Punjab National Bank
June, 2014

Request for proposal (RFP)
Security Integrator For Information Security Management System on the Bank & Security integration services for Enterprise Wide Network

Punjab National Bank
Information Security and Audit Department
Information Technology Division
HO: 5, Sansad Marg, New Delhi - 110001

RFP for Security Integrator Page 1 of 34
TABLE OF CONTENTS

S.No.  SUBJECT (PAGE NO.)
1   BID DETAILS (4)
2   INTRODUCTION (5)
3   SCOPE OF WORK (8)
4   BIDDING PROCESS (12)
5   ELIGIBILITY CRITERIA - ANNEXURE-I (24)
6   BIDDER'S INFORMATION - ANNEXURE-II (25)
7   COMPLIANCE STATEMENT - ANNEXURE-III (26)
8   PERFORMANCE STATEMENT - ANNEXURE-IV (27)
10  TECHNICAL SPECIFICATIONS - ANNEXURE V (28)
11  COMMERCIAL BID DETAILS - ANNEXURE VI (31)
12  CONFIDENTIALITY CUM NON-DISCLOSURE AGREEMENT - ANNEXURE VII (32)
Undertaking-I

To,
The Assistant General Manager
IT Procurement Department
Punjab National Bank
Information Technology Division
HO: 5, Sansad Marg
New Delhi-110001

Sir,

Reg.: Our bid for Security Integration Services for enterprise wide network

We submit our Bid Document herewith.

We understand that:

You are not bound to accept the lowest or any bid received by you, and you may reject all or any bid.

If our Bid for the above job is accepted, we undertake to enter into and execute at our cost, when called upon by the purchaser to do so, a contract in the prescribed form. Unless and until a formal contract is prepared and executed, this bid together with your written acceptance thereof, shall constitute a binding contract between us.

If our bid is accepted, we are to be jointly and severally responsible for the due performance of the contract.

You may accept or entrust the entire work to one vendor or divide the work to more than one vendor without assigning any reason or giving any explanation whatsoever.

Vendor means the bidder who is decided and declared so after examination of commercial bids.

Dated at this day of 2014.

Yours faithfully
For
Signature:
Name:
BID DETAILS

1. Date of Commencement of Bidding Process: 09.06.2014
2. Last date and time for downloading of Bidding Documents: 30.06.2014 till 16:00 hrs
3. Last date of receipt of queries for clarification from bidders: 18.06.2014 till 16.00 hrs
4. Last date and time for Bid preparation and Hash submission (on-line): 30.06.2014 till 16.00 hrs
5. Last date and time for Bid submission: 01.07.2014 till 14:00 hrs
6. Date and Time of Technical Bid Opening: AS PER TENDER SCHEDULE
7. Place of opening of Bids: Punjab National Bank, Information Technology Division, 2nd floor, HO, 5 Sansad Marg, New Delhi - 110 001
8. Address for communication: As above. Tel: (011) 23714804 / 23710483 / 23710021 Ext: 230/301. Fax: (011) 23321305 / 23320409
9. Earnest Money Deposit: Rs.5,00,000/- (Rs. Five Lakh only) in the form of Demand Draft/Pay order in favour of Punjab National Bank, IT Division payable at New Delhi. EMD should be enclosed in Technical Bid. It can be also paid online using the e-procurement system of the Bank.
10. Cost of RFP: Rs.5000/- (Five thousand only) in the form of Demand Draft/Pay Order in favour of Punjab National Bank, IT Division payable at New Delhi. The DD/PO should be enclosed in Technical Bid. It can be also paid online using the e-procurement system of the Bank.
11. Contact to Bidders: Interested Bidders are requested to send a mail to itdhw@pnb.co.in, itdiss@pnb.co.in, birinder.singh@pnb.co.in containing the following information, in case any clarification is required: Name of Company, contact person, Mailing address with Pin code, Telephone No., Fax No., email, Mobile No. etc.
1. Introduction

Punjab National Bank (PNB) has taken many IT initiatives. The Bank has computerized 100% of its branches and has implemented a Centralized Banking Solution (CBS) with Data Centre at New Delhi and Disaster Recovery Site at Mumbai. The Centralized Banking Solution covers all the 6000 plus SOLs (Service Outlets), which are connected to the Data Centre and DRS through an Enterprise Wide Network. The mode of connectivity to the branches/offices is a combination of Leased Lines, ISDN Lines, VSATs, Radio Links, PSTN and other forms of connectivity, which may emerge in the near future.

Punjab National Bank also has a setup for Exchange, Alternate Delivery Channels services like Internet Banking, ATM, POS, Payment gateway, Mobile banking, Kiosks etc. Besides these services, there are interfaces with applications and networks used by different institutions like NPCI, MTNL, Customs, RBI, CIBIL, NSDL and other institutions wherever required. Applications from multiple vendors for different internal requirements of the Bank are also in use. All the applications have a DRS setup.

The Bank has also implemented a Security Operation Centre (SOC) and integrated the servers / devices for log analysis and monitoring of servers / devices installed across the bank network.

The Bank has implemented an Enterprise Data Warehouse Project to provide better access to information, to foster better and more informed decision-making, besides providing statutory reporting and MIS for the bank.

The Operating Systems used in different applications include different flavors of Unix (Solaris, AIX, SCO, Linux etc.), flavors of Windows, Novell Netware, Tandem, DOS etc. The databases include Oracle, MS SQL, Access, FOXPRO, Sybase etc.

To secure the Network, Communications, Systems, Application software, Databases, Data, Information etc. and to ensure the availability of resources including the network to authorized users without any disruption or degradation, the bank plans to utilize the services of an Information Security Integrator, who has the requisite skills, experience and expertise in implementing, maintaining, monitoring and managing a robust security framework as per the Information Security standards.

The Enterprise Wide Network is maintained by the Bank's Network Integrator and the security measures are already enforced at various levels (Application Security, Network Security, Database Security, OS Security, Access Controls, Physical Security etc.). All these security measures are in place in congruence with the Bank's Information Security Policy, Business Continuity & Disaster Recovery Plans & various other regulatory compliances. To further strengthen the Security Infrastructure, the Bank has already got accreditations from International Certifying Authorities like BSI (ISO:27001) to implement the functional & operational controls at par with the best in the Industry.

2. Eligibility Criteria

This invitation of bid is open to all the Indian Companies having presence in India who fulfill the minimum eligibility criteria as mentioned below. The bidder shall submit the details of minimum eligibility criteria as per Annexure I.

1. Bidder should be an established Indian Company (incorporated in India). Bidder must be currently a legal entity in India. Bidder to give certificate of incorporation or any other certificate of registration issued by competent authority from Government of India.
2. Bidder should have minimum turnover of Rs. 25 Crores in each of the last 3 financial years. Bidder must provide the details of turnover for last 3 years (2010-11, 2011-12, 2012-13, 2013-14 (if audited Balance sheet ready till bid submission date)). Bidder to submit the audited Balance sheets of the said 3 years and certificate of Chartered Accountant.
3. Bidder should have reported positive net worth for last financial year 2012-13 or 2013-14 (if audited Balance sheet ready till bid submission date).
4. Bidder should have a minimum 3 years' experience in implementing Information Security either as security integrator or as security implementer in any large financial institution which has its offices/branches in National Capital Region Delhi, Mumbai and / or in any of the state capitals with wide area network, intranet and internet as well as demilitarized zone and security equipment like firewalls, IPS etc. Out of 3 years' experience, at least 1 year experience should be in a public/private bank with minimum 2 lakh crores turnover in FY 2012-13 or 2013-14 (if audited Balance sheet ready till bid submission date).
5. Bidder should have experience in designing of Information Security architecture and implementation of Information Security policy, standards, procedures etc. for the organizations across the enterprise.
6. The bidder should have minimum 3 CISA/CISSP/CCSP/CCSE/CSSP/CCNP security related certification holders in its own organization with three years' expertise in handling Information Security issues / appliances / Management System / Services / Forensic investigation.

Please also note that:-

a. The bidders who have an unsatisfactory record in completion of any of earlier contracts with Punjab National Bank shall not be eligible for participating in this tender.
b. Current IS Auditors / Network Integrator of the Bank will not be eligible to bid.
c. The successful bidder (once appointed Security Integrator) is not eligible to submit tenders for appointment of Security Auditors / Network Integrator within a gap of one year from termination/completion of SI services.
d. SI should work in close association with NI (Network Integrator) and other vendors/service providers (SOC, CBS, etc.) working for the bank.
e. L-1 vendor selection will be done based on commercial bids along with Reverse Auction. Bank will hold Reverse Auction in the case of 2 or more bidders being technically eligible.

3. BRIEF OF THE EXISTING SETUP

The Bank has a Data Centre and DRS for core banking application and other applications (fully functional). All branches are connected to the centralized banking application through the enterprise wide network, which is a four-tier meshed architecture. In a four-tier meshed architecture network, the branches / offices are directly connected to a Network Center (NC) / Circle Network Centre (CNC). These NCs are further connected to a Circle Networking Center (CNC) which is directly connected to the Data Center (DC) at Delhi as well as Disaster Recovery Site (DRS), Mumbai.

The branches / offices, NCs and CNCs are connected with a Lease line/RF/VSAT as primary link and LL/ISDN (BRI and PRI)/VSAT/RF as backup link. The branches are generally using bandwidth of n*64/128/256 Kbps, NCs are using bandwidth of n*64 Kbps up to 2 Mbps and CNCs are using bandwidth of 1/2/4 Mbps. The Bank is procuring this bandwidth from BSNL/MTNL as it has entered into an MOU with BSNL/MTNL. The Bank is also using services of multiple service providers for connectivity between various locations.

Presently the Bank is using CISCO routers and switches for LAN and WAN connectivity at all the Bank's locations. The Bank has installed more than 6000 ATMs which are connected through Branch network as well as VSAT/CDMA/RF network at offsite locations from different service providers. The Bank WAN is currently running on Class A IP Schema 10.X.X.X. The Bank is currently using Dynamic Routing Protocol (EIGRP).

The IT resources of the bank at DC and DRS are protected with perimeter defense appliances / equipment. Checkpoint Firewall and CISCO firewalls along with Intrusion Prevention System are installed in active-active and failover mode. All the desktops are protected by Symantec Antivirus Client Security and these are updated from the various servers deployed across the Bank Network with Central Update server at ITD, HO. The Bank has also implemented IPSec, 3DES encryption in the Network for securing the traffic on the network.
The Bank has installed an Enterprise Management System (EMS), Unicenter from Computer Associates, for monitoring, managing and reporting the faults, configuration, performance and accounting of the Bank's Wide Area Network and Servers installed in Data Centre, Disaster Recovery Site and at other locations across the network. The Bank has different modules of this solution, namely Network System Management & Network Performance Operation, Server Management, E-Health, Database Management, Service plus Service Desk, Desktop Management, Web Server Management, Mail Messaging System Management and Service Level Management. The EMS shall also be used for monitoring the SLAs to be maintained by the successful bidder. SLA has to be calculated by SI as well.

SOC

The Bank has also implemented a Security Operation Centre (SOC) and implemented a SIEM solution for analyzing the logs of various devices & applications. SI should use inputs from SOC along with other devices for analysis.

Overseas Location

The Bank also has offices at overseas locations which are connected to our Data Centre using SSL VPN and IPSEC. Security Integrator need not deploy resources at overseas locations.

The Data Centre of PNB consists of Servers for various applications like Finacle, IBS, MMS, HRMS, SFMS, EMS etc. available on PNB Internal WAN and LAN. Several homegrown applications are also hosted at the DC and various offices across the Bank. The Bank has many web-based applications like e-circular, proposal tracking system, PMS etc. which are available through Internet also. Besides this, there are Tandem Switches for ATM connectivity, CISCO Layer-3 and Layer-2 switches for connectivity with servers and users, and Multi Conferencing Unit for Video Conferencing installed in the Data Centre and various offices.

The DRS is connected with the Data Centre through multiple Leased Lines. DRS is a replica of DC containing similar type of servers, routers, switches etc. The Network Cables of the data centre are of 1 Gbps fibre and 10/100/1000 Mbps UTP.

Bidder is required to study the security of these applications and to recommend / assist in implementation of appropriate cost-effective solutions. The Bank has already framed an Information Security policy in line with international standards and it has been adopted by various business units. Detailed procedures have been drafted based on the policy.

4. Objective of having SI (Security Integrator)

1. The integrator is positioned to act as the bridge between technological evolution, standardization and solution orientation.
2. The integrator is positioned to support, assist or define the network, application, security protocol standardization.
3. Offer the expertise in the area of information security, especially the financial sector and the centralized application environment.
4. Has sufficient insight into cyber security and the associated threats.
5. Necessary expertise in the network technology and the internet technology, including the protocols etc.
6. Capable of implementing / managing new and existing security devices and having strong knowledge of the security devices deployed in the Enterprise wide network.
7. Capable of designing / reviewing security architecture of the Bank Network.
8. Necessary expertise in network analysis tools and vulnerability assessment tools.
9. Understanding of the application / database security and capable of providing the inputs to the developers to secure the application at the development stage itself. No code review by Security Integrator.
10. Assist and guide the Bank to address the audit points, especially the VA and Penetration test results.
11. Review the process (operations and data flow) and the operational risk areas on a continuous basis and provide necessary inputs in alignment with best practices. SI shall be assisting in remediation activities.
5. SCOPE OF WORK

5.1. Security integrator to assist on the following activities

1. Implementing / managing new and existing security devices deployed in the PNB Enterprise wide network at various locations.
2. Formulating the security architecture for various application implementations.
3. Formulation and implementation of best security practices in the network, Data Centre, DRS, & other locations.
4. Configuration, maintenance & monitoring of end-to-end security solutions (including products, appliances, monitoring consoles, Security log/data storage devices, Security appliance management servers etc.) in the entire network of the bank.
5. Post implementation and support capability at the locations where the security components are installed and proposed to be installed.
6. Study the impact of the Security Audit recommendations on the application at the server level, network level and client level and give appropriate Impact analysis documents.
7. Implementation of the Security Audit recommendations.
8. Perform Incident Management with respect to the following:
   a. Contain attacks through configuration of security devices after prior approval
   b. Forensic Analysis based on logs captured in the system
   c. Root cause analysis & suggest long term controls
   d. Evidence collection for legal and regulatory purposes
   e. Analyze and report incidents based on severity
   f. Escalate incidents as per process
9. Suggest the requisite control measures for monitoring, reporting, control self-assessment of various security components for various banking channels like CBS, ATM, Internet banking, Mobile Banking etc. and the associated threats addressing security concerns including cyber security.
10. To review the various processes of the applications and the operational risk associated on a continuous basis and suggest mitigation & resolution.
11. Review the existing information security infrastructure on all the business applications across the bank and other security postures of the bank and its subsidiaries as and when required by the bank vis-à-vis the business requirements of the Bank and regulatory standards, guidelines and best practices.
12. To provide advice and analysis on new technologies and related issues.
13. For improving network and IT resources availability, integrity & confidentiality keeping in view the application architecture and access requirement.

5.2. Security Integrator to provide the following

1. Details of work to be performed for the Engagement but not limited to following:-

Security Devices Review & Management; Rule base & user Management; Configuration Management:
- Configuration of rules as per change management process.
- Documentation of rule base change
- Rule base optimization
- Set up and manage admin and user accounts as per policies of organization
- Manage and restrict users as per the assigned role.
- Configuring the new / existing security devices deployed in enterprise network.
- Configuration and Management of Interface addresses, routing information, routing tables, Multicast configuration for the Device operations
- Patch implementation.
- Backup of configuration of all devices
- Configuration backup before making any changes.
- Documentation of change management.
- Configuration review of security devices.

Fault Management; Performance & Availability Monitoring; Reports & Documentation; Device Management Daily Activity:
- Troubleshoot faults & problem resolution.
- Open a case with Backend team for problem resolution or knowledge sharing.
- Open a case with product Supplier in the event of component malfunction or system failure; the same needs to be followed up for early resolution
- Open a case and coordinate with OEM to resolve bug fixes & patches.
- Escalation with Vendors/Service Providers/OEM for any failures, response and issues.
- Report incident to Bank according to escalation matrix.
- Provide proper RCA, Preventive action and Proactive action of the problem.
- Documentation of Fault management and solution document
- Monitor devices for availability
- Monitor performance parameters including CPU utilization, memory, connections etc.
- Monitoring of any attacks or attack pattern on the Bank's infrastructure
- Monitoring and analysis of traffic at devices and report / resolve any abnormalities.
- Reports preparation viz. configuration changes of devices, traffic analysis and other reports according to requirement of organization.
- Preparation and submission of reports for CPU utilization, errors, memory utilization, bandwidth utilization, connections and other health parameters of devices on Daily/weekly/fortnightly/monthly basis
- Preparation and submission of reports for any failures/incidents along with details of resolution, root cause, preventive and proactive measures taken to avoid recurrence.
- Documentation of standard operating procedures for all security devices.
- Documentation of minimum baseline security configuration of devices.
- Maintaining inventory of all devices/software/servers along with their version, licenses, AMC and other details.
- Checking of version updates and patch releases, IPS signatures and other updates on regular basis.
- Proactive monitoring of devices/servers/utilization, CPU utilization, memory utilization, bandwidth/link utilization, errors, space and services on servers, connections etc. and perform corrective actions.
- Performing daily Checklist and health monitoring of devices
- Performing Firewall rules addition/deletion/modification
- Maintaining uptime as per the Uptime requirement specified in the penalty clause of the RFP.
- Keeping track of latest vulnerability, threat and patch advisories
- Interacting with Business users for resolving issues.
- Monitor alerts, events and logs of security devices.
- Analyze alerts and reduce false positives
Shift Management; Change Management:
- Handling and preparation of shift schedule.
- Maintaining shifts as per the RFP.
- Submission of shift attendance report at end of month with IN and OUT time details
- Planning of Changes to be carried out
- Carrying out changes with proper prior approval
- Strictly following Change Management process

2. To provide device level security architecture & authentication design for all the security devices and network components.
3. Vetting of Network and data flow Diagrams once every 3 months.
4. Vetting and designing of new/existing projects or applications and recommend according to best security practices and the Bank's policy.
5. Provide an assessment report, gap analysis document and document containing suggestions and recommendations for addressing the gap and submit complete security design to protect the IT assets, data, information etc. across the bank (covering the networked set up, standalone systems etc.)
6. Provide updates with respect to the security system of PNB periodically, at least once in a month, about various threats, vulnerabilities etc. related to the bank's environment and products deployed along with views and suggestions for mitigating the same / reducing the risk.
7. Identify each security component required and evaluate the various products available and arrive at the appropriate cost effective solution which suits the requirements, in consultation with the Bank.

5.3. Miscellaneous

1. The entire design, implementation and integration of Information Security Management System work has to be done by qualified experienced professionals having product certifications like in Firewalls / IPS of CISCO, Checkpoint and other security devices. The implementation and security integration should be completed within the mutually agreed implementation and security integration schedule.
2. Service Provider will liaise with OEM / supplier for the deployed devices for resolving problems as per Service Level Agreements.
3. Service Provider will arrange qualified & competent resident engineers as per skill sets mentioned below. Security Integrator is to be stationed at PNB Data Centre, New Delhi. They will be the first point of contact and their efforts are to be supplemented and supported by the expert team of the company at the backend. The engineers may be required to undertake visits to any location of the Bank to resolve security issues, install and configure security equipment.
4. Security Integrator services will be available for 24*7 (including Sundays and holidays) with following arrangements:
   a. One L2 Engineer should be available from 10 am to 7 pm on all days except on Bank holidays.
   b. And one L1 engineer will be available for providing 24*7 (including Sundays and holidays) services.
   c. Service provider has to arrange sufficient number of L1 engineers for managing shifts and leave arrangements for providing 24*7 (including Sundays and holidays) services.
   d. Service provider does not enforce engineers to do shifts more than the permissible limits as per directions from any regulatory authorities.
   e. Service provider has also to make leave arrangement for L2 engineer.
5. Security Integrator has to provide the above services for security devices deployed in PNB including that of Regional Rural Banks (RRBs) sponsored by the PNB, all subsidiaries of the Bank and overseas locations of the Bank.
6. The Security Integrator will work in close association with our Network Integrator, SOC Team and other officials for resolving / implementing any security issues / devices.
7. The support will also be provided by SI through its backend team, who will have to recommend / assist in implementation / configure solution to secure LAN/WAN environment and other technical consultancy. No contractual / 3rd party engineer is allowed.
8. SI is not expected to supply equipment but has to recommend devices and security solutions as per the Bank's requirement and best security practices and policies.
9. Whenever an SI engineer has to travel outside NCR for solving the Bank's issues at a remote location, he will be paid TA/DA as per the entitlement of Scale-II Manager in the Bank.
10. No partner / consortium allowed either prior or later. SI has to execute the contract itself.
11. SI does not have to manage SOC. SI has to use inputs from SOC for analysis of logs and events.

5.4. Details of skill set required for the Engagement but not limited to following

Position: Level L2
Skill Set:
- BE/B.Tech in Computer Sc / Electronics / ECE / EE / ECS / IT Engineering
- At least one security certification in both Checkpoint and Cisco firewalls, viz. CCSP / CCSE / CSSP / CCNP Security.
- Minimum 3 years of experience in handling security related products & services in an organization of repute.
- Person should have adequate knowledge of Check point firewall / IPS and Cisco firewall / IPS, IBM IPS and other security devices
- Sound analytical and troubleshooting skills
- Good Team Management and co-ordination skills

Position: Level L1
Skill Set:
- BE/B.Tech in Computer Sc / Electronics / ECE / EE / ECS / IT Engineering
- At least one security certification such as CCNA - Security, CCSA, security certification in Checkpoint or Cisco firewalls.
- Minimum 1 year of experience in handling security related products & services.
- Knowledge and hands on experience especially in configuration and management of Checkpoint Firewall / IPS with knowledge of Reporter and Cisco Firewall / IPS and other security products.
- Knowledge of packet level analysis using packet traces/dumps with tools like tcpdump, ethereal etc.

Note: Before deploying any engineer, Bank has the right to assess his skills and retain the right to refuse.
6. BIDDING PROCESS (TWO STAGES)

For the purpose of the present job, a two-stage bidding process will be followed. The response to the present tender will be submitted in two parts:

- Technical bid (Part-I)
- Commercial bid (Part-II)

The bidders shall duly complete the formats of Bid (Technical and Commercial) and the same must be submitted online through our e-procurement system at website https://www.pnbindia.biz on or before the last date and time for acceptance of online Bids as specified in the RFP. Details of Earnest Money Deposit should also be filled in the format available in our e-procurement system website. The bid shall be signed using Digital Certificate by the Bidder so as to bind the bidder to the contract. The complete detail of the e-procurement process is available on the Bank's e-procurement website https://www.pnbindia.biz

Apart from the online submission of bids, bidders will also be required to submit a hardcopy of their bids along with DD for cost of bid, Earnest Money Deposit and supporting documents on or before the last date and time for acceptance of online Bids as specified in the RFP. In the event of the specified date for submission of bids/supporting documents being declared a holiday for the Purchaser, the bids/supporting documents will be received up to the specified time on the next working day.

The physical bids / hardcopy can be submitted to the below mentioned address:-

The Asstt. General Manager (Procurement Deptt)
Punjab National Bank
Information Technology Division
4th floor, Head Office, 5 Sansad Marg, New Delhi 110 001

The process for submission of hard copy of bids is detailed as under:-

The bidder will have to submit the Bid in an envelope super-scribed "Bid for Security Integrator Services". The envelope must mention that it contains an envelope namely "Technical Bid". In case the envelope is not properly super-scribed then the Bank can reject the bid.

Technical bids are in red lac sealed envelopes (wax seal), duly super-scribed "TENDER FOR RFP for Security Integrator for Information security management system on the Bank & Security Integration services for enterprise wide network".

A Non-Refundable amount of Rs.5000/- (Rs. Five thousand Only) in the form of Demand Draft favoring Punjab National Bank payable at New Delhi being cost of the bid document shall be submitted separately at the time of submission of bids, and it can be also paid online using the e-procurement system of the Bank.

6.1 TECHNICAL BID:

Technical Bid Envelope should contain Technical bid comprising one hard copy and one soft copy (non-modifiable format such as PDF) of the technical bid. Hard copy of the Technical bid should be a complete document and placed in a sealed envelope super-scribed as "TECHNICAL BID". The soft copy (non-modifiable format such as PDF) of the Technical bid should be submitted on a CD sealed in an envelope marked as "SOFT COPY OF TECHNICAL BID". Both of these sealed envelopes should be placed in a single sealed envelope super-scribed as "Technical bid for RFP for Security Integrator for Information security management system on the Bank & Security Integration services for enterprise wide network".

The technical bid should consist of the following:

i). Earnest Money Deposit as specified in this document
ii). A letter on bidder's letter head mentioning the following:
   a) Details of EMD submitted, technical competence and experience of the bidder
   b) Certifying that the period of the validity of the bids is 180 days from the target date of submission of bid, and
   c) Confirming that the bidder has quoted for all the items/services mentioned in the tender in their commercial bid.
iii). Supporting documents in respect of Eligibility Criteria as mentioned in Annexure-I.
iv). Bidder's Information as per Annexure-II on bidder's letter head.
v). Acceptance of the terms and conditions and compliance statements contained in Annexure-III on bidder's letter head.
vi). Power of Attorney on stamp paper authorizing to sign and submit the bid
vii). Performance statement (Annexure-IV) on bidder's letter head.
viii). Last three years published audited balance sheets and profit and loss account statements.
ix). Technical details as per Annexure-V (each page is to be signed by the bidder)
x). Bidder shall appoint an experienced L2 dedicated to the project execution. The bidder should provide CV of the L1, L2, Project Leader [to whom L2 reports] that demonstrates proven experience in executing projects similar in scope and complexity.
xi). Non-disclosure agreement as per Annexure-VII.

In case of any discrepancy between physical and digital copies of bid, digital copy shall prevail.

6.2 Commercial Bid:

The bidder should submit the commercial bid as per Annexure VI of the bid document. The bidder should submit the commercial bid only online using the e-procurement system.

6.3 Earnest Money Deposit (EMD)

Bidder to submit the EMD of Rs.500000/- (Rupees Five lakh only) as Bid Security in the form of Demand Draft or Pay Order / Cash Order in favour of Punjab National Bank Information Technology Division drawn on Delhi. This security is required to protect the interest of PNB against the risk of conduct of the bidder, which may warrant the forfeiture of the security in the following scenarios:

a) In the event of withdrawal of bid during the period of bid validity; or
b) In the case of a successful bidder, if the bidder fails to sign the contract in accordance with the Terms and Conditions and other requirements as specified in RFP; or
c) Any act of bidder, which is not in line with contract obligations.
Any bid not accompanied with requisite EMD shall be treated as non-responsive and is liable to be rejected. The EMD of the unsuccessful bidder shall be returned as early as possible, but not earlier than 30 days after closure of bidding process, against acknowledgment from the bidder. Successful bidder's EMD will be returned upon the bidder signing the contract and submitting the required Performance Bank Guarantee. No interest is payable on the amount of EMD. This EMD amount (DD/PO) should be kept in the envelope containing Technical Bid. In the absence of EMD, bid will be rejected.

6.4 BIDDING DOCUMENT:

6.4.1 Contents of Bidding Document

The bidder is expected to go through all the instructions, terms, forms and specifications of the tender document. Failure to furnish all information required by the tender document or submission of bid not substantially responsive to the tender document in every respect will be at bidder's risk and
may result in the rejection of the bid.

6.4.2 Amendment of Bidding Document:

At any time prior to the last date for receipt of the bid, PNB may, for any reason, whether at its own initiative or in response to a clarification requested by any of the prospective bidders, modify the tender document by an amendment. The amendment will be notified by posting the same on our official website www.pnbindia.in and/or our e-procurement website www.pnbindia.biz. In order to afford prospective bidders reasonable time to take the amendments into account in preparing their bids, PNB may, at its discretion, extend the target date for the submission of the bid and the same will be notified on the said website.

6.5 Preparation of Bids:

6.5.1 Language of bids:

The bids prepared by the bidder and all correspondence and documents relating to the bids exchanged by the bidder and PNB shall be written in English.

6.5.2 Bid Prices:

The quoted price shall be uniformly applicable for delivery/performance to any part of the country and shall be all inclusive except service tax (i.e. including installation charges, any other applicable duties whether state or central, packing, freight and forwarding, transit insurance, local transportation, labour charges, incidental charges such other cost towards boarding, traveling, lodging etc.). Entry tax/octroi, if applicable to any location, will be reimbursed by the Bank at actual on production of documentary evidence. Bank will not be making any other payment except those mentioned in the commercial bid.

6.5.3 Validity of bids:

Bid shall remain valid for 180 days from date of submission mentioned in this document. A bid valid for a shorter period is liable to be rejected by PNB. The bidders may be required to give consent for the extension of the period of validity of the bid beyond the initial 180 days, if so desired by PNB in writing or by fax. Refusal to grant such consent would result in rejection of bid without forfeiture of the EMD.
However, any extension of validity of bids will not entitle the bidder to revise/modify the bid amount.

6.5.4 Revealing of Prices

The rates and/or prices in any form or for any reasons should not be disclosed in the technical or other parts of the bid except in the commercial bid. Failure to do so will make the bid liable to be rejected. Before opening of the commercial bids, if price revision is envisaged by the bank, revised commercial bid may be required to be submitted in a separate sealed envelope.

6.5.5 Terms and Conditions of the bidder:

The bidders are required not to impose their own terms and conditions on the bid and, if submitted, these will not be considered as forming part of their bids. The bidders should also describe clearly in what respect and up to what extent the services being offered differ/ deviate from the specifications laid down in the specifications and requirements. (Only Technical)
6.5.6 Local conditions:

The bidder must acquaint himself with the local conditions and factors which may have any effect on the performance of the contract and / or the cost.

6.5.7 Sealing and Marking of Bids:

The bidder shall seal and mark each of the copies (one hard and one soft copy), wherever applicable, of all the bid documents in accordance with clause 6.1, 6.2 and 6.3. In case of non-compliance, PNB will not assume any responsibility for misplacement or premature opening of bids or any other damage.

6.5.8 Last date of receipt of bids:

Bids must be received by PNB at the address specified under clause "Bid Details" not later than the time and date specified therein. In the event of the target date for the receipt of bids being declared a holiday for PNB, the bids will be received till the target time on the next working day. PNB may at its discretion extend the bid submission date. The modified target date & time will be notified on the web site of PNB.

6.5.9 Late Submission of bids:

Any bid received by PNB after the target date and time of the receipt of bids prescribed at "Bid Details" will be rejected and / or returned unopened to the bidder at his risk and responsibility.

6.5.10 Modification and Withdrawal:

Bids once submitted will be treated as final and no further correspondence will be entertained on this. No bid will be modified after the target date & time for submission of bids. No bidder shall be allowed to withdraw the bid. In case of the successful bidder, he will not be allowed to withdraw/back out from the bid commitments. The bid earnest money in such eventuality shall be forfeited and all interests/claims of such bidder shall be deemed as foreclosed.

6.6 Opening of Bids:

6.6 All the bids will be opened at the date, time and locations mentioned under the clause "Bid Details". The technical bids will be opened in the presence of representatives of the bidders who choose to attend.
Clarifications:

If deemed necessary, PNB may seek clarifications on any aspect from the bidder. However, that would not entitle the bidder to change or cause any change in the substance of the bid already submitted or the price quoted. The bidder may also be asked to give a presentation for the purpose of clarification of the bid. All expenses for this purpose, as also for the preparation of the documents and other meetings/presentations, will be borne by the bidders.

6.6.2 Bid Currency:

Prices shall be expressed in Indian Rupees only.

6.6.3 Preliminary Examination:

The bids will be examined by PNB to determine whether they are complete, whether required bid security has been furnished, etc. and whether the bids are generally in order. A bid determined as not substantially responsive will be rejected. PNB may, at its discretion, waive any minor non-conformity or irregularity in a bid which does not constitute a material deviation, provided such waiver does not prejudice or affect the relative ranking of any bidder.
6.6.4 Evaluation and Award Criteria:

Based on the Minimum Eligibility Criteria (as mentioned in this document) fulfilled by the bidders, bank will determine whether the bidder is qualified to satisfactorily perform the contract. The decision of bank will be final in this regard.

Technical bids of only those bidders who meet the minimum eligibility criteria will be further evaluated to determine whether these are substantially responsive to the required Technical requirements as mentioned in Annexure V. Bids that are not substantially responsive to Technical requirements are liable to be disqualified at Bank's discretion. The commercial bids will be opened only for those bidders who have substantially met the required Technical requirements.

If there is a discrepancy between words and figures, the amount in words will prevail.

In case any bidder has failed to quote the rate and/or price for some item(s) / service(s), the highest rate quoted by other bidders for such item(s) / service(s) will be loaded to their commercial bid for ascertaining the L1 bidder. However, in case such bidder becomes L1 bidder, then the lowest rate quoted in the said category for which the bidder did not quote will be the final rate for further necessary action.

After opening of the technical bids and preliminary examination, some or all of the bidders may be asked to make a presentation of the items/services offered by them as per the schedule decided by Bank. Bank may also visit and inspect the bidder's reference site and other installation. Bidder will bear all the costs associated with such presentations and visits.

6.6.5 Contacting PNB or putting outside influence:

Bidders are forbidden to contact PNB or its Integrators on any matter relating to this bid from the time of submission of bid to the time the contract is awarded. Any effort on the part of the bidder to influence the bid evaluation process or the award of contract decision may result in the rejection of the bid.
6.6.6 COST OF BID

The bidder will bear all cost(s) associated with the preparation and submission of bid, including cost of presentation(s), reference site visit, etc. for the purposes of clarification of the bid. Bank will not be responsible or liable for these costs, regardless of the conduct or outcome of the bidding process.

6.6.7 CANCELLATION OF BID/ BIDDING PROCESS

The Purchaser reserves the right to accept or reject any bid and annul the bidding process or even reject all bids at any time prior to award of contract, without thereby incurring any liability to the affected bidder or bidders or without any obligation to inform the affected bidder or bidders about the ground for the Purchaser's action. The purchaser reserves the right to accept or reject any technical proposal of the vendor.

7. Guidelines for Reverse Auction

7.1. Initiation on the Bid Process

Opening bid price and bid decrements will be intimated at the start of the bidding process by means of on-line messages. In case of not receiving the details, the supplier has to inform the PNB system administrator one hour before the scheduled event time through email and request the details.
7.2. Opening Price

Opening price is the upper/ceiling price of the contract value fixed by PNB for the lot /item. Suppliers can bid only lower than the opening price in case of Reverse Auctions (Bid price would be based on the total price arrived at by multiplying specified quantities with unit rates and summing up for the entire requirement).

7.3. Weightage / Loading Factor

This factor shall be incorporated by the System automatically during the event. This factor is the effect of the financial implication arising out of the deviation taken by the Bidder in his Bid.

7.4. Auction Types

Bank may either go for Price Base Auction, in which the price quoted by each bidder is shown to all the participants, or Rank Base Auction, in which only the rank of the particular bidder is visible instead of the price.

7.5. Alias Name

Each bidder will be given a unique alias name, generated by the system and informed by system generated email. Bidders can see the bids of other suppliers but the real name will not be visible on the screen.

The complete schedule of the auction will be intimated through system generated emails to the participating suppliers. Flash messages between the event and at the end of the events.

The normal duration of Reverse auction will be 1 hour (60 minutes) with provision of auto extension as per auction rules to be decided by the Bank before start of auction. The Bid Extension rules shall be governed after the expiry of the Auction Time earlier set & decided before start of Event. In the event a bidder is placing his bid in the last 5 minutes of the scheduled end time of the event, the event will get automatically extended for the next 5 minutes, indefinitely. The auction time will get automatically extended so as to allow the other bidders an opportunity to participate and give a better offer to win the bid. In the event of any typographic error while posting the bid, the auction would still get extended so as to allow the bidder an opportunity to correct the mistake.
Screen will refresh automatically every seven (7) seconds. It is recommended to manually refresh the screen by pressing F5 on the keyboard if no changes are seen on screen for an unusual period.

7.6. Bid Decrement

Bid Decrement is the minimum fixed amount by which, or by multiples of which, the next bid value can be decreased. Bid decrement is usually calculated as 0.25% of the opening price. However, PNB reserves the right to decide the appropriate bid decrement factor. Bidders should enter the next bid price considering the Bid Decrement, with reference to their own bid for Rank Auction and with reference to the L1 bid for Price Auction. However, in no case would the system accept modification to a higher value.

7.7. Auto Bid

Auto Bid is enabled from the start time of bidding. Once the vendor activates this feature in the system, the system places bids on behalf of the vendor as per the next bid decrement until the time the auto bid amount gets outbid by another participating vendor. This is particularly useful in case of an unreliable internet connection.

7.8. Surrogate Bidding

Surrogate bidding is not allowed.

7.9. Price Variation Factor
If a bidder quotes prices higher by more than 40% as compared to the average quoted prices (of all technically qualified bidders) for all items in aggregate, that bidder shall not be called for the reverse auction process.

7.10. Price Break Up

Bidders are required to submit the price break up of the final bid price just after the event on the formats/ price breakup sheet.

7.11. Mistake Proofing

If a bid is placed X times below or above the bid decrement / increment as decided by PNB, a warning message will be flashed on screen to confirm the placed bid. A bid once placed will not be deleted in any circumstances and the supplier will be bound to deliver the item at the quoted bid.

The following terms and conditions are deemed as accepted by the vendor on participation in the bid event. Bidders/ participants are deemed to have accepted the auction rules on participation at the bid event. Participation in a bid event is by invitation from PNB. Any other supplier does not automatically qualify for participation. PNB will make every effort to make the bid process transparent. However, the award decision by PNB would be final and binding on the supplier.

a. Bidder agrees to non-disclosure of trade information regarding the purchase, identity of PNB, bid process, bid technology, bid documentation and bid details.
b. Bidder cannot change price or quantity or delivery terms (or any other terms that impact the price) post the bid event.
c. Need to furnish the item rate form within the stipulated time after the bid event.
d. Bidder cannot divulge either his bids or those of other suppliers to any other external party.
e. Technical and other non-commercial queries (not impacting price) can be routed to the respective PNB contact personnel indicated in the RFP.
f. Bidder is advised to understand that the auto bid process is there to safeguard them in case of technical failure.
Inability to bid due to telephone line glitch, Internet response issues, software or hardware hangs will not be the responsibility of PNB.
g. Bidder should be prepared with competitive price quotes on the day of the bidding event. Participate in the online bidding event as per the schedule. Submit the item wise price break up for all the items as per his last bid price in the stipulated time as per the schedule immediately after the online sourcing event. The bidder has to necessarily quote for all the items listed in the BOQ. In case of incompleteness of the bid, same may be rejected.

8. RELIABILITY / QUALITY OF THE SECURITY PRODUCTS PROPOSED

The products/equipment proposed by the Security Integrator are installed at critical sites, and it is therefore to be ensured that the recommended products are robust and reliable.

9. SIGNING OF CONTRACT

The successful bidder(s) shall be required to enter into a contract with PNB, within 7 days of the award of the tender or within such extended period as may be specified by Bank, (on the basis of the Tender Document), the letter of acceptance and such other terms and conditions as may be determined by the Bank to be necessary for the due performance of the work in accordance with the Bid and the acceptance thereof. Bank reserves the right to extend the validity of contract beyond two years, on same price and terms and conditions, with the consent of vendor, up to 1 year. Successful bidder may be required to sign a separate Service Level Agreement with Bank.
10 Performance Bank Guarantee

The Successful bidder shall submit a Performance Bank Guarantee to the Bank for an amount equal to 20% of the successful bid amount. The EMD amount deposited at the time of bidding will be released thereafter. The Bank guarantee will be valid for 27 months from the date of contract and retained by Bank, and may be extended for a further period as may be required by the Bank. The performance bank guarantee shall guarantee the due performance of the contract by vendor. In case vendor is unable to start the project within the stipulated time as and when required, or if the starting of the project is delayed inordinately beyond the acceptable levels, PNB shall be entitled to invoke the Bank Guarantee. PNB shall also be entitled to invoke the bank guarantee in case vendor is not able to meet any of the conditions of the project with regard to uptime and response time, or is unable to complete the project within the stipulated time. This shall be independent of the penalties referred to in clause 18 (PENALTY) and clause 13 (DELAYS IN THE SUPPLIER'S PERFORMANCE).

11. PATENT RIGHTS

The vendor shall indemnify the purchaser against all third party claims of infringement of patent, trademark or industrial design rights arising from use of the Goods/services, or any part thereof, in India.

a. The vendor shall, at their own expense, defend and indemnify the purchaser against all third party claims or infringement of Intellectual Property Right, including patent, trademark, copyright, trade secret or industrial design rights arising from use of the products or any part thereof in India or abroad.
b. The vendor shall expeditiously extinguish any such claims and shall have full rights to defend itself therefrom. If the purchaser is required to pay compensation to a third party resulting from such infringement, the supplier shall be fully responsible therefor, including all expenses and court and legal fees.
c. The purchaser will give notice to the vendor of any such claim without delay, provide reasonable assistance to the Supplier in disposing of the claim, and shall at no time admit to any liability for or express any intent to settle the claim.
d. The vendor shall grant to the purchaser a fully paid-up, irrevocable, non-exclusive license throughout the territory of India or abroad to access, replicate and use software (and other software items) provided by the supplier, including all inventions, designs and marks embodied therein, in perpetuity.

12 ASSIGNMENT

The bidder shall not assign, in whole or in part, its obligations to perform under the contract, except with the Purchaser's prior written consent.

13 DELAYS IN THE SUPPLIER'S PERFORMANCE

Delivery of the performance of the Services shall be made by the vendor/ supplier in accordance with the time schedule specified by Bank. Any delay in performing the obligation by the vendor/ bidder will result in imposition of liquidated damages at the rate of 1% per month on the half yearly payment and/or termination of rate contract for default. The successful bidder will be required to submit an escalation matrix with time lines.

14 GOVERNING LAWS AND DISPUTES
(This clause will be applicable in case of successful bidder only)

All disputes or differences whatsoever arising between the parties out of or in relation to the construction, meaning and operation or effect of these Tender Documents or breach thereof shall be settled amicably. If, however, the parties are not able to solve them amicably, the same shall be settled by arbitration in accordance with the applicable Indian Laws, and the award made in pursuance thereof shall be binding on the parties. The Arbitrator/Arbitrators shall give a reasoned award. Any appeal will be subject to the exclusive jurisdiction of the courts at Delhi.

During the arbitration proceedings the Vendor shall continue to work under the Contract unless otherwise directed in writing by the bank or unless the matter is such that the work cannot possibly be continued until the decision of the arbitrator or the umpire, as the case may be, is obtained. The Venue of the arbitration shall be Delhi.

15 Payment Terms

a. Payment once in every 3 months on arrear basis.
b. Period starts from date of contract / commencement of services.
c. Paid after the expiry of the 3 month period.
d. Amount quoted includes all costs, charges & taxes except Service Tax. Service tax will be paid extra by Bank.
e. Total contracted amount is to be payable in 8 installments, one at the end of every 3rd month.
f. Company should raise invoice.
g. Amount is payable only after satisfactory discharge of the services as per RFP.
h. SI should submit an undertaking every 3 months that L1 & L2 engineers (staff deployed by them) have been paid their contracted salaries and their legal and statutory requirements have been met.
i. Onsite engineers L1 & L2 are also required to submit an undertaking every 3 months that their contracted salaries are paid to them by their employer and no dues are pending during that period.
j. List of activities performed by the staff should be submitted by them, which will be validated before making the payment.

16 Uptime Requirement

The enterprise wide network and critical servers at DC, DRS, CO, CNC, NC, and other locations should not face any downtime due to security breach, security incident, or improper configuration of security units / appliances / components, and its uptime is to be minimum 99.75%. For the purpose of uptime calculation, the details maintained by the network team and system team of the bank at DC/ DRS and the teams at other locations will be taken. In respect of security equipment, the down time register will be maintained at ITD/ ISS, HO. Intimation of failure will be made in person/e-mail/ telephone/ letter/ fax etc.

17 SERVICE LEVEL AGREEMENT

The duration of Security Integrator shall be for two years. The Security Integrator will also have to enter into a Service level agreement for Service Support and Maintenance of solution as per the terms and conditions of the RFP and covering the scope of work and technical requirements. The resident engineer of the Security Integrator/implementer shall respond/ attend to any notification of a fault incident immediately to bank officials. Email and Telephonic Support should also be provided by
the back end experts to the resident Security Integrator or bank's security team, besides On-site support for 2 years. The non-delivery of services or non-response or any breach of information will lead to penalty. The penalty is applicable in respect of non-delivery of services/ support as per the requirement of this RFP. For any security product implementation or other services, the expert team should be deputed to any location (across the country) without any cost to Bank.

18 PENALTY

Penalty due to overall down time:

Penalty at the rate of 5% of the contract amount for every 0.1% overall lower uptime in network due to any kind of security breach or security component malfunctioning (in case of hardware failure and it is not managed/ maintained by SI then it will be excluded), non-performance of the services as per RFP terms, or improper configuration of the security appliances/ hardware/ units etc. than mentioned above, on prorata charges of total project cost as per Annexure VI (Total project cost / 24 months) for the calendar month during which uptime is observed on lower side, e.g.,

Network, server and security equipment uptime 99.75% or above: No penalty
Network, server and security equipment uptime 99.65% to 99.74%: 5% of contract amount
Network, server and security equipment uptime 99.55% to 99.64%: 10% of contract amount

and so on, provided the penalty amount shall not exceed 25% of the amount paid to the Bidder correspondingly for the period (one calendar month) for which penalty is levied. Beyond this, PNB reserves the right to cancel the contract.

For a site which is down because of problems to be handled by Bank (like Power supply problem, Locking of door etc.), penalty will not be charged. Penalty will also be applicable for any absentee. Penalties as mentioned above shall be mutually exclusive and will be recovered from any payment due to the successful bidder (vendor).
19 Non-Disclosure Agreement (NDA)

Bidders should sign the non-disclosure agreement as per ANNEXURE VII. The duly signed copy should also be submitted along with the bid document as part of technical bid.

20 TERMINATION

i). By PNB: PNB shall be entitled to terminate this agreement by giving 30 days' notice to successful bidder in case:

a. Successful Bidder fails to integrate /implement the project as per Information Security Policy for Enterprise Wide Network/RBI's guidelines. In such eventuality, Successful Bidder will refund to PNB the entire amount received as advance from PNB pursuant to the terms of this agreement along with interest @ 12% per annum from the date of receipt of such amount by Successful Bidder till refund of such amount to PNB.
b. Successful Bidder fails to provide maintenance services as per terms and conditions agreed hereunder and/or fails to fulfill any of its obligations enumerated hereunder. In such eventuality, PNB shall have the right to avail the services of any other person for the purpose without any let or hindrance from Successful Bidder.
c. In the eventuality of termination of agreement, PNB shall have the right to avail the services of any other person for the purpose without any let or hindrance from Successful Bidder.
d. In the eventuality of termination of agreement, besides claiming refund of amount as above, PNB shall have a right to claim liquidated damages of 10% of total contract
amounts.

ii). By Successful Bidder: Successful Bidder shall have the right to terminate this agreement by giving 90 days' notice to PNB in case PNB fails to pay the fees/charges to Successful Bidder as per terms agreed hereunder or fails to comply with the terms and conditions enumerated hereunder.

Obligations of PNB

a. PNB shall provide adequate access to the computer system to provide service hereon. PNB shall be responsible for providing proper power source, air-conditioning and other environmental conditions as prescribed by Successful Bidder. Any damage due to deviations from this at PNB end will not be covered under this agreement.
b. During the period of this agreement, the setup may be relocated with information to Successful Bidder.
c. PNB shall be responsible for communicating with PNB's own users of the network security services and for handling all complaints and trouble reports made by such users.
d. PNB staff may accompany Successful Bidder engineer(s) for carrying out any activity on PNB's security network.

Obligations of Successful Bidder (vendor)

a. Successful Bidder will always send trained and experienced engineers to provide service at PNB offices at New Delhi, Mumbai or any location for security product implementation. Their names, contact addresses and phone nos. will be advised in writing to PNB and they all will abide by the IS policy of the Bank. (This clause will also be a part of an agreement and is to be signed by the CO./service provider with the Bank)
b. Whenever any designated Successful Bidder engineer is leaving his job, Successful Bidder will give prior information about this to PNB.
c. Successful Bidder engineer(s) will always work on PNB servers /networks from PNB premises and will NEVER enter into PNB network from any other public or private network under any circumstance.
d. Only in the case of extreme emergencies, Successful Bidder would access the firewall servers remotely through the relevant secured protocols for performing the required configuration changes, after obtaining prior written consent of PNB's Security Team. Successful Bidder would ensure that these protocols are given remote access only for the troubleshooting purpose during this period, and the access would be denied on the firewall servers in the normal working environment.
e. Successful Bidder engineer(s) will not change the password of security software/tools without the knowledge of PNB's Security Team. In case they are aware of any password(s), they will not share them with anyone other than PNB's security team without written communication from PNB's Security Team.
f. Successful Bidder engineer(s) will always give a duly signed call report, at all locations, describing the activities carried out by them before leaving PNB premises.
g. Whenever any new security threats / vulnerabilities become public, Successful Bidder will bring this to the notice of PNB immediately and help/guide PNB in plugging these.
h. Once the call has been attended, Successful Bidder engineers will put in their maximum efforts and deploy their best resources to resolve all calls in the earliest possible time frame at all locations and ensure appropriate uptime.
i. Successful Bidder shall be responsible for any act of its employees that may result in security breach in respect of PNB network and would provide an indemnity bond to the bank as given below.
j. Successful Bidder agrees not to participate in PNB's tendering process for security auditors within a time gap of one year.
k. Successful bidder shall not remove the engineers deputed at PNB site without Bank's prior written approval or at least 2 months of notice. If vendor does not comply with this guideline, penalty at the rate of 5% of quarterly charges shall be charged.
l. At no time during the term of the work-order is the support engineer treated as an employee of PNB. The payment of salaries, all dues, all related taxes, and legal and statutory requirements for the support engineers will be the sole responsibility of successful bidder.

The successful bidder (vendor) has to give an Indemnity bond to the bank confirming that

[i] The vendor has done proper and sufficient background check on the persons employed by them, who are deputed for bank's work as per this RFP.
[ii] The vendor hereby indemnifies the bank for any loss [monetary or otherwise] for the bank that can be attributable to its faulty business process/staff.
[iii] The vendor has an independently verifiable professional and highly secure procedure for the operation of their staff who are deputed for bank's work as per this RFP.
ANNEXURE-I

MINIMUM ELIGIBILITY CRITERIA

Each entry below gives the S.No, the ELIGIBILITY CRITERIA, the SUPPORTING DOCUMENTS TO BE SUBMITTED and the COMPLIANCE (YES/NO) to be filled in by the bidder.

1. Eligibility criteria: Should be a Company incorporated in India.
Supporting documents to be submitted: Certificate of incorporation or any other certificate of registration issued by competent authority from Government of India.
Compliance (Yes/No):

2. Eligibility criteria: Bidder should have a minimum turnover of Rs. 25 Crores in each of the last 3 financial years. Bidder must provide the details of turnover for the last 3 years (2010-11, 2011-12, 2012-13, 2013-14 (if audited Balance sheet ready till bid submission date)).
Supporting documents to be submitted: Audited Balance sheets of the said 3 years and certificate of Chartered Accountant.
Compliance (Yes/No):

3. Eligibility criteria: Bidder should have positive net worth for last financial year 2012-13 or 2013-14 (if audited Balance sheet ready till bid submission date).
Supporting documents to be submitted: Audited balance sheet and Profit and Loss accounts for the said financial year are to be submitted.
Compliance (Yes/No):

4. Eligibility criteria: Bidder should have a minimum of 3 years' experience in implementing Information Security, either as security integrator or as security implementer, in any large financial institution which has its offices/branches in National Capital region Delhi, Mumbai and / or in any of the state capitals, with wide area network, intranet and internet as well as demilitarized zone and security equipment like firewalls, IPS etc. Out of the 3 years' experience, at least 1 year's experience should be in Public/private banks with minimum 2 lakh crores turnover in FY 2012-13 or 2013-14 (if audited Balance sheet ready till bid submission date).
Supporting documents to be submitted: Letter / PO supporting the claim from the respective organization should be submitted along with contact details of the company.
Compliance (Yes/No):

5. Eligibility criteria: Bidder should have experience in Designing of Information Security architecture and implementation of Information Security policy, standards, procedures etc. for the organizations across the enterprise.
Supporting documents to be submitted: Letter / PO supporting the claim from the respective organization should be submitted along with contact details of the company.
Compliance (Yes/No):

6. Eligibility criteria: The bidder should have a minimum of 3 CISA/ CISSP/ CCSP/CCSE/CSSP/CCNP security related certification holders in its own organization with three years' expertise in handling Information Security issues /appliances /Management System/Services/ Forensic investigation.
Supporting documents to be submitted: List of staff members and their qualification details / copy of certificates to be submitted on the organization letter head (to be signed by authorized person of the company).
Compliance (Yes/No):

Authorized Signatory
And Seal of company
ANNEXURE-II
BIDDER'S INFORMATION

i. Company Name
ii. Date of incorporation and / or commencement of business.
iii. Address of the corporate headquarter and its branch office(s)
iv. Address for communication
v. Certificate of incorporation of company
vi. Brief description of the Bidder including details of its main lines of business.
vii. Company website URL
viii. Particulars of the authorized signatory (having PoA on stamp paper) of the Bidder:
      Name:
      Designation:
      Address:
      Phone number:
      Fax Number:
      Email Address:
ix. Is company ISO Certified, if yes, provide information along with true copy of certificate.

Authorized Signatory And Seal of company
ANNEXURE-III
COMPLIANCE STATEMENT

DECLARATION

We hereby undertake and agree to abide by all the terms & conditions and Scope of services stipulated by the Bank in the RFP including all annexure, addendum and corrigendum.

Authorized Signatory And Seal of company

We certify that the systems/services offered by us for tender conforms to the technical specifications stipulated by you with the following deviations -

List of deviations of the technical specification only (No other deviation on RFP terms and conditions will be accepted)
1)
2)
3)
4)
(If left blank it will be construed that there is no deviation from the technical specifications given above)

Authorized Signatory And Seal of company
ANNEXURE-IV
PERFORMANCE STATEMENT (FOR A PERIOD OF LAST 3 YEARS)

Columns: S.No / Particulars of Bid / Name of Organization to whom bid submitted (Full Address) / Month and Year of Bid / Description of Services / Value of Order / Date of Completion (As per contract) / Date of Completion (Actual) / Remarks / Reason for late delivery, if any / Performance of SI Service (Attach certificate from customer)

Authorized Signatory And Seal of company
ANNEXURE-V
Technical requirement for security Integrator

Columns: SERIAL NO / DESCRIPTION / YES/NO / BIDDER'S RESPONSE

1. Exclusive Information Security consultancy / Management company or otherwise
2. Information Security Consultancy experience. Major products handled (supporting document)
3. Percentage of Revenue from Information Security related Business
4. Information Security (IS) products deployment, configuration & Management, major deployment along with products (Supporting Document)
5. IS policy, procedures, standards etc. defined, reviewed & consultancy provided. Details along with experience. Name of the organization along with the contact person details
6. Experience in IS architecture design, review, implementation - Name of the organization along with contact person details
7. List of persons with CISA/CISSP/ etc. qualification in the bidder company (list with name, qualification and experience total and in the Co. to be enclosed)
8. List of persons with products certifications along with the relevant experience to be enclosed.
9. Company's expertise on the following areas to be specified (provide relevant supporting documents from clients)
   i. Network security
   ii. Data centre security
   iii. Gateway security
   iv. End to end point security
   v. Desktop security
   vi. Wireless network security
   vii. Mail messaging security
   viii. Web application security
   ix. E-commerce security
   x. S/w application security
   xi. Cryptography tool handling
   xii. Data security
   xiii. Server (Solaris) security
   xiv. Network equipment security
   xv. Internet security
10. The expertise & experience in handling the following security products (product name to be mentioned) - provide relevant supporting documents from clients
   i. Checkpoint Firewall
   ii. IPS (IBM ISS / Cisco)
   iii. IDS
   iv. HIDS
   v. UTM boxes
   vi. Antivirus solution central deployment
   vii. CISCO security products
   viii. Gateway Antivirus, Spyware, Spamware solutions
11. Experience in performing the Internal Vulnerability (database & network) and external penetration test - Number of organizations where it has been conducted. Contact details of the organization (Copy of the Purchase order to be enclosed)
12. Security audit conducted, if any, with details
13. Establishing SOC (Security operating Centre)
14. Implementation of security standards like BS 7799. Details of implementation done, with contact details
15. List of persons with certification in ISO 27001 or other standards implementation, audit etc.
16. Expertise in handling the management S/W for collating, corroborations of the logs of various security products. (Product handled to be mentioned) Central Management. Details of the s/w used etc.
17. List of organizations where the bidder is managing the security be given along with contact details.

Authorized Signatory And Seal of company
ANNEXURE-VI
COMMERCIAL BID

Columns: Details / PER Year (in INR) / FOR 2 years (in INR)

Cost towards maintenance and management of Security Integration [SI] Project including cost of stationing the resident engineers at PNB HO premises.

Cost amount in words

The cost includes all other duties, taxes, traveling charges, boarding and lodging charges etc. except Service Tax. Service tax will be paid extra as applicable.

Authorized Signatory And Seal of company
ANNEXURE-VII

If it is not a company, Constitution and address be stated appropriately.

CONFIDENTIALITY-CUM-NON DISCLOSURE AGREEMENT

This Confidentiality cum-nondisclosure Agreement is entered into at on this day of 2014, between (Insert Name of the Service Provider) a company within the meaning of Companies Act, 1956, having its Registered Office at (herein after called "Service Provider") and Punjab National Bank, a Body Corporate constituted under the Banking Companies (Acquisition & Transfer of Undertakings) Act, 1970 having its Head Office at 7 Bhikaji Cama Place, New Delhi 110 066 and inter-alia, its Information & Technology Division at 5 Sansad Marg, New Delhi 110 001 (herein after referred to as "PNB").

The Service Provider and PNB would be having discussions and negotiations concerning the establishment of and during continuance of a business relationship between them as per Agreement dated (hereinafter referred to as "Agreement"). In the course of such discussions and negotiations, it is anticipated that either party may disclose or deliver to the other party certain of its trade secrets or confidential or proprietary information for the purpose of enabling the other party to evaluate the feasibility of such a business relationship. The parties have entered into this Agreement, in order to assure the confidentiality of such trade secrets and confidential and proprietary information in accordance with the terms of this Agreement. As used in this Agreement, the party disclosing Proprietary Information (as defined below) is referred to as the "Disclosing Party" and will include its affiliates and subsidiaries, the party receiving such Proprietary Information is referred to as the "Recipient", and will include its affiliates and subsidiaries.

Now this Agreement witnesseth:-

1. Proprietary Information: As used in this Agreement, the term "Proprietary Information" shall mean all trade secrets or confidential or Proprietary Information designated as such in writing by the Disclosing Party, whether by letter or by the use of an appropriate prominently placed Proprietary stamp or legend, prior to or at the time such trade secret or confidential or Proprietary Information is disclosed by the Disclosing Party to the Recipient. Notwithstanding the foregoing, information which is orally or visually disclosed to the recipient by the Disclosing Party or is disclosed in writing unaccompanied by a covering letter, proprietary stamp or legend, shall constitute proprietary information if the disclosing party, within 10 (ten) days after such disclosure, delivers to the Recipient a written document or documents describing such Proprietary Information and referencing the place and date of such oral, visual or written disclosure and the names of the employees or officers of the Recipient to whom such disclosure was made.

2. Confidentiality:
a) Each party shall keep secret and treat in strictest confidence all confidential information it has received about the other party or its customers and will not use the confidential information otherwise than for the purpose of performing its obligations under this Agreement in accordance with its terms and so far as may be required for the proper exercise of the Parties' respective rights under this Agreement.
b) The term "confidential information" shall include all written or oral information (including information received from third parties that the Disclosing Party is obligated to treat as confidential) that is (i) clearly identified in writing at the time of disclosure as confidential and in case of oral or visual disclosure, or (ii) that a reasonable person at the time of disclosure reasonably would assume, under the circumstances, to be confidential. Confidential information shall also include, without limitation, software programs, technical data, methodologies, know-how, processes, designs, new products, developmental work, marketing requirements, marketing plans, customer names, prospective customer names, customer information and business information of the Disclosing Party.
3. Non-Disclosure of Proprietary Information: For the period during the Agreement or its renewal, the Recipient will:
(a) Use such Proprietary Information only for the purpose for which it was disclosed and without prior written authorization of the Disclosing Party shall not use or exploit such Proprietary Information for its own benefit or the benefit of others.
(b) Protect the Proprietary Information against disclosure to third parties in the same manner and with the reasonable degree of care, with which it protects its confidential information of similar importance; and
(c) Limit disclosure of Proprietary Information received under this Agreement to persons within its organization and to those 3rd party contractors performing tasks that would otherwise customarily or routinely be performed by its employees, who have a need to know such Proprietary Information in the course of performance of their duties and who are bound to protect the confidentiality of such Proprietary Information.

4. Limit on Obligations: The obligations of the Recipient specified in clause 3 above shall not apply and the Recipient shall have no further obligations, with respect to any Proprietary Information to the extent that such Proprietary Information:
a) Is generally known to the public at the time of disclosure or becomes generally known without any wrongful act on the part of the Recipient;
b) Is in the Recipient's possession at the time of disclosure otherwise than as a result of the Recipient's breach of a legal obligation;
c) Becomes known to the Recipient through disclosure by any other source, other than the Disclosing Party, having the legal right to disclose such Proprietary Information;
d) Is independently developed by the Recipient without reference to or reliance upon the Proprietary Information; or
e) Is required to be disclosed by the Recipient to comply with applicable laws or governmental regulation, provided that the recipient provides prior written notice of such disclosure to the Disclosing Party and takes reasonable and lawful actions to avoid and/or minimize the extent of such disclosure.

5. Return of Documents: The Recipient shall, upon the request of the Disclosing Party, in writing, return to the Disclosing Party all drawings, documents and other tangible manifestations of Proprietary Information received by the Recipient pursuant to this Agreement (and all copies and reproductions thereof) within a reasonable period. Each party agrees that in the event it is not inclined to proceed further with the engagement, business discussions and negotiations, or in the event of termination of this Agreement, the Recipient party will promptly return to the other party or with the consent of the other party, destroy the Proprietary Information of the other party.

6. Communications: Written communications requesting or transferring Proprietary Information under this Agreement shall be addressed only to the respective designees as follows (or to such designees as the parties hereto may from time to time designate in writing)
M/s (PNB)
Attn: Attn:

7. Term: The obligation pursuant to Clause 2 and 3 (Confidentiality and Non-Disclosure of Proprietary Information) will survive for 10 years following the term of the Agreement dated.

Nothing herein contained shall be construed as a grant by implication, estoppel, or otherwise or a license by either party to the other to make, have made, use or sell any product using Proprietary Information or as a license under any patent, patent application, utility model, copyright or any other industrial or intellectual property right covering same.
8. Damages: The provisions of this Agreement are necessary for the protection of the business goodwill of the parties and are considered by the parties to be reasonable for such purposes. Both the parties agree that any breach of this Agreement will cause substantial and irreparable damages to the other party and, therefore, in the event of such breach, in addition to other remedies, which may be available, the party violating the terms of Agreement shall be liable for the entire loss and damages on account of such disclosure. Each party agrees to indemnify the other against loss suffered due to breach of contract and undertakes to make good the financial loss caused directly or indirectly by claims brought about by its customers or by third parties.

9. Miscellaneous:
a) This Agreement may not be modified, changed or discharged, in whole or in part, except by a further Agreement in writing signed by both the parties.
b) This Agreement will be binding upon and ensure to the benefit of the parties hereto and it also includes their respective successors and assigns.
c) The Agreement shall be construed and interpreted in accordance with the laws prevailing in India.

In witness whereof, the parties hereto have agreed, accepted and acknowledged and signed these presents, on the day, month and year mentioned herein above.

For M/s
Authorized Signatory
Shri
Designation

For Punjab National Bank
Authorized Signatory
Shri
Designation