BANKA SOCIETE GENERALE ALBANIA

Transcription

1 BANKA SOCIETE GENERALE ALBANIA Request for Proposals (RFP) for: Penetration Test on Core Banking System Issued on May 10 th, 2016 Deadline for Response: May 24 th, :00 CET 1

2 1 Objective of the RFP BANKA SOCIETE GENERALE ALBANIA is inviting eligible local and international companies to submit a proposal for: Penetration Test on Core Banking System. As a result of this solicitation, BANKA SOCIETE GENERALE ALBANIA expects to award one fixed price contract per the selected supplier. A fixed price contract is a contract for services that will result in concrete deliverables provided to and accepted by BANKA SOCIETE GENERALE ALBANIA. As the name implies, the price of the contract is fixed and it is not subject to any adjustment on the basis of the Contractor's cost experience in performing the work, thereby placing full responsibility for all costs and resulting profit or loss on the Contractor. Note: Partial bidding is NOT allowed in this RFP and such offers will NOT be accepted.! Subcontracting will not be allowed during the realization of the contract. 1.1 Contacts and communication This Request for proposal is piloted and coordinated by the General Resources Department of Banka Societe Generale Albania. The contact for any information during this process will be through on the following mention address and authorized discussions will be organized with each supplier if needed. Any question regarding the content or technical requirements must be submitted, solely by electronic messaging, to: Procurement Unit procurement.al@socgen.com All participating suppliers will receive a copy of all questions relative to the invitation to tender process, the content of the specifications and their responses, which will be sent to the contact details indicated in the acknowledgment of receipt for the invitation to tender documents. (Appendix 1) Questions must be submitted before May 17 th, 2016 at the very latest. Beyond that date, no response will be provided. 1.2 Return of the Proposal The paper version of each bidding supplier s proposal must include the following elements, to be uploaded in the Procurement Platform Sourcing Hub as per instructions in the Suppliers Guide: 1. Signed and stamped copy of NDA (Appendix III). Failure to deliver this document will result in immediate disqualification from this tender; 2. General presentation of the company; 3. A planning (including follow-up meeting). 4. The deadlines and the detailed costs (including travels costs). 5. A presentation of the stakeholders, their role and the time they will spend on the mission. 6. A Typology of the attacks that will be performed as well as the list of the tools that will be potentially implemented. 2

3 7. A description of the technical needs (exclusive availability of the platform, availability of the administrators, specific needs...). 8. A technical description of the penetration tests and the controls perform during the audit. 9. Means available (laboratory, specific devices ). 10. References of past missions on Delta Amplitude or other comparable core banking solution regarding penetration testing, (as per our format Appendix II) 11. An explanation on how will be managed the confidentiality of the results during and after the mission. 12. Last Year s Financial Statement certified by an Auditor; Important Note: Document Nr. 1; 3; 4; 7 and 8 are mandatory to be provided. Failure from the participants to provide these documents will lead in disqualification from the Tender process. Important Note: Failure from the participants to provide the rest of documentation required above, leads to application of penalties in the result of scoring points. We must receive the proposals on or before May 24 th, :00 CET, in the Sourcing Hub Platform in the following Internet Address: Proposals arriving after this deadline will not be taken into consideration. The supplier is free to provide any additional relevant information not covered by this RFP or an alternative proposal if considers them more tailored to the Client. Such items will be submitted as attachments to the proposal. Banka Societe Generale Albania reserves the right at any time, to: Stop, or not follow up this RFP for reasons which may not be disclosed without reparations; Send a 2 nd RFP if the first one is incomplete or unsatisfying without reparations; Sign a contract only on a reduce part of the RFP purchase scope. Sign a contract with more than one company for different section part of current RFP. 1.3 Supplier s obligations Even if the contract will be further defined when finalized with the selected Supplier, it is reminded that this RFP aims to bind it to an obligation of results (and not solely of means). That is why the Supplier shall perform the agreed services (both for technical and organizational aspects), this namely means bringing its experience and expertise. The Supplier is the sole responsible entity for involving the right means and methods to achieve this goal (number of employees involved, devices qualifications, etc ). NOTE: The SGAL reserves the right to discontinue the RFP Process at any time with no financial compensation, and makes no commitment that this process will result in a business transaction with one or more third parties. 3

4 1.4 Financial proposal The financial proposal of the bidder should be quoted in Albanian Leke or its equivalent in Euro, will have to be valid for three months as of the date when the offer is received by the Banka Societe Generale Albania. In the Section Financial Proposal in Sourcing Hub Platform, will be included the financial proposal layout that you should submit. Financial Proposal for Preventive maintenance should have the following Layout: The financial proposal delivered to us should have the following layout. Nr Main service Price of Service Number of days 1 Penetration testing according to point 4 (Section 2), Organization of Penetration testing Note: The prices at financial proposals should have specified if VAT or other taxes are included or not. Your proposal will be considered as the best response that you can provide. After a detailed analysis of the proposals, only the most competitive suppliers according to the selection criteria established will be selected to participate in the negotiations that will lead to an eventual one year contract as the Banka Societe Generale Albania service provider for the goods and services described below. 4

5 2 Technical and Functional Requirements 1 Presentation of the Mission Delta Amplitude which is edited by Sopra is a core banking solution that has been historically deployed in Société Générale's subsidiaries to manage the core banking business. This solution handles business data as well as banking information related to its customers. The scope of this request for proposal includes penetration tests on the Delta Amplitude solution. The objective of the audit is to identify the risks and potential vulnerabilities related to appliances setup supporting the Delta Amplitude architecture. Communication protocols, system, applications and functionalities will be assessed to identify potential vulnerabilities. The audit carried out shall allow assessing the global level of security of the solution and in particular the security of information handled and accesses to the solution. The simulation of the behaviour of an attacker (internal and external) may be performed to identify and exploit flaws leading to the compromising of the solution. The solely use of automated tests will not be considered as penetration testing. In that context, the customer requests the support of the contractor regarding technical, security and functional expertise. 2 Functional Scope The functional scope of the Delta Amplitude solution includes the following fields: 5

6 3 Objective of the Mission and Expected Outputs The purpose of this request is to highlight technical and functional vulnerabilities, to assess their level of criticality as well as their business impact and to provide recommendations to patch the vulnerabilities that would have been identified to increase the global security level of the system. The suggestions below may apply depending of the architecture provided: Research and exploitation of network vulnerabilities Architecture design Components robustness Protocols configuration Access controls Research and exploitation of system vulnerabilities Systems configuration Access controls Components robustness Risks related to super users (privileged profiles) such as developers, administrators... Research and exploitation of applicative vulnerabilities URL interpretation Lack of control of users inputs SQL code injections Attacks on session identifiers Cross Site Scripting Authentication mechanisms relying on Java, JavaScript or ActiveX Access control based on the header HTTP_REFERER Lack of re authentication Wrong management of user context Attacks on client s side Man in the middle Research and exploitation of fraud possibilities (both internal and external) Implementation of 4-eyes type controls Management of toxic combinations at roles level Implementation of technical trails / logs Implementation of audit trails 6

7 Field of Analysis ISS risks assessment Fraud risks assessment Description Identification and assessment of the risks from the analysis of the vulnerabilities and the weaknesses of the solution Delta Amplitude and the security requirements. The meaning for these vulnerabilities is the potential modification of one or several security criteria regarding availability, integrity, confidentiality and proof for the information managed by the solution Identification and assessment of the risks related to the theft of information or to the malicious usage of sensitive functions. This item includes audit trails and technical traces mandatory in the context of fraud management. The technical scope of the penetration tests exclude: The ecosystem: any action targeted against appliances that are not directly involved in the solution (AD servers, NAS, WSUS, intranet and internet servers ) Administrative workflows: clearance requests/validation, application request forms Additional expectations will be detailed in the coming sections. Information related to the technical architecture will be provided following the selection of the contractor. 4 Organisation of Penetration Testing 4.1 Constraints Related to Production Environments The environment to be audited will be the production platform. Any operation that might impact the mutualised components of the platform will require the formal agreement of users impacted moreover these operations may have to be performed in specific timeslots. As a consequence these audits might be organized outside opening hours. It may be requested to run neither destructive actions nor DDoS attacks. 4.2 Introduction to the Technical Architecture Interfaces testing must allow assessing the exposure to threats, mainly external, of the solution. Applications are mostly hosted on two AIX servers which constitute the two nodes of a HACMP 1 cluster. One server is dedicated to Delta Amplitude and the second one to an Oracle database gathering the business information exploited by the solution. Currently, to ensure availability, each node includes both of the features to guarantee a fast and efficient recovery of the solution in case of failure of one of the node. Exchanges with the applicative server may be performed in different ways: 1. From a user workstation using Genero Desktop Client, 2. By the mean of a SSH access for the functional administrators of the solution (user accounts management), 3. Thanks to dedicated «interfaces» allowing for instance exchanging files embedding orders to handle potentially via FTP(s) or NFS connections. This includes also accesses with thin clients to the Delta Portal module or ODBC accesses performed by other applications. The objective is to ensure that components conform to the security requirements and that they are adequately implemented to ensure the sustainability of the solution. 1 High-Availability Cluster MultiProcessing 7

8 4.3 Penetration Testing Those tests must assess the robustness of security components implemented against attacks requiring a high level of skill (cf. Annex A - Charter related to penetration testing). Two distinct phases are expected: 1. First, a blackbox approach: the evaluator has no information on the system assessed (context example: lost or theft of a mobile device, intrusion in the facilities, intrusion attempts relying on internet SG website...) 2. Second, a withbox approach: the evaluator is given detailed information on the solution and a business profile is provided (context example: privilege escalation, internal fraud, handling errors ) The final report will include: All intrusion attempts performed (successful or not), A timestamp related to each operation performed, The list of weaknesses that have been found, Details on how to exploit the weaknesses identified, Explanations regarding associated risks and how to mitigate them, Attacks scenarios (potentially combining several vulnerabilities) with the associated risks. 4.4 Operating Mode / Actions Expected Generic operating mode: Initialization (meeting) Analyse of the scope Information gathering Cartography Research of vulnerabilities Exploitation of the vulnerabilities Privilege escalation Hiding of the traces (Malicious) Accesses maintenance Propagation Report writing Report presentation The following actions will be undertaken: A single internal interface will be appointed to manage the relationship with the contractor. The contractor will also appoint a single interface for the same purpose. A kick off meeting. A weekly follow-up meeting. A technical synthesis meeting with its detailed supportive documents An executive synthesis meeting may also be requested. 4.5 Expected Deliverables The customer expects the following deliverables in English: A detailed audit report describing all the tests, their results and the vulnerabilities that have been discovered as well as the scenarios ranked by risk level (decreasing) with their counter measures. A technical synthesis meeting. A potential executive synthesis meeting. 8

9 Those deliverables will allow: To provide information elements to the teams in charge of the security of the Delta Amplitude solution and to IBFS senior management on the adequacy of the security measures implemented in the context of the Delta Amplitude solution. To define technical implementation guidelines related to the Delta Amplitude solution. To update the generic security folder of the Delta Amplitude solution. Care will have to be taken regarding the completeness of the explanations provided. 5 Rules of the Consultation 5.1 Objectives An answer is expected for each item of chapter 2 and 4 that will be part of the global delivery expected by SGAL. 5.2 Non Disclosure Agreement The provider will commit himself in performing this mission in a confidential way and in keeping confidential any information gained or discovered during the mission. The provider will commit himself to not revealing the information found. The provider will commit himself in describing all the flaws that have been found as well as the processes allowing exploiting them. The major weaknesses found during the test phases will have to be pointed out immediately to the CSO of the entity impacted and to IBFS CSO (using the confidentiality means agreed at the beginning of the mission). At the end of the mission, the provider commits himself in providing and destroying all the confidential information or not that would have been provided or discovered during the mission. This commitment will be formalized in the contract and must be formalized through a dedicated section in the provider's proposal. The provider must also commit himself in not damaging the hardware and software used during the mission. The hardware lent by IBFS for the sake of the mission must not leave the facilities and must be returned to the person accountable for the mission at the end of the audit. Should the provider be accountable of any kind of damage, then the provider commits himself in informing as soon as possible the person accountable for the mission at SGAL, by phone and in writing. 5.3 Security Requirements Because of the sensitivity of the information that may be handled by the information system of the provider during the mission, the provider commits himself to ensure the physical security of the facilities and in particular to implement the following rules: Access segregation to the various facilities (the infrastructure is separated in several security areas, implementation of adequate devices in particular to control employees traffic in providing specific access rights. These access rights may be linked to workstations and to the level of accountability), Physical access control to the facility, Formalized clearance of the stakeholders Because of the sensitivity of the information that may be handled by the information system of the provider during the mission, the provider commits himself to ensure the logical security of its 9

10 infrastructures, in particular regarding the availability, the confidentiality, the integrity and the traceability of: The storage and the handling of the information provided by the customer, The storage of the information gathered during the audit, The destruction of the information upon Société Générale request. From a general point of view, the provider will have to implement adequate technical and organizational means to ensure the security of customer data including accidental or non licit destruction, accidental loss, alteration, the broadcast or the unauthorized access, in particular in the context of the transmission of information on the network as well as against any kind of non licit handling. 6 ANNEX A : Charter Related to Penetration Testing: Penetration testing practice Penetration testing is an iterative process simulating a network attack led by an external attacker or a malicious user and which rely on the identification and the exploitation of any technical vulnerability. Penetration testing constitute a preventive measure whose purpose is to identify weaknesses or flaws of a given security system to patch them before any abuse or malicious act. The goal of penetration testing is more to provide recommendation to increase the level of security of the system targeted and to avoid actual intrusions rather than the intrusion itself in the system. The document herein frame the operations performed in the context of a penetration testing mission and act as a deontological guideline for the stakeholder denoted aggressor. Intervention agreement The stakeholder aggressor must have received the customer agreement. A written agreement of the customer is required before starting the operations. This agreement may have the format of a mission letter that limits over the time the duration, the means, the target and the scope of the mission. Availability of the system The stakeholder aggressor must not impact the availability of the system to assess. Should a denial-ofservice type of attack exists, this must not lead to the unavailability of the system. Integrity of the system The stakeholder aggressor must not impact the integrity of the system assessed. No modification of applicative data shall be performed (e.g. database content...) Modifications related to programs, processes, parameterisation, rights performed in the context of penetration testing must be communicated to the customer that will immediately restore the system integrity. Should a data modification or deletion be non reversible, then a formal written approval from SGAL must be granted before any action. Confidentiality of information The stakeholder aggressor must ensure the confidentiality of all the information accessed. He must not store data inside or outside the system assessed, he does not look for documents on the information 10

11 system of its customer whatever the criteria, he neither keeps nor extracts documents (whatever the format) from the scope whose he has been assigned. At the end of the mission, the provider will have to destroy all the information gathered during the mission. A secure exchange mechanism will be agreed between stakeholders at the beginning of the mission to ensure the security of data exchanged. Trace of interventions The stakeholder aggressor must maintain an exhaustive list of the actions led taking care to associate a timestamp with each action so that its responsibility may be excluded in case of a simultaneous attack. A minute of meeting must be endorsed by all the stakeholders at the end of the mission. This document will at least describe the size of the reports provided, the tasks that have been performed by the provider, the name of the participants and the duration of the mission. Intrusion feedback The stakeholder aggressor must provide a feedback simultaneously to the sponsor of the mission and a third party authority that has been defined at the beginning of the mission. 7 ANNEX B : Documents Provided for this Request for Proposal SGAL will provide to the selected contractor the following information: Contact information of the internal interface for this mission, Contact information of selected technical referents, Relevant architecture elements regarding whitebox testing, The location of the solution Delta Amplitude, Two business profiles in the context of whitebox testing, - 1 standard user profile - 1 privileged profile ANNEX C : Audit Matrix CBS Questions At the end of realization of the Penetration Test, the Winner will provide to SGAL, appart of the Audit Report, also the answers for the below Audit matrix CBS with 80 questions. Audit matrix CBS.xlsm 2.2 Reporting The contractor reports to the Head of IT Department and/or his/her designee and will work closely with him and other specialist of his department. 2.3 Timing and Budget Guidelines The assignment is expected to commence on June 2016 or as soon as agreement to the Technical and Financial proposal is reached and a contract signed. The contract will be valid for the entire duration of the project and no price changes is allowed during this period. 11

12 3 General terms 3.1 Confidentiality clause This RFP constitutes confidential and proprietary material of Societe Generale Albania and shall not be disclosed in whole part by the Suppliers to any third party. Besides, it shall not be duplicated or used by Suppliers for any other purpose than to supply a response to this RFQ. The confidentiality of this document will remain whatsoever you decide to answer to this RFP or not. 3.2 General principles The submission of a proposal implies that the bidders accept the present specifications. However, these specifications only represent a minimum that is to be respected. The proposals will be signed by a person authorized to take on commitments for the bidding company. Only proposals that strictly comply with the obligations of the present specifications, considered as minimums, will be taken into account. In their offers, the bidding service providers declare their familiarity with the service(s) that is/are to be provided, and will refrain from, after the submission of their proposal, arguing with regard to provisions, constraints or special conditions of any kind that they may have overlooked. The Bank reserves the right to not take into consideration any response that is incomplete or does not comply with all of the demands, requirements and constraints expressed by the Bank as part of the present consultation. The bidding service provider undertakes, as a result of its response to the request, to not claim from the Bank any cost for preparation, proposal or any other activity related to this processes. 3.3 Reservation The Bank reserves the right, at any time and until the signing of the contract, to not proceed with all or elements of the request and to terminate, without compensation, the contracting process for reasons of its own. As part of this service, the Bank reserves the right: - to carry out a second provider if it is not satisfied with the results of the first - to sign a contract only relative to a portion of the services proposed The decision of the Bank to accept or reject a bid is not subject to appeal. The Bank reserves the right not to contact bidders concerning this call for offers if the bid does not satisfy the specified criteria or fails to supply some of the information requested. 3.4 Legal framework The service provider will have sole responsibility for the financial management, notably relative to its personnel. It will be personally responsible for the results of the operation of the service provided under the conditions defined in the specifications, without being able to initiate any recourse of any kind against the customer in the event that this operation should be unprofitable. 12

13 3.5 Contract The objectives pursued by the Bank asking the bidders to respond to the present consultation on a legal level as well are notably: - To assess the contractual formalization of the services offered by the bidder, - To assess the level of commitment proposed by the bidder, - To anticipate the subsequent contractual negotiation. It is also expressly indicated that the bidder s response to the legal aspects will be taken into consideration as part of its assessment by the Bank. 3.6 Contractual documents The bidder is hereby warned that the service and its response will be an integral part of the contract. 3.7 Contract term and termination The Bank reserves the right to terminate the contract without notice in the event of gross negligence by the service provider. 3.8 Effective date of the contract The effective date of the operator s contract will be stipulated by the Bank at a later time. 3.9 Ownership of Proposals All materials submitted in response to this RFP shall become the property of The Bank and, upon Proposer s request, may be returned only at the option of the Bank and at the expense of the Proposer. In any case, The Bank shall retain one copy for its official files. 13

14 4 Qualifications and selections criteria 4.1 Qualifications Interested companies shall demonstrate the following: At least 3 years of experience on related topics. Similar previous services with other Banks and/or other institutions; Capable to provide high volume and quality of the service within a short time; 4.2 Selection Criteria The quality of each offer will be evaluated in accordance with the selection criteria and the associated weighting as specified below: Criteria Criteria Description Max points Supplier Experience - The references/experience of the company on similar services; - Most extensive experience in offering the required item / services 30 Quality of the Tender Documentation - Documents provided are complete, relevant to the requirements and clearly related with the request of SGAL 10 Security Field Expertise - Expertise and ability in the security field - Most extensive expertise and ability in the security field 20 Financial health of the Company - Balance sheet financial figures - Maximum goes to the bidder with best financial figures 10 Cappabilities - Supplier s ability to consider the various components of the environment and to guarantee the result and completion of the assignment 10 Time Frame and Workload Proposed - Time frame and workload for completing this assignment - Maximum goes to the bidder with best time frame and workload proposed 20 TOTAL Technical Points

15 5 Selection Process Subcontract awards will be based on a best value approach. There are 2 major factors when evaluating the proposal: technical approach (including management approach, past performance on similar contracts), and price. Each major factor is assigned a weight such that the sum of the weights is equals 100. The assigned weights allow for a greater emphasis to be placed on one major factor over another. For this RFP the assigned weight for technical approach will be 60 points and for the financial proposal will be weighted to 40 points. Total Score for the provider = weighted technical score + weighted financial score Example: Companies providing the offers are: A, B, and C. Based on the technical evaluation Criteria the score of each company is as following: Company Technical points Weighted Technical Score A (maximum) B (74 * 60 / 85) C (60 * 60 / 85) The maximum weighted score is given to the company with the max technical points, in this example to Company A. The others are weighted with a factor of Max score possible/max technical points (Weight Factor = 60/85) Financial Score is calculated as below: Max weighted score is given to the lowest price. In our example Company C. Weighted price for the others is equal to (Lowest price/company price) * max weighted score. Company Financial Offers 2 Weighted Price Score (price EUR) C 1000 (lowest) 40 (maximum) A (40 * 1000 / 1200) B (40 * 1000 / 1500) Total Score for each Provider is: Company Total Score A = 93 B = 79 C = 82 The winner in this example is Company A. The Bank will notify officially via the bidders on their individual result. 2 Prices listed here are only part of the example and are not related to this RFP 15

16 Appendix I - Acknowledgment of Receipt Acknowledgment of Receipt and Intent to Propose REQUEST FOR PROPOSAL (RFP) GRD-RFP Please send via in pdf format this notification of receipt and intent to apply on or before May 17 th, 2016, at the latest. procurement.al@socgen.com ; A. Acknowledgment of Receipt: (Company) Hereby Acknowledges Receipt of RFP document. Print Name: Tel: Authorized Signature: Title: Date: I intend to submit a proposal I do not intend to submit a proposal How did you learn about this tender? News paper (Please specify) Direct invitation Website Other (Please specify) Note: Only proposals from bidders who returned this form completed and signed will be considered and evaluated. 16

17 Appendix II Similiar Contract references Nr Customer name Contract Start date Contract End date Companies where this service is realized Contact person / position Contact number 1 XXXXXXXX SGAL, Albania Ilir Apostoli 068xxxx 2 YYYYYYYY Ilir Apostoli 068xxxx Etc. Note: The above example is given to show how to fill the reference table. 17

18 Appendix II CONFIDENTIALITY AND NON DISCLOSURE AGREEMENT BETWEEN, a company incorporated in Albania, whose registered office is at " ", (City), (Country), with registration NUIS., dated, legally represented by its administrators, Mr., Referred to hereinafter as Disclosing Party AND BANKA SOCIETE GENERALE ALBANIA SH.A. a joint-stock company, incorporated under the laws of Albania by Tirana District Court Decision No , dated , having its registered office at: Bul. Deshmoret e Kombit, Twin Towers, Tower 1, 9th floor, Tirana, Albania, with NIPT No. K U and License No.17, dated , issued by the Bank of Albania represented by Mr. Frédéric BLANC, acting in his position as CEO, French citizen, resident in Tirana, born in Lyon, France, on , bearer of the French Passport No. 14DC28824, adult having full juridical capacity to act, Referred to hereinafter as the Receiving Party The Disclosing Party and the Receiving Party are also referred to hereinafter individually as the Party and collectively as the Parties. PREAMBLE: Whereas the Disclosing Party has agreed and undersigned with, contracts in regards to the execution and completion of specific projects undertaken (hereinafter referred to as the Project ). Whereas the Receiving Party has expressed an interest in providing financing to the Disclosing Party. Whereas the Disclosing Party has invited the Receiving Party to review Confidential Information (as defined in Article 1 below) in order to further develop its interest in relation to the potential financing. In order to protect any such Confidential Information, the Parties have decided to enter into this Agreement. NOW THEREFORE THE PARTIES HAVE HEREBY AGREED THE FOLLOWING: ARTICLE 1 DEFINITIONS Agreement shall mean this confidentiality and non-disclosure agreement. Confidential Information shall mean any information relating to: (a) the Project (including any of the terms, conditions or other facts with respect to the Project or possibility thereof including the status thereof and any discussions and any versions of Project agreements or documents), (b) all information of all kinds, including, but not limited to, writing, sample material and recorded (audio or other) form, or in any intangible oral, visual, or computer data base form and any derivatives thereof, and in any form whatsoever whether or not the information is marked or identified as being confidential. The Confidential Information includes, without limitation, the product specifications, ideas, plans, drawings, models, designs, architectures, trade secrets methods and business, technical, commercial, strategic, marketing or financial data, relating to the Project, a Party, an Affiliate or the Disclosing Party, disclosed in connection with this Agreement to the Receiving Party in tangible form, Receiving Party" is the Recipient of Confidential Information, it includes all its Subsidiaries, Employees and Representatives which have a legitimate "need to know" the Confidential Information for the purposes of this agreement. Disclosing Party is the Disclosing Party of the Confidential Information, it includes any of its subsidiary directly involved in the Project. 18

19 Representative shall mean any director, officer, employee, agent, auditor, insurer, financier or any technical, legal or other advisor of a Party, to whom the Confidential Information has been disclosed on a need-to-know basis for the Subject of the Agreement. Third Party shall mean any party, person or entity that is not a Party to this Agreement. ARTICLE 2 SUBJECT The purpose of this Agreement is to define the terms and conditions upon which the Receiving Party shall have access to Confidential Information. The Receiving Party shall keep such information confidential and use it solely for the purpose of considering, evaluating and negotiating the possibility of financing the Disclosing Party (hereinafter referred to as the Subject of the Agreement). ARTICLE 3 - PROPERTY RIGHTS 3.1 The Parties hereby reciprocally acknowledge that the Confidential Information and intellectual property rights such as patent, copyright, trademark or other proprietary right contained therein and/or in relation thereto, are and shall remain the exclusive property of the Disclosing Party. 3.2 Any and all tangible material provided by the Disclosing Party or copies shall remain the property of the Disclosing Party. 3.3 Any and all Confidential Information communicated in connection with this Agreement shall not be construed as a disclosure in the meaning of patent laws or others industrial or intellectual property laws. ARTICLE 4 - NO REPRESENTATION OR WARRANTY 4.1 No representation or warranty is made or is to be implied on behalf of the Disclosing Party in respect of the Confidential Information. 4.2 Nothing in this Agreement shall be construed as authorizing the Receiving Party to make use of the Disclosing Party's name for publicity or marketing purposes. 4.3 Nothing in this Agreement shall be construed as an obligation on the Disclosing Party to disclose any specific information to the Receiving Party. ARTICLE 5 - OBLIGATIONS OF CONFIDENTIALITY AND LIMITED USE 5.1 The Receiving Party undertakes with respect to all Confidential Information: a) not to disclose all or part of the Confidential Information to any Third Party and to restrict access to such Confidential Information exclusively to its Representatives, and provided that : (i) those Representatives are informed of the confidential nature of the Confidential Information and understand and accept the obligations contained in this Agreement; (ii) to people whom the Disclosing Party agrees may receive the Confidential Information; (iii) (iv) to the extent permitted by Article 5.2; and Those Representatives comply with the confidentiality obligations contained in paragraph c) hereunder; the Receiving Party shall promptly notify the Disclosing Party if it becomes aware of a breach of any provision of this Agreement by any of its Representatives and take all the necessary measures to ensure that the illegal disclosures cease immediately. b) to use Confidential Information solely for the Subject of the Agreement, and procure that all Representatives may have access to the Confidential Information solely for the Subject of the Agreement; and c) to maintain in strict confidence and procure that all such Representatives who have access maintain in strict confidence Confidential Information by applying to all such Confidential Information no lesser security measures and degree of care than those which the Receiving Party applies to its own confidential or proprietary information and which the Receiving Party 19

20 warrants as providing adequate protection of such information from unauthorized disclosure or use, notably not to copy, reproduce or reduce to writing any part of such Confidential Information, except as is strictly necessary to carry out the Subject of the Agreement. 5.2 The obligations set out in Article 5.1 above shall not apply to any part of the Confidential Information that the Receiving Party can demonstrate to the reasonable satisfaction of the Disclosing Party: a) was already lawfully in the possession of the Receiving Party prior to the disclosure thereof by the Disclosing Party and is not subject to any other duty of confidentiality; or b) at the time of its disclosure to the Receiving Party was already in the public domain or subsequently becomes available in the public domain otherwise than as a result of some act or omission on the part of the Receiving Party in breach of the terms of this Agreement; or c) is required by applicable law or regulations of a governmental authority or regulatory authority, or valid order of a competent jurisdiction, to be disclosed, but only to the extent and for the purpose of such disclosure and provided the Receiving Party first notifies the Disclosing Party, if so requested,; or d) is independently developed by employees of the Receiving Party without use, directly or indirectly, of Confidential Information received from or disclosed by the Disclosing Party; or e) Has been rightfully received by Receiving Party from a third party without restriction on disclosure and without breach of this agreement, this third party being, to the best of Receiving Party s knowledge, under no obligation of confidentiality to Disclosing Party with respect to such Confidential Information; If only a portion of any Confidential Information falls within one or more of the foregoing exceptions, the remainder shall however continue to be subject to the confidentiality obligations and limitations set out in Article 5.1of this Agreement. 5.3 The communication of the Confidential Information supplied under this Agreement, and in general this Agreement, does in no event confer or imply the grant or agreement to grant any rights to the Receiving Party and its Representatives in respect of any patent, copyright, license or other rights (e.g. intellectual property rights) in force and belonging to or disclosed by the Disclosing Party. 5.4 The communication of the Confidential Information supplied under this Agreement does not allow or entitle the Receiving Party to use, lease, sell, disclose to or otherwise dispose for the benefit of any party or person other than the Disclosing Party, the analysis, products, sub-assemblies, assemblies or components, manufactured, designed or otherwise generated on the basis or by making use of the Confidential Information or by using the Confidential Information in combination with other information. 5.5 The Parties agree to return or destroy, upon the written request and at the discretion of the Disclosing Party at any time, all Confidential Information received from the Disclosing Party in tangible or intangible form, and any copy, reproduction or reduction to writing of any part thereof in any form whatsoever. The Receiving Parties shall confirm in writing such destruction or return the Confidential Information as well as any copies thereof to the disclosing Party within fourteen (14) days after receipt of the Disclosing Party's request. The provisions of this Article 5.5 do not apply to Confidential Information or copies thereof which must be stored by the Receiving Party, its Affiliates or its advisers according to provisions of mandatory law or to the Receiving Party's and its Affiliates' internal compliance guidelines, provided that such Confidential Information or copies thereof shall be subject to an confidentiality obligation according to the terms and conditions set forth herein. ARTICLE 6 - TERM AND TERMINATION This Agreement shall enter into force on the date it has been signed by both Parties and it shall expire within three (3) years from the occurrence of the earliest of the following events (whichever occurs first): i. Written notification by the Disclosing Party that it will not pursue further the award of the Project; ii. written notification by Disclosing Party that it has abandoned the Project; iii. iv. unanimous decision of the Parties to terminate this Agreement; or Signature and entry into force of another agreement between the Parties replacing this Agreement. 20

21 ARTICLE 7 - EFFECTS OF TERMINATION 7.1 On the termination of this Agreement, whether at the expiration of the initial term or at the expiration of any additional term agreed by the Parties or upon any earlier termination of this Agreement, the rights and obligations of the Parties which have accrued prior to termination shall survive for five (5) years from the date of such termination. 7.2 Notwithstanding the early termination or expiration of this Agreement, the obligation to return or destroy, at request and discretion of the Disclosing Party, the Confidential Information and any copy, reproduction or reduction to writing of any part thereof shall remain in force and shall be binding for five (5) years from the date of such termination or expiration. ARTICLE 8 Assignment 8.1 Neither this Agreement nor any rights and obligations under this Agreement may be assigned or delegated by either Party without the prior written consent of the other Party. 8.2 Either Party may, without the consent of the other Party, while remaining entitled and obligated under this Agreement, assign and transfer the same rights and obligations under this Agreement to a successor in business or an acquirer of all or a substantial part of the business (whether by way of a share deal, asset deal or otherwise) to which this Agreement pertains. The assigning Party shall inform the other Party in writing if the successor in business or the acquirer is not an Affiliate. The assigning Party and the other Party shall themselves continue to bear all of their rights and obligations originating under this Agreement until and up to the assignment. ARTICLE 9 - GOVERNING LAW/SETTLEMENT OF DISPUTES 9.1 This Agreement shall be construed in accordance with Law No.8269 dated "On Bank of Albania" Law No.9662 dated "On Banks in the Republic of Albania "(with amendments) and BoA s Regulation no 31.dated On the Bank Secrecy and other applicable Albanian. 9.2 Any dispute arising in connection with or out of the performance or the interpretation of this Agreement, which the Parties cannot settle amicably, shall be finally settled by District Court of Tirana, Albania. 9.3 The Receiving Party agrees that in breach of this Agreement the Disclosing Party who has suffered the breach shall have all rights and remedies provided by Albanian law. ARTICLE 10 - GENERAL PROVISIONS 10.1 Nothing in this Agreement shall grant to either Party the right to make commitments of any kind for or on behalf and or for account of the other Party without the latter's prior written consent No amendment to terms and conditions of this Agreement shall be valid and binding on the Parties hereto unless made in writing and signed by an authorised representative of each of the Parties This Agreement shall be binding upon the Parties hereto and their respective successors and assignees This Agreement is made for the benefit of the parties to it and their successors and permitted assigns and is not intended to benefit, or be enforceable by, anyone else To the extent that any provision(s) of the Agreement is held to be invalid, illegal or unenforceable, such provision(s) shall be considered null and void but the remaining provision(s) of the Agreement shall not be impaired, and the illegal or unenforceable provision(s) shall be replaced by provision(s) that are acceptable to both Parties, are valid, legal and enforceable, and come as close as possible to reflecting accuracy the intentions of the Parties underlying the invalid, illegal or unenforceable provision(s) This Agreement constitutes the entire understanding between the parties concerning the subject matter hereof and supersedes all prior discussions, agreements and representations concerning the subject matter hereof, whether oral or written or not executed by the Parties. 21

22 IN WITNESS WHEREOF, the Parties hereto have caused this Agreement to be executed by their duly authorised representatives in two (2) originals copy, one (1) for each Party, as of the day and year set forth below Dated: For and on behalf of the For and on behalf of Banka Societe Generale Albania SH.A By: Title: Date: By: Title: Date: 22