations
by bidders, site visits [if required], existing customers feedback, highlights of noteworthy /
superior features of their services. Noticeable State of the Art Services, Capabilities
proposed and demonstrated, Future IS threats, Vision, future requirements NOT
highlighted by the Bank in the RFP, Specialised Services like Forensic Services etc.
offered. Bidder to provide evidences to substantiate their claims. This includes in house
capabilities, Proprietary Tools developed, Additional Support facility provided etc. Broad
base of Technical Evaluation weightage by the Bank Team / Committee will be as under;
a. Variety of Experience - 15%
b. Proposed Methodology and Work Plan - 30%
c. Professional Staff - 15%
d. Execution Capabilities - 15%
e. Specialised Services Offered - 15%
f. Other like Vision, Tools, Support Offered, Client Opinion etc. - 10%
3> To qualify, Bidders must score minimum 55% Technical Score in Technical Evaluation.
4> Bank proposed to form shortlist in TWO groups based on %age Tech. Score as under;
- Group “A” 76% and Above Tech. Score
- Group “B” 55% to 75% Tech. Score
- Bidders scoring less than 55% Tech. Score will not be considered. Their
Commercial Bids will NOT be considered for further process. Commercial Bids of
NOT qualifying Bidders will NOT be opened and returned to the respective Bidders.
BOI will NOT be responsible for security / privacy of such Bid/s.
- Bank may change / modify captioned criteria / parameters of Evaluation procedure
etc. at its sole discretion. Bank will decide on evaluation and weightage of
marks on the evidences / proof (acceptable to the bank) submitted and
presentation made by the bidder. The decision of the bank will be final. Bank
has right to verify, seek confirmation on the evidences furnished by the
bidders from the respective BFSI / Organisations.
3.25.3. The Bank may use the services of external consultants for bid evaluation, if required.
3.25.4. The Bank will evaluate and compare the Price bids, which have been determined to be
substantially responsive.
3.25.5 Arithmetical errors [if any] will be rectified on the following basis. If there is a discrepancy
between the unit price [man day rate] and the total price [no of days] that is obtained by
multiplying the unit price and quantity, the unit price shall prevail, and the total price shall
be corrected. If the successful bidder does not accept the correction of the errors, its Bid
will be rejected, and its Bid security may be forfeited. If there is a discrepancy between
words and figures, the amount in words will prevail.
3.25.5 The evaluation will be done on the basis of evaluation of the Technical bid and the bidder
offering the lowest price as mentioned in the respective FORMAT.
3.25.6 Commercial Evaluation
The envelope containing the Commercial Bids of only those Bidders, who are short-listed
and eligible after technical evaluation – STAGE - I, would be opened. The format for
quoting commercial bid is set out in FORMAT 6.3.
Commercial quotes of Bidders of Group A will be opened and compared. The lowest
quoted rates will be offered to the other bidders of Group A. All the Group A bidders
accepting the lowest quoted rates will be empanelled at those rates.
Similar separate process will be followed for bidders of Group B.
Bank will create two separate panels – Group A and Group B.
Allocation / Distribution of activities / assignments to different Group or any other Empaneled Bidders will be solely at the discretion of the bank.
Empanelment by the Bank does not constitute any right on the vendor to receive assignments / activities / work orders. The bank reserves the right to opt for manual negotiation.
3.25.7 Awarding of Assignment and Technical Bid Evaluation – STAGE - 2
This is an empanelment only, the actual job allocation or Scope of Work [SoW] will be a
dynamic time to time activity and in any areas of ISC / ISAC related activities as required by
Bank; payments will be based on actual work mutually agreed at the time of awarding an
assignment / contract.
While the empanelment will attempt to set specific service rates (man–hour, man-day /
man-month rate i.e. Rate per Hour, Rate per Day and Rate per Month), Bank can, at its
sole and absolute discretion, prefer multiple price models including piece rates for some
activities or techno-commercial bids for any specific activities or assignments from time to
time.
Entire process of Awarding actual assignment and Services is explained by giving an illustration as under; [However, this process is illustrative. Bank at discretion may adopt / change the process / parameters with prior intimation to respective empaneled bidders]
Example: Arrival of L1 [At the time of actual awarding of a Contract / Assignment]
A. Proficiency Assessment: (TECHNICAL EVALUATION - STAGE – II of Technical Bid)
1) Full marks i.e. 100 (notional absolute value) will be awarded to the empaneled bidder/s scoring the highest marks at the time of process of awarding a contract.
2) The inputs will be based on the information provided in this RFP - Bid process or Bank may ask for the latest information concerning the assignment / services.
3) Proportionate marks will be awarded to the other bidders as the percentage of the highest marks received.
4) Full 70 marks will be awarded to the bidder getting the highest marks.
5) Similarly proportionate marks will be awarded to the other bidders. (as per calculation shown under item B – Example).
6) Normally this will be dynamic based on the information provided by the Empanelled bidders for actual assignment / services.
7) Marks on Proficiency may vary / differ based on nature / criticality / proficiency required etc. This will be communicated to the bidders before actual requirement.
B. Commercial Assessment (Price Bid):
1) Rate of Man Hour / Day / Month will be the same rate agreed with the Empaneled ISASPs by the Bank.
2) Full marks i.e. 100 (notional absolute value) will be awarded to the bidder quoting number of MAN - HOURS / DAYS / MONTH for actual requirement for an assignment / services.
3) Actual cost of the Assignment will be No of Man days quoted x Agreed RATES for Man days [as the case may be]
4) Actual cost quoted by the Bidder for lowest price / rate as shown above.
5) Proportionate marks will be awarded to the other bidders as the percentage of the lowest quote.
6) Full 30 marks will be awarded to the bidder quoting the lowest price i.e. 30% of 100 i.e. 30.
7) Similarly proportionate marks will be awarded to absolute value quoted by other bidders (as per calculation shown under item a– Example)
8) As stated above Marks on Commercial Assessment may vary / differ based on requirements of nature / criticality / professional services etc.
Comparative Chart of Calculations
Bidder | X | Y | Z
(a) Price in ₹ (30% marks) | 1000 | 1100 | 1200
Calculation (i) | (1000/1000) x 100 = 100 | (1000/1100) x 100 = 90.90 | (1000/1200) x 100 = 83.33
Base is 100% of the lowest bidder | 100 | 90.90 | 83.33
Calculation (ii) | (100/100) x 30 = 30 | (90.90/100) x 30 = 27.27 | (83.33/100) x 30 = 24.99
Sub:- Our Bid for Empanelment of Information Security And Audit Service Providers
We intend to participate in the RFP process for empanelment of the vendors [ISSPs] to provide various ISC and ISAC related services required by the Bank. We submit our Bid Documents along with CHECK LIST. We understand that;
1> You are not bound to accept the lowest or any bid received by you, and you may reject all or any bid without assigning any reason or giving any explanation whatsoever.
2> Bank may follow close or open bidding [RFP] process as per requirement and sole discretion of the Bank.
3> If our Bid is accepted, we undertake to enter into and execute at our cost, when called upon by Bank to do so, a contract in the prescribed Form.
4> You may accept or entrust the entire work to one vendor or divide the work to more than one vendor without assigning any reason or giving any explanation whatsoever.
5> Vendor [ISASPs] means the Bidder (s) who is / are selected by the Bank after the RFP - bidding process.
6> The name(s) of successful bidder(s) to whom the empanelment is finally awarded after the completion of bidding process shall be communicated to the successful bidder(s) - ISSPs. Bank shall NOT entertain any communication in this regard.
7> We have gone through the Technical, Commercial Bidding process and other Terms and Conditions as mentioned in the RFP.
8> We understand that this RFP process is ONLY for empanelment of ISASPs and deciding the mutually agreed Man-Days / Man-Month Service charges.
9> We agree that the lowest price quoted by any vendor under each level will be final and binding on us.
10> We understood the entire bid process of empanelment including the grouping and levels mentioned within the groups.
11> The number of pages in the document is ……………….. This has been duly verified, signed and company’s stamp affixed.
Yours faithfully,
For: [Name of the Company] (Signature of the Authorised Official)
Name:- Designation:-
Place:- Date:-
FORMAT 6.10
Priority List of SERVICES and ASSIGNMENTS by the ISSP in BFSI Sector
SoW CODE No. | Services / Assignments | Capability YES | PRIORITY (1 is TOP Priority) | Total No. of Assignments
ISC-STD-01 | Vulnerability Assessment [VA]. | | |
ISC-STD-02 | Penetration Testing [PT]. | | |
ISC-STD-03 | Secured Configuration, & Hardening Documents Review - [Technical Standards Updation]. | | |
ISC-STD-04 | Mobile Application Review and Security related Work. | | |
ISC-STD-05 | Risk Assessment, Asset Classification, Review, Compliance of NDAs, SLA with Vendors / Third Party Outsourcing Agencies. | | |
ISC-STD-06 | SMS and All Middleware Security Review and related work. | | |
ISC-SPL-07 | Network Security, Access Control, Review of NAP Locations, Switches and Routers and LAN - WAN NW. | | |
ISC-STD-08 | General Controls Review / Audit Review and related Work. | | |
ISC-STD-09 | Anti-Phishing, Anti-Malware and Brand Monitoring Services etc. | | |
ISC-STD-10 | PCI DSS Certification and Compliance related Work. | | |
ISC-SPL-11 | COBIT – Advisory Services and related Work. | | |
ISC-STD-12 | ISO 20000 Certification and related Work. | | |
ISC-STD-13 | ISO 22301 Certification, Automated Score ISMS Score Board and related Work. | | |
ISC-STD-14 | ISO 27001 Certification and related Work. | | |
ISAC-STD-15 | ISO 27001 Audit and Compliance related Work. | | |
ISAC-SPL-16 | Review, Update Gaps of IS Audit Policies, IS Audit Manual, IS Audit Procedures, Metrics and related Work. | | |
ISC-SPL-17 | Review, Update Gaps of Corporate Information Security Policy [CISP], Procedures, Metrics, Controls. | | |
ISAC-SPL-18 | IS Audit - Internal Control Guidelines of Treasury Branch, Dealing Room Activities Review and related Work. | | |
ISAC-STD-19 | IS Audit of ATMs of Bancs under Section PSS Act 2007 of RBI and related Work. | | |
ISAC-STD-20 | IS Audit of ATMs of BOI Network, Gaps and related Work. | | |
ISAC-SPL-21 | Concurrent Audit of Data Center | | |
ISC-SPL-22 | Forensic Audit / Analysis / Special Reviews / Scrutinise / Cyber Crime – Investigations and related Work. | | |
ISAC-STD-23 Green Process Audit [GPA], Configuration