No. Ed.CIL/IS Unit/IT Security/2014/1
Date: .. April, 2014

To

Subject: Quotation for Security Audit for EdCIL House IT infrastructure.

Dear Sir,

This Corporation is interested in a security audit of its IT infrastructure as per the TOR given in Annexure - I. If you are in a position to meet the above-mentioned requirement, you are requested to submit your quotation based on our terms & conditions as set forth hereunder. The quotation is based on a single-bid (techno-commercial) system. The envelope should contain the following documents:

1. Price Bid (format attached at Annexure-II)
2. Letter of acceptance to the terms and conditions of the NIQ.

TERMS AND CONDITIONS:

Your quotation will be considered only for the above subject matter. Other terms & conditions will be as under:

1. Since the audit is to be conducted at EdCIL House, 18A, Sector-16A, NOIDA, the sales tax and service tax to be charged should be shown separately; if no service tax is shown separately, it will be presumed that service tax is included in the rates.
2. You are requested to quote your Service Tax No. or Central Sales Tax No., whichever is applicable, for the purpose of making payment on account of service tax/central sales tax.
3. The quotation in the enclosed format should reach us in a sealed cover superscribed "Quotation for IT Security Audit for EdCIL House", addressed to the Deputy General Manager (IS), EdCIL (India) Ltd., Ed.CIL House, 18A, Sector 16A, NOIDA, so as to reach not later than 1600 hrs. on 07th May, 2014. Quotations received after the due date will not be entertained. Any quotation received without the above superscription on the face of the envelope will not be entertained.
4. All amounts shall be indicated by the vendor in figures as well as in words. Where there is any difference between the price quoted in figures and in words, the amount quoted in words shall prevail.
5. Your quotation shall remain open for acceptance for 60 days, or as may be specified, from the date of opening. No revision/modification of the quoted rate will be allowed during the period of validity of the quotation or any extended period.
6. The successful vendor shall not sub-let or assign this contract or any part thereof without obtaining prior written permission of the Corporation; otherwise the Corporation shall have the right to cancel the contract and to get the contract executed by another party, and the successful vendor shall be liable to the Corporation for any loss or damage which the Corporation may sustain in consequence of or arising out of such contract.
7. Payment will be made within 15 days of receipt of the invoice (in duplicate) against the conduct of the security audit of the IT infrastructure at EdCIL House, 18A, Sector 16A, Noida, in your favour by a crossed a/c payee cheque.
8. In the event of the quotation being submitted by a firm, it must be signed separately by each partner holding Power of Attorney authorising him to do so.
9. In the case of a Company, the quotation should be submitted in the manner laid down in the said Company's Articles of Association.
10. You are requested not to erase or mutilate any word(s) or figures occurring in your quotation, otherwise the quotation may be ignored. Overwriting is not allowed.
11. The audit should positively start within 15 days (fifteen days) from the date of receipt of the purchase order in this regard.
12. This Corporation also reserves the right to accept or reject any quotation in whole or in part without assigning any reason therefor.
13. Agencies which have failed to fulfil earlier contractual obligations may not be considered.
14. Your quotation should be free from overwriting. All corrections and alterations should be duly attested by the vendor/tenderer.
15. The quotation should be unambiguous in all respects.

Yours faithfully,

(G S Sreedhar)
DGM (IS)
Annexure - I

Vulnerability Assessment

Vulnerability Assessment Methodology:
- Study & scope the IT architecture & components.
- Determine the boundary of analysis.
- Identify asset owners & schedule tasks.
- Impact analysis for active scans, which includes assessment of service(s) or server(s) (six in number), network devices, firewalls and desktops (5) scanned in online production.
- Plan for downtime & contingency, if applicable.
- Estimate the scan process, based on the complexity of the target network(s) and host(s).
- Scan policy to define the level of scan: information gathering, policy checking, port scanning, password analysis, attack simulation etc.
- Scan the targeted network(s) and host(s), based on the defined scan policy.
- Collect the scan results and analyse them for security loopholes, configuration errors, default installation settings, overlooked setups, password quality, firmware/software revisions, patch fixes, security policy violations etc.
- Submission of assessment reports with suggestions and recommendations to fix the vulnerabilities.
- Fixing the errors in server logs.
- Any other tests not mentioned above which are necessary.

Penetration Testing Methodology (Internal and External)
IT A & P shall undertake the following tests as part of the penetration testing (internal and external (3 IPs)):
- Port scanning
- System & services identification
- Vulnerability research and verification
- Password cracking
- Denial of service testing
- Various other attacks and tests

Risk Mitigation and Safeguard Recommendation
The aim of this phase is to identify remedial solutions and recommend their implementation to mitigate all identified risks, the aim being to develop a secure environment. This shall be done through an in-depth review of the security scanner outputs for high to low vulnerabilities, together with asset/threat/vulnerability mapping and its risk mitigation.

Fixing High-Level Security Vulnerabilities
IT consultants would then recommend fixes for the high-level vulnerabilities, which need to be implemented by the client's network administration team and the vendor audit team. Sometimes it is necessary to test a patch or other upgrade for compatibility, and it may not be possible to apply some patches immediately without testing. However, these need to be implemented for safe operation after testing.

Deliverables
Vulnerability Assessment & Penetration Testing Report with recommendations for mitigation of risk.
Annexure - II

PRICE BID format

Sl. No.  Particular                              Total Cost (Rs.)   Tax, if any
1.       Security Audit of Infrastructure
2.       Vulnerability Assessment
3.       External Penetration Testing (3 IPs)
4.       Risk Mitigation Plan
5.       Fixing vulnerabilities found
         TOTAL (Rs.)