Response to Queries Received for RFP of Security Integrator - Tender No. 63



Sr. No. / RFP Clause / Original Query / Reply/Remark

1.
RFP Clause: Perform Incident Management with respect to the following:
- Contain attacks through configuration of security system/devices after prior approval
- Forensic Analysis based on logs captured in the system
- Root cause analysis & suggest long term controls
- Evidence collection for legal and regulatory purposes
- Analyse and report incidents based on severity
- Escalate incidents as per process
Original Query: For Forensic Analysis of logs, please clarify the systems/devices for which log analysis is required. Whether this includes network devices or just only security devices. Evidence collection for legal and regulatory purposes - please clarify the extent or scope of evidence collection and possible sources.
Reply/Remark: Analysis of all the logs so obtained.

2.
RFP Clause: Configuration of IPS and Firewall. Configuration and Management of IP addresses, routing information, routing tables, Multicast configuration for the Device. Patch implementation. Weekly backup of configuration of all devices. Configuration backup before making any changes.
Original Query: Does SI need to manage security operations procedures like change, Config, patch and security Fault management along with operations reporting and monitoring of security devices?
Reply/Remark: Please be guided as per RFP.

3.
RFP Clause: Objectives of having SI: Assist and guide the Bank to address the audit points especially the VA and Penetration test results. For any Incident attempt / happened, then log / evidence collection & forensic analysis for traversal through all nodes / Servers / Router / hops of PNB. Advise the necessary collection of logs from 3rd party, if any.
Original Query: Does PNB require periodic VA and PT to be conducted by SI, or is only assistance for GAP closure expected?
Reply/Remark: SI is expected to assist for Gap closure.

4.
Original Query: Is PNB looking for compliance requirements like PCI DSS 2?
Reply/Remark: It is expected that SI is aware of Regulatory requirements and best Banking practices.

5.
RFP Clause: Scope of Work - Configuration, maintenance & monitoring of end-to-end security solutions (including products, appliances, monitoring consoles, Security log/data storage devices, Security appliance management servers etc.) in the entire network of the bank.
Original Query: L1 and L2 support required at DC for managing PNB end to end security solutions?
Reply/Remark: Please be guided by RFP.

6.
RFP Clause: Para 3 - Brief: The IT resources of the bank at DC and DRS are protected with perimeter defense appliances/equipments. Checkpoint Firewall with Check point boxes and CISCO firewalls along with Intrusion Prevention System are installed in active-active and failover mode.
Original Query: Number of security devices, i.e. firewall/IPS etc.
Reply/Remark: Security devices like Firewall, IPS, SSL VPN approx 35 in number; however the scope covers any number of devices that may be added/replaced in future.

7.
RFP Clause: Misc. para (c)
Original Query: Proposed locations for L1 and L2 engineer.
Reply/Remark: Security Integrator stationed at Data Centre New Delhi.

8.
RFP Clause: Misc. para (h): Whenever SI shall have to travel outside NCR for solving the Bank's issues at remote location, he will be paid TA/DA as per the entitlement of Scale-II Manager in the Bank.
Original Query: Would the role require visiting PNB branch locations, or is it static at one location?
Reply/Remark: They sometimes require outside visits.

9.
RFP Clause: Misc. para (c): One L2 Engineer should be available during bank's business hours from 10 am to 8 pm on all days except all holidays, and for the remaining period one L1 engineer will be available for providing 24*7 services.
Original Query: Number of onsite L1 and L2 engineers required in liaison with PNB, Regional Rural banks and subsidiary banks.
Reply/Remark: Availability is expected for L2 engineer from 10 AM to 8 PM on all days except holidays. Availability of L1 engineers is expected at all other times 24*7 including holidays, except above timings when L2 is available.

10.
RFP Clause: Misc. para (c): They (L1 & L2) will be the first point of contact and their efforts are to be supplemented and supported by expert team of the company at the backend.
Original Query: Is the back-end Support team for the onsite engineer part of the Security operation centre?
Reply/Remark: Please be guided by RFP item No. Misc (c).

11.
RFP Clause: RFP - Obligations of Successful Bidder - Para C.
Original Query: Can SI manage the PNB end to end security solutions from their own premises using a secure channel?
Reply/Remark: Please be guided by RFP (Page-24).

12.
Original Query: Does PNB allow access to HLD and LLD documents, to review off premises the network and security solution to be managed and in which new deployment has to be done?
Reply/Remark: NO. Generally on-site review. May be given off premises at discretion of Bank with NDA in force.

13.
Original Query: What new devices are to be integrated in the network?
Reply/Remark: Any Security / Network device or application.

14.
Original Query: Is PNB going to supply VA/PT tools?
Reply/Remark: VA PT is not expected to be done by SI.

15.
Original Query: Does PNB allow application security review and testing off premises?
Reply/Remark: No.

16.
RFP Clause: Eligibility Criterion notings:
- that current IS Auditors/Network Integrator of the Bank will not be eligible to bid;
- that the successful bidder (once appointed Security Integrator) shall not be entitled to submit tenders for appointment of Security Auditors/Network Integrator.
Original Query: Will the successful bidder be allowed to bid for other security RFPs from PNB in future, except auditor?
Reply/Remark: Please be guided by RFP. Successful bidder will be allowed to bid for all RFPs of PNB except Security Auditor / Network Integrator.

17.
RFP Clause: Eligibility Criterion - Bidder should have a minimum 3 years experience in implementing Information Security either as security integrator or security implementer in any large organization which has its offices/branches at least in the National Capital Region Delhi and Mumbai with wide area network, intranet and internet as well as demilitarized zone and security equipments like firewalls, IDS and IPS. Out of 3 years experience, at least 1 year's experience should be in a reputed/large organization.
Original Query: Will one client having a multiyear contract with the bidder do, or does PNB require multiple client experience in 3 years?
Reply/Remark: A total of 3 years experience within given RFP Eligibility Criterion.

18.
RFP Clause: Point No. 3, Brief of existing setup
Original Query: Required the detailed list of IT Infrastructure (No. of Servers, Routers, Firewall).
Reply/Remark: Security devices like Firewall, IPS, SSL VPN approx 35 in number; however the scope covers any number of devices that may be added/replaced in future. For Servers, Routers, please be guided by RFP.

19.
RFP Clause: Under Introduction
Original Query: Required more information about the applications (No. of applications, Size, Purpose, No. of Pages).
Reply/Remark: Please be guided by RFP.

20.
RFP Clause: Point No. 3, Brief of existing setup
Original Query: Will new servers and applications be added in the future? Will they come under the scope of work?
Reply/Remark: Yes. All additions / changes will come under the scope for SI vetting / recommendations.

21.
RFP Clause: Security Integrator to Review/Suggest on the following activities
Original Query: Is vetting of the network architecture a one time activity or a periodic activity?
Reply/Remark: Vetting is regular as well as periodic activity.

22.
RFP Clause: Security Integrator to Review/Suggest on the following activities (Page-10)
Original Query: Is application security based on black box testing or grey box testing?
Reply/Remark: Be guided by the scope of RFP.

23.
RFP Clause: Security Integrator to Review/Suggest on the following activities (Page-10)
Original Query: Is the development/testing environment also part of scope?
Reply/Remark: Be guided by the scope of RFP.

24.
RFP Clause: Under Eligibility Criteria: The successful bidder (once appointed Security Integrator) shall not be entitled to submit tenders for appointment of security auditors/network integrator.
Original Query: Ours is a WAN service providing company. If we are appointed as security integrator, will we be eligible for providing our other services to the bank (like Connectivity (MPLS/LL/BB), Hosting Services, other services of ours)?
Reply/Remark: Please be guided by RFP. Successful bidder will be allowed to bid for all RFPs of PNB except Security Auditor / Network Integrator.

25.
RFP Clause: Ref. EMD in the form of DD or pay order.
Original Query: We would like to request PNB to accept EMD in the form of Bank Guarantee.
Reply/Remark: EMD in the form of Bank Guarantee not accepted; please be guided by RFP.

26.
RFP Clause: Ref. Page 9, Scope of Work section.
Original Query: Do you have tools for doing forensic analysis? We would like to know the full scope of work in Forensic Analysis. Our understanding is that we have to do Forensic Analysis only for the logs. Please confirm. If not so, please elaborate on the scope of Forensic Analysis.
Reply/Remark: No forensic tool available with the Bank. (Refer to answer of query no. 1.) Other scope given in RFP; please be guided by the same.

27.
RFP Clause: Ref. Page 9, Perform Incident Management - Forensic analysis based on logs captured in the system.
Original Query:
Q: Please provide details of the SIEM tools deployed and capabilities configured.
Q: Please provide detail on the average number of Security incidents in the last 3 months.
Q: Do you want us to suggest or bring our tools?
Reply/Remark:
- Details would be shared with successful bidder only.
- Details would be shared with successful bidder only.
- Yes, the successful bidder is to suggest configuration changes / improvement of existing SIEM tool.

28.
RFP Clause: Ref. Page 10, Security Devices Review & Management
Original Query:
Q: Provide list of the devices under scope (make/model/quantity).
Q: Do we have to provide L1 & L2 resources based out of Delhi or other locations as well? Please specify all locations.
Reply/Remark:
- Security devices like Firewall, IPS, SSL VPN approx 35 in number; however the scope covers any number of devices that may be added/replaced in future.
- For Applications, Servers, Routers, please be guided by RFP.
- Service Provider will arrange qualified & competent resident engineers as per skill sets mentioned. Security Integrator stationed at Data Centre New Delhi as per Misc Para (c) of RFP.

29.
RFP Clause: Ref. Page 10
Original Query:
Q: Are you open to having remote management support from Vendor NOC?
Q: Can you provide detail of the number of tickets per month: 1. Incident tickets 2. Change Tickets 3. Configuration requests? This information will help us plan L2 resources to manage the environment.
Reply/Remark:
- No remote management from outside PNB allowed. Please be guided as per clause Misc (c), Page 13.
- The required information will be shared with successful bidder.

30.
RFP Clause: Ref. Page 11, daily Activity
Original Query: Request you to share the existing daily checklist to be performed every day.
Reply/Remark: Details given at Page 10-11-12 of RFP.

31.
RFP Clause: Page 13 - (h) Whenever SI shall have to travel outside NCR for solving the Bank's issues at remote location, he will be paid TA/DA as per the entitlement of Scale-II Manager in the Bank.
Original Query: How frequently will such visits be there in a month? Does it include near to NCR or anywhere across India?
Reply/Remark: Rarely, once-twice in a year. However scope is unlimited.

32.
RFP Clause: Ref. Page 9, Security Integrator to Review/Suggest on the following activities: Suggest the requisite control measures for monitoring, reporting, control self-assessment of various security components for various banking channels like CBS, ATM, Internet banking, Mobile Banking etc. and the related card based technology (debit, credit & smart cards) and the associated threats addressing security concern including cyber security.
Original Query: What is the frequency of the above activity?
Reply/Remark: Regular on-going activity, on addition of new application or on review of information security measures.

33.
RFP Clause: Ref. Page 10. To review the various processes of the centralized application, other applications like card issue and pin issue etc. and the operational risk associated on a continuous basis and suggest mitigation & resolution.
Original Query: What is the frequency of the above activity?
Reply/Remark: Regular on-going activity, on addition of new application or on review of information security measures.

34.
RFP Clause: Ref. Page 10. Review the existing information security infrastructure on all the business applications across the bank and other security postures of the bank and its subsidiaries as and when required by the bank vis-à-vis the business requirements of the Bank and regulatory standards, guidelines and best practices.
Original Query: 1. What is the frequency of the above activity? 2. It is assumed that the business requirements of the bank, regulatory requirements and guidelines would be shared by the bank. Pls. confirm.
Reply/Remark: 1. Regular on-going activity, on addition of new application or on review of information security measures. 2. Specific business requirement would be shared with successful bidder; however SI is expected to have broader knowledge and best practices.

35.
RFP Clause: Ref. Page 10. For improving network and IT resources availability, integrity & confidentiality keeping in view the application architecture and access requirement.
Original Query: 1. What is the frequency of the above activity? 2. Is this limited only to suggestion, or implementation also?
Reply/Remark: 1. Regular on-going activity. 2. Suggestions and implementation both.

36.
Original Query: What is the scope of the penalty? Does it include the points listed under "Security Integrator to Review/Suggest on the following activities" on page 9 of the document?
Reply/Remark: Please be guided by RFP.

37.
RFP Clause: Annexure 4
Original Query: We would like to have clarity on the Performance Certificates to be submitted.
Reply/Remark: Name of organizations served by company for Info security with duration and Order values.

38.
RFP Clause: Ref. Annexure 4, Experience
Original Query: Vendor has experience providing security solutions to multiple organizations outside India including Fortune 10. Request you to accept such experience as part of Annexure 4 as we do not have similar experience with clients in India.
Reply/Remark: Please be guided by Eligibility Criterion in RFP.

39.
RFP Clause: Ref. Page 12, Miscellaneous clause c): They will be the first point of contact and their efforts are to be supplemented and supported by expert team of the company at the backend.
Original Query:
Q: We assume that the backend engineers will be providing support to resident engineers remotely. Is this support expected 24x7 or during prime support hours of 10 a.m. to 8 p.m.?
Q: Do you need dedicated resources for remote support, or would shared resources be acceptable?
Q: The RFP mentions only L1 and L2 engineers. Does PNB already have L3 engineers that will be escalation points for L1 and L2 engineers?
Reply/Remark:
- Backend engineers' support required on call basis any time on 24x7 basis.
- Shared resources would be acceptable as long as PNB is assigned top priority.
- PNB does not have L3 engineers. (Refer Point no. 15 regarding SLA in RFP, Page-21.)

40.
RFP Clause: Vulnerability and Pen test mentioned on page 31 and page 11 of RFP document.
Original Query: Who is responsible for conducting Vulnerability assessment and Pen test (VAPT)? If the bidder is expected to do VAPT, can he do it remotely, or do you have a team that does VAPT?
Reply/Remark: SI is not expected to conduct VA / PT.

41.
RFP Clause: Ref. Page 20, clause 14.
Original Query: We would like to request you to elaborate on the uptime requirement and how you define down time. Is the bidder responsible for SLAs for devices that are not managed by it? If yes, kindly elaborate.
Reply/Remark: Please be guided by RFP. Direct management of Info security devices, but any downtime happening due to omission / commission by SI within its work scope.

42.
RFP Clause: Bank reserves the right to extend the contract for an additional one year after expiry of this contract. The terms and conditions of the contract for the extended period shall be negotiated with the successful bidder at the time of award of the extension.

Note:
1. No further queries will be entertained by the Bank.
2. Last dates remain the same, i.e. there is no change in the last date for bid submission for the RFP.