Pre-Bid Queries for RFP Reference No: OBC/HO/DIT/RFP/SECURITY EQUIPMENTS/47/2014

Columns of the original table: Sl. No. | RFP (Page No.) | Ref Sections/Clause requiring Clarification | Points of clarification given in the RFP | Clarification Sought | Bank's Reply

1. RFP page 11 - 5. SCOPE OF WORK
   RFP clause: The Bidder shall ensure that the offered solution has to be identical for both the locations as per technical specifications mentioned in this RFP document. Each site should be provided with all the features mentioned in the RFP and should be able to handle the prescribed load, throughput, connections etc. independently. The solution should be deployed in high availability mode (minimum 2 sets of identical devices with auto failover) at each site except management module.
   Clarification sought: It is understood that a single Management device at DC will manage the proposed security devices at DC & DR site. No separate management is required at DR. Kindly confirm.
   Bank's reply: Yes.

2. RFP page 12 - 5. SCOPE OF WORK, 16)
   RFP clause: The Bidder shall be responsible for providing the operational and maintenance training to the identified IT staff of the Bank as and when asked by the Bank.
   Clarification sought: Request OBC to provide the training duration & batch size for which training needs to be conducted.
   Bank's reply: The training shall be provided to the identified officials of the Bank at PDC, DRS and at DIT, Head Office.

3. RFP page 20 - 13. DELIVERY, INSTALLATION AND COMMISSIONING OF ITEMS
   RFP clause: The vendor shall be responsible for delivery and installation of the ordered item(s) at the sites i.e. Primary Data Centre, Mumbai and Disaster Recovery Site, Delhi and making them fully operational at no extra charge within 8 weeks of the date of purchase order.
   Clarification sought: Request OBC to extend the mentioned duration (8 weeks) for delivery, installation & commissioning as delivery itself would normally take 6 weeks. Hence request bank to increase the overall duration for "Delivery, Installation and Commissioning" to minimum 12 weeks.
   Bank's reply: (none recorded)

4. RFP page 20 - 15. PAYMENT TERMS
   RFP clause: 25% - On delivery of the perimeter security equipments. 65% - After installation, configuration, operationalization and integration of the same to the satisfaction of the Bank. 10% - 30 days after operationalization of the offered solution.
   Clarification sought: Request the bank to change the payment terms as: 50% - On delivery of the perimeter security equipments. 40% - After installation, configuration, operationalization and integration of the same to the satisfaction of the Bank. 10% - 30 days after operationalization of the offered solution.
   Bank's reply: No change in the payment clause as mentioned. The Bank will make payment as per the scheduled terms.

5. RFP page 22 - 20. WARRANTY
   RFP clause: a) Service support should be available on 24*7*365 basis. b) The complaint should be resolved at the earliest with following uptime and conditions [...] uptime of 99.9% per month [...] upgrades if any, for hardware and related software.
   Clarification sought: Resolution time of 4 hr cannot be committed for all kinds of incidents, especially the ones which involve a product bug. As bidder, we can commit response time of 4 hr or better.
   Bank's reply: (none recorded)

6. RFP page 21 - 18. Order Cancellation
   RFP clause: 1. Delay in supply, installation, and commissioning of perimeter security equipment beyond the specified period (8 weeks).
   Clarification sought: Request OBC to increase overall duration to 12 weeks.
   Bank's reply: (none recorded)

7. RFP page 23 - 22. SUPPORT & MAINTENANCE
   RFP clause: The bidder is required to provide sound after-sales service/support by arranging timely attending of calls received from Primary Data Centre, Mumbai and from Disaster Recovery Site, Delhi where the security equipments shall be supplied & installed and problem rectification through competent service engineers. The desired support time should be uniformly maintained at all the sites. To meet uptime the vendor has to maintain sufficient inventory of spare parts/equipments at all the support centers to avoid unnecessary delay in obtaining the spare parts/equipments.
   Clarification sought: It is understood that bidder needs to provide on-demand support during the warranty & AMC period. Please clarify.
   Bank's reply: The Bidder shall provide onsite support as per terms & conditions of the RFP during Warranty and AMC period.

8. RFP page 32 - Annexure V - L1 Commercial Format
   RFP clause: Firewall along with VPN at PDC (Pairs) - Qty 2; Firewall along with VPN at DRS (Pair) - Qty 1; Centralized Management Gateway (PDC/DRS) - 1.
   Clarification sought: It is understood that bidder needs to quote 2 pairs of FW along with VPN at DC site, which means 2 clusters will be required at DC & 1 similar cluster will be required at DR site. Request OBC to clarify & confirm.
   Bank's reply: Yes.

9. RFP page 23 - 24. Liquidated Damages
   RFP clause: The Bank expects delivery and installation within 8 weeks. However, if the vendor commits delay in delivery or installation, integration of the offered security equipments as mentioned in the purchase order within the period, the bidder will be liable to pay a sum of 1% (one percent) of the undelivered/uninstalled portion of the order value per site for each week of delay beyond the scheduled delivery date by way of liquidated damages. Cap on liquidated damages shall be 10% of the undelivered/uninstalled value of the order.
   Clarification sought: The Bank expects delivery and installation within 12 weeks. However, if the vendor commits delay in delivery or installation, integration of the offered security equipments as mentioned in the purchase order within the period, the bidder will be liable to pay a sum of 1% (one percent) of the undelivered/uninstalled portion of the order value per site for each week of delay beyond the scheduled delivery date by way of liquidated damages. Cap on liquidated damages shall be 10% of the undelivered/uninstalled value of the order.
   Bank's reply: (none recorded)

10. RFP page 32 - Annexure V - L1 Commercial Format
   Clarification sought: Request Bank to provide a line item for implementation charges.
   Bank's reply: Please refer amended L1 Bidder Determination sheet.

11. Additional Point Suggested
   Clarification sought: Firewall & its management platform should be based on secure & hardened operating system. It should not be based on ASIC based platform as ASIC platforms are hard coded and any product advancement would require box replacement.
   Bank's reply: The architecture requirement of the required solution was again reviewed keeping in view the technical infrastructure operational at Bank's critical locations and after discussing the same with IT Consultant of the Bank the revised clause is as under:- "The Bidders are advised to propose the solution supporting open architecture and should not be proprietary/ASIC based architecture."

12. Additional Point Suggested
   Clarification sought: Solution should be ICSA Labs certified for ICSA 4.0, FIPS 140-2 certified & EAL certified to match industry standard.
   Bank's reply: The offered product should be EAL certified.

13. Additional Point Suggested
   Clarification sought: Firewall should have recommended rating in 2013 NGFW Group tests of NSS Labs.
   Bank's reply: Not accepted.

14. Additional Point Suggested
   Clarification sought: Security management application must support role based administrator accounts. For instance roles for firewall policy management only or role for log viewing only.
   Bank's reply: Not accepted.

15. Limitation of Liability - Clause not present in RFP
   Clarification sought: The Bidder's maximum aggregate liability in connection with obligations undertaken as a part of this RFP regardless of the form or nature of the action giving rise to such liability (whether in contract, tort or otherwise), shall be at actual and limited to the value of the contract. The Bidder's liability in case of claims against the Bank resulting from wilful misconduct or gross negligence of the Bidder, its employees and subcontractors or from infringement of patents, trademarks, copyrights or such other Intellectual Property Rights or breach of confidentiality obligations shall be unlimited. Notwithstanding anything to the contrary elsewhere contained in this or any other contract between the parties, neither party shall, in any event, be liable for (1) any indirect, special, punitive, exemplary, speculative or consequential damages, including, but not limited to, any loss of use, loss of data, business interruption, and loss of income or profits, irrespective of whether it had an advance notice of the possibility of any such damages;
   Bank's reply: Clause Accepted.

16. Exchange Rate Variation - Clause not present in RFP
   Clarification sought: Kindly include - It is agreed that the price quoted is arrived at based on the exchange rate of 1 USD = INR ("Base Exchange Rate"). In the event the Base Exchange Rate either increases or decreases by percentage points greater than two per cent [2%], the prices shall be charged as per the then current exchange rate.
   Bank's reply: Not accepted.

17. Risk and Title - Clause not present in RFP
   Clarification sought: Kindly include - The risk, title and ownership of the products shall be transferred to the customer upon dispatch of such products to the customer.
   Bank's reply: Not Accepted.

18. Savings Clause - Clause not present in RFP
   Clarification sought: Kindly include - Bidder's failure to perform its contractual responsibilities, to perform the services, or to meet agreed service levels shall be excused if and to the extent Bidder's performance is affected, delayed or causes nonperformance due to Customer's omissions or actions whatsoever.
   Bank's reply: Clause Accepted.

19. Deemed Acceptance - Clause not present in RFP
   Clarification sought: Kindly include - Services and/or deliverables shall be deemed to be fully and finally accepted by Customer in the event when Customer has not submitted its acceptance or rejection response in writing to Bidder within 15 days from the date of installation/commissioning or when Customer uses the Deliverable in its business, whichever occurs earlier. Parties agree that Bidder shall have 15 days time to correct in case of any rejection by Client.
   Bank's reply: The Revised Clause may be read as "Services and/or deliverables shall be deemed to be fully and finally accepted by Customer in the event when Customer has not submitted its acceptance or rejection response in writing to Bidder within 30 days from the date of installation/commissioning or when Customer uses the Deliverable in its business, whichever occurs earlier. Parties agree that Bidder shall have 30 days time to correct in case of any rejection by Client."

20. Term and Termination - Clause not present in RFP
   Clarification sought: Either party may, without cause, terminate any Statement of Work and/or the entire Agreement upon written notice of thirty (30) days to the other. In case ownership or control of one party, existing as of the date set forth in the agreement, changes in a manner that, in the sole judgment of the other party, adversely affects its rights or interests hereunder. In the event of termination, Customer shall pay for the services rendered till the date of termination.
   Bank's reply: Clause Accepted.

21. RFP page 28 - Technical Specifications
   RFP clause: Proposed Perimeter Security Solution should support Stateful inspection Firewall, IPSec & SSL VPN.
   Clarification sought: Request Bank to confirm if Bank needs a robust Firewall which can do stateful inspection along with IPSec & SSL VPN feature support from day one.
   Bank's reply: Yes.

22. RFP page 28 - Technical Specifications
   RFP clause: Firewall should have a provision to support next generation firewall capabilities including IPS, Application Control, URL, Content Filtering features (if required in future) without adding any additional appliance and should support unlimited policies.
   Clarification sought: As understood, Bank is looking for a Firewall platform that should have provision for next generation firewall capabilities from day one and additionally it should have capabilities for IPS, Application Control, URL, Content Filtering features in future. Running a firewall with multiple services like IPS, Application Control, Content Filtering features might impact performance; hence nowadays OEMs have started developing specific hardware based modules for these services like content filtering, etc. to achieve better performance on the firewall box. Hence requesting Bank to consider a firewall appliance having support for modules for different services. Proposed Change:- Firewall should have a provision to support next generation firewall capabilities including IPS, Application Control, URL, Content Filtering features (if required in future) by adding software license or modules on the same firewall appliance.
   Bank's reply: The revised Clause may be modified as "Firewall should have a provision to support next generation firewall capabilities including IPS, Application Control, URL, Content Filtering features (if required in future) by adding software license or modules on the same firewall appliance."

23. RFP page 28 - Technical Specifications
   RFP clause: The IPS should be able to inspect SSL, https, SFTP, SSH etc. traffic. Integrated IPS should not make use of additional external device to perform these functions.
   Clarification sought: Nowadays it is very critical to inspect TLS/SSL traffic, which is usually required in order to find malware in the web 2.0 world. Support for inspecting SFTP and SSH traffic is rarely used in the real world, and is not supported by some OEM boxes; hence requesting please relax this SFTP and SSH point. Proposed Change:- The IPS should be able to inspect SSL, https etc. traffic. Integrated IPS should not make use of additional external device to perform these functions.
   Bank's reply: The IPS should be able to inspect SSL, https etc. traffic. Integrated IPS should not make use of additional external device to perform these functions.

24. RFP page 28 - Technical Specifications
   RFP clause: The firewall appliance should have minimum 300 GB local hard-disk in order to keep the various logs.
   Clarification sought: There are thousands of flow records and logs that need to be stored for several years for forensics purposes, therefore a 300 GB HDD will not be good enough and you will need more storage capacity. Hence OEMs do not always support a dedicated hard disk for storing logs, and therefore as a best practice enterprises and a lot of other Banks store all the logs into a 3rd party solution such as a Syslog server or a SIEM tool for better management and fewer touch points on the firewall appliance. Proposed Change:- The firewall appliance should have capability to transfer the various logs to an external 3rd party solution such as a Syslog server or a SIEM tool. Proposed Change:- Please reduce this number to 240 GB as a lot of vendors don't provide 300 GB HDD.
   Bank's reply: The revised clause may be read as "Appliance Solution should have local storage of minimum 180 days logs as storage capacity with minimum of 300 GB storage."

25. RFP page 28 - Technical Specifications - New Suggestion
   Clarification sought: Bank should also look at having Application visibility and control features which enable policies to be written based on a wide range of contextual elements, including application, user, device, and location. Proposed Change:- Proposed Firewall should support Application visibility and control features.
   Bank's reply: The Bidder may offer the said feature over and above the technical specifications mentioned.

26. RFP page 28 - Technical Specifications - New Suggestion
   Clarification sought: For better management of the firewall and automated diagnostics and troubleshooting, Bank can look at these features. Proposed Change:- Automated diagnostic & troubleshooting capability using Smart Call Home functionality to raise a TAC case automatically when the system is facing hardware or software issues without requiring human intervention.
   Bank's reply: The Bidder may offer the said feature over and above the technical specifications mentioned.

27. RFP page 28 - Technical Specifications - New Suggestion
   Clarification sought: Nowadays enterprises are demanding open architecture, and many OEMs have started building security devices on open architecture. In the past other Banks in India & RBI, for perimeter security tenders, have included this requirement: "Bidders are advised to propose architecture that is open architecture and should not be Proprietary ASIC based architecture ensuring protection against latest threats". Requesting Bank to include this requirement. Proposed Suggestion:- The Proposed Platform Architecture should be based on open architecture and should not be Proprietary ASIC based architecture ensuring protection against latest threats.
   Bank's reply: Please refer the technical specifications mentioned.

28. RFP page 28 - Technical Specifications
   RFP clause: VPN throughput (AES/3DES) should be 5 Gbps.
   Clarification sought: The VPN throughput of 5 Gbps requested seems to be very high, which will increase the cost for the Bank. Also, if you see other organisations like RBI, for VPN requirement their tenders request a maximum of 1 Gbps. Proposed Change:- VPN throughput (AES/3DES) should be minimum of 3 Gbps or higher.
   Bank's reply: The revised Clause may be read as "VPN throughput (AES/3DES) should be minimum of 3 Gbps or higher."

29. RFP page 28 - Technical Specifications - New Suggestion
   Clarification sought: The technical specification doesn't talk about the Firewall throughput with all services loaded like IPS, Application Control, URL, Content Filtering features. Hence requesting Bank to mention the Firewall throughput considering all the services loaded of minimum 8 Gbps, to have better performance when fully loaded with services. Proposed Change:- The Firewall Next-Generation throughput (multiprotocol) should be minimum 8 Gbps.
   Bank's reply: The features required in the solution have already been asked in the RFP along with the required capacity.

30. RFP page 28 - Technical Specifications
   RFP clause: Real world (multi-protocol) throughput of Firewall should be 12 Gbps.
   Clarification sought: The Firewall stateful inspection throughput of specifically 12 Gbps is on the higher side; specifically it will offer more advantage to one specific OEM. Hence requesting bank to open this so other OEMs can also participate in this tender, and requesting bank to make throughput a minimum of 10 Gbps, which will fulfill OBC network traffic requirements. Proposed Change:- Real world (multi-protocol) throughput of Firewall stateful inspection should be minimum of 10 Gbps or higher. Proposed Change:- Please increase this to 40 Gbps as 4 x 10 Gbps ports have been asked for, hence performance should match the number of 10 Gig interfaces.
   Bank's reply: The Revised Clause may be read as "Real world (multi-protocol) throughput of Firewall stateful inspection/production should be minimum of 10 Gbps or higher."

31. RFP page 28 - Technical Specifications
   RFP clause: Real world (multi-protocol) throughput of IPS should be of 3 Gbps.
   Clarification sought: Since Bank is planning to use Firewall and IPS services together in future, the traffic inspected by the IPS will have to go through the firewall & IPS; hence the performance parameters should be a combination of FW + IPS services together on the appliance. Hence request Bank to mention firewall + IPS multiprotocol throughput. Proposed Change:- Real world (multi-protocol) throughput of IPS + Firewall should be minimum of 5 Gbps.
   Bank's reply: The Bidder may offer the said feature over and above the technical specifications mentioned.

32. RFP page 29 - Technical Specifications
   RFP clause: It must support clientless SSL VPNs for remote access without the need to install a client.
   Clarification sought: Understand Bank is looking for support for clientless SSL VPNs for remote access without the need to install a client. Kindly let us know how many SSL VPN licenses we need to factor from day one for sizing.
   Bank's reply: Yes. Further the offered solution should support this feature; however we would not require any licenses to be activated currently.

33. RFP page 12 - Scope of Work
   RFP clause: The Bidder shall be responsible for Integration of the offered solution with Bank's Active Directory System. Further the offered solution should also support smooth integration with Security Information and Event Management Solution as and when deployed by the Bank.
   Clarification sought: With which SIEM solution would the Firewalls be integrated? This will help to identify if default integration of firewall with SIEM is supported or not.
   Bank's reply: Bank is in the process of procurement of SIEM solution along with other Security Modules. As on date the procurement process has not been completed.

34. RFP page 9 - Bidder Eligibility Criteria
   RFP clause: Bidder should have minimum 5 ISA/CISM/CISSP/CIHE/CVA/CCSE or similar security related certification holders in the organization.
   Clarification sought: We request to amend the clause as "Bidder should have minimum 5 ISA/CISM/CISSP/CIHE/CVA/CCSE/CISA/CCSA/CCSE or similar security related certification holders in the organization."
   Bank's reply: The revised Clause may be read as "Bidder should have minimum 5 ISA/CISM/CISSP/CIHE/CVA/CCSE/CISA/CCSA/CCSE or similar security related certification holders in the organization."

35. RFP page 9 - Bidder Eligibility Criteria
   RFP clause: The Bidder should be empanelled with CERT-In for Information Security Services.
   Clarification sought: We are in the process of getting empanelled. So we request bank to allow us to submit a copy of the relevant document / acceptance of application along with an undertaking that the process will be completed in due course of time against this clause.
   Bank's reply: Accepted provided the Bidder furnishes a time line shared by CERT-In for the empanelment. Further the Bidder should have at least Gold Partnership with the OEM of proposed solution.

36. RFP page 12 - Scope of Work - New addition
   Bank's reply: The Bank would require the implementation sign-off to be given by OEM on their letterhead or through email after bidder has completed the implementation at the Bank site.