
Ref. No./ RFP.No.0001/ VAPT/ HO:ID/ 0084/ ISA/ VAPT-2017
Date: 06.01.2017

To,
All Eligible CERT-IN Empanelled Information Systems/ Security Auditing Organizations [for eligibility please see the clause: 2. Pre Qualification Criteria]

Note: In the following pages, 'IS Audit/ IS Security Firm', 'IS Auditor', 'IS Security Auditor' and 'Vendor' are used interchangeably, and these terms should be construed as having the same meaning for the purpose of this document.

Sub: Request For Proposal for conducting:

Comprehensive Audit of SWIFT Infrastructure
Detailed pre-implementation Application Control Audits and Data Migration Audits with regard to critical systems as per the Gopalakrishna Committee recommendations
Vulnerability Assessment and Penetration Testing (VAPT) of our Bank's CBS (Core Banking Solutions) Internal as well as External Systems/ Networks
Application security testing of web/ mobile applications throughout their lifecycle (pre-implementation, post-implementation, after changes) in an environment closely resembling or a replica of the production environment, etc., as per 'Scope of Work'
Any other Audit on need basis

We request you to submit your proposal for a period of 3 years, as per the specifications mentioned in Annexure-2 Scope of Work.

INSPECTION DEPARTMENT
Head Office, Manipal - 576104
GM: 0820-2570898 DGM: 2570386 AGM: 2574390
Fax: 0820-2570967 E-Mail: [email protected]

1.1 Background

Syndicate Bank has implemented the Core Banking Solution covering all the branches and offices, which are connected to the Data Centre through a Wide Area Network. Internet Banking Services are being offered to eligible customers. The modes of connectivity to the branches are a combination of VSATs, MPLS (leased lines), ISDN lines and other forms of connectivity which may emerge in the near future. The Bank has also implemented various other systems and processes like Mobile Banking/ SMS Banking, Cheque Truncation System (CTS), Financial Inclusion (FI), Cash Management Services (CMS) & Depository Participant (DP), Integrated Treasury Management System (ITMS) and Card Centre related technologies.

To secure the Network, Communications, Systems and Application software, Databases, Data, Information, etc., and to ensure the availability of resources to authorised users without any disruption or degradation, the Bank has put in place a robust security framework as per the Information Security Policy of the Bank. The Bank wants to utilise the services of an Information Security Auditor to undertake penetration testing and vulnerability assessment of the CBS Network (internal/ external) as per the Information Security Policy and Information Systems Audit Policy of the Bank.

The present RFP is for engaging the services of an Information Security Auditor for a period of three years for undertaking various Audit/ Security jobs, as per the scope of work defined by the Bank in Annexure-2. The selected IS Audit/ Security firm will be on the panel for a period of three years and the Bank may utilise its services for undertaking such IS Audit/ Security activities.

The field of Information Technology is very dynamic and the pace at which changes take place is very high. As such it is difficult to predict precisely the future IT scenario/ environment of the Bank. While we do not anticipate any change in the scope of work for the current year, should there be any change, the Bank has the right to make it. The Bank reserves the right to cancel the engagement without assigning any reason whatsoever.

1.2 Qualified professionals to be deployed for the job

The entire Audit work has to be carried out by qualified CISA/ CISSP professionals having the requisite expertise in Information Security Audit. The Information Security Audit should be completed within the mutually agreed implementation and security integration schedule.

1.3 Annexures to RFP

This RFP comprises the following Annexures:

Annexure 1: Bidders Details
Annexure 2: Scope of Work
Annexure 3: Indicative Checklists for IS Audit on Internet Banking as suggested by the RBI Committee on Computer Audit, for guidance (Paragraphs 15.1 to 15.61)
Annexure 4: Pre-qualification Criteria
Annexure 5: Bid Form
Annexure 6: Bid Security Form
Annexure 7: Letter of Authorization to Bid
Annexure 8: Service Support Form
Annexure 9: Terms and Conditions Compliance Table
Annexure 10: Turnover and P & L details
Annexure 11: Format for seeking clarification in respect of RFP Terms
Annexure 12: Rules for Reverse Auction
Annexure 13: Details of servers, networking equipment and locations
Annexure 14: Format of Non-Disclosure Agreement to be executed by the successful bidder
Annexure 15: Format of Contract/ Agreement to be executed by the successful bidder
Annexure 16: Performance Bank Guarantee format

1.4 Bidding Process

Bidders are requested to submit Bidder's Details containing the General Terms and Conditions, including Compliance to Scope of Work and other applicable documents as mentioned elsewhere in this RFP only, and NOT to submit a commercial bid. Bidder's Details shall NOT contain any pricing or commercial information. The bidder is not required to submit the Price Bid, as the Bank will be conducting an online sealed bid and Reverse Auction. In the first stage, only Bidder's Details will be opened and evaluated. Those bidders satisfying the requirements as determined by the Bank and accepting the terms and conditions of this document shall be short-listed. In the second stage, the Bank will conduct the online sealed bid and Reverse Auction among the bidders short-listed as above. Bidders are requested to go through 'Rules for Reverse Auction' as detailed in Annexure-12.

2. Pre Qualification Criteria

Bidders must meet the following eligibility requirements:

2.1 Bidders should be from CERT-IN empanelled Information Systems Audit Organizations and shall produce a certificate from CERT-IN in this regard; bids without this certificate will not be considered for evaluation and will be rejected.

2.2 Organizations who are working in any of our Bank's projects at present and/ or are already engaged by our Bank as vendor for any software and/ or any hardware/ network/ security components and/ or are involved directly or indirectly in implementing/ managing the Security/ Network infrastructure for the Bank are not eligible, and proposals received from such Organizations will not be taken into consideration.

2.3 The bidder should have a minimum of 3 years' experience in Information Systems Audit/ Network Audit of any Bank/ financial Organization.

2.3a The Bidder should not have conducted IS Audit/ VAPT of the Bank during the last 2 years.

2.4 Bidders should have performed Penetration Testing & Vulnerability Assessments, Information Systems/ Security Audits and Application Control reviews for at least one Bank in India with a network of minimum 500 branches.

2.5 The bidder should have a minimum of 5 CISA/ CISSP qualified Information Security Auditors for conducting the Information Systems/ Security Audit and continue to have the same during the validity period of the contract.

2.6 The Bidder should have made a profit in each of the last 3 financial years, i.e., 2013-2014, 2014-2015 and 2015-2016.

2.7 The vendor should arrange for producing supporting documents in respect of proof of Information Systems/ Security Audits conducted by them of our Bank's CBS (Core Banking Solutions) Internal as well as External Systems/ Networks, total turnover, list of support centres and qualified professionals on the rolls of the company.

2.8 The Vendor should submit proof in support of all Pre-Qualification Criteria while submitting the bid proposals, failing which the Bid proposal will not be considered for further evaluation and may be treated as technically non-responsive.

2.9 The Bank reserves the right not to consider for further evaluation the bids of vendors who do not meet the Pre-Qualification Criteria.

2.10 The vendor should submit Annexure 4 on Pre-qualification Criteria.

3. Documents to be submitted

The bidder shall submit the following:

1) All applicable annexures given in this document.
2) Bidder's Details as per Annexure 1.
3) Bidder's acceptance of the terms and conditions as contained in this document, on the company letterhead.
4) Documents supporting all eligibility and Technical specifications/ requirements.
5) Photocopies of Audited financial statements (Balance Sheet and P & L a/c) for the financial years ended 31st March 2014, 31st March 2015 & 31st March 2016.
6) DD/ BC towards cost of RFP as per clause 24 of this RFP.
7) BG towards Bid Security as per clause 25 of this RFP.
8) An undertaking as per clause nos. 12 & 13 of this RFP.
9) Please furnish full details, ensuring strict conformity with the specifications in every respect, in order to avoid ambiguity.

4. Instructions to Bidders

1) The Vendor has to invariably submit Annexure 9 on compliance to the various terms and conditions of this RFP.
2) All papers of Bidder's Details should invariably be stamped and signed by the personnel authorized to submit the Bid.
3) Bid documents are to be numbered serially, like Page 1 of 50, Page 2 of 50, etc.
4) All documents meant for submission should be properly filed, either with spiral binding or in a box file, to facilitate easy handling.

5. Bidding

The cost of bidding and submission of tender documents is entirely the responsibility of bidders, regardless of the conduct or outcome of the tendering process.

6. Bid currency

All costs and charges related to the bid shall be expressed in Indian Rupees (₹).

7. Period of bid validity

The Bids shall be valid for a period of ONE YEAR from the last date for submission of the bid.

8. Format and signing of bid

An accompanying letter is required, signed by an authorised signatory of the bidder [Annexure 7]. Each bid shall be made in the legal name of the Bidder and shall be signed and duly stamped by the Bidder or a person duly authorised to sign on behalf of the Bidder.

9. Evaluation and comparison of bids

The Bank reserves the right to modify or relax the eligibility criteria at any time, without assigning any reason whatsoever. Only bids from Bidders meeting the eligibility criteria and submitting complete and responsive bids will proceed to the stage of being fully evaluated and compared. The evaluation procedure to be adopted for the bid will be at the sole discretion of the Bank, and the Bank is not liable to disclose either the criteria or the evaluation report/ reasoning to the bidder(s).

10. Acceptance or rejection of bid

The Bank reserves the right to accept any bid, or to reject a particular bid, at its sole discretion without assigning any reason whatsoever.

11. Confidentiality/ Non-Disclosure Agreement

As the successful bidder(s) will have access to the data/ information of the Bank while auditing its security, the Bank will require the bidder(s) to sign a confidentiality/ non-disclosure agreement [format given in Annexure-14] within 30 days of accepting the Purchase Order, undertaking not to disclose or part with, to any person or persons, any information relating to the Bank and its data that may come into the possession of the successful bidder(s) during the course of Vulnerability Assessment and Penetration Testing.

12. Compliance to Laws in India

The Information Systems/ Security Auditor will undertake to comply with all the prevailing laws and regulations in India relevant for Information Systems Audit.

13. Compliance to Regulations of Reserve Bank of India/ other Regulatory bodies and agencies

The Information Systems/ Security Auditor will also undertake to comply with all the requirements of the guidelines of the Reserve Bank of India or other appropriate agencies as regards Information Systems Security Standards issued from time to time.

Note: The Bank reserves the right to inform IBA/ GOI/ RBI in case any major vulnerability is noticed within 6 months from the date of the Security Audit.

14. Signing of Contract/ Agreement

The successful bidder shall be required to enter into a contract (as per the format given in Annexure-15) with SyndicateBank within 7 days of the award of the tender, or within such extended period as may be specified by The General Manager, Inspection Department, SyndicateBank, Head Office, Manipal-576104, Karnataka. The successful bidder shall submit a letter of acceptance of the Purchase Order issued by the Bank and agree to such other terms and conditions in writing as may be determined by the Bank to be necessary for the due performance of the work, as and when required by the Bank.

15. Governing Language

All correspondence and other documents pertaining to the contract shall be written in English only.

16. Notices

Any notice given by one party to the other pursuant to this contract shall be sent to the other party in writing or by cable or facsimile and confirmed in writing to the sender's address (the address as mentioned in the contract). A notice shall be effective when delivered or on the notice's effective date, whichever is later.

17. Use of Contract Documents and Information

The Information Systems/ Security Auditor shall not, without the Bank's written consent, disclose the Contract or any provision thereof, or any specification or information furnished by or on behalf of the Bank in connection therewith, to any person(s) other than person(s) employed for the Information Systems/ Security Audit or in the performance of the Contract. Disclosure to any such employed person(s) shall be made in confidence, against non-disclosure agreements completed prior to disclosure, and shall extend only so far as may be necessary for the purpose of such performance.

Any document, other than the Contract itself, shall remain the property of the Bank, and all copies thereof shall be returned to the Bank on termination of the Contract, if so required by the Bank. The Information Systems/ Security Auditor shall not, without the Bank's prior written consent, make use of any document or information except for purposes of performing the Contract.

18. Penalty for delays in the Information Systems/ Security Audit

The Information Systems/ Security Auditor must strictly adhere to the audit schedule, as specified in the Contract executed between the Bank and the Information Systems/ Security Auditor pursuant hereto, for performance of the obligations arising out of the contract, and any delay will enable the Bank to resort to any or all of the following:
(a) Claiming Penalty
(b) Termination of the agreement fully or partly

19. Penalty/ Liquidated damages

The penalty will be an estimate of the loss or damage that the Bank may have suffered due to delay in performance of the obligations (under the terms and conditions of the contract) by the selected Information Systems/ Security Audit Firm, and the selected Information Systems/ Security Audit Firm shall be liable to pay the Bank a fixed amount for each day of delay/ non-performance of the obligations by way of liquidated damages, as decided by the Bank.

Vulnerability Assessment and Penetration Testing of the CBS (Core Banking Solutions) Internal as well as External Systems/ Networks of the Bank has to be completed and reports have to be submitted within forty-five days from the date of placing specific orders for each audit. For any delay in completing the VAPT beyond 45 days from the date of Orders issued by the Bank, the Bank reserves the right to charge LD (Liquidated Damages) at the rate of 0.5% of the cost of the assignment per week or part thereof, subject to a maximum of 10% of the Total Basic Cost of the Contract value.

Without any prejudice to the Bank's other rights under the law, the Bank shall recover the liquidated damages, if any, accruing to the Bank as above from any amount payable to the selected Information Systems/ Security Audit Firm, either as per the Contract executed between the Bank and the Information Systems/ Security Audit Firm pursuant hereto or under any other Agreement/ Contract the Bank may have executed/ shall be executing with the Information Systems/ Security Audit Firm.

20. Force Majeure

The Bidder shall not be liable for forfeiture of its performance security, liquidated damages or termination for default if, and to the extent that, its delay in performance or other failure to perform its obligations under the contract is the result of an event of Force Majeure. For the purposes of this Clause, "Force Majeure" means an event beyond the control of the Bidder, not involving the Bidder's fault or negligence, and not foreseeable. Such events may include, but are not limited to, Acts of God or of a public enemy, acts of the Government of India in its sovereign capacity, acts of war, and acts of the Bank either in fires, floods, strikes, lock-outs or any other event beyond the control of either party which directly, materially and adversely affects the performance of any contractual obligation. If a Force Majeure situation arises, the selected Information Systems/ Security Audit Firm shall promptly notify the Bank in writing of such conditions and of any change thereof.


Unless otherwise directed by the Bank in writing, the Information Systems/ Security Audit Firm shall continue to perform its obligations under the contract as far as reasonably practicable and shall seek all reasonable alternative means for performance not prevented by the Force Majeure event.

21. Delivery & Payment Terms

Payments will be released from our office within 30 days of claim after satisfactory completion of the audit, upon:
1) Submission of Claim/ Invoice by the vendor.
2) Arranging for a presentation/ discussion on the final findings of VAPT with the officials of the Bank's Department of Information Technology (DIT) at Corporate Office, Bengaluru, and Inspection Department, by the vendor deputing a senior official to DIT.
3) Submission of the Final Audit Report (hard copy and soft copy), including the reports mentioned under 'Scope of Work', by the vendor to the Bank's Inspection Department and Department of Information Technology (DIT) at Corporate Office, Bengaluru.
4) The vendor has to submit a complete set of documents/ invoices/ audit reports for each audit.

22. Disclaimer

This RFP is not an offer by SyndicateBank, but an invitation to receive responses from vendors. No contractual obligation whatsoever shall arise from the RFP process unless and until a formal contract is signed and executed by duly authorised officers of SyndicateBank with the vendors.

23. Authorization to Bid

The Proposal/ Bid being submitted would be binding on the Vendor. As such it is necessary that authorized personnel of the firm or organization sign the BID. The designated personnel should be authorized by the organization or by a senior official of the organization having authority to do so. The same person or a different person should be authorised who holds a digital certificate issued in his name and has authority to quote the bid amount in the online sealed bid and also to quote the offer price during the online reverse auction. The details of the digital certificate, like Name, Digital Key details, issuing authority and validity etc., have to be provided. A photocopy of the necessary original resolutions/ authority/ Power of Attorney authorising the person to submit Bid documents/ participate in the online sealed bid and reverse auction on behalf of the company shall be enclosed. The proposal must be accompanied by an undertaking letter duly signed by the designated personnel providing a Bid commitment. The letter should also indicate the complete name and designation of the designated personnel as per Annexure 7.

24. Cost of RFP

The Bid documents are available on our Bank's website www.syndicatebank.in and can be downloaded from the website, or a complete set of Bid documents may be obtained by any eligible vendor from this office (Head Office: Inspection Department, Manipal). A non-refundable Demand Draft/ Banker's Cheque for ₹ 5,000/- (Rupees Five Thousand Only) in favour of SyndicateBank, payable at Udupi or Manipal, towards RFP cost will have to be handed over separately at the time of submission of the Bid documents to the Bank. The amount will not be refunded to any prospective bidder under any circumstances, including cancellation of the RFP or procurement process at any stage.

25. Bid Security

1) The Bidder shall submit, along with the other bid documents, a Bid Security for an amount of ₹ 25,000/- (Rupees Twenty Five Thousand only) in the form of a Bank Guarantee with a validity period of one year from the date of Bid, as per the format given in Annexure 6.
2) The successful Bidder's bid security will be discharged upon the Bidder executing the agreements as per clauses 11 & 14 and furnishing the performance security (Bank Guarantee) for 10% of the contract value for a period of 3 years plus a 3 months grace period. Unsuccessful Bidders' bid security will be discharged, refunded or returned as promptly as possible, but not later than 30 days after the expiration of the period of bid validity as mentioned in this RFP.
3) The Bid Security may be forfeited:
(i) If a Bidder withdraws its Bid during the period of Bid validity; or
(ii) If a Bidder fails to participate and quote a price in the Online Sealed Bid or fails to log in to the Reverse Auction process; or
(iii) In the case of a successful Bidder, if the Bidder fails:
a) To accept the purchase order,
b) To execute the agreements as per clauses 11 & 14,
c) To furnish Performance Security (BG) valid for 3 years plus a 3 months grace period within the stipulated time, or
d) To comply with any terms of the RFP or Purchase Order.

26. Performance Security

1) Within Thirty (30) days from the date of acceptance of the proposed Purchase Order, the successful Bidder shall furnish the performance security (BG) for 10% (Ten percent) of the contract value for a period of 3 years plus a 3 months grace period, in the format prescribed as per Annexure 16.
2) The Vendor has to ensure that the Performance Bank Guarantee is sent directly to our Office by the issuing Bank.
3) Failure of the successful Bidder to comply with the requirement of accepting the purchase order/ executing the Contract and/ or submitting the Performance Security (BG) shall constitute sufficient grounds for the annulment of the award and forfeiture of the bid security, in which event the Purchaser may make the award to the next lowest evaluated bidder at the price quoted by the L1 bidder or any other price which cannot be more than the L2 bidder's price. In such an eventuality the Bank retains the right to call fresh bids under this RFP, barring the defaulting bidder.


27. Bid Documents

1) The Bid will be treated as invalid if the price is disclosed.
2) The Bidder's proposal should strictly conform to the technical specifications.
3) Proposals not conforming to the specifications will be rejected summarily.
4) Any incomplete or ambiguous terms/ conditions/ quotes will disqualify the offer.
5) The details required as per all Annexures shall also be enclosed without fail.
6) The Bank may reject any proposal not containing all the requirements called for in all/ any one of the Annexures.

28. Bid Submission

28.1 The response to the present tender will be submitted as the Bidder's Details in a sealed envelope, duly super-scribing the envelope with the reference number of this RFP, due date, name of the Bidder and Offer reference number. The Bidder's Details shall be as per the format specified in this RFP (Annexure 1).

28.2 The last date for submitting the proposals, along with the cost of RFP, is 10.02.2017 by 16:30 hours at this office. Any proposal received after the due date and time or received without the cost of RFP/ Bid Security will not be considered. Bid documents complete in all respects should be submitted to Sri J N Mallikarjun Rao, Chief Manager (IT) or Sri Sitapati Rao, Chief Manager, Syndicate Bank Head Office: Inspection Department, Manipal, Karnataka-576104 (Tel No. 0820-2574073 or 0820-2571181, Extn 307) within the above stipulated date/ time.

28.3 Receipt of bids shall be closed at 16:30 hours on 10.02.2017. Bids received after 16:30 hours on 10.02.2017 will not be accepted under any circumstances. The Bank will inform the date of opening of the bid/s at the time of accepting the bid documents.

28.4 All vendors who submit their bids are requested to mark their presence when the bids are opened.

28.5 A Current Account with a Bank is essential for award of contract under this RFP. All payments will be routed through the Vendor's Bank account. The Vendor should furnish the details of the account, such as the branch at which the account is maintained and the account number. Requests for waiver of the requirement of a Bank Account will not be entertained by the Bank.

29. The vendor has to submit the various documents/ formats mentioned in Annexure-4, along with all other annexures mentioned in this RFP, on the Company's letterhead with seal and signature. Relevant proof/ supporting documents are to be enclosed wherever applicable.

30. The Bank reserves the right to reject this invitation to offer in part or in full, or to cancel the entire procurement process at any stage, without assigning any reason whatsoever.

31. If the vendor needs any clarification on any aspect of the Bid Document, they can seek clarifications in advance through e-mail to [email protected] on or before 24.01.2017, strictly as per the format provided in Annexure-11. The Bank reserves the right to make amendments to the RFP before the last date prescribed for submission of the responses. Such clarifications and amendments to our RFP, if any, will also be hosted on our website www.syndicatebank.in and will form part of this RFP. Vendors are requested to take note of the same.

32. Information on awarding of the contract pertaining to this RFP will be hosted on our Bank's website.

33. Bidder's Obligations

1) The bidder is responsible for managing the activities of its personnel and will hold itself responsible for any misdemeanours.
2) The bidder will treat as confidential all data and information about the Purchaser (Bank) obtained in the execution of its responsibilities, in strict confidence, and will not reveal such information to any other party without the prior written approval of the Purchaser.
3) All the bills raised for the supplies/ services made under this RFP shall be from the same office/ branch from where the bids are submitted against this RFP. If billing is to be done from any other branch of the bidder, the same is to be clearly mentioned in the Bid and should not change till the validity of the contract expires.

34. Indemnity

The Bidder shall indemnify, protect and save the Bank against all claims, losses, costs, damages, expenses, actions, suits and other proceedings resulting from infringement of any law pertaining to patents, trademarks, copyrights, etc.

35. Liability of the Vendor

The Selected Bidder shall hold the Bank, its successors, assignees and administrators fully indemnified and harmless against any loss or liability, claims, actions or proceedings, of whatsoever nature, that may arise and be caused to the Bank through the action of its employees, agents, contractors, subcontractors, etc. However, the Selected Bidder would be given an opportunity to be heard by the Bank prior to a decision being taken in respect of such loss or damage.

36. Termination

The Bank reserves its right to cancel the entire/ unexecuted part of the contract at any time by giving 30 days' written notice, without assigning reasons and without prejudice to any other remedy for breach of contract, in the event of one or more of the following conditions:
1) If the vendor fails to deliver any or all of the Services within the period(s) specified in the Contract or within any extension thereof granted by the Purchaser (Bank).
2) If the vendor fails to perform any other obligation(s) under the Contract.


3) Delay in conducting the audit/ s beyond the specified periods.

4) Non satisfactory performance of the Project during implementation.

5) Failure to integrate/ implement the project as per the requirements of the Bank.

6) Serious discrepancies noted in the implementation of the project.

7) Breaches in the terms and conditions of the Purchase Order.

8) Non satisfactory performance of the Project in terms of affecting the Core Systems of the Bank or the Core Business of the Bank and the functioning of the Branches/ Offices of the Bank.

In the event the Bank terminates the Contract in whole or in part, the Bank may procure, upon such terms and in such manner as it deems appropriate, Services similar to those undelivered, and the vendor shall be liable to the Purchaser (Bank) for any excess costs for such similar Services. However, the vendor shall continue performance of the Contract to the extent not terminated. In such a case, the Bank will not be liable in any way for payment towards such undelivered portion of the Services as per the terms of the contract.

37. ARBITRATION: Disputes and differences of any kind whatsoever arising out of or in connection with the purchase order shall be referred to arbitration. The arbitrator may be appointed by both the parties or, in case of disagreement, each party may appoint an arbitrator and such arbitrators shall appoint an Umpire before entering on the reference. The decision of the Umpire shall be final. Such arbitration shall be governed by the provisions of the Indian Arbitration and Conciliation Act 1996, at MANIPAL/ UDUPI. The Information Systems/ Security Audit Firm shall continue to work under the Contract during the arbitration proceedings unless otherwise directed by the Bank or unless the matter is such that the work cannot possibly be continued until the decision of the arbitrator or umpire, as the case may be, is obtained.

38. Validity of the Contract/ Agreement: The agreement/ contract executed between the successful bidder and the Bank as per clauses 11 & 14 shall be valid for a period of 3 years from the date of execution of the agreement/ contract.

39. Jurisdiction: Notwithstanding anything contained herein above, in case of any dispute, claim or legal action arising out of this contract, the parties shall be subject to the jurisdiction of courts at Udupi, India only.


Annexure 1 Bidder’s Details

1. Name
2. Constitution and year of establishment
3. Address
4. Names & Addresses of the Partners, if applicable
5. Contact Person(s)
6. Telephone, Fax, e-mail
7. Number of CISA Qualified persons working in your firm along with names and experience.
8. Number of CISSP Qualified Persons working in the firm along with the names and experience.
9. Number of BS7799/ ISO 27001 lead auditors working in the firm along with the names and experience.
10. Number of years of experience in Information Systems/ Security Audit.
11. Describe Project Management methodology for the proposed IS Audit assignment, clearly indicating the composition of various teams.
12. Describe Audit Methodology and Standards to be used for IS Audit.
13. Indicate Project Plan with milestones and the time frame of completion of different activities of the project.
14. List of Deliverables as per the ‘Scope of Work’.
15. Role and responsibility of SyndicateBank and the Audit firm. Explain other requirements from SyndicateBank, if any.
16. Have you done Penetration Testing & Vulnerability Assessment on network, Internet Banking, etc.? Please give details required in the following table.

Sl. No. | Areas | Whether Penetration Testing & Vulnerability Assessment were conducted | If yes, mention details of services and the scope along with proof | Details of proof submitted along with the Bidder’s Details
1 | Network | YES/ NO | |
2 | Internet Banking | YES/ NO | |
3 | Mobile Banking/ SMS Banking | YES/ NO | |
4 | Cheque Truncation System | YES/ NO | |
5 | Financial Inclusion | YES/ NO | |
6 | Cash Management Services Centre | YES/ NO | |
7 | Depository Participant Cell | YES/ NO | |
8 | Integrated Treasury Management System | YES/ NO | |
9 | Card Centre | YES/ NO | |
10 | Others | YES/ NO | |

17. Have you done Information Systems Audit/ Network Audit for a Bank on a large scale? If yes, please give details of the same including the details of services and the scope along with proof.

18. Have you done Information Systems Audit for Internet Banking for any Bank in India? If yes, please give details of the same including the complete details of services and the scope along with proof. Audits, if any carried out abroad may be specified separately.

19. Please give brief financial particulars of your firm for the last 3 years (1st April 2013 to 31st March 2016) along with the volume of business handled. (The information will be kept confidential)

Financial Particulars | 2013-14 | 2014-15 | 2015-16
Net Profit | | |
Total Turnover | | |
Revenue earned from Information Security Audit | | |

20. a. Specify tools used for the audit.

b. Specify that technical consultants who would be involved in the Audit Work are certified on types of tools used for audit.

21. Details of Location and infrastructure of Security Operations Centre from where services such as external vulnerability analysis and problem response are managed.

22. Details of biggest Information Systems/ Security Audit including the scope, service cost and details of services.

23. Any other related information, not mentioned above, which the audit firm wishes to furnish.


DECLARATION

We hereby declare that the information submitted above is complete in all respects and true to the best of our knowledge. We understand that in case any discrepancy or inconsistency or incompleteness is found in the information submitted by us, our application is liable to be rejected.

Date:

Authorised Signatory.

Note: The Bidder’s Details shall include the detailed project plan corresponding to the deliverables as required by SyndicateBank (as mentioned in ‘Scope of Work’) for the Project. The project plan should indicate the milestones and time frame of completion of the different activities of the project. The audit firm is required to give details of the project management methodology, Audit Standards and methodology along with the quantum of resources to be deployed for the project, in the Bidder’s Details. Resources and support required from the Bank may also be clearly defined. The Bidder’s Details are required to be submitted in the format given above.

*****


Annexure -2 SCOPE OF WORK

a. Undertake penetration tests of the Information system. It should include:

i. Attempt to guess passwords using password-cracking tools.
ii. Search for back door traps in the programs.
iii. Malware scanning, OS finger printing, war dialing, Man in the middle attack and Man in the browser attack.
iv. Attempt to overload the system using DDoS (Distributed Denial of Service) attacks.
v. Check if commonly known holes in the software, especially the browser and the e-mail software, exist.
vi. Checking for the other common vulnerabilities like IP Spoofing, Buffer overflows, Session hijacks, Account spoofing, Frame spoofing, Caching of web pages, Cross-site scripting, Cookie handling, etc. as specified in clause 15.61 of “Checklists for IS Audit” as suggested by “Committee on Computer Audit”. (Details given in Annexure 3 of RFP).

vii. Conduct penetration testing keeping in view prevailing RBI Guidelines, IT Act and other applicable regulations in India.

b. The auditors will report on various aspects on internet banking specified in Paragraph 15.1 to 15.61 of “Checklists for IS Audit” as suggested by “Committee on Computer Audit” (Details given in Annexure 3 of RFP).

c. The scope of the Audit of Web-Server to include: Review of Security Management, Service Level Agreement, Capacity Monitoring Process, Change Management (HW/ SW/ Content), Penetration testing, Access control, Incidence Management, Firewall/ IDS Management, Logon process, Sessions handling, Cookies, Input validations, Web server Authentication Mechanism, Hardening of OS (operating systems), Business Continuity Preparedness in case of Web server failure, Internet Link failure and other components failure. Review of Internet Banking includes Internet Payment Gateway on the Internet, Adequacy of controls related to Internet Banking (e.g. Registration Procedure, Authorization Procedure, Record Maintenance Procedure etc.) and any other security concern in Internet Banking of the Bank vis-à-vis Industry Standards.

d. Scope of the audit to include Mobile Banking/ SMS Banking, Cheque Truncation System (at Mumbai, Delhi and Chennai centres), Financial Inclusion (FI), Cash Management Services Centre (CMSC) & Depository Participant (DP) Cell, Integrated Treasury Management System (ITMS), Card Centre, Government Business Module, Cheque book and passbook Kiosk, Biometric Authentication, HRMS, Synd-e-passbook, Synd Mobile Guide, Tab Banking, Online-Trading, Critical in-house Applications, eTHIC.

e. Scope of the audit to include ‘the guidelines as per Working Group recommendations on Electronic Banking of RBI and RBI guidelines on Internet Banking, Mobile banking, SMS Banking and Financial Inclusion’.


f. The Information Systems/ Security Audit Firm should also undertake VAPT to verify that applicable International laws for Information Systems/ Security Audit are complied with.

g. During the course of Vulnerability Assessment all the processes should be assessed based on their fraud risk. Controls need to be checked and improvements suggested for tightening the same.

Note: If any change in “Scope of Work” is necessitated for the subsequent audits, the Bank has the right to change the same. During the course of conduct of the audit, if the Bank desires to include any new areas not covered under the defined scope of audit, the successful bidder shall take up such of those areas at an agreed price per man-day, and the man-days shall be mutually agreed for the additional work.

The scope of work includes External VAPT for public IPs and internal VAPT. VAPT should cover all Servers and Networking equipment at the Data Centre, DR Site and other locations, the details of which are given in Annexure 13 of RFP. Locations covered in VAPT are Mumbai and Bengaluru and other centres, if any, mentioned in Annexure 13 of RFP.

During the course of conduct of the audit, if the bank desires, the successful bidder shall conduct the audit in the presence of the Bank’s IT/ IS Audit officials nominated by the Bank and shall familiarise them with the audit processes/ applications/ tools with explanations, discussions, materials and hands-on training, to the satisfaction of the Bank.

Responsibilities:

1. The Audit assignment is time bound.

2. The selected IS Audit/ Security Firm shall adopt industry best practices and standards for application testing like The Open Source Security Testing Methodology (OSSTM), The Open Web Application Security Project (OWASP).

3. Wherever servers are hosted at out sourced networks, care shall be taken not to disturb the service provider’s network during testing process.

4. The selected IS Audit/ Security Firm shall conduct non-destructive penetration testing.

5. The selected IS Audit/ Security Firm shall abide by the Security Policy of the bank to the extent applicable.

6. The selected IS Audit/ Security Firm shall maintain confidentiality of the information received, obtained or gathered by them during the process of conducting IS Audit or during interaction with the Bank’s personnel or Bank’s Vendors.

7. Penetration testing shall be conducted in presence of the representatives identified by the bank.

8. Bank has right to decide the extent of penetration testing and to stop/ extend further testing by the selected IS Audit/ Security Firm without assigning any reason. IS Auditors shall abide by such instruction as and when received.

9. The selected IS Audit/ Security Firm shall enter in to a contract with the bank and abide by the terms of the contract (Format of contract given in Annexure -15).


10. The selected IS Audit/ Security Firm should provide the Bank a Test Plan which must include both calendar time and man hours. The test plan must include hours of testing.

11. Penetration test report shall contain the details of tests conducted, tools used by the selected IS Audit/ Security Firm, methodology used for testing, mitigation recommendations.

12. Bank should be informed in the following cases:

a. whenever the selected IS Audit/ Security Firm changes the testing Plan,
b. whenever the selected IS Audit/ Security Firm changes the source test venue,
c. whenever the selected IS Audit/ Security Firm has observed high risk findings compared to previous audit findings,
d. whenever the selected IS Audit/ Security Firm conducts high risk or high traffic tests,
e. whenever the selected IS Audit/ Security Firm encounters any testing problems.

REPORTING:

1. Submit the reports duly classified both for the Top Management presentation and Technical groups with full details. The classification to be made as high, medium and low risk criteria.

2. High Risk vulnerabilities such as discovered breaches, vulnerabilities with known, high exploitation rates, vulnerabilities which are exploitable for full, unmonitored or untraceable access, or which may put immediate lives at risk, discovered during testing must be reported to the Bank with a practical solution as soon as they are found.

3. IS Auditors shall report their findings and recommendations during the audit to appropriate authorities identified by the bank. At the minimum, report shall contain description of the vulnerability, Risk status, any specific comments and mitigation recommendations.

4. Bank should be informed of the progress updates at intervals as prescribed by the Bank.

5. Reporting must include practical solutions towards discovered security problems.

6. Reports must include all unknowns clearly marked as unknowns.

7. Reports must state clearly all states of security found and not only failed security measures.

8. Reports must use only quantitative/ qualitative metrics for gauging risks based on industry accepted methods. These metrics must be based on a mathematical formula and not on the subjective opinions of the analyst.

*****


Annexure 3

Indicative Checklists for IS Audit on internet Banking as suggested by RBI committee on Computer Audit, for guidance

Information Systems Security Framework

15.1 Is there a security policy duly approved by the Board of Directors? Is there segregation of duty between the Security Officer/ Group dealing exclusively with information systems security and the Information Technology Division which actually implements the computer systems? Is the role of an Information Security Officer independent in nature?

15.2 Is the role of an Information Systems/ Security Auditor independent in nature? (It should be independent of Operations and Technology Unit)

15.3 Bank should ensure that Information Systems Auditor forms part of their Internal Audit Team.

15.4 Bank should acquire tools for monitoring systems and the networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. Bank should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate their security personnel and also the end-users on a continuous basis.

15.5 Bank should subscribe for the Systems Alerts/ Patches. Information Systems Auditor should ensure that all vulnerability patches are applied periodically to prevent outsiders exploiting the Bank’s systems.

15.6 Under the present legal requirements there is an obligation on Banks to maintain secrecy and confidentiality of customer’s accounts. In the Internet banking scenario, the risk of Banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/ other technological failures. Does the bank, therefore, institute adequate risk control measures to manage such risks?

15.7 In order to address the risk of liability to customers on account of breach of secrecy, denial of service etc., does the Bank follow a privacy policy?

15.8 Some of the indicated areas which all Banks need to include as part of the Privacy Policy are given below:

- Banks should safeguard, according to strict standards of security and confidentiality, any information customers share with them.

- Banks will not reveal customer information to any external organization unless they have previously informed the customer in disclosures or agreements, have been authorized by the customer, or are required by law or our regulators.

- Whenever Banks hire other organizations to provide support services, they should require them to conform to our privacy standards and to allow us to audit them for compliance.


Web Server

15.9 Is the web server configured to be a stand-alone unit without any membership to any domain inside the Bank’s IT architecture?

15.10 Ensure whether the web server is ported with latest versions of patches and service packs. Specifically, the OS vendor releases patches and service packs with appropriate fixes to prevent Denial of Service attacks. These should have been applied to prevent such attacks on the web server.

15.11 All security settings applicable to the operating system in which the web server operates should have been implemented as per IT security policy. Check and ensure this.

15.12 With regard to Super User account:

- Check whether the super user account in the web server is enabled for login only on the system console and not from across the network. Perhaps this is applicable to all user accounts in the web server.

- Check if appropriate parameters are implemented in the operating system of the web server so that the super user account will lock out if too many unsuccessful attempts are made across the network, but remain unlocked at the system console.

15.13 Check if sensitive operating system related executable program files and data files on the web server are not stored on public area but in any other secure location with audit duly enabled.

15.14 IP routing should be disabled in the web server. Check and confirm this.

15.15 Ensure that unauthorized ports, e.g., UDP port No.443, are not allowed inside the web server. Also, ensure that unnecessary services like ftp, messenger, SMTP, telnet, etc. are not installed and active on the web server.

15.16 The facility to shutdown the machine should be restricted to the system console on the web server. Check and ensure this.

15.17 Access to floppy drive, CD-ROM drive, etc. should be restricted in the web server to interactive only to prevent these devices from being shared by all processes on the system. Check and ensure this.

Logs of activity

15.18 Ensure that auditing is enabled in the web server’s operating system and whether the logs are reviewed and authenticated by authorized officials periodically.

15.19 Check if audit trail is enabled on the firewall to log the changes made to the rule base settings and verify whether the logged entries are approved by higher authorities in the IT Department.

15.20 Whether the system administrators are monitoring the logs produced by the Intruder Detection System (IDS) (An intrusion detection system helps in recognizing Security threats and is capable of scanning packets for vulnerabilities. It ensures that distributed denial of service attacks are prevented) and escalating the access violations to the attention of senior management in IT department for guidance. Are these documented and appropriate corrective actions taken?

15.21 Check whether audit trails are enabled for administration activities and whether entries logged in the audit trail are in accordance with process flow chart and no unauthorized activity has been carried out.


De-militarized zone and Firewall

15.22 Are all Internet connections routed through a Firewall? Does a dedicated team manage the Firewall? Are the ports opened only on a "need to have" basis?

15.23 Is there an Intruder Detection System (IDS) implemented?

15.24 Are the application and database servers kept separated from the web server in the de-militarized zone?

15.25 Is the de-militarized zone separated from the Internet cloud by means of a Firewall? (Firewall procurement should be through an approval mechanism, which ensures that only firewalls of highest standards are procured).

15.26 If the de-militarized zone is connected to the Intranet within the Bank, it should be separated by a Firewall. Check and ensure the same.

15.27 Check whether the Firewall rule base is treated as a sensitive information and knowledge of the same is restricted to only authorized officials in the IT / Computer operations department.

15.28 Ensure that the decision to open specific firewall ports/ rule base is approved in accordance with IT Security Policy (IT Security Policy should list out such ports) e.g. firewalls should block unwanted ports running services such as ftp, telnet, SMTP, etc. into the de-militarized zone. Ideally, only http and https ports are allowable. Check and verify this.

Security Review of all Servers used for Internet Banking

15.29 Carry out an Operating System Security review on all the servers used for internet banking apart from the web server as stated in (I) above and ensure that all security parameters have been properly set as per Security Policy.

Database and System Administration

15.30 Has the Bank designated a Database Administrator with clearly defined roles?

15.31 Has the Bank designated System Administrator(s) with clearly defined roles?

15.32 Check whether process flow of administration activities is documented and approved by the Head of Operations and whether the administrators are conversant with the process flow.

15.33 Carry out an application control review of the administration module and ensure whether the functionality as described in the process flow document are adequately met by the module.

15.34 Examine who has access to the Super User account in the administration module? Examine the procedures for custody and usage of this password and records maintained for the same. Are all usages recorded by the administrator authenticated by appropriate authority?

15.35 Obtain a list of all administrator accounts in the administrator’s module and check whether all are attributable to personnel doing the administration job. Extraneous admin IDs should be identified and reported for deletion.

15.36 Check whether the menu options in the admin module are assigned to different administrators on need to know basis, based on functionality offered by the menu options and the work allotment made to the administrator.


15.37 Obtain the list of menu options in the Internet banking module for customers and whether such menu options are assigned to user (customer) IDs only as per their request and as per the policy of the Bank.

15.38 Pay particular attention to user (customer) IDs, which are provided with third party funds transfer facility on the Internet and verify whether they are backed by proper customer request in writing.

15.39 Does the Bank have proper infrastructure and schedules for backing up data? Is the backed-up data periodically tested to ensure recovery without loss of transactions in a time frame as given out in the bank’s security policy? Is Business Continuity ensured by setting up disaster recovery sites? Are these facilities tested periodically?

15.40 Check the procedure for creation of different user accounts for the customers for usage on the internet and whether they are backed by valid customer request for such facility.

Operational Activities

15.41 Considering the legal position prevalent, is it ensured that the Bank not only establishes the identity but also makes enquiry about the integrity and reputation of the prospective customer? Therefore, is it ensured that even though a request for opening an account can be accepted over the Internet, accounts are opened only after proper introduction and physical verification of the identity of the customer? Is there a Legal Contract with the customer in place covering the risks of communicating using the Public Network?

15.42 Pay particular attention to customers whose constitution is other than 'individual', particularly corporate accounts and check whether appropriate account opening documentation have been submitted by such customers for internet banking.

15.43 Check if any customer is provided with multiple user IDs, if he/ she is not a joint account holder, but only single.

15.44 Any account linkage activity should take place only after ensuring that the user accounts are created based on valid customer requests.

15.45 Check if user-IDs are linked to multiple bank accounts. If so, verify whether such accounts pertain to the same customer only.

15.46 Check the procedure for enabling the customer user ID on the internet and verify whether adequate precautions are taken by the operations personnel to identify the customer before enabling. Account enablement process should be decided and signed off before product launch. Entire process should be auditable and audit trails should be enabled for the same (Each Bank can decide whether they can pre-enable or post-enable the user accounts based on their policy).

15.47 Check the procedure for creation of new password for customers who report having forgotten the password. Verify the procedure for ensuring the identity of the customer before creating the new password.

15.48 Verify whether adequate records (either electronic or manual) are maintained for the customer user IDs created, enabled, new passwords provided, etc. and whether they are authentic. Test check the instances of change of customer’s passwords and whether they are backed by valid customer requests.

15.49 Do all applications of banks have proper record keeping facilities for legal purposes? It may be necessary to keep all received and sent messages both encrypted.


Application Control Review of Internet Banking Application

15.50 Does the software allow creation of user-IDs in the same name more than once?

15.51 Does the software encrypt the passwords one way and store the same in encrypted form in the database?

15.52 Does the software display the password as it is keyed in? (It should not be displayed on the screen).

15.53 Does the software lock the user-id if it is used for X unsuccessful times to logon to the system?

15.54 Does the software force the User to change the password at set periodical intervals?

15.55 Does the software maintain password history, i.e., the same password should not be used again on rotation basis?

15.56 Check whether the software logs the instances of change of user’s (customer’s) password in the audit trail.

15.57 Does the software allow automatic logical deletion of inactive user IDs after a certain period of time?

15.58 Does the system maintain password length to be of minimum 6 or 8 characters or as the case may be, with combinations of alpha, numeric and special characters?

15.59 Check whether the menu options available on the web page for a customer after logging on to the system provide only appropriate functionality as designed and no deviation is possible.
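The application controls in 15.50 to 15.58 above, modelled as a small user store with the behaviour an auditor would test for. This is an added Python example, not code from the RFP or the RBI checklist; the policy values (5 attempts, 8 characters, 5-deep history, 90-day change, 180-day inactivity) are assumptions where the checklist leaves the figure open, and time is a plain day number.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed policy values: the checklist leaves "X" attempts, "6 or 8"
# characters and the change interval to the bank. Time is a plain day number.
MAX_FAILED_ATTEMPTS = 5      # 15.53: lock the user-id after X failed logons
MIN_PASSWORD_LENGTH = 8      # 15.58: minimum 6 or 8 characters
HISTORY_DEPTH = 5            # 15.55: recent passwords that may not be reused
MAX_PASSWORD_AGE_DAYS = 90   # 15.54: forced change at set intervals
INACTIVITY_DAYS = 180        # 15.57: logical deletion of inactive user-ids
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """15.51: one-way salted hash, so the clear text is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def password_meets_policy(password: str) -> bool:
    """15.58: minimum length plus alpha, numeric and special characters."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_day: int
    last_login_day: int
    failed_attempts: int = 0
    locked: bool = False
    deleted: bool = False                        # 15.57: logical, not physical
    history: list = field(default_factory=list)  # 15.55: past (salt, digest)

class UserStore:
    def __init__(self):
        self.accounts = {}
        self.audit_trail = []                    # 15.56: (day, user_id, event)

    def create_user(self, user_id: str, password: str, day: int) -> str:
        if user_id in self.accounts:             # 15.50: one user-id per name
            return "duplicate_id"
        if not password_meets_policy(password):
            return "weak_password"
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest, day, day)
        self.audit_trail.append((day, user_id, "created"))
        return "created"

    def _reused(self, acct: Account, password: str) -> bool:
        """15.55: check the current and recent hashes, each under its own salt."""
        return any(hmac.compare_digest(hash_password(password, s)[1], d)
                   for s, d in [(acct.salt, acct.digest)] + acct.history)

    def change_password(self, user_id: str, new_password: str, day: int) -> str:
        """Issue a new password after the bank has verified identity (15.47)."""
        acct = self.accounts[user_id]
        if not password_meets_policy(new_password):
            return "weak_password"
        if self._reused(acct, new_password):
            return "reused"
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
        acct.salt, acct.digest = hash_password(new_password)
        acct.password_set_day, acct.failed_attempts, acct.locked = day, 0, False
        self.audit_trail.append((day, user_id, "password_changed"))   # 15.56
        return "changed"

    def login(self, user_id: str, password: str, day: int) -> str:
        """Returns 'ok', 'must_change', 'locked' or 'denied'."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.deleted:
            return "denied"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:           # 15.53
                acct.locked = True
                self.audit_trail.append((day, user_id, "locked"))
                return "locked"
            return "denied"
        acct.failed_attempts, acct.last_login_day = 0, day
        # 15.54: a correct password still forces a change once it is too old
        return "must_change" if day - acct.password_set_day > MAX_PASSWORD_AGE_DAYS else "ok"

    def sweep_inactive(self, day: int) -> list:
        """15.57: logically delete user-ids unused for more than INACTIVITY_DAYS."""
        removed = []
        for acct in self.accounts.values():
            if not acct.deleted and day - acct.last_login_day > INACTIVITY_DAYS:
                acct.deleted = True
                removed.append(acct.user_id)
                self.audit_trail.append((day, acct.user_id, "logically_deleted"))
        return removed
```

An auditor's test cases follow directly: create the same user-id twice, exhaust the failed-logon budget, attempt to rotate back to a recent password, and confirm each event is in the audit trail.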

Application Security

15.60 Is the Security infrastructure properly tested before using the systems and applications for normal operations? The following needs to be taken care of for ensuring that the Security infrastructure is tested properly before using the systems and applications:

As part of the System Development Life Cycle (SDLC), during the development stage an Information Security Review needs to be conducted covering the entire system and architecture review.

Comprehensive Information Security related checks needs to be conducted during the Coding & Testing stage.

On completion of User Acceptance testing (UAT), all Internet related systems or applications needs to be penetration tested by an independent party.

Banks should enter into an Agreement with the independent party who conducts the penetration testing covering both Legal and Contractual terms.

15.61 The following should be covered as part of penetration tests/ vulnerability tests:

1. Check for the following common vulnerabilities:

- IP Spoofing
- Buffer overflows
- Session hijacks
- Account spoofing
- Frame spoofing
- D-DoS attacks
- Caching of web pages
- Cross-site scripting
- Cookie handling
- Malware scanning
- OS finger printing
- Password cracking
- War dialling
- Man in the middle attack
- Man in the browser attack

2. As per RBI’s guidelines PKI (Public Key Infrastructure) is the most favoured technology for secure Internet banking services. Since the Government & RBI are in the process of identifying a PKI service provider, it may take some time to implement PKI in all the Banks. However, as it is not yet commonly available, does the bank use the following alternative system during the transition, until the PKI is put in place:

- A static ID and password login process.
- Usage of SSL (Secured Socket Layer), which ensures server authentication, and use of client side certificates issued by the Banks themselves using a Certificate Server.
- The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself.

*****


Annexure – 4

Pre - Qualification Criteria

| Sl.No. | Eligibility Criteria | Support documents to be submitted | Page No. of bid document where these details are available |
|---|---|---|---|
| 1 | Bidder should be a registered company. | Certificate of incorporation. | |
| 2 | The bidder should be a profit making company/ firm during the last 3 consecutive financial years, i.e. 2013-2014, 2014-2015 and 2015-2016. | Audited Financial Statements, B/S & P&L, and also to be mentioned in Annexure-10. | |
| 3 | Bidders should be from CERT-IN empanelled Information Systems Audit Organizations and shall produce the certificate. | Certificate from CERT-IN; bids without this certificate will not be considered for evaluation and may be rejected. | |
| 4 | Bidders should undertake to conduct the audit on mutually agreed dates/ schedule at Bank’s office/s. | Undertaking letter from the bidders for adhering to the schedule. | |
| 5 | Bidder should have minimum 3 years’ experience in Information Security Audit for Internet Banking / Core Banking Services / Network Audit of any Bank/ financial Organization. | Xerox copy of Purchase Order or Letter from Banks/ Financial institutions for having conducted the audit/s. | |
| 6 | Bidders should have performed Penetration Testing & Vulnerability Assessment, Security audit and Application Control review for at least one Bank in India with a network of minimum 500 branches. | Xerox copy of Purchase Order or Letter from Banks/ Financial institutions for having performed Penetration Testing & Vulnerability Assessment, Security audit and Application Control review. | |
| 7 | The bidder should have minimum 5 CISA/ CISSP qualified Information Security Auditors for conducting the Information Security Audit. | Details of CISA/ CISSP qualified personnel of the Organization along with Xerox copies of certificate/s showing their qualification/s. | |
| 8 | Bidder should have ISO 9001/ 14001/ 18001 or any latest ISO certificate. | Xerox copy of latest Certificate issued. | |
| 9 | Bidders should have digital signature to participate in online sealed bid and reverse auction. | Details of digital certificate/ signature like Name, Digital Key details, issuing authority and validity etc. to be provided. | |

*****


Annexure - 5

BID FORM

Ref No………………… Place: .......... Date: .../..../2017

The General Manager
SyndicateBank
Inspection Department
Head Office
Manipal-576104

Dear Sir,

Having examined the Request for Proposal (RFP): Ref: RFP-.................... dated ..................., the receipt of which is hereby duly acknowledged, we, the undersigned, offer to conduct the audit as per ‘Scope of Work’ in conformity with the said RFP at the prices to be offered during the Reverse Auction process and is made part of this Bid.

We undertake to conduct audit/s according to the periodicity fixed by the bank, from time to time, at the accepted price, during the period of three years from the date of acceptance of purchase order.

We agree to abide by this bid for a period of one year from the last date of submission of Bid and it shall remain binding upon us and may be accepted at any time before the expiration of that period.

We further confirm that, until a formal contract is prepared and executed, this bid, together with your written acceptance thereof and your Notification of Award, shall constitute a binding Contract between us.

We undertake that, in competing for (and, if the award is made to us, in executing) the above contract, we will strictly observe the laws against fraud and corruption in force in India, namely the “Prevention of Corruption Act 1988”.

Commissions or gratuities, if any, paid or to be paid by us to agents relating to this Bid, and to contract execution if we are awarded the contract, are listed below:

| Name & address of agent | Amount & currency | Purpose of commission or gratuity |
|---|---|---|
| | | |

(If none, state none)

We understand that you are not bound to accept the lowest or any bid you may receive.

Dated this ........ day of ............... 2017

(Signature)
(In the capacity of)
Duly Authorised to sign bid for & on behalf of
(Name & Address of the Bidder)


Annexure – 6

BID SECURITY FORM

Whereas ______ (hereinafter called “the Bidder”) has submitted its Bid dated ____2017 for empanelment for conducting Vulnerability Assessment and Penetration testing of our Bank’s CBS Network and Internet Banking System etc. (hereinafter called “the Bid”).

KNOW ALL PEOPLE by these presents that WE ___________ having our Registered Office at ___________ (hereinafter called “the Bank”) are bound unto SyndicateBank, Head Office, Inspection Department, Manipal - 576104 (hereinafter called “the Purchaser”) in the sum of _____ for which payment well and truly to be made to the said Purchaser, the Bank binds itself, its successors and assigns by these presents.

Affixed with the Seal of the said Bank this ____ day of __________2017.

THE CONDITIONS of this obligation are:

1. If the Bidder withdraws its Bid during the period of bid validity specified by the Bidder on the Bid Form; or
2. If the Bidder fails to participate in Online Sealed bids to quote initial price and fails to login in Reverse Auction Process; or
3. If the Bidder, having been notified of the acceptance of its Bid by the Purchaser during the period of Bid validity:
   a) Fails or refuses to execute the Contract Form if required; or
   b) Fails or refuses to furnish the Performance Security, in accordance with the terms of the Bid; or
   c) Fails to supply the goods within the stipulated period; or
   d) Fails to accept the purchase order; or
   e) Fails to comply with any terms and conditions of RFP or Purchase Order.

We undertake to pay the Purchaser up to the above amount upon receipt of its first written demand, without the purchaser having to substantiate its demand, provided that in its demand the Purchaser will note that the amount claimed by it is due to it, owing to the occurrence of one or both of the two conditions, specifying the occurred condition or conditions.

This Guarantee will remain in force up to and including -----------------, 2018, and any demand in respect thereof should reach the Bank not later than the above date.

____________________________
(Signature and Seal of Bank)

*****


Annexure– 7

LETTER OF AUTHORISATION TO BID

No. .............................. Dated: __ / __ / 2017

The General Manager
SyndicateBank
Inspection Department
Head Office
Manipal-576104

Dear Sir,

Sub: Letter of Authorisation to bid for SyndicateBank’s VAPT audit requirement.

We M/s …................................ (Name and address of the principal) hereby authorize Mr/ M/s …..................... (Name and Address of Agents), our Authorised Person, to submit Bid documents on behalf of our Company and to participate in on-line sealed bid/ reverse auction and to sign the contract on behalf of our Organization for all the services required by the bank as called for vide the bank’s request for proposal reference no RFP-........................ dated ...........

We confirm that the person so authorised above has digital signatures and confirm that all the prices quoted in on-line sealed bid or in reverse auction by him shall be binding on us.

Yours faithfully,

(NAME)
(Name of principal vendor on whose behalf the proposal is submitted)

Note:

1. Xerox copy of power of attorney of the Company, authorising/ reauthorizing a person to submit bid documents on behalf of the Company, to be submitted along with this annexure.

2. The details of Digital Signatures of the person participating in online sealed bid/ reverse auction are to be mentioned below:

| Sl.No. | Name of the Person | Digital Signature Number | Certifying Agency | Valid upto |
|---|---|---|---|---|
| | | | | |

*****


Annexure- 8

SERVICE SUPPORT FORM

| Sl.No. | Bidder’s Office details (single point contact for any issues on delivery, service etc.) | Contact person, Designation, Mobile | Address |
|---|---|---|---|
| 1 | | | |
| 2 | | | |

****

Annexure – 9

TERMS AND CONDITIONS COMPLIANCE TABLE

| Term No. | Description | RFP Clause No. | Complied Yes/ No | Page No. of Bid Document | Detailed explanation about deviation, if not complied |
|---|---|---|---|---|---|
| 1 | Pre qualification Criteria | 2 | | | |
| 2 | Documents to be submitted | 3 | | | |
| 3 | Instructions to Bidders | 4 | | | |
| 4 | Accompanying letter as per Annexure 7 | 8 | | | |
| 5 | Cost of RFP | 24 | | | |
| 6 | BID Security | 25 | | | |
| 7 | Undertaking as per clause No. 12 & 13 | 12 & 13 | | | |

NOTE: This annexure is an indicative list. Vendor has to comply with all terms and other conditions as per RFP document.

Signature of the Vendor with Company Seal

*****


Annexure- 10

Turnover and P&L Details: (Bidders have to submit Xerox copies of audited balance sheet / P&L A/c.)

(amount in ₹)

| FY | Turnover | Profit and Loss |
|---|---|---|
| 2013-14 | | |
| 2014-15 | | |
| 2015-16 | | |

*****

Annexure-11

Format for reporting clarifications required, if any, in respect of terms & conditions of this RFP: (It is to be submitted in MS Word document format)

| Sl.No. | Clause No/ Page No. | RFP Term | Bidder’s Request for clarifications and amendments | Bank’s clarification/ Revised amendment, if any |
|---|---|---|---|---|
| | | | | |

*****


Annexure – 12

RULES FOR REVERSE AUCTION

| Sl.No. | Particulars | Details |
|---|---|---|
| 1 | Buyer Name | SyndicateBank, Head Office: Inspection Department, Manipal – 576 104, Karnataka |
| 2 | Auction to be conducted by (Service Provider) | Name: M/s e Procurement Technologies Ltd. Address: No.10/2, Narendra Plaza, Universal Business Centre, Victoria Road, Bangalore – 560 047. Phone No: 080 - 4031176. Fax: 080 - 4031 6201. Ahmedabad Address: M/s e Procurement Technologies Ltd., A-201, Wall Street – 2, Ellisbridge, Ahmedabad – 380 006. Phone: 079 40230816/41072518 / 517 / 519 / 520 / 521. Fax: 079 40016876. Contact Person: Ms. Poonam Rathore - [email protected] |
| 3 | Website address for reverse auction / Date of Auction | http://syndicatebank.abcprocure.com. Auction Date: Will be Intimated Online. Initial Sealed Bid Time: Will be Intimated Online. Reverse Auction Time: Will be Intimated (With extension as applicable). |
| 4 | Documents attached | Rules and Terms & Conditions of Reverse Auction; Compliance Statement (Annexure K - 1); Price Bid Confirmation (Annexure K - 2) |


Online Reverse Auction

Bank desires to make use of Online Reverse Auction for various procurement processes at its Corporate/ Regional Offices to get the most competitive price from the participating technically qualified suppliers/ vendors. Reverse Auction event will be carried out among the Technically Qualified Bidders, for providing opportunity to the Bidders to quote the price dynamically for the procurement for which RFP is floated.

PROCESS OF REVERSE AUCTION:

a) Bank will engage the services of a Service provider for conducting Online Reverse Auction on behalf of the Bank.

b) The Bank shall enter into a separate agreement with the Service Provider clearly detailing the roles and responsibilities of the Service Provider who hosts the web portal and conducts the Reverse Auction.

c) For the proposed reverse auction, technically qualified Bidders having a valid digital certificate alone shall be eligible to participate.

d) Rules like event date and time, start price, bid decrement, extensions etc., will be communicated for compliance by the Bidder.

e) For creating necessary obligations and rights, the Service Provider will also enter into an agreement with each Bidder for this purpose.

f) The Service Provider will provide all necessary training and assistance before commencement of online bidding on Internet. Service Provider / auctioneer is responsible for conducting training to all technically qualified Bidders participating in the reverse auction and bidding process. Bidder may contact the Service Provider in this regard.

g) Wherever it is considered necessary and asked by the Bidders or as decided by the auctioneer or by Bank, a mock auction may also be conducted for the benefit of all concerned.

h) Each Bidder shall participate in the training/ mock auction at his / their own cost.

i) Bidder / Authorised representatives of the Bidders named in the authorization letter given by the Bidder shall be given a unique user name and password by the Service Provider / auctioneer. Each Bidder / Authorised representative shall change the password after receipt of the initial password from the Service Provider.

j) Reverse auction will be conducted on scheduled date & time and the same shall be communicated in advance.

k) Bidders have to submit the compliance form in the prescribed format, if any, provided by Service Provider before start of Reverse Auction. Without this the Bidder will not be eligible to participate in the event.

l) Bidder is required to give their indicative price to the Bank during the online sealed bid before conducting reverse auction. Timings of the online sealed bid will be intimated by the Bank in advance to the technically responsive bidders.

m) Start price for the Reverse Auction will be notified by the Bank.

n) All the bids made from the Log-in ID given to Bidder will be deemed to have been made by the Bidder to whom Log-in ID and password were assigned by the Service Provider / auctioneer.


o) Any bid once made through registered Log-in ID / password by the Bidder cannot be cancelled. The Bidder, in other words, is bound to supply the items/ deliver the services as per the RFP at the bid price offered during the Reverse Auction.

p) Every successive bid by the Bidder being decremental bidding shall replace the earlier bid automatically and the final bid as per the time and Log-in ID shall prevail over the earlier bids.

q) The Bank shall conduct the reverse auction as per the Standard English reverse auction, that is, no two bids can have identical price from two different Bidders. In other words, there shall never be a “Tie” in bids.

r) The minimum time limit for Online Reverse Auction is 1 hour only.

s) At the end of reverse auction event, the lowest Bidder value will be known on the network.

t) The lowest Bidder (L1) has to fax the duly signed filled-in prescribed format along with break-up as provided on case-to-case basis to the Bank within 24 hours of auction without fail.

u) Any variation between the Online Bid value and the signed document will be liable for rejection of the Bid, forfeiture of the Bid Security etc., and the Bidder may be disqualified to conduct business with the Bank in future.

v) The reverse auction will be treated as closed only when the bidding process gets closed in all respects for the item listed in the tender.

w) The Service Provider at the end of each Reverse Auction shall provide the Bank with all details of the bids and reports of Reverse Auction.

x) Bank's decision on award of Contract shall be final and binding on all the Bidders.

Rules and Terms & Conditions of Reverse Auction

Online Reverse Auctions are carried out under the framework of a set of rules. Following are the ‘Rules and Terms & Conditions’ of Online Reverse Auction:

1. Definitions:

“Bank” means SyndicateBank.

“Service Provider” means the third party agency / company who have been selected by the Bank for conducting Reverse Auction.

“Bidder” means the party or his authorised representative who has participated in the RFP / Tender Process, is technically qualified, has a valid Digital Certificate, and is willing to comply with all the instructions and terms & conditions of RFP.

“L1” means the Bidder who has quoted the lowest price in the Reverse Auction process.

“L2” means the Bidder who has quoted the second lowest price in the Reverse Auction process.

2. Eligibility of Bidders to participate in Reverse Auction:

2.1. Bidders who are technically qualified in terms of the relative Terms & Conditions of the RFP and accept the Rules and Terms & Conditions of Reverse Auction and submit the undertaking as per the prescribed format in Annexure – 12.1 can only participate in Reverse Auction related to the procurement for which RFP is floated.

2.2. Bidders not submitting the above undertaking or submitting the same with deviations / amendments thereto will be disqualified from further evaluation / participation in the process of relevant procurement.

2.3. Bidders should ensure that they have valid digital certificate well in advance to participate in the Reverse Auction. Bank and / or Service Provider will not be responsible in case Bidder could not participate in Reverse Auction due to non-availability of valid digital certificate.

2.4. Bidders participating in Reverse Auction shall submit the following duly signed by the same Competent Authority who signs the offer documents in response to the RFP floated by Bank.

2.4.1. Undertaking letter for acceptance of Rules for Online Reverse Auction and letter of Authority authorizing the name/s of official/s to take part in Reverse Auction as per the format Annexure – 12.1 (Compliance Statement).

2.4.2. Agreement between Service Provider and Bidder. This format will be given by the service provider prior to announcement of Reverse Auction.

3. Training:

3.1. The Service Provider shall impart training on the Reverse Auction to representatives of all eligible Bidders for participation in Reverse Auction.

3.2. All rules & procedure related to Reverse Auction will be explained during the training.

3.3. The Bank/ Service Provider may also conduct a “Mock Reverse Auction” to familiarise the vendor/ s with Reverse Auction process.

3.4. Date, Time, Venue etc. of training will be advised at appropriate time.

3.5. Eligible Bidder / his authorized nominee has to attend the training as per the schedule and at the specified venue at his / Bidder’s own cost.

3.6. No request from the Bidders for change in training schedule and/ or venue will be entertained.

3.7. However, Bank reserves the right to postpone / change / cancel the training schedule for whatsoever reasons without assigning any reasons thereof, even after its communication to eligible Bidders.

3.8. Any Bidder not participating in the training process will do so at his own risk and it shall not be open for him to make any complaint / grievance later.

4 Reverse Auction Schedule:

4.1. The date & time of commencement of Reverse Auction and its duration of time shall be communicated to the technically responsive Bidders prior to the Reverse Auction date.

4.2. Bank reserves the right to postpone / change / cancel the Reverse Auction event even after its communication to Bidders without assigning any reasons thereof.

4.3. Reverse Auction will normally be for a period of one hour. If a Bidder places a bid price in the last 10 minutes of closing of the Reverse Auction, the auction period shall get extended automatically for another 10 minutes. In case there is no bid price in the last 10 minutes of closing of Reverse Auction, the auction shall get closed automatically without any extension.

4.4. The time period of Reverse Auction & Maximum number of its extensions & time are subject to change and will be advised to eligible Bidders before the start of the Reverse Auction event.

4.5. During English Reverse (no ties) Auction, if no bid is received within the specified time, the Bank, at its discretion, may decide to revise Start price / scrap the reverse auction process / proceed with conventional mode of tendering.

5. Bidding Currency:

Bidding will be conducted in Indian Rupees ( ₹ ).

6. Price Schedule:

The Bidder, during the Reverse-auction, shall quote the Total Project Cost (Prices) as per the following format:

{Amount in Indian Rupees (₹) excluding taxes}

| Sl.No. | Description / Name of the Project/ Assignment | Cost of ONE audit |
|---|---|---|
| 1 | Comprehensive audit of SWIFT infrastructure | Xxxx |
| 2 | Detailed pre-implementation application control audits and data migration audits with regard to critical systems as per Gopalakrishna Committee recommendation | These Audits are on need basis. Location of the Audits is Bengaluru. Bidder has to quote pricing on the basis of per man-day cost. |
| 3 | Vulnerability Assessment & Penetration Testing of CBS Network and Internet Banking, etc., for SyndicateBank (as per Scope of work mentioned in the Annexure-2) | Xxxx |
| 4 | Any other Audit on need basis | These Audits are on need basis. Location of the Audits is Bengaluru. Bidder has to quote pricing on the basis of per man-day cost. |

Notes: The successful bidder has to undertake to conduct the audit strictly as per scope of work mentioned in Annexure-2.

a. The vendor has to quote the above prices excluding taxes.

b. Service Tax / VAT, at actual, is payable extra.

c. TDS will be deducted as applicable.


d. The prices quoted should be valid for three years from the date of acceptance of purchase order.

e. The selected vendor will have to conduct audit/ s according to the periodicity fixed by the bank, from time to time, at the accepted price, during the period of three years from the date of acceptance of purchase order. At present the periodicity is ‘half yearly’. The dates and duration of each audit to be conducted shall be fixed on mutual agreement.

f. If the scope of work remains the same, the bidder shall complete the assignments that will be entrusted during the next three years, at the price fixed through reverse auction. However, if the scope of work changes, the remuneration for the additional assignments if any, will depend on the scope of work for that assignment/ year and the prevailing conditions in the market at that point of time, as decided by the Bank.

7. Start Price:

7.1 Bidder needs to give their indicative price to the Bank during the ONLINE SEALED BID. Timings of the Online sealed bid will be intimated by the Bank in advance.

7.2 Bank shall determine the Start Price for Reverse Auction

a. On its own and / or
b. Based on the indicative price band information on Grand Total as per our price schedule received during the ONLINE SEALED BID, or
c. Bank may determine the start price on the basis of the lowest quote of indicative commercial bids received during ONLINE SEALED BID.

7.3 The start price of an item in Online reverse auction is open to all the participating bidders. Bidders are required to start bidding after announcement of Start Price and decrement amount. Any bidder can start bidding, in the Online reverse auction, from the start price itself. Please note that the first Online bid that comes in the system during the Online reverse auction can be equal to the auction's start price, or lesser than the auction's start price by one decrement, or lesser than the auction's start price by multiples of decrement. The subsequent bid that comes in to outbid the L1 rate will have to be lesser than the L1 rate by one decrement value or in multiples of the decrement value.

8. Decremental Bid Value:

8.1. The bid decrement value will be specified by Bank before the start of Reverse Auction event. It can be a fixed amount or percentage of Start Price or both whichever is higher.

8.2. Bidder is required to quote his bid price only at a specified decremented value, which may be informed, to the technically responsive bidders during reverse auction.

8.3. Bidder need not quote bid price at immediate next available lower level, but it can be even at 2 / 3 / 4. …level of next available lower level.

8.4. Bid decrement value shall be rounded off to nearest ₹1000s.


9. Web Portals and Access:

9.1. Reverse Auction will be conducted on a specific web portal meant for this purpose with the help of the Service Provider identified by the Bank.

9.2. Service Provider will make all necessary arrangement for fair and transparent conduct of Reverse Auction like hosting the web portal, imparting training to eligible Bidders etc., and finally conduct of Reverse Auction.

9.3. Bidders will be participating in Reverse Auction event from their own office / place of their choice. Internet connectivity and other paraphernalia requirements shall have to be ensured by Bidder themselves.

9.4. In the event of failure of their Internet connectivity (due to any reason whatsoever it may be):

9.4.1. It is the Bidder’s responsibility/ decision to send fax communication immediately to Service Provider furnishing the bid price they want to bid Online, with a request to upload the faxed bid price Online, so that the service provider will upload that price Online on behalf of the Bidder.

9.4.2. It shall be noted clearly that the concerned Bidder communicating this price to Service Provider has to solely ensure that the fax message is received by Service Provider in a readable / legible form and also the Bidder should simultaneously check up with Service Provider over phone about the clear receipt of the bid price faxed and the service provider has entered the same in the system.

9.4.3. It shall also be clearly understood that the Bidder shall be at liberty to send such fax communications of prices to be uploaded by Service Provider only before the closure of Reverse Auction time and under no circumstances it shall be allowed beyond the closure of Reverse Auction event time.

9.4.4. Such Bidders have to ensure that the Service Provider is given reasonable time by the Bidders, to upload such faxed bid prices online and if such required time is not available at the disposal of Service Provider at the time of receipt of the fax message from the Bidders, Service Provider will not be uploading the bid prices. It is to be noted that neither the Bank nor the Service Provider will be responsible for these unforeseen circumstances.

9.5. In order to ward-off such contingent situation:

9.5.1. Bidders are advised to make all the necessary arrangements / alternatives, such as back-up power supply, whatever required, so that they are able to circumvent such situation and still be able to participate in the reverse auction successfully.

9.5.2. Bidders are requested not to wait till the last moment to quote their bids to avoid any such complex situations.

9.5.3 Failure of power at the premises of Bidders during the Reverse auction cannot be the cause for not participating in the reverse auction.

9.5.4. On account of this the time for the auction cannot be extended and Bank is not responsible for such eventualities.

9.5.5. Bank and / or Service Provider will not have any liability to Bidders for any interruption or delay in access to site of Reverse Auction irrespective of the cause.


9.6. For making the process of Reverse Auction and its result legally binding on the participating Bidders, Service Provider will enter into an agreement with each Bidder, before the start of Reverse Auction event. Without this Bidder will not be eligible to participate in the event.

9.7. Neither Bank nor service provider / auctioneer can be held responsible for consequential damages such as no power supply, system problem, inability to use the system, loss of electronic information, power interruptions, UPS failure, etc. (Bank shall, however, entertain any such issues of interruptions, problems with open mind and fair degree of transparency in the process before deciding to stop or extend the auction.)

10. TRANSPARENCY IN BIDS:

All bidders will be able to view during the auction time the current lowest price in portal. Bidder shall be able to view not only the lowest bid but also the last bid made by him at any point of time during the auction time.

11. MASKING OF NAMES:

11.1. Bidder will be able to view the following on their screen along with the necessary fields in Reverse Auction:

i) Opening Price
ii) Leading / Lowest Bid Price in Auction (only total price)
iii) Last Bid Price placed by the respective Bidder.

11.2. Names of bidders/ vendors shall be anonymously masked in the Reverse Auction process and vendors will be given suitable dummy names.

11.3. After completion of Reverse Auction, the Service Provider / auctioneer shall submit a report to the Bank with all details of bids and the original names of the bidders, as also the L1 bidder with his / their original names.

12. Finalisation of the Successful Bidder:

12.1. At the end of Reverse Auction event Service Provider will provide the Bank all necessary details of the bid prices and reports of Reverse Auction.

12.2. Upon receipt of above information from Service Provider, Bank will evaluate the same and will decide upon the winner i.e. Successful Bidder. Bank’s decision on award of Contract shall be final and binding on all the Bidders.

12.3. Successful Bidder has to fax the duly signed filled-in prescribed format (Annexure – 12.2) as provided on case-to-case basis to Bank within 24 hours of Reverse Auction without fail. The Original signed Annexure–K-2 should reach the Bank within 48 hours of Reverse Auction without fail.

12.4. Any variation between the On-line Reverse Auction bid price and signed document will be considered as sabotaging the tender process and will invite disqualification of Bidder/ vender to conduct business with Bank as per prevailing procedure.

12.5. Successful Bidder has to give break-up of his last/ lowest bid price as per Bill of Material at the end of Reverse Auction event within 24 working hours without fail.


12.6. Successful Bidder is bound to supply at their final bid price of Reverse Auction. In case of back out or fail to supply/ deliver the services as per the rates quoted, Bank will take appropriate action against such Bidder and / or forfeit the Bid Security amount, debar him from participating in future.

12.7. In case Bank decides not to go for Reverse Auction related to the procurement for which RFP is floated and price bids if any already submitted and available with Bank shall be opened as per Bank’s standard practice.

13. Bidder’s Obligation:

13.1. Bidder shall not involve himself or any of his representatives in Price manipulation of any kind directly or indirectly with other suppliers / Bidders at any point of time. If any such practice comes to the notice, Bank shall disqualify the vendor / bidders concerned from the reverse auction process.

13.2. Bidder shall not divulge either his Bid details or any other details of Bank to any other party without written permission from the Bank.

14. Changes in Rules and Terms & Conditions of Reverse Auction:

14.1. Any change in the Rules as may become emergent and based on the experience gained shall be made only by a Committee consisting of Senior Executives of Bank.

14.2. Bank reserves the right to modify / withdraw any of the Rules and Terms & Conditions of Reverse Auction at any point of time.

14.3. Modifications of Rules and Terms & Conditions of Reverse Auction will be made available on website immediately.

14.4. Modifications made during the running of Reverse Auction event will be informed to participating Bidders immediately.

15. Errors and Omissions

15.1. On any issue or area of material concern respecting Reverse Auction not specifically dealt with in these Rules, the decision of the bank shall be final and binding on all concerned.

----


Annexure – 12.1

COMPLIANCE STATEMENT (To be submitted in Company’s letterhead by all the Bidders participating in Reverse Auction)

Date:

To
The General Manager
SyndicateBank
Inspection Department
Head Office
Manipal-576104

DECLARATION

1. We ______________________(name of the company) hereby confirm having submitted our bid for participating in Bank’s RFP No. _________ dated _________ for empanelment for conducting ‘Comprehensive Audit of SWIFT Infrastructure, Detailed pre-implementation Application Control Audits and Data Migration Audits with regard to critical systems as per Gopalakrishna Committee recommendation, Vulnerability Assessment and Penetration Testing (VAPT) of our Bank’s CBS (Core Banking Solutions) Internal as well as External Systems/ Networks, Application security testing of web/ mobile applications throughout their lifecycle (pre-implementation, post-implementation, after changes) in environment closely resembling or replica of production environment, etc., as per ‘Scope of Work’ and Any other Audit on need basis’.

2. We also confirm having read and understood the terms of RFP as well as the Rules relating to the Reverse Auction for this RFP process.

3. We hereby undertake and agree to abide by all the terms and conditions stipulated by SyndicateBank in the RFP document including the Rules for Reverse Auction, all annexure, addendum, and corrigendum.

4. We shall participate in the On-line auction conducted by M/ s e Procurement Technologies Ltd. (Service Provider) and submit our Commercial bid. We shall agree to enter into an agreement with the Service Provider for making the process of Reverse Auction and its results legally binding on us.

5. Bank and Service Provider shall not be liable & responsible in any manner whatsoever for our failure to access & bid in Reverse Auction due to loss of internet connectivity, electricity failure, virus attack, problems with the PC, any other unforeseen circumstances etc. before or during the auction event.

6. We understand that in the event we are not able to access the auction site, we may authorize Service Provider to bid on our behalf by sending a fax containing our offer price before the auction close time and no claim can be made by us on either Bank or Service Provider regarding any loss etc. suffered by us due to acting upon our authenticated fax instructions.

7. We do understand that Service Provider may bid on behalf of other Bidders as well in case of above-mentioned exigencies.


8. We also confirm that we have a valid digital certificate issued by a valid Certifying Authority.

9. We shall fax the duly filled in signed Price Bid format as provided in the RFP to the Bank and to the Service provider within 24 hours of end of Online Reverse Auction without fail.

10. We undertake to submit the Original confirmation of last bid price by us to the Bank as well as to the Service provider within 48 working hours of the completion of event. We also undertake to submit the claim/ invoice as per the Payment Terms (clause 23) of this RFP.

11. We, hereby confirm that we will honour the Bids placed by us during the reverse auction process, failing which we shall forfeit the Bid Security. We also understand that the Bank may debar us from participating in future tenders.

12. We undertake to supply at our final lowest bid price of Reverse Auction. In case we back out or do not supply as per the rates quoted by us, Bank is free to take appropriate action against us and / or forfeit the Bid Security amount and debar us from participating in future tenders.

13. We confirm having nominated Mr./ Ms.________________, designated as ______________ of our company to participate in the Reverse Auction on behalf of the Company.

14. We accordingly authorize Bank and / or the Service Provider to issue user ID and password to the above named official of our Company.

15. Both Bank and the Service Provider shall contact the above named official for any and all matters relating to the Reverse Auction.

16. We undertake that the Company shall be bound by the bids made by the above named official of our Company in the Reverse Auction, failing which the Bank shall forfeit the Bid Security. We agree and understand that the Bank may debar us from participating in future tenders for any such failure on our part.

Signature of the Authorised Signatory with company seal
Name -
Company / Organization -
Designation within Company / Organization –
Address of Company / Organization –

Name of Authorised Representative: Mr. / Ms. ____________________
Designation of the Authorised Representative: ____________________
Signature of Authorised Representative: _________________________

Verified above signature
Signature of the Authorised Signatory with Name and Company seal
Date: _________________


Annexure – 12.2 Price Bid Confirmation

(To be submitted in Company’s letterhead by L1 Bidder participated in Reverse Auction along with detailed price schedule)

Date :

To
The General Manager
SyndicateBank
Inspection Department
Head Office
Manipal-576104

Dear Sir,

SUB: Final / Lowest Bid Price quoted in Reverse Auction held on ……………………………… in respect of RFP Ref. No. __________ Dated ______ for empanelment for conducting ‘Comprehensive Audit of SWIFT Infrastructure, Detailed pre-implementation Application Control Audits and Data Migration Audits with regard to critical systems as per Gopalakrishna Committee recommendation, Vulnerability Assessment and Penetration Testing (VAPT) of our Bank’s CBS (Core Banking Solutions) Internal as well as External Systems/ Networks, Application security testing of web/ mobile applications throughout their lifecycle (pre-implementation, post-implementation, after changes) in environment closely resembling or replica of production environment, etc., as per ‘Scope of Work’ and Any other Audit on need basis’.

We confirm that the final total bid price quoted by us in the captioned Reverse Auction event for captioned tender is as under –

Rs. (in figure): ___________________________
Rs. (in words): __________________________

and we are submitting the detailed price schedule as per RFP.

We confirm that:

We enclose herewith the detailed break-up of above price as per Bill of Material

OR

We undertake to submit the Original duly signed detailed break-up of above bid price as per Bill of Material of the subject RFP within 48 hours from the end of Reverse Auction event.

Any variation between the On-line Reverse Auction bid price quoted by us and this document will be considered as sabotaging the tender process and will invite disqualification of Bidder/ vendor to conduct business with Bank as per prevailing procedure. In such case Bank is free to take appropriate action and/ or forfeit the Bid Security amount and/ or debar him from participating in future. We are bound to supply at the above final bid price of Reverse Auction.


We note that in case of back out or not delivering services/ conducting audits as per the above rates quoted by us, Bank will take appropriate action against us and / or forfeit our Bid Security amount and / or debar us from participating in future.

Signature of the Authorised Signatory with company seal
Name –
Company / Organization –
Designation within Company / Organization –
Address of Company / Organization –
Email:
Mobile:
Tel. No:
Fax No:

CC: Service Provider: M/ s e Procurement Technologies Ltd., No.10/ 2, Narendra Plaza, Universal Business Centre, Victoria Road, Bengaluru – 560 047

---- End of document -----


Annexure 13 Details of Servers, Networking Equipments etc.

Details of Hardware and Network (Specific details will be provided individually)

Type of Hardware | OS | At Data Centre, Mumbai | At Disaster Recovery site, Bengaluru

Servers, Systems, Physical machines, Virtual machines, BJA, G2A, G4A, G7A, ISU, etc., web servers like IIS, Apache etc. (Specific details will be provided individually) | Windows, AIX, IOS, Linux, Unix, Vmware, Centos, RHEL, ESXi-5, etc. | 250+ | 250+

Details of storage devices: SAN switch 14; Storage 7

Security Devices / Network Security Devices: Routers, Switches, Modems, Firewalls, Load balancers, IPS, HSM, KVM, IDS: 5; 6; 100+ (Separate routers/ switch in all the branches 4000 nos)

Databases: 90+

No of web pages: 1500+

(Servers/ network equipments in respect of Mobile Banking/ SMS Banking, Cheque Truncation System(CTS), Financial Inclusion(FI), Cash Management Services (CMSC) & Depository Participant (DP), Integrated Treasury Management System( ITMS) & Card Centre, Government Business Module, Cheque book and passbook kiosk, Biometric Authentication, HRMS, synd-e-Passbook, Synd Mobile guide, Tab Banking, Online-Trading, Critical IN-house Applications are also to be included) The number of servers and networking equipments mentioned above may undergo change due to subsequent additions/ upgrading and these also have to be taken / included by the selected vendor for the purpose of VAPT.

*****


Annexure 14 MUTUAL NON-DISCLOSURE AGREEMENT

This Agreement is made as of the …………… day of ……… 2017, between …………………………………….., a company registered under the Companies Act, 1956 and having its Head Office at ………………………………………… and SyndicateBank, a banking company incorporated and functioning under the provisions of Banking Companies (Acquisition and Transfer of Undertakings) Act 1970 having its Head Office at Manipal – 576104, Karnataka (hereinafter collectively referred to as “the Parties”).

In order to pursue the mutual business purpose contemplated under this Mutual Non-Disclosure Agreement (hereinafter referred to as the “Agreement”, and such mutual business purpose hereinafter referred to as the “Business Purpose”), the Parties recognize that there is a need to disclose to one another certain confidential information of each party to be used only for the Business Purpose and to protect such confidential information from unauthorized use and disclosure. In consideration of the other party’s disclosure of such information, the Parties agree as follows:

1. This Agreement will apply to all plans, information (whether written or oral), documentation and support material contained within all analyses, compilations, studies, reports, records and other documents which are shown or provided by one party to the other, whether or not any portion thereof is or may be validly copyrighted, trademarked or patented (hereinafter referred to as “Confidential Information”). The term Confidential Information shall also include all information provided to M/ s ………………………………………….., for undertaking

- Detailed pre-implementation Application Control Audits and Data Migration Audits with regard to critical systems as per Gopalakrishna Committee recommendation
- Vulnerability Assessment and Penetration Testing (VAPT) of our Bank’s CBS (Core Banking Solutions) Internal as well as External Systems/ Networks
- Application security testing of web/ mobile applications throughout their lifecycle (pre-implementation, post-implementation, after changes) in environment closely resembling or replica of production environment, etc., as per ‘Scope of Work’.
- Any other Audit on need basis

of the Bank etc., as per the Scope of Work and terms & conditions mentioned in the Request For proposal ref no. …….. dated ……….

2. Each party agrees (i) to hold the other party’s Confidential Information in strict confidence, (ii) not to disclose such Confidential Information to any third parties, and (iii) not to use any Confidential Information for any purpose except for the Business Purpose. Without limiting the generality of the aforesaid restrictions, neither party shall use any Confidential Information in connection with any activities or ventures competitive with the business of the other. Each party may disclose the other party’s Confidential Information to its directors, officers, employees, attorneys and other advisors (collectively, “Representatives”) on a bona fide need to know basis, but only to the extent necessary to carry out the Business Purpose. Each party agrees to instruct all such Representatives not to disclose such Confidential Information to third parties, including consultants, without the prior written permission of the disclosing party.

3. Confidential Information will not include information which:

(i) is now, or hereafter becomes, through no act or failure to act on the part of the receiving party, generally known or available to the public;

(ii) was acquired by the receiving party before receiving such information from the disclosing party and without restriction as to use or disclosure;

(iii) is hereafter rightfully furnished to the receiving party by a third party, without restriction as to use or disclosure;

(iv) is information which the receiving party can document was independently developed by the receiving party;

(v) is required to be disclosed pursuant to law, provided the receiving party provides the other party, to the extent legally permissible, with prompt written notice of such requirement so that the other party may seek an appropriate protective order with respect thereto; or

(vi) is disclosed with the prior written consent of the disclosing party.

4. The Parties agree to exercise extreme care in protecting the confidentiality of any Confidential Information which is removed from the disclosing party’s premises. The Parties agree to comply with any and all terms and conditions the disclosing party may impose upon any such removal, such as conditions that the removed Confidential Information and all copies must be returned by a certain date, and that no copies are to be made off the premises.

5. Upon the disclosing party’s request, the receiving party will promptly return to the disclosing party all tangible items containing or consisting of the disclosing party’s Confidential Information and all copies thereof.

6. The Parties recognize and agree that nothing contained in this Agreement will be construed as granting any rights to the receiving party, by license or otherwise, to any of the disclosing party’s Confidential Information, except as specified in this Agreement.

7. The parties acknowledge that all of the disclosing party’s Confidential Information is owned solely by the disclosing party (or its licensors) and that the unauthorized disclosure or use of such Confidential Information would cause irreparable harm and significant injury, the degree of which may be difficult to ascertain. Accordingly, the Parties agree that the disclosing party will have the right to obtain, without the necessity of proving actual damages or posting any bond or other security, temporary and permanent injunctive relief including, but not limited to, specific performance of the terms of this Agreement, as well as the right to pursue any and all other rights and remedies available at law or in equity for such a breach.

8. All references herein to the Parties shall also refer to all entities owned or controlled by the parties, all entities that own or control, or are under common control with, the Parties and their respective offices, directors, employees, shareholders, agents attorneys and other advisors.


9. This Agreement will be construed, interpreted, and applied in accordance with the laws of India. This Agreement is the complete and exclusive statement regarding the subject matter hereof and supersedes all prior agreements, understandings and communications, whether oral or written, express or implied, between the Parties regarding the subject matter of this Agreement.

10. This Agreement will remain in effect for three (3) years from the date of the last disclosure of Confidential Information, at which time it will terminate.

11. All Confidential Information and Confidential Materials are and shall remain the property of Disclosing Party/s. By disclosing information to the other Party/s, Disclosing Party/s or Receiving Party does not grant any express or implied right to the other party’s patents, copyrights, trademarks, or trade secret information.

12. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof. It shall not be modified except by a written agreement dated subsequent to the date of this Agreement and signed by both parties. None of the provisions of this Agreement shall be deemed to have been waived by any act or acquiescence on the part of Disclosing Party/s, its agents, or employees, but only by an instrument in writing signed by an authorised officer of Disclosing Party/s. No waiver of any provision of this Agreement shall constitute a waiver of any other provision(s) or of the same provision on another occasion.

13. This Agreement shall be governed by, and construed interpreted and enforced in accordance with the internal substantive laws of India.

14. If any provision of this Agreement shall be held by a court of competent jurisdiction to be illegal, invalid or unenforceable, the remaining provisions shall remain in full force and effect.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement by their duly authorized officers or representatives.

For SyndicateBank                For...................
Signature                        Signature
Name                             Name
Title                            Title

*****


Annexure 15

VAPT Agreement

This AGREEMENT is made at Manipal on this …. day of ……., 2017 BETWEEN:

SYNDICATEBANK, a banking company incorporated and functioning under the provisions of Banking Companies (Acquisition and Transfer of Undertakings) Act 1970 having its Head Office at Manipal – 576104, Karnataka, through its Inspection Department, represented by its Assistant General Manager, Sri ……………….. (hereinafter referred to as the ‘BANK’, which term shall mean and include its successors and assigns) of the ONE PART

AND

M/ S. ……………………. a company incorporated and functioning under the provisions of the Companies Act, 1956, having its Head Office at ………………………………………. represented by its Authorised Signatory …………………….. (hereinafter referred to as the ‘IS Auditor’, which term shall mean and include its successors and assigns) of the OTHER PART.

WHEREAS:

(a) The Bank has implemented Centralised Banking Solution and Internet Banking with Data Centre at Mumbai.

(b) The Bank is desirous of engaging the services of Information Security Auditor for a period of three years for undertaking Penetration Testing & Vulnerability Assessment of CBS Network and Internet Banking.

(c) For this purpose, the Bank had called for bids as per Request For Proposal no………. dated………………from potential audit services providers, pursuant to which the IS Auditor has been selected. The I S Auditor will be on the Bank’s panel for a period of three years from the date of the agreement and the Bank may utilize the services for undertaking such audits/ testing. Generally the audit will be conducted at half yearly intervals.

(d) Both the parties have arrived at and agreed upon the terms and conditions on the basis of which the IS Auditor will provide its services to the Bank, as set out hereinbelow.

NOW THIS AGREEMENT WITNESSETH:

1. TENURE OF THE AGREEMENT:

1.1 This agreement is valid for three years from the date of the agreement.

2. SCOPE OF WORK:

2.1 The Scope of Work of the IS Auditor shall be as set out in the Schedule annexed and marked as ‘Annexure A’ hereto. While the Bank does not anticipate any change in scope of work for the current half year, should there be any change for the next three half years, the Bank has the right to change the same, by way of additions or deletions. If the Scope of Work is modified for future assignments, the remuneration etc. will be decided as detailed in the RFP.

2.2 The implementation of the services of the IS Auditor will be as per a mutually agreed Implementation and Security Integration Schedule to be finalised between the parties.

2.3 The IS Auditor acknowledges and confirms that it shall endeavour to comply with and abide by the agreed Schedule to the best of its abilities.

3. PRICE:

3.1 For each audit assignment the Bank shall pay a total sum of Rs. ………. (Rupees ………………….. only) exclusive of taxes for the services rendered by the IS Auditor. The contract amount will remain the same for subsequent such audits/ assignments that may be entrusted by the Bank during the tenure of the contract/ agreement.

3.2 The above amount of Rs. …………… is towards payment of the professional fees of the IS Auditor and applicable taxes will be paid in addition to the above mentioned amount. (TDS as per applicable laws).

3.3 The IS Auditor confirms that there shall be no further amounts payable by the Bank to the IS Auditor on any account whatsoever, other than that provided under 3.2. In the event of any additional amount of money being required to be paid in respect of the services being rendered by the IS Auditor to the Bank, such monies, if any, shall be paid by the IS Auditor only.

3.4 The amount of Rs. ……… and applicable taxes shall be paid by the Bank to the IS Auditor in the following manner:

100% after the successful completion of the audit assignment, payable by cheque favouring M/ s ……………………..

4. QUALITY AND COMPLIANCES:

4.1 The IS Auditor shall engage / employ the services of qualified CISA / CISSP professionals only. Such professionals shall have requisite prior expertise / experience in Information Systems and Security Audits. Also the IS Auditor shall abide by the responsibilities as detailed in RFP.

4.2 It shall be the responsibility of the IS Auditor to ensure full and complete compliance with all the requirements and guidelines of the Reserve Bank of India and / or any other appropriate authorities regarding the standards set out for the Information Systems Security Audits, Penetration Testing & Vulnerability Assessment. Bank reserves the right to inform IBA/ GOI/ RBI in case any major vulnerability, which is not brought out by the I S Auditor during the security audit, is noticed within 6 months from the date of such security audit.

4.3 It shall be the responsibility of the IS Auditor to ensure full and complete compliance with all the requirements and applicable laws, rules and / or regulations, as applicable in India, regarding the standards for Information Systems Security Audits, Penetration Testing & Vulnerability Assessment.

4.4 The I S Auditors will have to audit the Security Architecture / carry out Penetration Testing & Vulnerability Assessment at the designated locations within the mutually agreed time period specified for this purpose by the Bank.


5. OTHER OBLIGATIONS OF THE IS AUDITOR:

5.1 The IS Auditor shall not, without the Bank’s written consent, disclose the contents of this Agreement and / or any specifications, information and / or documents furnished to the IS Auditor by and / or on behalf of the Bank and / or which may come to the knowledge or in possession of the IS Auditor in the course of the implementation of its services either relating to the Bank and/ or its customers etc., to any third party other than such person(s) as would be employed / engaged by the IS Auditor for the fulfilment and performance of its obligations and responsibilities under this Agreement.

5.2 Any disclosure of any information, by and / or on behalf of the IS Auditor to such person(s) as mentioned above, shall be subject to further non-disclosure to any other person(s) and it shall be the responsibility of the IS Auditor to ensure that such person(s) to whom the IS Auditor may disclose any information shall comply, in all respects, with the requirement / obligation of non-disclosure to any other person(s).

5.3 All information and / or documents, which may be furnished to the IS Auditor by and / or on behalf of the Bank and / or which may come to the knowledge or in possession of the IS Auditor in the course of the implementation of its services, shall, at all times, remain the property of the Bank and the IS Auditor shall have no rights, of whatsoever nature, in respect thereof.

5.4 All information and / or documents, which may be furnished to the IS Auditor by and / or on behalf of the Bank and / or which may come to the knowledge or in possession of the IS Auditor in the course of the implementation of its services, shall be utilised / relied upon by the IS Auditor, solely, for the purposes of the implementation of its services only and for no other purposes of whatsoever nature.

5.5 The IS Auditor is aware, admits and acknowledges that any breach, of whatsoever nature, in respect of the any of the terms above, shall be viewed seriously by the Bank and the IS Auditor shall be liable for the consequences of such breach as set out elsewhere in this Agreement.

6. INDEMNITY:

6.1 The IS Auditor is aware that, for the purposes of the implementation of its services, it is required to deal with extremely sensitive and confidential data, information, documents, systems, etc. Hence, the IS Auditor does hereby indemnify and shall keep the Bank indemnified at all times from any loss, claim, damages, etc., caused to and / or suffered by the Bank due to any loss or damage to any data, information, documents, systems, etc. and any violation of any of the terms of this agreement including the secrecy, that may be caused due to or may arise out of any negligence or fault or acts of commission or omission on the part of the IS Auditor and/ or the persons engaged by IS Auditors.


7. BREACH AND CONSEQUENCES THEREOF:

7.1 Any default on the part of the IS Auditor in complying with and / or in fulfilling any of its obligations set out in this Agreement, including timely completion of the audit, confidentiality and non-disclosure, etc., shall constitute a breach of this Agreement.

7.2 In the event of such a breach on the part of the IS Auditor and the same remaining un-remedied / un-rectified for a period of 30 days from the receipt of Notice thereof from the Bank, the Bank shall be entitled to either, forthwith, without any Notice, terminate this Agreement and / or claim Damages from the IS Auditor.

8. GOVERNING LAWS & DISPUTE RESOLUTION:

8.1 This Agreement and all issues between the parties shall be subject to the laws of India.

8.2 All disputes and differences of any kind whatever arising out of or in connection with the purchase order shall be referred to arbitration. The arbitrator may be appointed by both the parties or in case of disagreement each party may appoint an arbitrator and such arbitrators shall appoint an Umpire before entering on the reference. The decision of the Umpire shall be final. Such arbitration shall be governed by the provisions of Indian Arbitration and Conciliation Act 1996.

8.3 Only the Courts in Udupi shall have exclusive jurisdiction over all matters arising out of or connected with this Agreement.

9. MISCELLANEOUS PROVISIONS:

9.1

9.1.1 In spite of any disputes / differences having arisen between the parties, the IS Auditor shall be obliged to continue to provide its services under this Agreement unless terminated by the Bank and / or called upon by the Bank to cease to provide its services and / or the nature of the disputes / differences is such that the IS Auditor cannot possibly continue to provide its services till any interim order / final decision is obtained from the Arbitrator / court.

9.1.2 Irrespective of the above the Bank can terminate this Agreement by giving 15 days notice without assigning any reasons.

9.2 All Notices issued by one party to the other under this Agreement shall be sent in writing, by registered post or hand delivery or cable or facsimile (in case of the last two, to be confirmed later in writing), and shall be effective on the day of receipt thereof by the party to whom it is addressed or on the expiry of the 5th day from the date when issued by the party addressing the Notice, whichever is earlier.

9.3 Any amendment to this Agreement shall be effective only if it is in writing and is executed by both the parties.

9.4 Either party shall not be liable for any delays or non-performance of any contractual obligation caused due to war, blockage, revolution, civil unrest, riot, strikes, acts of God, plague or other epidemics, fire, flood, acts of Government, or any other like event, beyond the control of the concerned party, which directly or materially or adversely affects the ability of the concerned party to fulfil its obligations and / or responsibilities.


9.5 In the event of a Force Majeure situation, as stated above, the concerned party shall, promptly, inform the other party, in writing, of the existence of the event and shall, simultaneously, attempt to find out alternative means to fulfil its obligations and / or responsibilities.

9.6 If the event of Force Majeure continues for a period of more than 30 days then the Bank shall be entitled to terminate this Agreement and the IS Auditor shall be entitled only to pro-rata payment for the services rendered by it till the date of commencement of the Force Majeure event.

9.7 All other issues, not specifically provided for in this Agreement shall be governed as per the prevailing laws of India.

9.8 It is clearly understood by the parties that the RFP is a part of the Agreement and shall be referred to in case of any doubt and / or dispute. The provisions of this Agreement shall prevail in case of any inconsistency.

9.9 The IS Auditor will abide by the security policy of the Bank as applicable to them.

9.10 The IS Auditor would use only tools for which they have a valid license and / or free tools which do not require any license.

IN WITNESS WHEREOF, the Parties hereto have affixed their respective stamps and signatures on the date first hereinabove mentioned.

For SYNDICATEBANK                                For M/ S. ………………………
(Authorised Signatory)                           (Authorised Signatory)

Witness :
1)
2)

***********


Annexure 16

Performance Bank Guarantee format

To,
The General Manager
SyndicateBank
Inspection Department
Head Office
Manipal-576104

WHEREAS ( ) has undertaken, in pursuance of the contract no. / Purchase order no. ______ dated _____, to, inter-alia, conduct Vulnerability Assessment and Penetration Testing as per the contract document (hereinafter called "The Contract"), dated ____

AND WHEREAS it has been stipulated by you in the said contract that ________ shall furnish you with a performance bank guarantee by a recognized bank for the sum of Rs. _____ specified therein as security for compliance with the ___________ performance obligations in accordance with the contract.

AND WHEREAS we have agreed to give you the guarantee on behalf of _______________.

THEREFORE WE hereby affirm that we, as guarantors, are responsible to you, on behalf of _________, up to a total of Rs. _____, and we undertake to pay you, upon your first written demand declaring __________ to be in default under the contract and without cavil or argument, any sum or sums within the limit of Rs. ______ as aforesaid, without your needing to prove or to show grounds or reasons for your demand or the sum specified therein.

This guarantee is valid until the _____________ (Date).

"All rights and obligations arising from this guarantee shall be governed by the laws of the Republic of India."

Notwithstanding anything hereinabove contained, including what is stated in the clauses thereof, our liability under this guarantee is restricted to Rs. ______ and shall remain in force until _____________ (Date). Unless a demand or claim under the guarantee is lodged with us in writing at Bengaluru on or before ____________ (Date), all your rights under the said guarantee shall be forfeited and we shall be relieved and discharged from all liabilities hereunder, whether or not this document is returned.

Place: Manipal
Date:
