S.No RFP Reference Clarification Sought Modified Clause/ Clarification

Transcription

1 The clarification for the queries submitted by the biders in response to RFP for Managed Security Services dated is as follows: S.No RFP Reference Sought Modified Clause/ 1. The bidder will be responsible for any hardware, software upgrade, for the proposed solutions and any kind of upgradation of existing infrastructure while implementing the solutions proposed under the project. 2. Ensure that all aspects of Installation, De - Installation, Configuration, Re- configuration, relocation (within the listed locations), enhancements, updates, upgrades, bug fixes, problem analysis, performance analysis, audits, on - site as well as off - site support. 3. Bidders SOC and DR Site should be connected to Banks MPLS Network to the nearest POP centers with minimum 256 KBPS MPLS link. Vendor has to coordinate and maintain the above link. Please clarify -our understanding - existing production infra upgrade refers to the proposed setup or the production setup of bank. Please clarify -our understanding is that device management of the proposed solutions is required -- need more clarity on the same. Please clarify that does bank requires the remote SOC to be connected to banks infra via MPLS and also the remote SOC-DR to be connected to bank. Is our understanding correct. The bidder is expected to provide end to end management of software/hardware proposed for delivering the MSS services. For e.g. the vender will be responsible for the implementation, configuration, integration, management, support, upgrades, renewal of the licenses etc of the SIEM tool, server or any other solution proposed under this RFP.

2 S.No RFP Reference Sought Modified Clause/ 4. The log transfer and device management should happen over an encrypted channel.( log & device) 5. Bidder should perform Vulnerability Assessment & Penetration Testing for critical devices/ servers /applications 6. Bidders should support all types and models of the product range such as Cisco, Checkpoint, Nokia, Fortigate, Netscreen, ISS and any other standard Make introduced by Union Bank from time to time. 7. Information Security consultancy for newer technology deployment for new and existing applications and products X7 log monitoring of operating systems, network & security devices using log analysis tools Support at central location for encryption to be enabled is available -- is our understanding correct. Pl provide network connectivity topology with min bandwidth. Can bidder propose VA & PT in opex model solution or Banks has its own VA & PT tool. Please clarify Extending the SOC scope of work to new device introduced can be handled through additional commercials. In our understanding - pl confirm or should we consider 10% growth. Extending the SOC scope of work to new device introduced can be handled through additional commercials. In our understanding - pl confirm or should we consider 10% growth. Can Bidder propose SIEM solution in OPEX model or bank wants to procure the SIEM tool & leverage the same tool to bidder's remote team for security log monitoring. Please clarify The bidder is expected to deploy automated vulnerability scanner tool for VA onsite at the bank. However penetration Testing can be performed from the SOC. The vendor is expected to propose VA & PT on opex model. The new devices will be introduced under the scope of work at the rate finalized through the RFP process for the particular services Bank will avail such services under the consultancy services at rates discovered through the RFP process. 9. Anti-Phishing services Please clarify how many web sites consider for Anti-Phishing. How many take down would

3 S.No RFP Reference Sought Modified Clause/ consider per Year 10. Advisories to bank on relevant threats and vulnerabilities supported with mitigation against identified risk exposure 11. Anti Malware and Anti Trojan Scanning 12. Establishing process for preventing, detecting, analyzing & reporting what is the periodicity of such services expected? Standard practices can be suggested, clarify otherwise. Please clarify how many web sites consider for Anti-malware & Anti-Trojan solution. which kind of process needs to be established? Standard processes/practices can be suggested, clarify otherwise These advisories are expected to be delivered as when applicable threats are identified for the in scope devices 13. Dash Board which and how many (number) customizable reports are expected? Need more clarity on the same. 14. Service Desk bank need service desk 24*7 or 12*6 shift Please clarify 15. Service Desk Does the bank have an existing service desk tool? Or we should propose for an tool along with this solution. what kind of reports are expected? 16. Audit of new applications, systems, implemented by the bank Compliance report would be provided as a solution however audit requirements needs to be shared by the bank. Extending the scope work to additional requirements can be handled through additional commercials. Service desk is required on 24X7 basis Bidder is expected to propose service desk tool through their SOC. The bidder is expected to provide reports as mentioned under specifications & SLA for traffic analysis, log corelation,phishing incidents etc.

4 S.No RFP Reference Sought Modified Clause/ 17. Security Log monitoring How many devices would be coming under security log monitoring scope 18. Vendor should have atleast 1 resource onsite dedicated for the device management activities during regular business hours. Do you need people to be staffed at both DC & DR. Onsite support with 3xL1 & 1XL2 is already mentioned in the RFP. 19. VA & PT How many devices would be coming under VA & PT scope The frequency of assessments needs to be defined. 20. The risk baseline should be integrated with the asset register Risk analysis can be provided as per the reports generated out of the solution. Kindly confirm what additional solution is expected. Our understanding is the bank having an existing asset management tool - pl confirm 21. Security Service Desk Does bank has its own Service desk tool or Bank wants to procure the tool & leverage the same for the SOC project. What is expected from the reports which would be pulled out from the service desk portal. Bidder is expected to propose service desk tool through their SOC. 22. A drill down of assets affected by new threats, vulnerabilities and status of mitigation should be supported. is there a requirement of CMDB to be integrated? If yes pl share the details.

5 S.No RFP Reference Sought Modified Clause/ 23. Limitation of Liability :Vendor s aggregate liability for actual direct damages shall be limited to contract value, provided that this limit shall not apply to (1) the infringement indemnity; or (2) bodily injury (including death) and damage to real property and tangible personal property caused by Vendor s negligence. For the purposes of this Section, Contract Value at any given point in time, means the aggregate value of purchase orders placed by Bank on the Vendor under this project. Request amendment to this clause to make it consistent with other RFP's of UBI :-Vendor s aggregate liability under the contract shall be limited to a maximum of the Contract value. This limit shall not apply to third party claims for 1) IP infringement indemnity; 2) bodily injury (including death) and damage to real property and tangible personal property caused by vendor s gross negligence. For the purpose of this section, Contract value at any given point of time, means the aggregate value of the purchase orders placed by Bank on the vendor that gave rise to claim, under this tender. Vendor shall not be liable for any indirect, incidental or special damages under the agreement/ purchase order. As per annexure-i 24. Payments We understand that payment for only two components i.e. Consulting Hours & Site Take down will be as per actuals consumption all other components & services will be paid as per the quantity/ period mentioned in commercial sheet. Please confirm 25. SIEM Tool Used Please clarify if bank is open to consider open source tool for SIEM? However it is recommended to use industry leading tools for such critical SOC having following features - a) OEM tool have both features such Security Incident analysis & Event monitoring. b)oem tool will come with in-built Storage facility c)oem tool has multiple compliance report facility comply with industry standards.d)oem tool has come with in-built database as well as compatible with other database such as Oracle & there is no limit of storing the data. e)oem tool has its own multiple

6 S.No RFP Reference Sought Modified Clause/ dashboards which can modify as per the requirement.f)oem tool can integrate with any services desk tool to measure the incidents. 26. The bank reserves the right to extend the agreement for a further period upto four (4) years at the option of the bank at the same cost, terms and conditions after negotiating the rates for any additional service identified by the bank. The bank reserves the right to extend the agreement for a further period upto four (4) years at the option of the bank at the revised cost, terms and conditions after negotiating the rates for any additional service identified by the bank. The bank reserves the right to extend the agreement year on year basis upto a maximum period of four (4) years after 1st year at the same cost, terms and conditions The rates for any additional services will be mutually decided by the bank & the bidder. 27. Indemnity Since "Vendor Name" is acting as a reseller of completed products, "Vendor Name" shall passthrough any and all warranties and indemnities received from the manufacturer or licensor of the products and, to the extent, granted by such manufacturer or licensor, the Customer shall be the beneficiary of such manufacturer s or licensor s warranties and indemnities. Further, it is clarified that "Vendor Name" shall not provide any additional warranties and indemnities with respect such products 28. The offer should remain valid for a period of at least 180 days from the date of the submission of offer. The offer should remain valid for a period of at least 30 days from the date of the submission of offer.

7 S.No RFP Reference Sought Modified Clause/ 29. Liquidated Damages Notwithstanding the Bank's right to cancel the order, liquidated damages at 0.5% of the cost of equipment per week will be charged for every week's delay in the delivery of the equipment beyond the specified delivery/installation period subject to a maximum of 2% of the value of total payout for the first year. Bank reserves its right to recover these amounts by any mode such as adjusting from any payments to be made by the Bank to the company. Notwithstanding the Bank's right to cancel the order, liquidated damages at 0.5% of the cost of services of project cost of one year per week will be charged for every week's delay in the starting of all the services beyond the specified period subject to a maximum of 2% of the value of total payout for the first year. Bank reserves its right to recover these amounts by any mode such as adjusting from any payments to be made by the Bank to the company. 30. For log monitoring the existing HIPS agents installed on the assets can be used. Security log monitoring Service The solution is expected to be agent less as per specifications on page 15 whereas page 16 specifies "Solution should support filtering of noise events from being sent to SOC by the agents deployed on bank assets". These points are contradictory. We recommend removing the point on page 16. Filtering on logs is not recommended. For assets on which HIPS agents are not installed SNMP traps or proposed agents can be installed.however, performance degradation should not be there due to these agents.

8 S.No RFP Reference Sought Modified Clause/ Also the solution should support existing/ proposed appliance such as firewall management server, & Internet gateway etc used for the management & monitoring. 31. Security log monitoring Service The log monitoring system will not suffice with current threats. SIEM to look for intrusions, not exfiltration. An intrusion is when employees, unknown individuals, or other malicious actors are poking around inside the network and perhaps accessing data that they should not have access to, while exfiltration is when that data actually leaves the organization and turns into a data breach. We recommend including a security analytics tool in the same. Bank has asked SIEM tool for log monitoring and analysis of logs through remote SOC. The minimum specification of SIEM is mentioned in the RFP. However, Bidders can quote solution supporting additional requirements in addition to minimum requirement mentioned in the RFP. 32. Anti-Phishing Services "Vendor should monitor the previously identified phishing domain/site on periodic basis for identifying any reopen case and close the old/ new phishing url identified during the monitoring without levying any additional charge to the bank as per SLA" We cannot guarantee that the offender will not repeat his/her offence. If the fraudster is leveraging a vulnerability on some server where he is hosting the phishing site. If the vulnerability is not fixed he will be able to break in again and recreate a phishing attack. All the phishing sites are expected to be taken down as per the SLA and terms & condition mentioned in RFP. The vendor will give the reports of such takendown sites as mentioned in the RFP.

9 S.No RFP Reference Sought Modified Clause/ 33. Malware and Trojan scanning services No mention about service s capability to identify specific financial Trojans targeting netbanking users to steal user credentials, passwords, account details etc. to detect and shutdown such malware attacks including infection points, command and control centre and the drop points to recover data stolen by such financial malware The service should obtain the above information from sources of attacks/ malware/ collection of compromised data, IP addresses used in attacks, bot net addresses, etc. The Forensic data to be collected for the Trojans should include but not limited to the following o Tools used in attacks o Compromised data o Account Information o Compromised credit cards /debit cards issued by Bank o addressees o Customer profiles 34. Security Service desk system requirements No mention about: Identify malware infected corporate systems trying to connect from inside to the outside malware infection points, command and control centre and the drop points Provide data feeds of malicious host IP addresses into web proxies / SIEM to alert about infected botnets inside the corporate network as they try to connect to external malware servers In addition to specifications mentioned on pg no. 22 the solution proposed by the bidder should comply to following additional specifications: Identify malware infected corporate systems trying to connect from inside to the outside malware infection

10 S.No RFP Reference Sought Modified Clause/ points, command and control centre and the drop points Provide data feeds of malicious host IP addresses into web proxies / SIEM to alert about infected botnets inside the corporate network as they try to connect to external malware servers 35. Security Dashboard is the dashboard expected to have a feature to track how vulnerabilities are assigned to owners and tracked that remediation is completed? Yes dashboard is expected to track & assign vulnerabilities to owners 36. Security Dashboard is the dashboard expected to compare the issues identified by Union bank's vendors, with the issues identified by the vulnerability scanners? Are these expected to map in any way? Yes, the dashboard is expected to compare the issues identified by Union Bank's vendor with the issues identified by the vulnerability scanners 37. Security Dashboard Is there a plan to integrate device information from multiple sources, such as AD, CMDB and bank's provisioning process to give you a greater view of your device and threat landscape? 38. Methodology of commercial selection of vendor Request bank to follow normal bidding process since we as an organization policy do not follow the reverse auction process.

11 S.No RFP Reference Sought Modified Clause/ 39. The bidder should own and have been managing well established Security Operations Centre (SOC) in India since last 3 year s. 40. The bidder should have the DR Site of similar capacity for their SOC in India Request bank to consider the bidder to own and manage SOC in India or Abroad since last 3 years. Request bank to consider DR site of similar capacity in India or anywhere in the world 41. The bidder should have provided/be providing SOC/Managed Security Services including log monitoring & corelation for minimum 75 device to atleast two customers out of which atleast one should be a bank in India 42. The bidder should have provided/be providing SOC/Managed Security Services including log monitoring & corelation for minimum 75 device to atleast two customers out of which atleast one should be a bank in India (Please provide purchase order copy & reference site details for the same). Request bank to dilute the criteria for one Indian bank reference to allow for global customers We would request Bank to modify the said clause as "Bidder Atleast Two customer where min 75 devices is managed remotely from SOC,out of which one customer should be from BFSI in India. The above modified clause will help us to participate in the said RFP as "Vendor" is very strong in the said domain and have expertise to deliver said services as per SOW mentioned in the RFP.

12 S.No RFP Reference Sought Modified Clause/ 43. The bidder should have the DR Site of similar capacity for their SOC in India (Self Declaration with details of DR infrastructure as per Annexure-XX). We would request Bank to delete the said clause from RFP as "Vendor" has only primary SOC active for all their BFSI customer. We assure is the managed security, consulting & network technology arm of "Vendor Name" having its diversified and highly skilled expertise into giving audits and consultancy solutions for the various compliances norms namely: ISO 27001, BS , PCI- DSS, VA & PT. Bidder is required to submit self declaration as per annexure -I 44. Performance Bank Guarantee Request Bank to limit PBG to 15% of the Contract value. 45. Indemnity Indemnity cannot be provided for warranties, covenants, representations or obligations under this Agreement. Request exclusion 46. Limitation of Liability Uncapped limitation of liability as the liability should be capped at indirect or consequential losses or loss of profits or revenue or goodwill or anticipated savings. As per annexure-i Further direct liability need to be capped at 12 months charges under the Agreement (i.e. for all SOW taken together).since it is suggested that the agreement may be extended for 4 years at the discretion of Bank

13 S.No RFP Reference Sought Modified Clause/ 47. Force Majeure We recommend that the Suppler should have the liberty to withdraw / terminate in case Force Majeure continues for more than 1 month 48. Liquidated Damages Further right of recovery should be limited to the present Agreement only with effect any other Agreements. Request Bank to delete "Bank reserves the right to recover these amounts by any mode such as adjusting from any payments to be made by the Bank to the company. " 49. Annexure H, PBG undertaking PBG draft not shared, kindly clarify as to same and the bidder should have the liberty to negotiate as to terms/value/maturity. The format for the performance Bank Guarantee will be provided by the Bank to the selected bidder 50. Annexure E In addition to providing log monitoring and log management solution for all 103 devices listed in Annexure-E, Should the Bidder scope also includes to provide Security Infrastructure (Remote) Management for 40 Security Devices listed in Annexure-E? Please clarify. Log Monitoring & Log Management is required for Critical Servers, Network & Security devices. Security Infrastructure management for 40 security devices is expected to be done by the onsite team during business hours and by remote SOC during non-business hours 51. Log Monitoring Requirement table Please specify the list of application logs that needs to be integrated for 24x7 security log monitoring services.

14 S.No RFP Reference Sought Modified Clause/ 52. Log Monitoring Requirement table Log Monitoring Requirement spec shows that, The solution must give real time compliance monitoring of standards like PCI DSS, ISO 27001, GLBA, SOX, HIPAA, FISMA, Indian IT Act 2000 etc. Generally SIEM OEM's would have packages for compliance reporting. Can Bank be specific about the regulations for which reporting will be needed so that bidder can provide the relevant packages in our solution. 53. Log Monitoring Requirement table Requirement table shows that local log retention (ONLINE LOGS) for minimum of six months period, could you also please specify the retention period for archived logs (OFFLINE LOGS)? 54. Eligibility Criteria As of 30-Jun-2012, the bidder should own and have been managing well established Security Operations Centre (SOC) in India including DC & DR SOC Sites since last 3 year s. We have Global SOCs spread around the globe but not in India and these are running for moe than three years. Will SOCs outside India be acceptable to bank 55. Eligibility Criteria Will customers outside of banking be considered?

15 S.No RFP Reference Sought Modified Clause/ 56. minimum 10 skilled staff with CISA/CISSP/CISM/ professional certification from Net screen/ Check Point Firewall. Request UBI to extend this clause to the following certifications- CISA/CISSP/CISM/CEH/ISO27001 LA, CISC, CPH, CCIE, CCSA, CCSP 57. Anti-phishing Services Please clarify whether these services can be provided through a third party however "vendor" will remain the single point of contact for the engagement. 58. Anti-Malware and Anti Trojan scanning Services 59. Closure of Raised Alerts as in SLA 60. The bidder should be registered company in India and providing IT security services / business (i.e. in the area of implementation of Firewall / IPS / IDS / UTM) for a minimum of five year as on (Please submit proof, such as Registration Certificate etc for existence and purchase order/work order showing implementation of Firewall / IPS / IDS / UTM since last five years. ) Please clarify whether these services can be provided through a third party however "vendor" will remain the single point of contact for the engagement. Is it regarding closure of Incidents for which Alerts are raised or closure of Alert tickets by taking/initiating action on the raised alerts? Need more on this clause. Bank has asked for providing IT Security Services, Please confirm whether MSS will be treated as IT security Service. As specialized information security firm, we do Managed Security services for many PSU and Global Banks. Hence we request bank to consider the Proof or Purchase order for the Managed Security Services (MSS) offered to the clients since last five years. Bank can consider Managed Security Services experience as IT Security Services supported by purchase order/work order/ reference letter from the organization.

16 S.No RFP Reference Sought Modified Clause/ 61. The bidder should own and have been managing well established Security Operations Centre (SOC) in India since last 3 year s. (Year wise Copies of purchase orders showing SOC services provided to customer/s). 62. Bidders SOC and DR Site should be connected to Banks MPLS Network to the nearest POP centers with minimum 256 KBPS MPLS link. Vendor has to coordinate and maintain the above link. Bank has MPLS Network through M/s BSNL. Bank may provide the required Letter in this Apart from the bidder having the established SOC for last 3 years, we request the bank to consider The SIEM used in the SOC should be in the Gartner's Magic Quadrant for last three years (Year 10, 11 & 2012). Does the site connectivity will be provided by the bank and the bidder will have to maintain the link alone or the bidder has to provide the link as well? Kindly provide more clarity on this requirement. 63. Along with remote monitoring from the vendor SOC, the bidder should ensure that the solution provides for local retention of logs at bank s premises for a minimum period of 6 months. Log Retention onsite is this a mandatory requirement or optional. Also is log retention for 6 months a mandatory requirement. The bidder is expected to retain the logs at bank's premises for a minimum period of 6 months. The vendor is required to deploy required hardware/software for the same. 64. Service Desk Is the bank already using a service desk or the bidder should provide the same? Kindly provide more clarity on this requirement Bidder is required to provide the service desk as mentioned in the RFP

17 S.No RFP Reference Sought Modified Clause/ 65. IV. Anti-phishing Services Vendor should monitor the previously identified phishing domain/site on periodic basis for identifying any reopen case and close the old/ new phishing url identified during the monitoring without levying any additional charge to the bank as per SLA After how much time period will the take down of a phishing site will be counted as a new incident if the phishing site is up again. 66. Profile of Onsite Engineers for DC and DR Site Can the experience and certification requirements of the resources as requested by the bank be reduced? 67. Anitphishing services are required for following: a) online.co.in with all the sub domains Annexure E List of devices and locations Antiphishing Kindly provide the number of URL's in each domain. b) dia.co.in /with all the sub domain. c) co.in d) a.co.in/ with all the sub domain.

18 S.No RFP Reference Sought Modified Clause/ However vendor is expected to monitor web referral logs of both corporate website and internet banking website. 68. Bank should be able to search, extract, and generate reports, if required, from the local logs. Is this a mandatory requirement or can the vendor provide reports as agreed from the SOC. 69. Section V: Service level agreement Are the following SLA acceptable with the bank? Real Time Alert SLA Category Time Window [Mins]High Alerts 30Medium Alerts 45Low Alerts 60Daily Reports SLA Category Time Window All Devices Daily Reports 11 AM 70. Bank Working hours Request the bank to confirm the number of working days per week? Will it be a 5 day working or 6 day working in a week. Bank is operating on 6 days a week basis. However the onsite team is required to attend DR Drills and other planned/nonplanned activities. 71. Vulnerability Assessment Are you looking for a configuration review in this particular requirement? 72. Vulnerability Assessment How many devices/servers are there in total on which this activity has to be performed.

19 S.No RFP Reference Sought Modified Clause/ 73. Vulnerability Assessment Do you expect us to perform a black box application security test on the applications hosted on the servers.if yes please provide the number of applications hosted. 74. Vulnerability Assessment Number of Ips on which Penetration Test (Internal and External) has to be performed? 75. Vulnerability Assessment Do you expect us to perform a black box application security test on the applications hosted on these Ips. If yes please provide the number of applications hosted. 76. Application Security Assessment What kind of assessment are you looking for? White box (Source Code review), Greybox (Tests on generic threats like OWASP top 10 and Privilege escalation checks from an attackers perspective)? If Source Code review is required, please fill in Table 2in Details sheet 77. Application Security Assessment How many Applications are there? 78. Application Security Assessment Are there any mobile applications in scope? If yes please specify it with the application name in the below table

20 Annexure-I Annexure K- Self Declaration with details of DR infrastructure Place: Date: To: The Dy. General Manager Union Bank of India Department of Information Technology, Technology Center, Adi Shankaracharya Marg, (JVLR), Opp. Powai Lake, Andheri East, Mumbai Self Declaration with details of DR infrastructure We (bidder name), hereby confirm that as required in the RFP, we have DR Site of similar capacity for proposed SOC services in India. Brief details are as under: Sl no Description Primary SOC DR SOC 1 Address of 2 Floor area in Sq ft 3 Total no of engineers 4 No of engineers in each shift 5 Whether ISO Certified 6 SIEM Tool used(with the version) Yours faithfully, Authorized Signatories (Name, Designation and Seal of the Company) Date:

21 Limitation of Liability Vendor s aggregate liability under the contract shall be limited to a maximum of the Contract value. This limit shall not apply to third party claims for 1) IP infringement indemnity; 2) bodily injury (including death) and damage to real property and tangible personal property caused by vendor s gross negligence. For the purpose of this section, Contract value at any given point of time, means the aggregate value of the purchase orders placed by Bank on the vendor that gave rise to claim, under this tender. Vendor shall not be liable for any indirect, incidental or special damages under the agreement/ purchase order.