Response to Queries Received for RFP of Security Integrator - Tender No. 63

Transcription

1 Sr.N RFP Clause Original Query Reply/Remark o. 1. Perform Incident Management with respect to the following: For Forensic Analysis of logs Please clarify the systems/devices Contain attacks through for which log analysis is required. configuration of security Whether this includes network devices after prior approval system /devices or just only Forensic Analysis based on logs captured in the system security devices. Evidence collection for legal and Root cause analysis & suggest regulatory purposes- please clarify long term controls the extent or scope of evidence Evidence collection for legal collection and possible sources. Analysis of all the logs so obtained. and regulatory purposes Analyse and report incidents based on severity Escalate incidents as per process 2. Configuration of IPS and Firewall Does SI needs to manage security Please be guided as per RFP Configuration and Management of IP operations procedures like addresses, routing information, change, Config, patch and security routing tables, Multicast configuration Fault management along with for the Device operations reporting and monitoring of Patch implementation security devices? Weekly backup of configuration of all devices Configuration backup before making any changes 3. Objectives of having SI : Assist and guide the Bank to address the audit points especially the VA and Penetration test results. Does PNB requires periodic VA and PT to be conducted by SI or only assistance for GAP closure is expected? For any Incident attempt / happened, then log / evidence collection & forensic analysis for traversal through all nodes / Servers / Router / hops of PNB Advise the necessary collection of logs from 3rd party, if any. SI is expected to assist for Gap closure. 4. Does PNB looking for compliance -It is expected that SI is aware of Regulatory requirements like PCI DSS 2? requirements and best Banking practices 5. Scope of Work L1 and L2 support required at DC Please be guided by RFP 1 P a g e

2 Configuration, maintenance & monitoring of end-to-end security solutions (including products, appliances, monitoring consoles, Security log/data storage devices, Security appliance management servers etc) in the entire network of the bank. 6. Para 3- Brief The IT resources of the bank at DC and DRS are protected with perimeter defense appliances/ equipments. Checkpoint Firewall with Check point boxes and CISCO firewalls along with Intrusion Prevention System are installed in active-active and failover mode. for managing PNB end to end security solutions? Number of security devices i.e firewall/ips etc. 7. Misc. para (c) - Proposed locations for L1 and L2 engineer 8. Misc. para (h) Whenever, SI shall have Would the role require visiting to travel outside NCR for solving the PNB branch location or is static at Bank s issues at remote location, he will be paid TA/ DA as per the one location entitlement of Scale- II Manager in the Bank. 9. Misc. para (c) - One L2 Engineer should be available during banks business hours from 10 am to 8 pm on all days except all holidays and for the remaining period, one L1 engineer will be available for providing 24*7 services. 10. Misc. para (c) They (L1 & L2) will be the first point of contact and their efforts are to be supplemented and supported by expert team of the Number of onsite L1 and L2 engineer required in liason with PNB, Regional Rural banks and subsidiries banks. Is the back-end Support team for onsite engineer be part of Security operation centre Security devices like Firewall, IPS, SSL VPN approx 35 in number, however the scope covers for any number of devices those may be added/replaced in future. Security Integrator stationed at Data Centre New Delhi. They sometime require outside visit Availability is expected for L2 engineer from 10 AM to 8PM on all days except holidays. Availability of L1 engineers is expected on all other times 24*7 including holidays, except above timings when L2 is available. Please be guided by RFP item No. Misc ( c ). 2 P a g e

3 company at the backend. 11. RFP- Obligations of Successful Bidder- Para C. Does SI can manage the PNB end to end security solutions from their own premises using secure channel? Please be guided by RFP (Page-24) 12. Does PNB allows to access HLD and LLD documents to review network and security solution off premises to be managed and to which new deployment has to done? 13. What new devices are to be integrated in the network 14. Does PNB going to supply VA/PT tools? 15. Does PNB allows application security review and testing off premises? 16. Eligibility Criterion notings -> that current IS Auditors/ Network Integrator of the Bank will not be eligible to bid. -> that the successful bidder (once appointed Security Integrator) shall not be entitled to submit tenders for appointment of Security Auditors/ Network Integrator. 17. Eligibility Criterion - Bidder should have a minimum 3 years experience in implementing Information Security either as security integrator, or security implementer in Will the successful bidder be allowed to bid for other security RFP from PNB in future except auditor Is it one client having multiyear contract with bidder will do or PNB requires multiple client experience in 3 year NO, Generally on-site review. May be given offpremises at discretion of Bank with NDA in force Any Security / Network device or application VA PT is not expected to be done by SI No Please be guided by RFP Successful bidder will be allowed to bid for all RFPs of PNB except Security Auditor / Network Integrator. A total of 3 years experience within given RFP Eligibility Criterion. 3 P a g e

4 any large organization which have its offices/branches at least in the National Capital region Delhi and Mumbai with wide area network, intranet and internet as well as demilitarized zone and security equipments like firewalls, IDS and IPS. Out of 3 years experience, at least 1 year s experience should be in a reputed/large organization. 18. Point No. 3, Brief of existing setup Required the Detail list of IT Infrastructure (No. Of Servers, Routers, Firewall) 19. Under Introduction Required more information about the applications (No. of applications, Size, Purpose, No. of Pages) 20. Point No. 3, Brief of existing setup Are the new servers and applications will be added in the future? Security devices like Firewall, IPS, SSL VPN approx 35 in number, however the scope covers for any number of devices those may be added/replaced in future. For Servers, Routers, please be guided by RFP. Please be guided by RFP. Yes. -- All additions / changes will come under the scope for SI vetting / recommendations. 21. Security Integrator to Review/ Suggest on the following activities 22. Security Integrator to Review/ Suggest on the following activities Will they come under the scope of work Is vetting of the network architecture is a one time activity or a periodic activity IS application security based on black box testing or grey box Vetting is regular as well as periodic activity. Be guided by the scope of RFP. 4 P a g e

5 (Page-10) 23. Security Integrator to Review/ Suggest on the following activities (Page-10) 24. Under Eligibility Criteria:- The successful bidder (Once appointed Security Integrator) shall not be entitled to submit tenders for appointment of security auditors/ network integrator testing Is development/testing environment is also part of scope Ours is WAN service providing company, If we will be appointed as security integrator, Will we be eligible for providing our other services to bank (Like Connectivity (MPLS/LL/BB, Hosting Services, Other services of us) Be guided by the scope of RFP. Please be guided by RFP Successful bidder will be allowed to bid for all RFPs of PNB except Security Auditor / Network Integrator. 25. Ref. EMD in the form of DD or pay order. We would like to request PNB to accept EMD in the form of Bank Guarantee 26. Ref. Page 9, Scope of Work section. Do you have tools for doing forensic analysis? We would like to know full scope of work in Forensic Analysis. Our understanding is that we have to do Forensic Analysis only for the logs. Please confirm. If not so, please elaborate on the scope of Forensic Analysis. EMD in the form of Bank Guarantee not accepted please be guided by RFP. No forensic tool available with the Bank. (Refer to answer of query no. 1) Other scope given in RFP and please be guided by the same. 5 P a g e

6 27. Ref. Page 9 Perform Incident Management Forensic analysis based on logs captured in the system Q:- Please provide details of the SIEM tools deployed and capabilities configured. Q:- Please provide detail on average number of Security incidents in last 3 months? Q:- Do you want us to suggest or bring our tools? Details would be shared with successful bidder only. Details would be shared with successful bidder only. Yes, the successful bidder to suggest configuration changes / improvement of existing SIEM tool. 28. Ref. Page 10 Security Devices Review & Management Q:- Provide list of the devices under scope (make/model/quantity) Q:- Do we have to provide L1 & L2 resources based out of Delhi - Security devices like Firewall, IPS, SSL VPN approx 35 in number, however the scope covers for any number of devices those may be added/replaced in future. - For Applications, Servers, Routers, please be guided by RFP. - Service Provider will arrange qualified & competent resident engineers as per skill sets mentioned. Security Integrator stationed at Data 6 P a g e

7 29. Ref. Page 10 or other locations as well. Please specify all location. Q:- Are you open to have remote management support from Vendor NOC? Q:- Can you provide detail of number of tickets per month 1. Incident tickets 2. Change Tickets 3. Configuration request This information will help us plan L2 resources to manage the environment. 30. Ref. Page 11 daily Activity Request you to share existing daily checklist to be performed every day? 31. Page 13 - (h) Whenever, SI shall have to travel outside NCR for solving the Bank s issues at remote location, he will be paid TA/ DA as per the entitlement of Scale- II Manager in the Bank. Centre New Delhi as per Misc Para ( c ) of RFP. - No remote management from outside PNB allowed. Please be guided as per clause Misc ( c ) Page 13 The required information will be shared with successful bidder. Details given at Page of RFP. Rarely, once-twice in a year. However scope is unlimited. Q:- How frequently such visit will be there in a month? Does it include near to NCR or 7 P a g e

8 anywhere across India? 32. Ref. - Page 9 Security Integrator to Review/ Suggest on the following activities: Suggest the requisite control measures for monitoring, reporting, control selfassessment of various security components for various banking channels like CBS, ATM, Internet banking, Mobile Banking etc. and the related card based technology (debit, credit & smart cards) and the associated threats addressing security concern including cyber security. Regular on-going activity, on addition of new application or on review of information security measures. Query: What is the frequency of the above activity? 33. Ref. - Page 10. To review the various processes of the centralized application, other applications Regular on-going activity, on addition of new application or on review of information security measures. 8 P a g e

9 like card issue and pin issue etc. and the operational risk associated on a continuous basis and suggest mitigation & resolution. Query: What is the frequency of the above activity? 34. Ref. - Page 10. Review the existing information security infrastructure on all the business applications across the bank and other security postures of the bank and its subsidiaries as and when required by the bank vis-à-vis the business requirements of the Bank and regulatory standards, guidelines and best practices. 1. Regular on-going activity, on addition of new application or on review of information security measures. 2. Specific business requirement would be shared with successful bidder, however SI is expected to have broader knowledge and best practices. Query: 1. What is the frequency of the above activity? 2. It is assumed that the business requirements of the bank, regulatory 9 P a g e

10 requirements and guidelines would be shared by the bank. Pls. confirm 35. Ref. - Page 10. For improving network and IT resources availability, integrity & Confidentiality keeping in view the application architecture and access requirement. Query: 1. What is the frequency of the above activity? 2. Is this limited only to suggestion or implementation also? 36. What is the scope of the penalty? Does it include to the points listed under Security Integrator to Review/ Suggest on the following activities in page 9 of the document? 37. Annexure 4: We would like to have clarity on the Performance Certificates to be submitted 38. Ref. Annexure 4 Experience: vendor has experience providing security solutions to 1. Regular on-going activity. 2. Suggestions and implementation both. Please be guided by RFP. Name of organizations served by company for Info security with duration and Order values Please be guided by Eligibility Criterion in RFP. 10 P a g e

11 multiple organizations outside India including Fortune 10. Request you to accept such experience as part of Annexure 4 as we do not have similar experience with clients in India. 39. Ref. Page 12 Miscellaneous clause c): They will be the first point of contact and their efforts are to be supplemented and supported by expert team of the company at the backend. Q. We assume that the backend engineers will be providing support to resident engineers remotely. Is this support expected 24x7 or during prime support hours of 10 a.m. to 8 p.m.? Q. Do you need dedicated resources for remote support or shared resources would be acceptable? Q. The RFP mentions only L1 and L2 engineers. Does PNB already have L3 engineers that will be escalation points for L1 and L2 engineers? - Backend engineers support required on call basis any time on 24x7 basis - Shared resources would be acceptable as long as PNB is assigned top priority. - PNB does not have L3 engineers. (Refer Point no. 15 regarding SLA in RFP Page-21) 11 P a g e

12 40. Vulnerability and Pen test mentioned on page 31 and page 11 of RFP document. Q. Who is responsible for conducting Vulnerability assessment and Pen test (VAPT)? If bidder is expected to do VAPT, can he do it remotely or you have a team that does VAPT? 41. Ref. Page 20, clause 14. We would like to request you to elaborate on the uptime requirement and how do you define down time? Is bidder responsible for SLAs for devices that are not managed by it. If yes, kindly elaborate SI is not expected to conduct VA / PT. Please be guided by RFP. Directly management of Info security devices but any downtime happening due to omission - commission by SI within its work scope. 42. Bank reserves the right to extend the contract for additional one year after expiry of this contract. The terms and conditions of the contract for extended period shall be negotiated with successful bidder at the time of award of the extension. Note: 1. No further queries will be entertained by the Bank. 2. Last dates remain the same i.e. there is no change in last date for bid submission for RFP. 12 P a g e