Request for Proposal For Managed Security Services for Security Operation Centre


Request for Proposal For Managed Security Services for Security Operation Centre
Tender No: HOIT/RFP/57/2016-17
Dated: 30.05.2016
PUNJAB & SIND BANK (A Govt. of India Undertaking)
Head Office Information Technology Department
Bank House, 21, Rajendra Place, New Delhi-110008
www.psbindia.com
Page 1 of 72

INDEX

S. No. | Detail | Page No. (From - To)
1 | Introduction | 3 - 3
2 | Disclaimer | 4 - 4
3 | Key Information about Tender | 5 - 5
4 | Chapter 1 - Instructions to Bidders | 6 - 15
5 | Chapter 2 - Terms and Conditions | 16 - 23
6 | Chapter 3 - Scope of Work | 24 - 38
7 | Chapter 4 - Service Level Agreement and Penalties | 39 - 45
8 | Chapter 5 - Project Team Structure | 46 - 46
9 | Chapter 6 - Project Timelines | 47 - 47
10 | Chapter 7 - Evaluation Methodology | 48 - 48
11 | Annexures and Formats | 49 - 72

INTRODUCTION

1.1 About this Request for Proposal (RFP)

Considering the fast-paced threats in the IT environment, Punjab & Sind Bank (hereinafter referred to as the "Bank") has decided to strengthen its Information Security set-up as per the guidelines in the Gopalakrishna Committee report on IT Security, released on 29th April, 2011.

Note: This RFP should not be considered as a statement of intent for procurement unless a purchase order or letter of intent is published by the Bank as an end result of this RFP process. This RFP document is meant for the exclusive purpose of Managed Security Services for Security Operation Centre for Punjab & Sind Bank as per the terms, conditions and specifications indicated in this RFP, and shall not be transferred, reproduced or otherwise used for purposes other than those for which it is specifically issued.

1.2 About Punjab & Sind Bank

Punjab and Sind Bank, a body constituted under the Banking Companies (Acquisition and Transfer of Undertakings) Act, 1980, has its Head Office at 21, Bank House, Rajendra Place, New Delhi-110008. The Bank has a three-tier administrative architecture with Head Office (H.O.) at 21, Bank House, Rajendra Place, New Delhi 110008, Zonal Offices (ZOs) at 22 locations and more than 100 branches across India. The Bank envisions being one of the leading commercial banks in the country. All the branches of the Bank are CBS enabled. The Bank has deployed Finacle as its Core Banking Solution (CBS) for all its branches. Apart from the Finacle Core Banking System (CBS), the Bank has implemented the following delivery channels:
1. ATM Debit Card (RuPay & Master Card)
2. Internet Banking for Retail & Corporate Customers
3. Mobile Banking
4. SMS Alerts

DISCLAIMER

The information contained in this RFP document or any information provided subsequently to Bidder(s), whether verbally or in documentary form, by or on behalf of the Bank, is provided to the Bidder(s) on the terms and conditions set out in this RFP document and all other terms and conditions subject to which such information is provided. This RFP is neither an agreement nor an offer and is only an invitation by the Bank to the interested parties for submission of bids. The purpose of this RFP is to provide the Bidder(s) with information to assist the formulation of their proposals. This RFP does not claim to contain all the information each bidder may require. Each Bidder should conduct its own investigations and analysis and should check the accuracy, reliability and completeness of the information in this RFP and obtain independent advice, wherever necessary. The Bank makes no representation or warranty and shall incur no liability under any law, statute, rules or regulations as to the accuracy, reliability or completeness of this RFP. The Bank may in its absolute discretion, but without being under any obligation to do so, update, amend or supplement the information in this RFP. This is not an offer by the Bank but only an invitation to bid in the selection process initiated by the Bank. No contractual obligation whatsoever shall arise from the RFP process until a formal contract is executed by the duly authorized signatory of the Bank and the Bidder.

KEY INFORMATION

Tender Number: HOIT/RFP/57/2016-17
Tender Title: Request for Proposal For Managed Security Services for Security Operation Centre
Participation Fee (Non-Refundable): Rs. 20,000/- (Rs. Twenty Thousand Only)
Bid Security (EMD): Rs. 25,00,000/- (Rs. Twenty Five Lakhs only)
Bid Validity: 180 days
Date of Publishing the tender on Bank's Website: 30.05.2016, 11.00 Hrs
Last Date for submission of Pre-Bid Query: 06.06.2016 (Queries must be mailed to hoit.tenders@psb.co.in only, quoting the tender reference number in the subject.)
Date and Time for Pre-Bid Meeting: 09.06.2016, 11.30 Hrs
Last Date and Time for submission of Bids: 29.06.2016, 15:00 Hrs
Date and Time of Opening of Technical Bids: 29.06.2016, 15:30 Hrs
Date and Time of Commercial Bids (through Reverse Auction): To be notified later to the qualifying bidders only.
Place of Opening of Bids: Punjab & Sind Bank, Head Office Information Technology Department, Bank House, 2nd Floor, 21, Rajendra Place, New Delhi 110008
Contact Persons for any clarifications / Submission of Bids: AGM IT, Contact Numbers 011-25861325, 25861095

CHAPTER 1 - INSTRUCTIONS TO BIDDERS

1.1 Minimum Eligibility Criteria for the Bidders

Only those Bidders who fulfil the eligibility criteria for the Primary Bidder and OEM members are eligible to submit a response to this RFP. The bidder is required to provide factually correct responses to the RFP. Adequate justification for the response (including the technical and other requirements) should be provided as part of the response. In case the Bank finds any response to be inadequate, the Bank has the right to ask for additional explanation / justification. In the event of any discrepancy in the response submitted by the bidder, the Bank reserves the right to disqualify / blacklist the bidder. The Bank reserves the right to verify / evaluate the claims made by the Bidder independently. Any deliberate misrepresentation will entail rejection of the offer. The Bank reserves the right to change the eligibility criteria to ensure inclusivity.

The Bidder should possess the requisite experience, resources and capabilities in providing the services necessary to meet the requirements, as described in the tender document. The bidder must also possess the technical know-how and the financial wherewithal that would be required to successfully implement the replication solution and support services / solutions sought by the Bank for the entire period of the contract. The Bid must be complete in all respects and should cover the entire scope of work as stipulated in the document. Bidders not meeting the Eligibility Criteria will not be considered for further evaluation.

The Minimum Eligibility Criteria for the bidder shall be as under (each criterion is followed by the support documents required):

1. The bidder should be a registered corporate in India registered under the Companies Act, 1956 or a company / statutory body owned by Central / State Government.
   Support documents: Copy of incorporation / commencement certificate, Sales Tax / VAT registration certificates.

2. The bidder should have made an average annual turnover of Rs. 10 Crore per annum in the last three Financial Years (FY 2012-13, 2013-14, 2014-15).
   Support documents: Audited Balance Sheets / Audited Financial Statements (and Annual Reports, if applicable) for the last three financial years, viz. 2012-13, 2013-14 and 2014-15, are to be furnished.

3. The Bidder must have positive net worth in the last 3 financial years (i.e. FY 2012-13, 2013-14, 2014-15).
   Support documents: CA certificate regarding positive net worth, year wise, needs to be furnished.

4. The bidder should own and have been managing a well-established Security Operations Centre (SOC) in India for the last 5 years. The bidder should have at least one scheduled commercial Bank / Financial Institution having a network of more than 100 branches as an active customer for Managed Security Services or SOC for at least the last 3 years, serviced from this SOC.
   Support documents: Copies of purchase orders showing SOC services provided to customer/s. Attach copies of orders by the active customer.

5. The bidder should have provided / be providing SOC / Managed Security Services, including log monitoring and correlation, for a minimum of 100 devices to at least one scheduled commercial bank in India.
   Support documents: Letter from the client on the client's letterhead / commissioning report, along with the name, designation and landline telephone contact details.

6. The SOC offering managed security services should be ISO 27001 certified.
   Support documents: Copy of the ISO 27001 certificate.

7. The bidder should have a DR Site of similar capacity for their SOC in India.
   Support documents: Self-declaration with details of the DR site.

8. The bidder should not be the existing System Integrator (for Network Infrastructure / Facility Management) for the Bank, to avoid conflict of interest.
   Support documents: Bidder undertaking to be submitted in this regard.

9. The proposed products / tools (i.e. SIEM, WAF, PIM, Anti-Phishing) must have been successfully implemented in at least one scheduled commercial Bank in India.
   Support documents: Letter from the client on the client's letterhead / commissioning report, along with the name, designation and landline telephone contact details.

10. The bidder should have a minimum of 10 skilled staff with professional certifications like CISA / CISSP / CEH / CCSP / CCNA, or OEM certified for the product proposed.
   Support documents: CVs.

11. The bidder should deploy industry-standard licensed tools.
   Support documents: Product brochure.

12. The SIEM tool deployed must be in the Leader or Challenger Quadrant of the latest published Gartner report for SIEM.
   Support documents: Gartner report.

13. The bidder should not have been put in the negative list or blacklisted by any public sector bank / Government organization for breach of applicable laws, violation of regulatory prescriptions or breach of agreement for providing SOC services.
   Support documents: Self-certificate.

14. The service provider shall not assign or sub-contract the assignment or any part thereof to any other person / firm.
   Support documents: The vendor must submit a Letter of Undertaking.

15. The Bidder should have Digital Signatures to participate in the Reverse Auction.
   Support documents: Details of certificates to be furnished.

16. The Bidder should have successfully integrated the Finacle CBS application with the SOC in at least one Bank in India.
   Support documents: Letter from the client on the client's letterhead / commissioning report, along with the name, designation and landline telephone contact details.

Photocopies of relevant documents / certificates, duly stamped and signed, must be submitted as proof in support of the claims made. The Bank reserves the right to verify / evaluate the

claims made by the Bidder independently. The decision of the Bank in this regard shall be final, conclusive and binding upon the Bidder.

1.2 Cost of Tender

The tender document may also be downloaded from the Bank's official website www.psbindia.com. A bidder downloading the tender document from the website is required to submit the non-refundable fee mentioned in the Key Information, in the form of a Demand Draft or Pay Order in favour of PUNJAB & SIND BANK, payable at New Delhi, at the time of submission of the technical bid, failing which the bid of the concerned Bidder will be rejected. It may be noted that the amount will not be refunded to any prospective bidder under any circumstances, including cancellation of the RFP.

1.3 Language of the Bid

The bid, as well as all correspondence and documents relating to the bid exchanged between the Bidder and the Bank, shall be in the English language only.

1.4 Bid Currency & Price Structure

Prices shall be expressed in Indian Rupees only. The bidder must quote prices exclusive of all applicable taxes and duties. The cost will not depend on any variation in the dollar exchange rate or change in the tax structure.

1.5 Two Bid System

a. The Bid Proposal being submitted would be binding on the Bidder. As such, it is necessary that authorized personnel of the firm or organization sign the Bid. The designated personnel should be authorized by a senior official of the organization having the authority to do so. The same person or a different person should be authorized who holds a Digital Certificate issued in his name and has the authority to quote the offer price during the online Reverse Auction. The details of the Digital Certificate, such as Name, Digital Key details, Issuing Authority and validity, are to be provided. A photocopy of the necessary original Resolutions / Authority / Power of Attorney authorizing the person to submit Bid Documents / participate in the online Reverse Auction on behalf of the Company shall be enclosed. The proposal must be accompanied by an undertaking letter, duly signed by the designated personnel, providing a Bid commitment. The letter should also indicate the complete name and designation of the designated personnel.

b. The bidder shall submit its response to the present tender separately in two parts: the Technical Bid (TB) and the Indicative Commercial Bid (ICB). The Technical Bid will contain product specifications, whereas the Indicative Commercial Bid (ICB) will contain the estimated pricing information. In the first stage, only the Technical Bids shall be opened and evaluated as per the criteria determined by the Bank. Those bidders satisfying the technical requirements, as determined by the Bank in its absolute discretion, shall be short-listed for opening of their Indicative (Estimated) Price. The indicative prices are used to fix the start price for the online Reverse Auction. The shortlisted vendors shall be intimated of the date and time for participating in the online Reverse Auction. The bidder should be agreeable to accept the offer at the price quoted in the Reverse Auction in case the bidder is identified / selected as the L1 Bidder. In order to participate in the online reverse auction, bidders should have a Digital Signature.

c. The Reverse Auction will be conducted by the e-auction vendor engaged by the Bank for providing e-tendering services to Punjab & Sind Bank. The e-auction vendor will train the bidders for this purpose, and the bidders will have to abide by the E-Business Rules framed by the service provider and duly approved by the Bank. The E-Business Rules shall be shared with the shortlisted bidders before the Reverse Auction. Further information on participating in this reverse auction, including the details of the e-auction vendor, will be given to the technically qualified / shortlisted bidders. The Bank

reserves the right to accept or not to accept any bid, or to reject a particular bid, at its sole discretion without assigning any reason whatsoever.

d. The Indicative (Estimated) Price of only the technically qualified and short-listed vendors shall be opened to fix the start price for the online Reverse Auction. The Bank may, however, follow any other basis to determine the start price for the online Reverse Auction.

e. Bid documents shall be submitted in a single sealed envelope, including the Demand Draft / Pay Order towards the cost of the RFP, Bid Security (EMD) and other required documents as mentioned in the tender, together with a separately sealed envelope containing the Indicative (Estimated) Price, the envelope being duly superscribed with the reference of this RFP, due date, name of the Bidder with contact details, offer reference number, etc. The Bid document should be duly filed, and all the pages of the Bid, including brochures, should be presented in an organized, structured and neat manner. Brochures / leaflets etc. should not be submitted in loose form. All the pages of the submitted Bid Documents should be serially numbered, with the Bidder's seal duly affixed and the signature of the Authorized Signatory on each page. Documentary proof, wherever required in terms of the RFP, shall be enclosed.

f. Bids containing erasures or alterations will not be considered. There should be no hand-written material, corrections or alterations in the Bids. Technical details must be completely filled in. Correct technical information on the product being offered must be filled in.

g. The technical and indicative commercial bids should be submitted in hard copy and soft copy. The soft copy should be on a CD with the name of the bidder and the type ("Technical Bid" or "Indicative Commercial Bid") clearly indicated on the CD. The CD should be included in the respective sealed cover.

h. In case of any discrepancy between the hard copy and the soft copy documents, the signed hard copy shall be considered final.

1.6 Formation of Technical Bid

The technical offer / technical bid must be made in an organized and structured manner. The Technical Bid shall contain the following documents and should be properly sealed and marked as "Bid for Managed Security Services for Security Operation Centre", with the Tender Reference Number and the Bidder's name and address, in the following forms:

1. Tender Covering Letter duly signed by the authorized signatory (Annexure I)
2. Executive Summary
3. Certificate of Incorporation of the bidder
4. FORMAT - 1 Financial Details
5. FORMAT - 2 Prime Bidder's Undertaking Letter
6. FORMAT - 3 Channel Partner / Dealership / Experience Letter from OEM
7. FORMAT - 4 Confirmation of Soft Copy
8. FORMAT - 5 Compliance Statement
9. FORMAT - 6 Prime Bidder's Undertaking Letter
10. FORMAT - 7 Confirmation to Deliver
11. FORMAT - 8 Undertaking of Authenticity for Appliance and Server Supplies
12. FORMAT - 9 Confirmation of Past Experience for Solution
13. Enclosed copies of reference letters / credential letters
14. List of quality certifications, if any

15. Quality / Performance / Benchmark Certifications for the products offered
16. DD for Cost of Bid
17. ANNEXURE I - Tender Covering Letter
18. ANNEXURE II - Bidder's Information
19. ANNEXURE III - Proforma for the Bank Guarantee for Earnest Money Deposit
20. ANNEXURE IV - Acceptance of Scope of Work
21. ANNEXURE V - Format of Performance Guarantee
22. ANNEXURE VI - Pre-Bid Query Format
23. ANNEXURE VII - Technical Requirements
24. ANNEXURE VIII - Indicative Commercial Bill of Materials
25. ANNEXURE IX - Technical Requirements of Managed Security Services
26. ANNEXURE X - Non-Disclosure Agreement
27. Soft copy of the technical bid in formats supported by the Microsoft Office suite of products
28. Any other documents, forms, letters etc. supporting the above information
29. The Bidder must provide a Masked Bill of Material. The Masked Bill of Material should contain a replica of the bidder's final unmasked bill of material with prices masked.

Note: All claims made by the Bidder will have to be backed by documentary evidence. The bidder is expected to examine all instructions, forms, terms and specifications in the RFP. Failure to furnish all information required, or submission of a Bid not substantially responsive to the RFP in every respect, will be at the Bidder's risk and may result in the rejection of the Bid.

1.7 Submission of Bids

The Bank expects the bidders to carefully examine all instructions, terms and conditions mentioned in this RFP document before submitting their unconditional compliance as part of the RFP response. Failure to furnish all information required, or submission of a response not substantially responsive to the RFP in every respect, will be at the bidder's risk and may result in the rejection of its response. Bids, duly sealed, should be submitted in person on or before the last date and time for bid submission at the address mentioned below. Any other mode of submission, e.g. by courier, fax, e-mail etc., will not be accepted.

Punjab & Sind Bank, Head Office Information Technology Department, Bank House, 2nd Floor, 21, Rajendra Place, New Delhi 110008

1.8 Cost of Preparation and Submission of Bid

The Bidder shall bear all costs associated with the preparation and submission of its Bid, and the Bank will in no case be responsible or liable for these costs, regardless of the conduct or outcome of the bidding process. If any information / data / particulars are found to be incorrect, the Bank will have the right to disqualify / blacklist the company and invoke the bank guarantee / forfeit the EMD. All communications and correspondence will be only with the prime bidder. Any partner / sub-contractor has to communicate only through the prime bidder. The prime bidder will act as the single point of contact for the Bank. The Bank reserves the right to cancel the order even after placing the Letter of Intent (LOI) / Purchase Order if the Bank receives any directions / orders from a Statutory Body / RBI / Govt. of India of a nature that binds the Bank not to take the project forward.

1.9 Late Bids

Any bid received after the due date and time for receipt of bids as prescribed in this RFP will be rejected and returned unopened to the Bidder.

1.10 Earnest Money Deposit (EMD)

Non-submission of the Earnest Money Deposit as mentioned in the Key Information will lead to outright rejection of the offer. The EMD is to be submitted in the form of a Financial Bank Guarantee from any scheduled commercial bank, valid for a minimum of 225 days from the bid submission date. The EMD of unsuccessful Bidders will be returned to them on completion of the procurement process. The EMD of the successful Bidder(s) will be returned within 30 days of submission of the Performance Bank Guarantee. The Earnest Money Deposit may be forfeited under the following circumstances:

a. If the Bidder withdraws its bid during the period of bid validity (180 days from the date of opening of the technical bid).
b. If the Bidder makes any statement or encloses any form which turns out to be false, incorrect and/or misleading at any time prior to signing of the contract, and/or conceals or suppresses material information; and/or
c. In the case of a technically qualified bidder, if the bidder fails:
   - to participate in the Reverse Auction;
   - to accept the bid after submitting it in the online Reverse Auction.
d. In the case of the successful Bidder, if the Bidder fails:
   - to accept the bid submitted during the Reverse Auction;
   - to sign the contract in the form and manner to the satisfaction of the Bank;
   - to furnish the Performance Bank Guarantee in the form and manner to the satisfaction of the Bank.

1.11 Performance Bank Guarantee

The Bank will require the selected Bidder to provide a Performance Bank Guarantee, within 15 days from the date of acceptance of the order or signing of the contract, whichever is earlier, for a value equivalent to 10% of the contract value, with a validity of 63 months (or the extended period, if any). The selected Bidder shall be responsible for extending the validity date and claim period of the Performance Guarantee as and when it is due. In case the selected Bidder fails to submit the Performance Guarantee within the time stipulated, the Bank, at its discretion, may cancel the order placed on the selected Bidder without giving any notice. The Bank shall invoke the Performance Guarantee in case the selected Bidder fails to discharge its contractual obligations during the period, or the Bank incurs any loss due to the Bidder's negligence in carrying out the project implementation as per the agreed terms and conditions.

1.12 Erasures or Alterations

The Bid should contain no alterations, erasures or overwriting except as necessary to correct errors made by the Bidder, in which case the corrections should be duly stamped and initialled / authenticated by the person(s) signing the Bid. The Bidder is expected to examine all instructions, forms, terms and specifications in the bidding documents. Failure to furnish all information required by the bidding documents, or submission of a bid not substantially / conclusively responsive to the bidding documents in every respect, will be at the Bidder's risk and may result in rejection of the bid.

1.13 Opening of Bids

The Technical Bid offer will be opened on the date and time mentioned in the Key Information, in the presence of the Bidders who choose to attend on the said date and time.

The Bank will evaluate the technical and techno-functional responses to the RFP of the Bidders who are found eligible as per the eligibility criteria mentioned in the RFP. There will be no scoring involved in the eligibility evaluation. Bids of only those Bidders who have been found to be in conformity with the eligibility terms and conditions during the preliminary evaluation would be taken up by the Bank for further detailed evaluation. Bidders who do not meet the eligibility criteria and all terms during the preliminary examination will not be taken up for further evaluation. During evaluation of the Bids, the Bank at its discretion may ask a bidder for clarification of its bid. The request for clarification and the response shall be in writing, and no change in the price or substance of the bid shall be sought, offered or permitted.

1.14 Evaluation Process of the Bids

The evaluation will be a two-stage process:

1. Technical Evaluation
   - Compliance with the Minimum Eligibility Criteria
   - Acceptance of all terms and conditions of the RFP
   - Completeness of the Bid as per RFP requirements
   - Acceptance of the Scope of the RFP
   - Technical Evaluation

2. Commercial Evaluation
   - Bidding through online Reverse Auction

The evaluation by the Bank will be undertaken by an internal committee of Bank officials, which may include Consultants. The decision of the committee shall be considered final.

1.14.1 Preliminary Scrutiny

a. The Bank will examine the Bids to determine whether they are complete, the required formats have been furnished, the documents have been properly signed, and the Bids are generally in order.
b. The Bank may, at its discretion, waive any minor infirmity, non-conformity or irregularity in a Bid which does not constitute a material deviation.
c. The Bank will first examine whether the Bid and the Bidder are eligible in terms of the Eligibility Criteria. Bids not meeting the Minimum Eligibility Criteria shall not be considered for further evaluation.
d. Prior to technical evaluation, the Bank will determine the responsiveness of each Bid to the Bidding Document. For the purposes of these clauses, a responsive Bid is one which conforms to all the terms and conditions of the Bidding Document without material deviations. Deviations from, or objections or reservations to, critical provisions, such as those concerning Bid Security, Applicable Law, Bank Guarantee and Eligibility Criteria, will be deemed to be a material deviation.
e. The Bank's determination of a Bid's responsiveness will be based on the contents of the Bid itself, without recourse to extrinsic evidence.
f. If a Bid is not responsive, it will be rejected by the Bank and may not subsequently be made responsive by the Bidder by correction of the non-conformity.

1.14.2 Clarification of Bids

To assist in the scrutiny, evaluation and comparison of offers / bids, the Bank may, at its sole discretion, ask some or all Bidders for clarification of their offer / bid. The request for such clarifications and the response will necessarily be in writing, and no change in the price or substance of the bid shall be sought, offered or permitted. Any decision of the Bank in this regard shall be final, conclusive and binding on the Bidder.

1.15 Address for Submission of Bid and Communication

Offers should be addressed to the following office at the address given below:

Assistant General Manager (IT)
Punjab & Sind Bank, Head Office
Information Technology Department
Bank House, 2nd Floor, 21, Rajendra Place
New Delhi - 110008

1.16 No Commitment to Accept Lowest or Any Bid

The Bank shall be under no obligation to accept the lowest or any other offer received in response to this tender notice and shall be entitled to reject any or all offers, including those received late or incomplete. The Bank reserves the right to make changes in the terms and conditions of purchase. The Bank will be under no obligation to hold discussions with any bidder and/or entertain any representation.

1.17 Right to Accept Any Bid and to Reject Any or All Bids

Punjab & Sind Bank reserves the right to accept or reject, in part or in full, any or all offers without assigning any reason, even after issuance of a Letter of Intent. Any decision of Punjab & Sind Bank in this regard shall be final, conclusive and binding upon the bidders. The Bank reserves the right to accept or reject any Bid in part or in full, and to annul the Bidding process and reject all Bids at any time prior to contract award, without thereby incurring any liability to the affected Bidder or Bidders or any obligation to inform the affected Bidder or Bidders of the grounds for the Bank's action. If at any stage of the evaluation process it is found that the bidder does not meet the eligibility criteria or has submitted false / incorrect information, the bid will be summarily rejected by the Bank and no further correspondence will be entertained in this regard. The Bank further reserves the right to amend, rescind, reissue or cancel this RFP; all amendments will be advised to the Bidders and will be binding upon them. The Bank also reserves the right to accept, reject or cancel any or all responses to this RFP without assigning any reason whatsoever. Further, the Bank is under no obligation to acquire any or all of the items proposed.

No contractual obligation whatsoever shall arise from the RFP process unless and until a formal contract is signed and executed by duly authorized officials of Punjab & Sind Bank and the bidder.

1.18 Correction of Errors

Bidders are advised to exercise the greatest care in entering the pricing figures. No corrigenda or requests for prices to be corrected will be entertained after the bids are opened. If there are any corrections in the bid document, the authorized signatory should initial them all, failing which the figures for such items shall not be considered. Discrepancies in bids will be corrected as follows:

- Where there is a discrepancy between the amounts in figures and in words, the amount in words shall prevail.
- Where there is a discrepancy between the unit rate and the line item total resulting from multiplying the unit rate by the quantity, the unit rate will govern unless, in the opinion of the Bank, there is an obvious error such as a misplaced decimal point, in which case the line item total will prevail.
- Where there is a discrepancy between the amount mentioned in the bid and the line item total present in the schedule of prices, the amount obtained on totaling the line items in the Bill of Materials will prevail.

The amount stated in the correction form, adjusted in accordance with the above procedure, shall be considered binding, unless it causes the overall price to rise, in which case the bid price shall prevail. Based on the Bank's requirements as listed in this document, the bidder should identify and offer the best-suited solution / bill of material for the product that would meet the Bank's requirements and quote for the same.

1.19 Soft Copy of Tender Document

The soft copy of the tender document will be made available on the Bank's website https://www.psbindia.com. However, the Bank shall not be held responsible in any way for any errors / omissions / mistakes in the downloaded copy. The bidder is advised to check the contents of the downloaded copy for correctness against the printed copy of the tender document. In case of any errors in the soft copy, the printed copy of the tender document shall be treated as correct and final.

1.20 Bid Validity Period

Bids shall remain valid for 180 (one hundred eighty) days after the date of bid opening prescribed by the Bank. The Bank reserves the right to reject a bid valid for a period shorter than 180 days as non-responsive, without any correspondence. In exceptional circumstances, the Bank may solicit the Bidder's consent to an extension of the validity period. The request and the response thereto shall be made in writing. Extension of the validity period by the Bidder should be unconditional and irrevocable, and the Bid Security provided shall also be suitably extended. A Bidder acceding to the request will neither be required nor permitted to modify its bid. A Bidder may refuse the request without forfeiting its bid security. In any case, the bid security of the Bidders will be returned after completion of the process.

1.21 Pre-bid Meeting

For clarification of the bidders' doubts on issues related to this RFP, the Bank intends to hold a Pre-Bid Meeting on the date and time indicated in the Key Information of this RFP. For any clarification with respect to this RFP, the bidder may send an email to hoit.tenders@psb.co.in by the last date for submission of queries as defined in the Key Information in this document. The format to be used for seeking clarification is given in the Pre-bid Query Format.

It may be noted that all queries, clarifications, questions etc. relating to this RFP, technical or otherwise, must be in writing only and should be sent to the email id stated above. A maximum of two authorized representatives of each bidder will be allowed to attend the meeting.

1.22 Award of Contract

Following evaluation, a contract may be awarded to the bidder whose bid meets the requirements of this RFP and provides the best value to the Bank from both a techno-functional and a commercial point of view. The Bank reserves the right to award the contract in whole or in part. The acceptance of the bid, subject to contract, will be communicated by way of placing a purchase order in writing at the address supplied by the bidder in the bid document. Any change of address of the bidder should therefore be notified promptly to the Assistant General Manager (IT) at the address given in this RFP.

1.23 Contract Period

The contract period will be five years from the date of the purchase order. However, the Bank may consider an exit option if no reasonable solution is obtained. Further, the Bank reserves the right to extend the contract on the same terms and conditions, but by not more than one year. On completion of the selection process, the selected vendor needs to execute a comprehensive Service Level Agreement (SLA) with the Bank for the five-year contract period, covering all terms and conditions of this RFP and the agreement. The agreement will be based on the bidder's offer document with all its enclosures, modifications arising out of negotiation / clarification etc., and will include the following documents:

1.24 Signing of Contract

The successful bidder(s) shall be required to enter into a contract with the Bank within thirty (30) days of the award of the work, or within such extended period as may be specified by the Bank. This contract shall be based on this RFP document (read with addenda / corrigenda / clarifications), the LOI, the Purchase Order and such other terms and conditions as may be determined by the Bank to be necessary for the due performance of the work, as envisaged herein and in accordance with the bid. Until such a contract is executed, the terms and conditions of the Purchase Order and the RFP shall constitute a binding contract.

1.25 Confidentiality of the Bid Document

The Bidder, irrespective of his/her participation in the bidding process, shall treat the details of the documents as secret and confidential.

CHAPTER 2 - TERMS AND CONDITIONS

2.1 PAYMENT TERMS

Payment for SOC services will be made quarterly in arrears, on the basis of actual availability of services / sign-off, from the 1st year to the 5th year (i.e., 20 quarters from the date of sign-off of the project), on submission of an invoice and other supporting documents. The selected vendor will make the payment request to the Bank in writing, accompanied by an invoice, the relevant reports in proof of services performed, and the documents to be submitted pursuant to the terms and conditions of the RFP/SLA. Upon fulfillment of the other obligations stipulated in the Contract, payment based on the agreed rates will be made by the Bank.

2.2 PAYING AUTHORITY

The payments as per the Payment Schedule shall be made by HO IT Department, Punjab & Sind Bank, 2nd Floor, 21 Bank House, Rajendra Place, New Delhi - 110008.

2.3 DELAYS IN THE BIDDER'S PERFORMANCE

The bidder must strictly adhere to the implementation schedule specified in the purchase contract executed between the Parties for performance of the obligations arising out of the purchase contract. Any delay in completion of the obligations by the Bidder will enable the Bank to resort to any or all of the following:
i. Claiming Liquidated Damages
ii. Termination of the purchase agreement, fully or partly, and claiming Liquidated Damages
iii. Forfeiting the Earnest Money Deposit / invoking the EMD Bank Guarantee

2.4 LIQUIDATED DAMAGES

The Bank will consider the inability of the bidder to deliver the services within the specified time limit as a breach of contract, entailing payment of Liquidated Damages by the bidder. The Liquidated Damages represent an estimate of the loss or damage that the Bank may suffer due to delay in performance of the obligations (relating to service delivery, training and acceptance) by the bidder.

Installation will be treated as incomplete in one or all of the following situations:
- Non-delivery of any services mentioned in the order
- Non-delivery of supporting documentation
- No integration
- System operational, but unsatisfactory to the Bank

The Bank may at its option demand and recover from the successful bidder(s) an amount equivalent to 0.5 percent of the value of the incomplete portion of services for every week of delay or part thereof. Once the maximum is reached, the Bank may consider termination of the contract. The same applies to delay in services. Further, the Bank also reserves the right to cancel the order and invoke the Bank Guarantee / Performance Guarantee in case of inordinate delays in the delivery / installation of the equipment. The Bank may foreclose the bank guarantee without any notice. In the event of the Bank agreeing to extend the date of delivery at the request of the successful bidder(s), it is a condition precedent that the validity of the bank guarantee shall be extended by such further period as required by the Bank before the expiry of the original bank guarantee. Failure to do so will be treated as breach of contract, in which event the Bank reserves its right to foreclose the bank guarantee.

2.5 SUBCONTRACTING

The Vendor shall not subcontract, or permit anyone other than its own personnel to perform, any of the work, services or other performance required of the Vendor under the contract without the prior written consent of the Bank.

2.6 CONTRACT TERMINATION / ORDER CANCELLATION

The Bank reserves the right to terminate the contract / cancel the order placed on the selected Bidder and recover the expenditure incurred by the Bank under the following circumstances:
a. The selected Bidder commits a breach of any of the terms and conditions of the bid or fails to meet the agreed uptime.
b. The Bidder goes into liquidation, voluntarily or otherwise.
c. An attachment is levied, or continues to be levied for a period of seven days, upon the effects of the Bidder.
d. If the selected Bidder fails to complete the assignment as per the timelines prescribed in the RFP and any extension allowed, it will be a breach of contract. The Bank reserves its right to cancel the order in the event of delay and to forfeit the bid security as liquidated damages for the delay.
e. Deductions on account of liquidated damages exceed 10% of the total contract price.
f. In case the selected Bidder fails to deliver the services as stipulated in the schedule, the Bank reserves the right to procure the same or a similar product from alternate sources at the risk, cost and responsibility of the selected Bidder.
g. The Bank reserves the right to recover any dues payable by the selected Bidder from any amount outstanding to the credit of the selected Bidder, including pending bills, and/or by invoking the Bank Guarantee under this contract.
h. The Bank reserves its right to cancel the order in the event of one or more of the following situations that are not occasioned by reasons solely and directly attributable to the Bank alone:
   a. Delay in customization / implementation / takeover of services beyond the period agreed in the contract to be signed with the successful vendor.
   b. Serious discrepancy in the quality of services.
i. The Bank reserves its right to terminate the contract in the event of a change in Bank policy / administrative exigency, after providing a notice period of six months.

2.8 Exit Option and Reverse Transition

a) The Bank reserves its right to cancel the order in the event of one or more of the situations mentioned in the Contract Termination / Order Cancellation clause.
b) Notwithstanding the existence of a dispute and/or the commencement of arbitration proceedings, the bidder shall continue to provide the facilities to the Bank.
c) The reverse transition mechanism will be activated in the event of cancellation of the contract or exit by the parties, or 6 months prior to expiry of the contract. The bidder shall perform reverse transition to the Bank or its selected vendor. The reverse transition mechanism will facilitate an orderly transfer of services to the Bank or to an alternative third party / vendor nominated by the Bank. Where the Bank elects to transfer responsibility for service delivery to a number of vendors, the Bank will nominate a service provider who will be responsible for all dealings with the bidder regarding the delivery of the reverse transition services.
d) Knowledge Transfer: The bidder shall provide such necessary information and documentation to the Bank or its designee as is required for the effective management and maintenance of the Deliverables under this contract. The bidder shall provide documentation (in English), in electronic form where available or otherwise as a single hard copy, of all existing procedures, policies and programs required to support the Services. Such documentation will be subject to the limitations imposed by the bidder's Intellectual Property Rights under this Agreement.
e) The parties shall return confidential information and Data, and will sign off and acknowledge the return of such confidential information.
f) The bidder shall provide all other services as may be agreed by the parties in connection with the reverse transition services. However, in case any other services in addition to the above are needed, the same shall be scoped and priced.
g) The bidder recognizes that, considering the enormity of the assignment, the transition services listed herein are only indicative in nature, and the bidder agrees to provide all assistance and services required for fully and effectively transitioning the services provided by the bidder under the scope, upon termination or expiration thereof for any reason whatsoever.
h) The cost of reverse transition, if any, should be part of the commercial offer.
i) During the reverse transition period, the existing bidder shall transfer all knowledge, know-how and other things necessary for the Bank or the new bidder to take over and continue to manage the services. The bidder agrees that the reverse transition mechanism and support during reverse transition will not be compromised or affected for any reason whatsoever, including cancellation or exit by either party.
j) The Bank shall have the sole and absolute discretion to decide whether a proper reverse transition mechanism, over a period of 6 months, has been complied with. In the event of the conflict not being resolved, the conflict will be resolved through Arbitration.
k) The Bank and the bidder shall together prepare the Reverse Transition Plan. However, the Bank shall have the sole decision on whether such Plan has been complied with.
l) The bidder agrees that in the event of cancellation, exit or expiry of the contract it will extend all necessary support to the Bank or its selected vendors as would be required in the event of shifting of the site.
m) The bidder shall hand over the complete data to the Bank after termination / expiry of the contract.

2.10 EFFECTS OF TERMINATION

a) The bidder agrees that it shall not be relieved of its obligations under the reverse transition mechanism notwithstanding the termination of the assignment.
b) The same terms (including payment terms) which were applicable during the term of the contract shall be applicable to the reverse transition services.
c) The bidder agrees that, after completion of the Term or upon earlier termination of the assignment, the bidder shall, if required by the Bank, continue to provide the facility to the Bank on terms no less favorable than those contained in this tender document. In case the Bank wants to continue with the bidder's facility after completion of this contract, the bidder shall offer the same or better terms to the Bank. Unless mutually agreed, the rates shall remain firm.
d) In the event of termination, the Bank shall make such prorated payment for services rendered by the bidder and accepted by the Bank, at the sole discretion of the Bank, provided that the bidder is in compliance with its obligations till such date. However, no payment for costs incurred, or irrevocably committed to, up to the effective date of such termination will be admissible. There shall be no termination compensation payable to the bidder.
e) Termination shall not absolve the liability of the Bank to make payment of undisputed amounts to the bidder for services rendered till the effective date of termination. Termination shall be without prejudice to any other rights or remedies a party may be entitled to hereunder or at law, and shall not affect any accrued rights or liabilities of either party, nor the coming into force or continuation in force of any provision hereof which is expressly intended to come into force or continue in force on or after such termination.
f) Upon cancellation of the contract / completion of the period of service, the bidder shall hand over peaceful legal possession of all the assets provided and obtain discharge from the Bank. The Bank also reserves the right to assign, allot or award the contract to any third party upon cancellation of the availed services.

2.7 AUDIT BY THIRD PARTY

Punjab & Sind Bank reserves the right to inspect and/or conduct an audit at the bidder's site of any procedures, services and functionality offered by the selected vendor under this agreement. Punjab & Sind Bank will undertake audits, by itself or through its designated company, on a regular basis to audit the procedures, services and functionality for conformance with this agreement. The Vendor undertakes to take all necessary steps, at no additional cost to Punjab & Sind Bank, to rectify any non-conformance items indicated by the auditors.
2.8 DISPUTE RESOLUTION MECHANISM

The Bidder and the Bank shall endeavor their best to amicably settle all disputes arising out of or in connection with the Contract in the following manner:
I. The Party raising a dispute shall address to the other Party a notice requesting an amicable settlement of the dispute within seven (7) days of receipt of the notice.
II. The matter will be referred for negotiation between the General Manager of the Bank / Purchaser and the Authorized Official of the Bidder. The matter shall then be resolved between them and the agreed course of action documented within a further period of 15 days.

In case any dispute between the Parties is not settled by negotiation in the manner mentioned above, the same may be resolved exclusively by arbitration, and such dispute may be submitted by either party for arbitration within 20 days of the failure of negotiations. Arbitration shall be held in New Delhi and conducted in accordance with the provisions of the Arbitration and Conciliation Act, 1996, or any statutory modification or re-enactment thereof. Each Party to the dispute shall appoint one arbitrator, and the two arbitrators shall jointly appoint the third or presiding arbitrator. The Arbitration Notice should accurately set out the disputes between the parties, the intention of the aggrieved party to refer such disputes to arbitration as provided herein, and the name of the person it seeks to appoint as an arbitrator, with a request to the other party to appoint its arbitrator within 5 days from receipt of the notice. All notices by one party to the other in connection with the arbitration shall be in writing and be made as provided in this tender document. The arbitrators shall hold their sittings at New Delhi. The arbitration proceedings shall be conducted in the English language. Subject to the above, the courts of law at New Delhi alone shall have jurisdiction in respect of all matters connected with the Contract / Agreement.

The arbitration award shall be final, conclusive and binding upon the Parties, and judgment may be entered thereon upon the application of either party to a court of competent jurisdiction. Each Party shall bear the cost of preparing and presenting its case, and the cost of arbitration, including the fees and expenses of the arbitrators, shall be shared equally by the Parties unless the award provides otherwise. The Bidder shall not be entitled to suspend the Service/s or the completion of the job pending resolution of any dispute between the Parties, and shall continue to render the Service/s in accordance with the provisions of the Contract / Agreement notwithstanding the existence of any dispute between the Parties or the subsistence of any arbitration or other proceedings. Notwithstanding the above, the Bank shall have the right to initiate appropriate proceedings before any court of appropriate jurisdiction, should it find it expedient to do so.

2.9 JURISDICTION

The jurisdiction of the courts shall be in New Delhi.

2.10 NOTICES

Notices or other communications given or required to be given under the contract shall be in writing and shall be faxed / e-mailed, followed by hand delivery with acknowledgement thereof, or transmitted by pre-paid registered post or courier. Any notice or other communication shall be deemed to have been validly given on the date of delivery if hand delivered, and, if sent by registered post, on expiry of seven days from the date of posting.

2.11 AUTHORIZED SIGNATORY

The selected Bidder shall indicate the authorized signatories who can discuss and correspond with the Bank with regard to the obligations under the contract. The selected Bidder shall submit, at the time of signing the contract, a certified copy of the resolution of its board, authenticated by the company secretary, authorizing an official or officials of the Bidder to discuss and sign agreements / contracts with the Bank, raise invoices and accept payments, and also to correspond. The Bidder shall provide proof of signature identification for the above purposes as required by the Bank.
2.12 FORCE MAJEURE

Force Majeure is herein defined as any cause which is beyond the control of the selected Bidder or the Bank, as the case may be, which they could not foresee or with a reasonable amount of diligence could not have foreseen, and which substantially affects the performance of the contract, such as:
- Natural phenomena, including but not limited to floods, droughts, earthquakes and epidemics
- Acts of any government, including but not limited to war, declared or undeclared, priorities, quarantines and embargoes
- Terrorist attack, public unrest in the work area

Provided that either party shall, within 10 days from the occurrence of such a cause, notify the other in writing of such cause. The Bidder or the Bank shall not be liable for delay in performing his/her obligations resulting from any Force Majeure cause as referred to and/or defined above. Any delay beyond 30 days shall lead to termination of the contract by the parties, and all obligations expressed quantitatively shall be calculated as on the date of termination. Notwithstanding this, the provisions relating to indemnity and confidentiality survive termination of the contract.

2.13 CONFIDENTIALITY

The selected vendor acknowledges that all material and information which has or will come into its possession or knowledge in connection with this agreement or the performance hereof consists of confidential and proprietary data, whose disclosure to or use by third parties will be damaging or cause loss to PUNJAB & SIND BANK. The vendor agrees to hold such material and information in strictest confidence, not to make use thereof other than for the performance of this agreement, to release it only to employees requiring such information, and not to release or disclose it to any other party. The vendor agrees to take appropriate action with respect to its employees to ensure that the obligations of non-use and non-disclosure of confidential information under this agreement can be fully satisfied.

Punjab & Sind Bank's logs and data (including location details) are confidential and should NEVER be disclosed to any institution or used by the vendor for any purpose other than the scope of work. The selected vendor will take suitable steps to ensure the confidentiality of Punjab & Sind Bank's data. These steps should include having the employees assigned to Punjab & Sind Bank's work sign a 'Confidentiality Agreement'. The selected vendor undertakes not to retain this data within its company after the end of this agreement. This clause will outlive the agreement date.

2.14 OWNERSHIP AND RETENTION OF DOCUMENTS

The Bank shall own the documents prepared by or for the selected Bidder arising out of or in connection with the Contract. Forthwith upon expiry or earlier termination of the Contract, and at any other time on demand by the Bank, the Bidder shall deliver to the Bank, at no additional cost, all documents provided by or originating from the Bank / Purchaser and all documents produced by or from or for the Bidder in the course of performing the Service(s), unless otherwise directed in writing by the Bank. The selected Bidder shall not, without the prior written consent of the Bank / Purchaser, store, copy, distribute or retain any such Documents. The selected Bidder shall preserve all documents provided by or originating from the Bank / Purchaser and all documents produced by or from or for the Bidder in the course of performing the Service(s) in accordance with the legal, statutory and regulatory obligations of the Bank / Purchaser in this regard.

2.15 PATENT RIGHTS

In the event of any claim asserted by a third party of infringement of copyright, patent, trademark, industrial design rights, etc., arising from the use of the Goods or any part thereof in India, the Vendor shall act expeditiously to extinguish such claim.
If the Vendor fails to comply and the Bank is required to pay compensation to a third party resulting from such infringement, the Vendor shall be responsible for the compensation to the claimant, including all expenses, court costs and lawyer fees. The Bank will give notice to the Vendor of such claim, if it is made, without delay. The Vendor shall indemnify the Bank against all third-party claims.

2.16 COMPLIANCE WITH STATUTORY AND REGULATORY PROVISIONS

It shall be the sole responsibility of the Vendor to comply with all statutory and regulatory provisions and the law of the land while delivering the services mentioned in this RFP.

2.17 INDEMNITY

The selected vendor has to undertake to indemnify Punjab & Sind Bank and its officers, employees and agents against liability, including costs, for actual or alleged direct or contributory infringement of, or inducement to infringe, any Indian or foreign patent, trademark or copyright, arising out of the performance of this contract. The selected vendor shall also undertake to indemnify Punjab & Sind Bank and its officers, employees and agents against liability, including costs, for actual or alleged direct or contributory infringement or misuse by the vendor of any license, arising out of the execution of this contract.

2.18 LEGAL COMPLIANCE

The successful bidder hereby agrees that it shall comply with all applicable union, state and local laws, ordinances, regulations and codes in performing its obligations hereunder, including the procurement of licenses, permits and certificates and the payment of taxes where required. If at any time during the term of this agreement the Bank is informed, or information comes to the Bank's attention, that the successful bidder is or may be in violation of any law, ordinance, regulation or code (or if it is so decreed or adjudged by any court, tribunal or other authority), the Bank shall be entitled to terminate this agreement with immediate effect.

The successful bidder shall maintain all proper records, particularly but without limitation accounting records, required by any law, code, practice or corporate policy applicable to it from time to time, including records, returns and applicable documents under the Labour Legislation. The successful bidder shall ensure payment of minimum wages to persons engaged by it, as fixed from time to time under the Minimum Wages Act, 1948. In case the same is not paid, the liability under the Act shall rest solely with the successful bidder.

2.19 GOVERNING LAW AND RESOLUTION OF DISPUTES

All disputes or differences whatsoever arising between the parties out of or in relation to the construction, meaning, operation or effect of the Contract / Tender Documents, or breach thereof, shall be settled amicably. If, however, the parties are not able to solve them amicably, the same shall be settled by arbitration in accordance with the applicable national laws, and the award made in pursuance thereof shall be binding on the parties. Any appeal will be subject to the exclusive jurisdiction of the courts at Delhi, and the language of the arbitration proceedings and of all documents and communication between the parties shall be English. The laws applicable to this contract shall be the laws in force in New Delhi, India. The contract shall be governed by and interpreted in accordance with Indian law. The successful bidder(s) shall continue work under the Contract during the arbitration proceedings unless otherwise directed in writing by the Bank, or unless the matter is such that the work cannot possibly be continued until the decision of the arbitrator is obtained. The venue of the arbitration shall be Delhi.
2.20 CONFLICT OF INTEREST
The Bidder shall disclose to the Bank in writing all actual and potential conflicts of interest that exist, arise or may arise (either for the Bidder or the Bidder's team) in the course of performing the Service(s), as soon as practical after it becomes aware of that conflict.

2.21 INSPECTION OF RECORDS
Subject to receipt of prior written notice, all Vendor records with respect to any matters covered by this Tender shall be made available to the Bank or its designees and regulators, including RBI, at any time during normal business hours, as often as the Bank deems necessary, to audit, examine, and make excerpts or transcripts of all relevant data. Said records are subject to examination. The Bank's auditors would execute a confidentiality agreement with the Vendor, provided that the auditors would be permitted to submit to the Bank their findings pertaining to the scope of the work, which would be used by the Bank. The cost of the audit will be borne by the Bank. The scope of such audit would be limited to the Service Levels covered under the contract; financial information would be excluded from such inspection, subject to the requirements of statutory and regulatory authorities. Such audit shall be conducted within the normal working hours of the Vendor, and the Bank's auditors shall comply with the confidentiality and security requirements specified by the Vendor.

2.22 DATA OWNERSHIP
The customer logs and any data (including location details) provided by Punjab & Sind Bank to the vendor are exclusively the property of Punjab & Sind Bank. The various compiled/ correlated data and information required/ used by the solutions mentioned in this RFP shall remain the property of the Bank.

2.23 PUBLICITY
Any publicity by either party in which the name of the other party is to be used should be done only with the explicit written permission of such party.

2.24 SOLICITATION OF EMPLOYEES

Both the parties agree not to hire, solicit, or accept solicitation (either directly, indirectly, or through a third party) for their employees directly involved in this contract during the period of the contract and one year thereafter, except as the parties may agree on a case-by-case basis. The parties agree that for the period of the contract and one year thereafter, neither party will cause or permit any of its directors or employees who have knowledge of the agreement to directly or indirectly solicit for employment the key personnel working on the project contemplated in this proposal, except with the written consent of the other party. The above restriction would not apply to either party for hiring such key personnel who (i) initiate discussions regarding such employment without any direct or indirect solicitation by the other party, (ii) respond to any public advertisement placed by either party or its affiliates in a publication of general circulation, or (iii) have been terminated by a party prior to the commencement of employment discussions with the other party.

2.25 COMPLIANCE WITH LAWS
The bidder should adhere to the laws of the land and to the rules, regulations and guidelines prescribed by the various regulatory, statutory and Government authorities. The bidder is to ensure that all the proposed solutions are compliant with all existing regulatory guidelines of GOI/ RBI and also adhere to the requirements of the IT Act 2000 (including the amendments in the IT Act 2008) and the Payment and Settlement Systems Act 2007 and amendments thereof. A self-declaration to this effect is to be submitted by the bidder. The Bank reserves the right to conduct an audit / ongoing audit of the services provided by the bidder. The Bank reserves the right to ascertain information from the banks and other institutions to which the bidders have rendered their services for execution of similar projects.
The Vendor shall undertake to observe, adhere to, abide by, comply with and notify the Bank about all laws in force, or as made applicable in future, pertaining or applicable to them, their business, their employees or their obligations towards them and all purposes of this Tender, and shall indemnify, keep indemnified, hold harmless, defend and protect the Bank and its employees/ officers/ staff/ personnel/ representatives/ agents from any failure or omission on its part to do so, and against all third party claims or demands of liability and all consequences that may occur or arise for any default or failure on its part to conform or comply with the above and all other statutory obligations arising therefrom.

Compliance in obtaining approvals/ permissions/ licenses: The Vendor shall promptly and timely obtain all such consents, permissions, approvals, licenses, etc. as may be necessary or required for any of the purposes of this project or for the conduct of their own business under any applicable law or Government regulation/ guideline, and shall keep the same valid and in force during the term of the project. In the event of any failure or omission to do so, the Vendor shall indemnify, keep indemnified, hold harmless, defend, protect and fully compensate the Bank and its employees/ officers/ staff/ personnel/ representatives/ agents from and against all third party claims or demands of liability and all consequences that may occur or arise for any default or failure on its part to conform or comply with the above and all other statutory obligations arising therefrom, and the Bank will give notice of any such claim or demand of liability to the Vendor within a reasonable time. This indemnification is only a remedy for the Bank; the Vendor is not absolved of its responsibility to comply with the statutory obligations specified above.
Indemnity would be limited to court and arbitration awarded damages and shall exclude indirect, consequential and incidental damages. However, indemnity would cover direct damages, loss or liabilities suffered by the Bank arising out of claims made by its customers and/or regulatory authorities.

CHAPTER - 3 SCOPE OF WORK

3.1 Intended Principles of the SOC
The principles that form the underlying platform for the SOC Services are as follows. The services offered should follow from these principles. The bidder, hereinafter called the Security Integrator (SI), Vendor, or Managed Security Service Provider, is expected to adhere to these principles while submitting its response.

3.1.1 Functional Principles
The intent for the SOC Service/ Solution is covered in the following functional principles:
- Prevention & Identification of Information Security Vulnerabilities: The SOC Services/ Solution should be able to identify information security vulnerabilities in the Bank's environment and prevent them from being exploited.
- Incident Management: Reporting of information security incidents through the use of appropriate tools; tracking and monitoring the closure of these incidents; and escalating them to the appropriate teams/ individuals in the Bank.
- Continuous Improvement: Continuously improve the SOC Services/ Solutions.

3.1.2 Scalability Principles
The services/ solutions offered should be modular and scalable, and should be able to address the Bank's requirements during the period of the contract.

3.1.3 Availability Principles
The services/ solutions in scope should be designed with adequate redundancy and fault tolerance to ensure compliance with the SLAs for uptime outlined in this RFP.

3.1.4 Performance Principles
The services/ solutions offered should not have any significant impact on the existing infrastructure/ business of the Bank, either during installation or during operation of the SOC.
Based on the above principles, the following services/ solutions have been identified to enhance the security posture of the Bank:
- Security Information and Event Management (SIEM)
- Web Application Firewall (WAF)
- Anti-Phishing, Anti-Trojan, Anti-Malware and Anti-Rogue (for Mobile App) Services
- Privileged Identity Management Solution (PIM)
- Risk Assessment

The Bidders who wish to take up the project shall be responsible for the following at both the Bank's Data Centre (DC) and Disaster Recovery Site (DR):
- Implementation of the respective services/ solutions, including configuration and customization as per the requirements of the Bank.
- Providing a comprehensive single-dashboard view of the security risks/ incidents for the Bank.

- Working/ liaising with the existing System Integrator(s) and the various application vendors of the Bank for integrating the services/ solutions with the existing application platforms, servers, security devices, storage environments, enterprise network, security solutions, etc.
- Development of operating procedures in adherence with the Bank's policies.
- Adherence to the agreed Service Level Agreements (SLA) and periodic monitoring and reporting of the same to the designated team and official of the Bank.
- Continual improvement of the Security Operations Services as defined in the SLA.
- Providing appropriate ticketing tools for reporting and logging of information security incidents.
- A secured link (with the necessary bandwidth) from the Bank's DC (and DR) to the vendor's SOC (DC & DR), along with the servers, solutions, software, database, storage, networking equipment, etc. required at the Bank's DC and DR, without any additional cost to the Bank. Raw log collection and storage should be at the Bank's premises only. All devices, hardware, software, databases, storage, solutions, services and links required at the Bank's premises shall be on a lease/ service model.
- The cost of integrating all devices/ applications with the SIEM will be borne by the bidder. M/s Wipro Ltd is the Bank's system integrator for the DC and DR. The Bank will not pay any cost to M/s Wipro or to the bidder/ vendor.
- The vendor shall conduct a System Study of the Bank's overall infrastructure with respect to implementation of the solutions/ services mentioned in this RFP, submit a solution/ service-wise project plan, and monitor the same during the project rollout.

3.2 General Scope of Work for Solution/ Service
This section refers to the broad set of requirements for all solutions/ services to be deployed/ provided to the Bank. Where server(s) or other equipment is required to be deployed at the Bank's DC or DR for any solution/ service, the hardware should be designed to ensure the SLA mentioned in the RFP and should also be scalable.
The bidder is required to size the hardware as per the Scope of Work of the RFP.

3.2.1 SECURITY INFORMATION & EVENT MANAGEMENT (SIEM)
The SIEM solution/ service is expected to collect logs from security and network devices, servers and various application security logs. The bidder is expected to perform the following as part of the SIEM for the Bank:

Solution/ Service Implementation:
- Implement the SIEM to collect logs from the identified devices, applications, databases, etc.
- Develop parsing rules for non-standard logs.
- Design and implement the correlation rules of the SIEM solution/ service, including those based on the use-cases defined in the RFP and those provided by the Bank during the contract period.
- 24X7 log monitoring for the identified devices and applications.
- Rapid real-time response to incidents.
- Evaluation of incidents.
- Forensics to identify the origin of threats, mitigation thereof, and initiation of measures to prevent recurrence.
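As an added illustration of what "design and implement correlation rules" means in practice (this is not part of the RFP and not any bidder's product code), the two rules below run over constructed, already-parsed events of the kind the SIEM holds after log collection. The first relates firewall, IDS, web server and server authentication logs from one source address inside a time window and grades the incident by how deep the traffic got; the second treats a privileged login on a PIM-managed server with no preceding PIM session as a PIM violation, PIM being one of the in-scope solutions whose logs the SIEM must collect. Host names, account names, IP addresses (documentation and private ranges), field names and the PIM scope sets are all assumptions.

```python
"""Added example: two SIEM correlation rules over constructed, already-parsed events.
Not part of the RFP or any product; hosts, accounts, IPs and field names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Layer each log source sits at. How deep an attacker's traffic got (perimeter,
# IDS, application, host) decides the severity of a correlated incident.
LAYER = {"firewall": 1, "nids": 2, "webserver": 3, "server_auth": 4}

# Assumed PIM scope: admin accounts that must be checked out of the PIM solution,
# and servers onboarded to it.
PRIVILEGED_USERS = {"root", "appadmin", "oracle"}
PIM_MANAGED_HOSTS = {"db-01", "db-02", "db-03"}

# Constructed sample events (not real Bank logs). IPs are RFC 5737 documentation
# addresses and private space; timestamps are ISO-8601 in one time zone.
EVENTS = [
    {"ts": "2016-06-10T10:00:05", "src": "firewall", "ip": "203.0.113.7", "action": "allow", "dst_port": 443},
    {"ts": "2016-06-10T10:00:09", "src": "nids", "ip": "203.0.113.7", "action": "alert", "sig": "SQL injection attempt"},
    {"ts": "2016-06-10T10:00:20", "src": "webserver", "ip": "203.0.113.7", "action": "http_500"},
    {"ts": "2016-06-10T10:01:02", "src": "server_auth", "ip": "203.0.113.7", "action": "login_success", "user": "appadmin", "host": "db-01"},
    {"ts": "2016-06-10T11:30:00", "src": "firewall", "ip": "198.51.100.4", "action": "allow", "dst_port": 443},
    {"ts": "2016-06-10T11:30:03", "src": "nids", "ip": "198.51.100.4", "action": "alert", "sig": "scanner user-agent"},
    {"ts": "2016-06-10T12:00:00", "src": "pim", "ip": "10.10.5.21", "action": "session_start", "user": "root", "host": "db-03"},
    {"ts": "2016-06-10T12:00:30", "src": "server_auth", "ip": "10.10.5.21", "action": "login_success", "user": "root", "host": "db-03"},
    {"ts": "2016-06-10T12:05:00", "src": "server_auth", "ip": "10.10.5.21", "action": "login_success", "user": "root", "host": "db-02"},
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def correlate_attack_chains(events, window_minutes=5):
    """Rule 1: per source IP, a firewall 'allow' followed within the window by an IDS
    alert is an incident; any deeper event from the same IP in the window raises it."""
    by_ip = defaultdict(list)
    for e in events:
        if e["src"] in LAYER:
            by_ip[e["ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _t(e["ts"]))
        for i, start in enumerate(evs):
            if not (start["src"] == "firewall" and start["action"] == "allow"):
                continue
            deadline = _t(start["ts"]) + timedelta(minutes=window_minutes)
            chain = [e for e in evs[i:] if _t(e["ts"]) <= deadline]
            if not any(e["src"] == "nids" for e in chain):
                continue
            deepest = max(LAYER[e["src"]] for e in chain)
            incidents.append({
                "ip": ip,
                "first_seen": start["ts"],
                "deepest_layer": deepest,
                "severity": "high" if deepest >= 3 else "medium",
                "sources": sorted({e["src"] for e in chain}),
            })
            break  # one incident per IP; the chain itself is what the analyst reviews
    return incidents


def pim_bypass_logins(events, grace_minutes=10):
    """Rule 2: a privileged login on a PIM-managed host with no PIM session for the same
    user and host in the preceding grace period is a PIM violation: the server was
    reached directly instead of through the vault."""
    sessions = defaultdict(list)
    for e in events:
        if e["src"] == "pim" and e["action"] == "session_start":
            sessions[(e["user"], e["host"])].append(_t(e["ts"]))
    violations = []
    for e in events:
        if e["src"] != "server_auth" or e["action"] != "login_success":
            continue
        if e["user"] not in PRIVILEGED_USERS or e["host"] not in PIM_MANAGED_HOSTS:
            continue
        login = _t(e["ts"])
        brokered = any(login - timedelta(minutes=grace_minutes) <= s <= login
                       for s in sessions.get((e["user"], e["host"]), []))
        if not brokered:
            violations.append({"user": e["user"], "host": e["host"], "ip": e["ip"], "ts": e["ts"]})
    return violations


if __name__ == "__main__":
    for inc in correlate_attack_chains(EVENTS):
        print("INCIDENT", inc)
    for v in pim_bypass_logins(EVENTS):
        print("PIM VIOLATION", v)
```

On the sample data the first rule yields a high-severity incident for 203.0.113.7 (the chain reaches a database host) and a medium one for 198.51.100.4 (perimeter only); the second flags the root login on db-02 and the appadmin login on db-01, while the root session on db-03 is accepted because a PIM session preceded it. Both rules are deliberately window-based: a rule that only counts events without bounding them in time fires on unrelated activity and is the usual source of SIEM noise.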

The SIEM solution/ service shall also have the capability for the Bank team to execute queries to identify custom-made scenarios/ incidents.

Training:
- Provide training to the identified Bank personnel/ team on the solution/ services and the functionality to be provided, before the implementation of the solution/ services.
- Provide hands-on training to the Bank personnel/ team on SIEM policy configuration, alert monitoring, etc., post implementation.

Ongoing Operations:
- Monitor the SIEM alerts and take appropriate action as per the SLA defined in the RFP.
- Perform on-going optimization, configure additional use-cases, and suggest improvements as a continuous improvement process.
- Perform log backup and archival (of servers at the Bank's DC and DR) as per the Bank's policy requirements and applicable legal and statutory requirements.
- Ensure that the SLA is maintained as defined in the RFP.

SOC Monitoring:
The SIEM solution/ service should be able to collate logs from the devices, applications, databases, etc. mentioned in the scope for the Bank, including the solutions/ services deployed as part of this RFP. The configured correlation alerts should be provided to the Bank through an appropriate tool. The alerts should also be escalated to the Bank as per the defined escalation matrix.

Storage:
The SIEM solution/ service should be able to maintain 6 months of logs online. In addition, the bidder should provide near-line (secondary) storage for archiving logs for up to 1 year and offline storage for logs for up to 9 years. The bidder is responsible for sizing the storage adequately, at the Bank's premises, based on the EPS estimate given for the Bank in the detailed scope of work. The bidder is responsible for automated online replication of logs from DC to DR for redundancy. Network links, bandwidth and the associated hardware for replication will be provided by the vendor/ bidder without any extra cost to the Bank.
The solution should be capable of automatically moving logs from the device to archival storage based on the ageing of the logs, and the logs should remain available online to the device for easy correlation. The storage should have Write Once Read Many (WORM), encryption, index and search, retention and disposal functionality. The backup solution with tape library should be provided by the bidder/ vendor. The cartridge tapes will be provided by the Bank as per the estimated requirement given by the bidder/ vendor quarterly. The bidder is expected to size the storage as per the requirements mentioned in the Scope of Work in this RFP. The solution should also be scalable to expand storage based on the peak EPS requirement of the Bank.

Security & Network Devices to be monitored
Security & Network devices to be monitored by SIEM include but are not limited to the following:

S. No | Device Type | Count DC | Count DR | Count CBS | Count HO
1 | Firewalls | 6 | 6 | 2 | 1
2 | Routers | 8 | 6 | 2 | 2
3 | Layer 2 Switches | 9 | 9 | 5 | 5
4 | Layer 3 Switches | 2 | 2 | 2 | 2
5 | IPS/ IDS/ NIPS/ HIPS | 2 | 2 | - | -
6 | NAC | 8 | 8 | - | -
7 | Encryption Devices | - | - | ? | ?
8 | Access Control Devices | - | - | ? | ?
9 | Antivirus | - | - | - | -
10 | DB Log Management | - | - | - | -
11 | Security Solutions for Email | - | - | - | -
12 | Security Solutions for Web | - | - | - | -
13 | Integrated Security Manager | - | - | - | -
14 | Network Access Control | - | - | - | -
15 | LAN Management System | - | - | - | -
(Rows 7 and 8: only two of the four counts are legible in the source; the two dashes are reproduced as given and the other two cells are marked "?".)

Servers
The following servers need to be monitored by SIEM (including but not limited to):

S. No | Device Type | Count DC | Count DR | Count CBS | Count HO
1 | Load Balancers | 4 | 4 | - | -
2 | Web Servers | 9 | 9 | - | 4
3 | Application Servers | 9 | 9 | 5 | 5
4 | Database Servers | 16 | 16 | 5 | 5
 | TOTAL | 38 | 38 | 10 | 14
(The Load Balancer DC/DR counts and the Web Server HO count are illegible in the source and are reconstructed from the column totals.)

Key Applications
Applications to be monitored by SIEM include but are not limited to:

Key Applications to be monitored
S. No | Key Application | Vendor | Type
1 | Finacle CBS | Infosys | Mandatory
2 | Internet Banking | Infosys | Mandatory
3 | Web Proxy Gateway | | Mandatory
4 | Database Activity Monitoring | McAfee | Mandatory
5 | Biometric Application | SmartChip Ltd | Mandatory
6 | Integrated Treasury | M/s Polaris (Lasersoft) | Mandatory
7 | Financial Inclusion Gateway | TCS | Mandatory
8 | Mobile Banking | FSS | Mandatory
9 | Interface/ Application to SWIFT | | 
10 | Email | Microsoft | Optional
11 | Directory Services | Microsoft | Optional
12 | GBM | Accel Frontline | Optional
13 | DAR | Veermati | Optional
14 | ADF MIS | Nelito | Optional
15 | AML | Infrasoft | Optional
16 | Enterprise Management System | IBM Tivoli | Optional
17 | HRMS | - | Optional
18 | Risk Management/ ALM BALM | Suryasoft | Optional
19 | Locker | Wipro | Optional
20 | CPSMS | Intelliswift | Optional
21 | Other in-house & Third Party Applications | - | Optional
 | (application name not legible in source) | Globsys | Optional

Timeline for integration: Mandatory applications within 8 months; Optional applications within 6 months of the Bank giving its order for the application.

Note: Before the implementation of the solution/ service, the bidder is required to study the Bank environment and identify any additional Security & Network Devices, Servers, Software, Databases and applications that need to be monitored by the SIEM, and submit a report on the same to the Bank. Any new Security & Network Devices, Servers, Software, Databases and applications introduced into the Bank environment during the contract period should also be monitored by the SIEM, and the bidder shall integrate the same with the SIEM at no extra cost to the Bank.

Sizing
The expected EPS count for the Bank should be a minimum of 10,000, scalable to 30,000. The bidder needs to provide a SIEM solution/ service that caters to the minimum requirement, and needs to provide details of how the solution/ service can scale to the maximum EPS count and the additional cost in buckets of 5,000 EPS if the Bank wants to upgrade the SIEM solution.

Other Requirements
- Management of security devices/ solutions, including rule-base audit, management of devices and creation of rules during non-business hours.
- 24x7 monitoring of logs and audit trails for security events.
- Detection of known as well as unknown attacks and raising alerts on any suspicious events that may lead to a security breach of the Bank's environment.
- 24x7 monitoring of performance and service availability so that the desired state and integrity of the devices/ solutions and service levels are maintained.
- Support and scalability for any additions/ modifications or integration of applications, services, devices and networks with the existing architecture.
- Initial review (Level 1) of security incidents and determination of whether escalation to Level 2/ 3 support is warranted.
- Event analysis with statistical event-correlation rules, including correlation of the events from the devices/ solutions under scope.

- Creation and addition of custom correlation rules for the Bank's devices under scope. The SOC will review and fine-tune rules as and when required.
- Providing an online secured portal (web-based dashboard) for viewing real-time monitoring data of all the security devices/ solutions in scope.
- Developing and recommending improvement plans for the SOC-monitored facilities of the Bank as needed to maintain an effective and secure computing environment. This activity is to be carried out as and when required by the Bank.
- Monitoring alerts and events reported by devices under the SOC scope; recording, classifying and recommending remedial action for the incidents. All types of incidents will have to be reported immediately as per the escalation matrix, which will be prepared during go-live.
- Initiation of prompt corrective countermeasures to stop/ prevent attacks as per predetermined procedures.
- Complete analysis and correlation of logs from all the devices/ solutions/ applications under scope.
- Carrying out due forensic activities to identify the origin of a threat, the mitigation steps and the measures to prevent recurrence.
- Preparation of daily, weekly and monthly reports summarizing the list of incidents, security advisories, vulnerability management and other security recommendations. They should include operations trend analysis, with reports correlating present and past data.
- The bidder needs to connect the SOC to the Bank's DC and DR using links of adequate bandwidth. The network equipment at the Bank's end and at the SOC end will be arranged by the bidder. The monitoring and uptime of the link will also be the bidder's responsibility. The space and infrastructure at the SOC for installing the equipment, such as WAN cabling, LAN cabling, power, etc., should be provided by the bidder at no additional cost to the Bank.
- The bidder's SOC would deploy problem management, change management, a trouble ticket system and an escalation workflow as per ISO 27001 standards.
- The bidder should ensure that the SIEM (Security Information and Event Management) manager used in the SOC is always up to date in terms of SIEM tool product releases, version upgrades, patches and service packs.
- Log Correlation: the logs generated by devices (say a firewall) and by the switch, NIDS, server, HIDS and the various applications should be related to each other to establish the exact threat/ vulnerability and the level of access obtained by the user, i.e. up to which layer the user/ unauthorized user has reached.

3.2.2 PRIVILEGED IDENTITY MANAGEMENT (PIM)
The bidder is expected to provide the following solution/ services. The PIM solution/ service shall be deployed by the bidder at the Bank's DC and DR sites on a service model; however, the admin control of the PIM solution/ service shall be with the Bank team.

Solution Implementation:
- Implement the solution/ service for the devices/ administrators identified by the Bank.

Training:
- Provide training to the identified Bank personnel/ team on the solution/ services functionality to be provided, before the implementation of the solution.

- Provide hands-on training to the Bank personnel/ team on PIM operations, post implementation.

Solution Integration:
- Integrate PIM with the SIEM to generate alerts for any PIM violations and provide a dashboard view of the same.

Monitoring:
- Monitor events from PIM and take appropriate action on an on-going basis.
- Improve the configured policies on an on-going basis to reduce the occurrence of false positives.

The devices in scope for the PIM solution are the same as those mentioned in the SIEM scope section. The total number of administrators for these devices/ servers is around 100 (however, the bidder is required to assess the number of administrators before delivery of the solution). The solution should be scalable to cover administrators added in future during the contract period, without extra cost to the Bank.

Note: Before the delivery of the solution, the bidder is required to study the Bank environment and identify any additional Security & Network Devices, Servers, Software, Databases and applications that need to be covered by the PIM solution and monitored by the SIEM, and submit a report on the same to the Bank. Any new Security & Network Devices, Servers, Software, Databases and applications introduced into the Bank environment during the contract period should also be covered and monitored, and the bidder shall integrate the same with the SIEM at no extra cost to the Bank.

3.2.3 WEB APPLICATION FIREWALL (WAF)
The bidder is required to provide the following solution/ services. The WAF solution/ service shall be deployed by the bidder at the Bank's DC and DR sites on a service model; however, the admin control of the WAF solution/ service shall be with the Bank team.

Solution Implementation:
- Deploy the WAF for the in-scope web applications identified by the Bank.
- Configure the policies.

Training:
- Provide training to the identified Bank personnel/ team on the solution/ service architecture and the functionality to be provided, before the implementation of the solution.
- Provide hands-on training to the Bank personnel/ team on WAF policy configuration, alert monitoring, etc., post implementation.

Solution Integration:
- Integrate the WAF solution/ service with the SIEM solution/ service to provide a single view of the events generated.

Monitoring:
-  Monitor events from the WAF and take appropriate action on an on-going basis.
- Improve the configured policies on an on-going basis to reduce the occurrence of false positives.
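What "configure the policies", "reduce the occurrence of false positives" and "integrate the WAF with the SIEM" amount to for one application is shown by the added example below; it is not part of the RFP and not the code of any WAF product. It models a positive (allow-list) policy for an assumed Internet Banking login endpoint, a small negative signature set, a monitor mode for use while a policy is being tuned, and a tuning exception scoped to one parameter of one path so that a free-text field does not trip a comment-marker signature while the same signature keeps firing everywhere else. The paths, parameter names, patterns and the CEF event layout are assumptions; the requests are constructed.

```python
"""Added example: a minimal WAF policy with positive model, negative signatures,
monitor/block mode and a scoped tuning exception, emitting CEF for the SIEM.
Not part of the RFP or any vendor's product; paths, fields and rules are assumed."""
import re
from urllib.parse import parse_qs

# Positive model for the assumed login endpoint: only these parameters, each matching
# its pattern, are accepted. Anything else on this path is a policy violation.
POSITIVE_POLICY = {
    "/ib/login": {
        "userid": re.compile(r"^[A-Za-z0-9._-]{4,32}$"),
        "password": re.compile(r"^.{8,64}$"),
        "otp": re.compile(r"^\d{6}$"),
    },
}

# Negative signatures applied to every parameter of every request (illustrative set).
SIGNATURES = [
    ("sqli_tautology", re.compile(r"(?i)'\s*(or|and)\s+['\d]")),
    ("sqli_comment", re.compile(r"(--|/\*|#)\s*$")),
    ("xss_tag", re.compile(r"(?i)<\s*script")),
    ("path_traversal", re.compile(r"\.\./")),
]

# Tuning: a free-text field where one signature is known to fire on legitimate input.
# Keyed by (path, parameter) so the exception does not blind the WAF anywhere else.
EXCEPTIONS = {("/ib/feedback", "comment"): {"sqli_comment"}}


def to_cef(path, src_ip, action, reasons):
    """Format the decision as a CEF line so the SIEM ingests it with the other sources."""
    severity = 8 if action == "block" else 5
    return (f"CEF:0|ExampleWAF|waf|1.0|{reasons[0].split(':')[0]}|WAF policy violation|"
            f"{severity}|src={src_ip} request={path} act={action} reason={';'.join(reasons)}")


def inspect(path, body, src_ip="203.0.113.10", mode="block"):
    """Decide on a form-encoded POST body: 'allow', 'block', or 'log' (monitor mode,
    used while a new policy is tuned so false positives surface without blocking)."""
    params = parse_qs(body, keep_blank_values=True)
    reasons = []
    allowed = POSITIVE_POLICY.get(path)
    for name, values in params.items():
        for value in values:
            if allowed is not None:
                if name not in allowed:
                    reasons.append(f"unknown_param:{name}")
                elif not allowed[name].match(value):
                    reasons.append(f"bad_value:{name}")
            skip = EXCEPTIONS.get((path, name), set())
            for sig_name, pattern in SIGNATURES:
                if sig_name not in skip and pattern.search(value):
                    reasons.append(f"{sig_name}:{name}")
    if not reasons:
        action = "allow"
    else:
        action = "block" if mode == "block" else "log"
    return {"action": action, "reasons": reasons,
            "siem_event": to_cef(path, src_ip, action, reasons) if reasons else None}


if __name__ == "__main__":
    # constructed requests: a normal login, an injection attempt, a benign comment
    # ending in "--", and a script tag in a name field
    print(inspect("/ib/login", "userid=cust1234&password=S3cret%21pass&otp=123456"))
    print(inspect("/ib/login", "userid=admin'+OR+'1'%3D'1&password=x"))
    print(inspect("/ib/feedback", "name=Rajan&comment=Will+call+again+--"))
    print(inspect("/ib/feedback", "name=%3Cscript%3Ealert(1)%3C/script%3E&comment=hi"))
```

The injection attempt is blocked twice over: the positive model rejects the user-id on shape alone, and the tautology signature confirms why, which is the reason a positive model is the stronger control for a fixed-format endpoint such as login. The feedback form shows the tuning loop the RFP asks for: the comment trips the comment-marker signature, the scoped exception lets it through, and the script tag in the name field is still blocked because the exception covers one parameter, not the path.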

Below is the list of applications to be covered by the WAF. The WAF should be scalable to handle up to 1000 HTTPS transactions per second and 100 Mbps of throughput.

WAF Requirements (at the Bank's premises, DC and DR)
Sr. No | Application
1 | Internet Banking
2 | Mobile Banking
3 | Email
4 | Intranet Portal
5 | FI Web Application

Note: Before the delivery of the solution, the bidder is required to study the Bank environment and identify any additional applications that need to be covered by the WAF, and submit a report on the same to the Bank. Any new applications launched in the Bank environment during the contract period should also be covered by the WAF, and the bidder shall integrate the same with the WAF at no extra cost to the Bank.

3.2.4 ANTI-PHISHING, ANTI-TROJAN AND ANTI-MALWARE SCANNING SERVICES
The bidder is required to perform the following activities:
- 24x7 scanning of critical websites and mobile apps (identified by the Bank) for the anti-phishing, anti-trojan and anti-malware service. The Bank may also ask the vendor to scan websites and mobile apps launched by the Bank in future, and the same are to be scanned without any cost to the Bank.
- Continuous updates to the Bank as per the SLA section of this RFP.
- Initiate response as per the Bank's request.
- Perform forensic analysis as and when required.
- Takedown of websites and mobile apps as per the Bank's request.
- A dashboard view of the risks and threats identified through the anti-phishing and threat intelligence services is to be presented to the Bank, and the Bank should be provided with appropriate online access to the dashboards.
- Monitoring all major mobile app marketplaces for counterfeit or copycat apps, or apps infringing trademarks, linking to pirated content, attempting phishing attacks or distributing malware.
- Prompt submission of enforcement notices for the removal of rogue or infringing apps.
- Forensics to identify the origin of threats, mitigation thereof, and initiation of measures to prevent recurrence.
- 24X7 malware scanning of the Internet banking and corporate websites, WAN and other networks, and points of entry. Malware scanning includes anti-trojan activities also.

Below is the list of websites and mobile apps for which the Bank requires anti-phishing, anti-malware and anti-trojan services as per the technical requirements:

Anti-Phishing Services Requirements
S. No | Website/ Mobile App
1 | www.psbindia.com
2 | www.psbonline.co.in
3 | https://www.psbmobile.com/mpaypsbwap/psb
4 | PSB Mobile Banking App
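One concrete piece of the anti-phishing monitoring for the sites listed above is watching new domain registrations for names that imitate them. The added example below (not part of the RFP and not any anti-phishing vendor's tooling) generates the single-edit typosquat variants a squatter would register for each protected label, checks a registration feed against them, falls back to edit distance for two-character variations, and separately flags names that combine the brand token with a lure word. The protected domains are those in the RFP's table; the homoglyph table, lure-word list, public-suffix list and the registration feed itself are constructed assumptions.

```python
"""Added example: flagging newly registered domains that imitate the Bank's sites.
Not part of the RFP or any vendor's tooling; the feed, homoglyph table, lure words and
suffix list are constructed assumptions. The protected domains are from the RFP."""

PROTECTED = ["psbindia.com", "psbonline.co.in", "psbmobile.com"]
BRAND_TOKEN = "psb"
LURE_WORDS = {"login", "secure", "verify", "update", "kyc", "otp", "netbanking"}
HOMOGLYPHS = {"i": "1l", "l": "1i", "o": "0", "b": "d", "m": "rn", "s": "5"}
# Public suffixes handled here; longest first so '.co.in' is matched before '.in'.
SUFFIXES = sorted(["com", "in", "co.in", "net", "org", "info"], key=len, reverse=True)


def split_domain(domain):
    """Return (everything left of the public suffix, public suffix), lower-cased."""
    domain = domain.lower().rstrip(".")
    for suf in SUFFIXES:
        if domain.endswith("." + suf):
            return domain[: -len(suf) - 1], suf
    label, _, suf = domain.rpartition(".")
    return label, suf


def typosquat_variants(label):
    """Single-edit variants a squatter would register: omission, repetition,
    transposition, hyphenation and homoglyph substitution."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i] + ch + label[i:])                      # repetition
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            out.add(label[:i + 1] + "-" + label[i + 1:])         # hyphenation
        for g in HOMOGLYPHS.get(ch, ""):
            out.add(label[:i] + g + label[i + 1:])               # homoglyph
    out.discard(label)
    return out


def levenshtein(a, b):
    """Edit distance, used to catch two-character variations the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate):
    """Return (verdict, protected domain it imitates) or None if not of interest."""
    candidate = candidate.lower()
    if candidate in PROTECTED:
        return None
    label, suffix = split_domain(candidate)
    for brand in PROTECTED:
        blabel, bsuffix = split_domain(brand)
        if label == blabel and suffix != bsuffix:
            return ("tld-swap", brand)
        if label in typosquat_variants(blabel):
            return ("typosquat", brand)
    registrable = label.rsplit(".", 1)[-1]   # rightmost label left of the suffix
    for brand in PROTECTED:
        if levenshtein(registrable, split_domain(brand)[0]) <= 2:
            return ("similar", brand)
    if BRAND_TOKEN in candidate and any(w in candidate for w in LURE_WORDS):
        return ("brand-abuse", BRAND_TOKEN)
    return None


def scan_feed(new_registrations):
    """Run the checks over a day's registration feed; returns only the hits."""
    hits = {}
    for domain in new_registrations:
        verdict = classify(domain)
        if verdict:
            hits[domain] = verdict
    return hits


# Constructed feed standing in for a new-domain-registration watch list.
FEED = ["psbindla.com", "psbindia.net", "pbsindia.com", "psbmobi1e.com",
        "psbindia-kyc-update.com", "psbonline.co.in.secure-update.net",
        "example.com", "mybank.co.in"]

if __name__ == "__main__":
    for domain, (verdict, brand) in scan_feed(FEED).items():
        print(f"{verdict:12} {domain:40} imitates {brand}")
```

The public-suffix handling matters for the Bank's own list: `psbonline.co.in` must be split as `psbonline` + `co.in`, or every `.in` registration would compare against the wrong label. The brand-abuse rule is what catches the common phishing pattern of burying the real domain inside a longer hostname on an unrelated registration, which neither the variant generator nor edit distance sees.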

The vendor shall proactively monitor the Bank's sites for any phishing attempts and advise the Bank about the incident with details. Services shall include the following:
- Protecting the websites from phishing and alerting the Bank authorities concerned immediately if the Bank's brand/ logo is targeted in phishing attacks. Upon detection, the solution provider shall work to shut down the phishing site and submit a report to the Bank.
- Rapid response to phishing attacks.
- Tracking the hosting of phishing sites through digital watermarks.
- Tracking new domain name registrations to detect any spoofed or similar site being registered; this includes brand abuse too.
- Monitoring spam traps.
- Monitoring anti-phishing forums.
- Website analysis.
- Initiating takedown of the phishing sites/ mailboxes.
- Feeding an adequate number of wrong user-ids/ passwords into the phishing site through automated tools.
- Analyzing web server logs and application logs to track the phisher's identity.
- Analyzing application logs to identify phisher-initiated transactions.
- Benchmarking the Bank's website and suggesting the controls required to minimize the impact of phishing attacks.
- Assisting the Bank in coordination with law enforcement, regulatory, statutory and other agencies such as CERT-In, the Banking Ombudsman, RBI, NPCI, MoF, IBA, CERSAI and UIDAI.
- Providing alerts on detection of phishing sites, and a daily status report on the phishing sites detected and the action taken.
- Providing anti-rogue services that detect and shut down rogue mobile apps on mobile app stores and the Internet.
- An online dashboard for the anti-phishing and anti-rogue services.
- Forensics to identify the origin of threats, mitigation thereof, and initiation of measures to prevent recurrence.

Phishing Site Takedown Services
- The bidder shall bring down the detected phishing site and deactivate the site at the earliest.
- Keep track of each site brought down, for reactivation, for at least 2 months.
- Reactivated sites are to be brought down without any additional charges during this period of 2 months.
- Provide reports on the takedown activities and the status of the phishing site on a daily basis.
- Report on phishing trends in India and across the globe.

3.2.5 FORENSIC INVESTIGATION
- The vendor shall address the challenges and risks of doing business in today's environment and assist in dealing with the complex issues of fraud, regulatory compliance and business disputes, which can detract from efforts to achieve the Bank's potential. Better management of fraud risk and compliance exposure is a critical business priority.

- The vendor shall provide effective remedial solutions to the intricacies related to forensic investigation of crime of any type and assist in the proper dispensation of justice, for at least 12 incidents in a year.
- The bidder shall have the skill sets to provide fraud investigation on the Bank's IT infrastructure and banking-related processes.
- Coordinate with the IT team and help them contain the attack and restore services.
- The vendor shall facilitate the Bank in the investigation of IT frauds and in mitigation measures for the same.

3.2.6 OTHER SECURITY SERVICES
Security Intelligence Services
- The bidder shall regularly track and advise the Bank about new global security threats and vulnerabilities. The advisories shall be customized to suit the Bank's information security infrastructure. The bidder shall advise upgrades/ changes in the security infrastructure of the Bank against evolving threats and responsibilities. The onsite team shall track the impact of new vulnerabilities and threats on the Bank's assets.
- The bidder should advise on and coordinate the implementation of controls to mitigate new threats.
- The bidder or its onsite team shall ensure the adequacy, appropriateness and currency of the various policies and guidelines in place, and shall provide information security consultancy for newer technology deployment for new and existing applications and products.
- The onsite team shall track and support the implementation and coordinate the closure of vulnerabilities on the assets that are affected. The bidder shall provide a security dashboard for an online view of the global vulnerabilities and threats applicable to the Bank's environment, the number of assets affected and the status of mitigation.
- The bidder shall guide and advise the Bank w.r.t. any change required in the existing infrastructure of the Bank for deployment of new applications and services which can have security implications for the Bank, such as changing a rule in a firewall, router, IPS or IDS, or application/ server configurations.
- The bidder shall enable the Bank to participate in the Cyber Security Mock Drill and Cyber Security Assessment conducted by the Ministry of Finance/ CERT-In as and when required by them, with no extra cost to the Bank. The bidder shall provide the mock drill environment and also implement the recommendations of such drills/ assessments to improve the cyber security posture of the Bank.
- The SOC team shall identify evolving vulnerabilities and threats to the IT infrastructure assets deployed in the Bank. This includes:
  o Top global attack sources
  o Top global attack targets
  o New vulnerabilities and advisories
  o New attack vectors
  o Worm & virus outbreaks
- The vendor SOC should have access to and track leading security databases, including but not limited to:
  o NIST, OEM sites corresponding to the Bank's assets & platforms, CERT-In, OWASP, OVAL, CVE, anti-virus vendors, the National Vulnerability Database, SANS

  o The vendor should also consider inputs from within the Bank network as discovered through monitoring and the vulnerability management service from time to time.
- The vendor should provide countermeasures, patches and recommended workarounds to remediate vulnerabilities as and when they are discovered.

Security Advisory Services
- The vendor should regularly track and advise the Bank about new global security threats and vulnerabilities.
- The advisories should be customized to suit the Bank's security infrastructure. Advise upgrades/ changes in the security infrastructure of the Bank against evolving threats and responsibilities.
- The bidder shall provide Risk Assessment Services to the Bank.
- The vendor shall assist the Bank in the formulation and review of various policies and plans, such as the IT Security Policy, BCP-DR Plan, Cyber Fraud Policy, Digital Evidence Policy, Migration Policy, Biometric Policy, MDM Policy, Hardening Policy and IS Audit Policy. The vendor shall also assist the Bank in developing the necessary procedures for the same.
- The vendor shall carry out vulnerability scanning before deployment of an application or module and prepare a standard checklist for compliance.
- Assess the current environment and set up a baseline security level for all applications.
- Drive the implementation of the baseline security for all applications - Ensure that the baseline is maintained on an ongoing basis and hence applications are secured against all risks at any point in time - Ensure that new applications of bank rolled out with appropriate security baseline - Review of Policies, Guidelines, Business Continuity Plan, Disaster Recovery Plan, IS Audit Reports: o Regular review of Information Security Policy and Information Security Guidelines, Business Continuity Plan, Disaster Recovery Review Plan, and other related documents like Data Centre Operations Manual and suggesting, vetting, incorporating necessary changes commensurate with the security, operational, and technology risks. o Evaluation of Information Security related audit observations of the bank and facilitating the rectification thereof. - Bidder would conduct security awareness training (not certification training) for Bank nominated persons once in a quarter. The Bank will arrange the training facility, computers, stationeries, projectors etc. This training program would be a classroom session only and would cover a precirculated training agenda on the e-security technology. The training can also be through Video Conferencing and/or Webinar to cover all Branch, Zone, Other Office staffs/ vendors. - The vendor shall assist the Bank in planning, execution, and implementation of information security related initiatives/projects/programs in the Bank. - The vendor shall assist the Bank in development/review, monitoring, testing, and implementation of BC and DR Planning. - The vendor shall participate in the periodic DC-DR Drill activity of the Bank and suggest and assist in implementation of enhancements in the DC-DR Drill process. - For any new applications rollout by the Bank, the vendor shall do network requirement assessment and advise the Bank. Page 3 of 72

Risk Assessment Services
- The vendor shall conduct periodic IT Risk Assessment and ensure adequate, effective and tested controls for people, processes and technology to enhance Information Security.
- The vendor shall conduct IT Risk Assessment of new products and services.
- The vendor shall review the change management requests related to IT Security Activities/ Access Permission and report to the Bank the resulting threat perception in the Bank environment.
- The vendor shall review the information security incidents and activities across the Bank.
- The Risk Assessment services should be undertaken to assess the Bank's security threats and risks.
- Provide risk assessment and recommendations on a periodic basis as required to mitigate risks.
- Provide risk assessment, designs and recommendations for integration of the security devices with the network components/ authentication systems to strengthen the overall security posture of the Bank.
- Provide risk assessment and mitigating measures in respect of:
  o integrating various systems in the Bank's environment
  o integrating third parties through extranets
  o outsourcing arrangements
- Design and update Risk Assessment templates on platforms, infrastructure integration, application security assessment, vulnerability assessment, outsourcing, processes, people etc.
- Vendor should devise a Risk Assessment methodology covering value of asset, threat, probability of occurrence of the threat, impact of the threat etc. in consultation with the Bank.
- Assist in implementing various guidelines like RBI Guidelines on Cyber Security, Electronic Banking etc., and guidelines of other agencies like UIDAI, NPCI, IBA, MoF, CERT-In etc.
- Provide the Bank with a root cause analysis of downtime due to faults and security events, including preventive measures being taken to prevent future similar incidents and outages.
- Participate in technical and business planning sessions to establish security standards, architecture and project initiatives, to improve the design from an information security standpoint and provide recommendations.
- Vendor should ensure continuous training and best practice updates for the onsite team and Bank team from its backend resources.

Monitoring, Reporting and Security Dashboard:
Under these services the Bidder must provide an application/ online portal to maintain an online repository that lists the existing and emerging risks with respect to IT infrastructure assets of the Bank and has the following features:
- Security dashboard should provide the status of security across the IT infrastructure.
- Security dashboard should also contain a comprehensive baseline of risks across the IT infrastructure:
  o Security Advisories.
  o Proactive alerts and alarms.
  o Unified HTTPS portal for Trouble Ticket Management & Escalation Workflow.
  o Unified HTTPS portal for the security events reports, device reports and Monthly Analysis Reports.
- Security dashboard should provide various reports such as the following, which the Bank needs to submit/ report to the regulatory, statutory and other relevant agencies on a periodic basis:
  o Information security events report for events which occur during the period. An information security event is an identified occurrence of a system, service or network state, indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
  o Frequency of Information Security Incidents: total number of information security incidents during the period. An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
  o Number of information security incidents pertaining to RBI-owned payment and settlement systems (RTGS, NEFT) during the period.
  o Number of instances during the period where the Bank's systems were subject to unauthorized access, including instances of password sharing (successful or unsuccessful) by the Bank's employees and contractors, from within the Bank or outside Bank premises.
Note: The vendor shall provide new reports and customize existing reports as per RBI, MoF, NPCI, IBA, UIDAI, GOI, Bank's etc. requirements, without any cost to the Bank.
Since the Bank is looking to obtain many services, it will be difficult to track the activities and important alerts and reports from all these services. Moreover, since most of these services are interrelated, correlated information will help the Bank in taking important decisions. The Bidder shall provide a unified portal that will meet this requirement.

Security Service Desk System
Service desk should be configured, maintained and updated to record all agreed upon SLA breaches. The Bank should be able to generate reports to validate the service availability through a comprehensive web-based portal (dashboard). The portal shall be accessed by Bank users with individual login credentials.

3.3 General Responsibilities of the Service/ Solution Provider

3.3.1 Training
Pre-Implementation: Provide training to the identified Bank personnel/ team on the solution/ service architecture, functionality and the design for each solution/ service under the scope of this RFP.
Post Implementation: Provide hands-on training to the Bank personnel/ team on SIEM operations, alert monitoring, policy configuration for all solutions/ services etc.

3.3.2 Implementation & Integration
Implementation of the specified solutions/ services required by the Bank as per the technical requirements of the solutions/ services which are detailed in the RFP.

20 days before implementation of the solutions/ services, the bidder is required to review the Bank environment and specify any additional requirements that the Bank may need to provide for the implementation of the solutions/ services.
The bidder is responsible to ensure that the solutions/ services comply with the Bank's information security policies and industry leading latest standards (such as ISO 27001 etc.) and any applicable laws and regulations.
The solutions/ services proposed should be provided for a minimum of 5 years.
SIEM solution/ service to provide a single view of events generated.
Any interfaces required with existing applications, servers, devices and infrastructure within the Bank should be developed by the bidder (at no cost to the Bank) for successful implementation of the SOC Services/ Solution as per the defined scope of work for the Bank.
The bidder shall be responsible for timely compliance with IS Audit observations from audits conducted by the Bank through its Internal Audit team and third party Audit agency.
The primary responsibility for integration of solutions/ services with the Bank's existing SI/ vendors lies with the SI selected through this RFP. The selected bidder shall liaise with the existing System Integrator and various vendors of the Bank.
Development and implementation of processes for management and operation of the SOC including (but not limited to) the following processes:
- Incident and Escalation management processes
- Daily standard operating procedures
- Training procedures and material
- Reporting metrics and continuous improvement procedures
- Data retention and disposal procedures
- BCP and DR plan and procedures for SOC
The technical bid should include an overview of the processes mentioned above.
Develop an Escalation Matrix in order to handle Information Security Incidents efficiently.
Provide necessary documentation for the operation, integration, customization and training of each of the solutions in scope.

3.3.3 Monitoring
The bidder should monitor SOC Services/ Solutions and events from each solution/ service and device already present in the Bank's environment on a 24x7x365 basis and suggest and take appropriate action on an on-going basis.

3.3.4 Continuous Improvement
Improve the policies configured on an on-going basis to reduce the occurrence of false positives.

3.3.5 Solution/ Service Acceptance
The Bank/ appointed consultant in coordination with the bidder shall conduct an Acceptance test wherein the bidder has to demonstrate the implementation of the solution as per the requirements of the Bank as per this RFP. The bidder shall submit the detailed reports of the test outcomes to the Bank.

3.3.6 SLA Compliance
The bidder shall ensure compliance with SLAs as defined in the RFP.

3.3.7 Business continuity
The bidder is responsible for defining a DR/ BCP plan for the Bank and the SOC operations and also ensures that periodic tests are conducted as per the testing calendar of the Bank.

3.3.8 Period of Contract
Bidder is required to provide the services for a period of 5 years. Post completion of the contract or in the event of early termination, the bidder should provide support for transition of the services to the nominated members of the Bank and/or to a third party vendor nominated by the Bank.
The bidders are expected to provide technical and commercial proposals in accordance with the terms and conditions contained herein. Evaluation criteria, evaluation of the responses to the RFP and subsequent selection of the successful bidder will be based entirely on the Bank's discretion. Its decision shall be final and no correspondence about the decision shall be entertained.

CHAPTER 4 SERVICE LEVEL AGREEMENT AND PENALTIES
The vendor needs to execute a Service Level Agreement with the Bank covering all terms and conditions of this tender. Vendors need to strictly adhere to Service Level Agreements (SLA). Services delivered by the vendor should comply with the SLA mentioned in the table below. The vendor should generate SLA reports for tracking the delivery of services. SLA will be reviewed on a quarterly basis and, based on the review, payments for the services will be made. The SLA reports should be integrated with the dashboards, thus enabling the Bank to continuously track the SLA. SLA violations will attract penalties as per the terms of the RFP.

S N / Service Area / SLA / Penalty

1. 24x7 Security Log Monitoring Services of in-scope devices and applications (SIEM service)
SLA:
- 24x7 monitoring of security events to detect all internal & external attacks and raise alerts for any suspicious events
- Incident initial response should be initiated: a) within 15 minutes for very high and high priority incidents; b) within 30 minutes for medium priority incidents; c) within 60 minutes for low priority alerts
- Closure of raised alerts: a) within 15 minutes for very high and high priority events; b) within 30 minutes for medium priority events; c) within 60 minutes for low priority alerts
- Revision of log baseline should be completed and, after verification by a Bank official, published on the dashboard before the 15th of the subsequent month on a quarterly basis
- Review of logs & monitoring of access to assets by all users should be completed and, after verification by a Bank official, published on the dashboard before the 15th of the subsequent month on a quarterly basis
- Agreed/ customizable daily & monthly reports should be submitted on the next day and by the 7th of the subsequent month respectively
- Review of rule base and signatures of in-scope security devices should be submitted by the 15th of the subsequent month on a quarterly basis
- Review of audit logs should be completed and, after verification by a Bank official, published on the dashboard before the 07th of the subsequent month on a quarterly basis
Penalty: The penalty for breach of SLA will be as follows:
- Very high and high priority incidents: @ Rs. 1,00,0000/ instance
- Medium priority incidents: @ Rs. 50,000/ instance
- Low priority alerts: @ Rs. 20,000/ instance
- Delay of monthly/ quarterly report: @ Rs. 20,000/ instance

2. 24x7 PIM Services
SLA:
- 24x7 monitoring of all events and raising alerts for any suspicious events
- Incident initial response should be initiated: a) within 15 minutes for very high and high priority incidents; b) within 30 minutes for medium priority incidents; c) within 60 minutes for low priority alerts
- Closure of raised alerts: a) within 15 minutes for very high and high priority events; b) within 30 minutes for medium priority events; c) within 60 minutes for low priority alerts
- Review of logs & monitoring of access to assets by all users should be completed and, after verification by a Bank official, published on the dashboard before the 15th of the subsequent month on a quarterly basis
- Agreed/ customizable daily & monthly reports should be submitted on the next day and by the 7th of the subsequent month respectively
- Review of audit logs should be completed and, after verification by a Bank official, published on the dashboard before the 07th of the subsequent month on a quarterly basis
Penalty: The penalty for breach of SLA will be as follows:
- Very high and high priority incidents: @ Rs. 1,00,000/ instance
- Medium priority incidents: @ Rs. 30,000/ instance
- Low priority alerts: @ Rs. 20,000/ instance
- Delay of monthly/ quarterly report: @ Rs. 20,000/ instance

3. 24x7 WAF Services
SLA:
- 24x7 monitoring of all events and raising alerts for any suspicious events
- Incident initial response should be initiated: a) within 15 minutes for very high and high priority incidents; b) within 30 minutes for medium priority incidents; c) within 60 minutes for low priority alerts
- Closure of raised alerts: a) within 15 minutes for very high and high priority events; b) within 30 minutes for medium priority events; c) within 60 minutes for low priority alerts
- Review of logs & monitoring of access to assets by all users should be completed and, after verification by a Bank official, published on the dashboard before the 15th of the subsequent month on a quarterly basis
- Agreed/ customizable daily & monthly reports should be submitted on the next day and by the 7th of the subsequent month respectively
- Review of audit logs should be completed and, after verification by a Bank official, published on the dashboard before the 07th of the subsequent month on a quarterly basis
Penalty: The penalty for breach of SLA will be as follows:
- Very high and high priority incidents: @ Rs. 50,000/ instance
- Medium priority incidents: @ Rs. 30,000/ instance
- Low priority alerts: @ Rs. 20,000/ instance
- Delay of monthly/ quarterly report: @ Rs. 20,000/ instance

4. 24x7 Remote management of security devices supplied by vendor/ bidder
SLA:
- Review of rule base and signatures of in-scope security devices should be submitted by the 15th of the subsequent month on a quarterly basis
- Review of user accounts for the in-scope security devices should be completed and, after verification by a Bank official, published on the dashboard before the 15th of the subsequent month on a quarterly basis
- Configuration management and recovery testing reports should be completed and, after verification by a Bank official, published on the dashboard before the 07th of the subsequent month on a monthly basis
- Fault management report with full root cause analysis, supported by the OEM's observations/ recommendations, should be submitted within 7 days of closure of the ticket with the vendor
- Quarterly performance management reports should be completed and, after verification by a Bank official, published on the dashboard before the 07th of the subsequent month on a quarterly basis
- Risk Management reports for the in-scope security devices under the scope of MSS should be submitted by the 30th of the subsequent month on a half yearly basis
- Updated status of security metrics defined by the Bank should be completed and, after verification by a Bank official, published on the dashboard before the 07th of the subsequent month on a quarterly basis
- Review of audit logs should be completed and, after verification by a Bank official, published on the dashboard before the 07th of the subsequent month on a quarterly basis
Penalty:
- Delay of monthly/ quarterly report: @ Rs. 50,000/ instance

5. Anti-phishing Services
SLA:
- 24x7x365 monitoring
- The phishing alert should be raised for an in-circulation phishing email within 3 hours
- Benchmarking reports and suggested controls required to minimize impact from phishing attacks should be submitted and, after verification by a Bank official, published on the dashboard before the 31st of the subsequent month on a half yearly basis
Penalty:
- Takedown for a phishing URL/ Mobile App will be chargeable only if it is taken down within 10 hours of detection, and penalty will be charged @ Rs. 30,000/ hour of delay (after 10 hours)
- Delay of monthly/ quarterly report: @ Rs. 20,000/ instance

6. Anti Malware and Anti Trojan scanning Services
SLA:
- 24x7x365 monitoring
- Alert within 15 minutes for code injection attempts and attacks
- Initial remedial response within 30 minutes with action plan on locking/ containment/ recovery
- Resolution within 60 minutes
Penalty: The penalty for breach of SLA will be as follows:
- Alert within 15 minutes for code injection attempts and attacks: @ 50,000/ hour of delay for every instance
- Initial remedial response within 30 minutes with action plan on locking/ containment/ recovery: @ 50,000/ hour of delay for every instance
- Resolution within 60 minutes: @ 30,000/ hour of delay for every instance

7. Security Service Desk System
SLA:
- Report on SLA breaches generated by the security service desk system should be submitted on a quarterly basis before the 15th of the subsequent month
Penalty:
- Delay of monthly/ quarterly report: @ Rs. 1,00,000/ week

7. Security Dashboard
SLA:
- Uptime for Security dashboard should be 95% on a monthly basis (24x7 basis)
- SLA reports as agreed upon by the Bank should be generated on daily/ monthly/ quarterly frequency on the next day/ 15th of the subsequent month/ 15th of the subsequent month respectively
Penalty: The penalty for breach of SLA will be as follows:
- Uptime for Security dashboard should be 95% on a monthly basis (24x7 basis): @ 1,00,000 per quarter
- Delay of monthly/ quarterly report: @ Rs. 50,000/ week

8. Continual Improvement
SLA:
- The bidder/ vendor is expected to improve the operations on an ongoing basis
- The SI is expected to provide a quarterly report of the new improvements suggested, action plans, and the status of these improvements to the Bank
- Improvement areas could include: process changes/ training resulting in efficiency/ SLA improvement, new correlation rules to identify threat patterns etc.
Penalty:
- Quarterly reports need to be provided by the 5th day of each quarter beginning
- Delay of monthly/ quarterly report: @ Rs. 50,000/ week

9. Periodic Review
SLA:
- The bidder/ vendor is expected to conduct a monthly review meeting with Bank officials resulting in a report covering details about current SOC SLAs, status of operations, key threats and new threats identified, issues and challenges etc.
Penalty:
- Monthly meeting to be conducted on the 25th (tentatively) of each month
- A delay of more than three days will incur a penalty @ 30,000/- per day

10. Security Intelligence
SLA:
- Advisories within 12 hours of vulnerability disclosure/ global threat detection
- Initiation & resolution of remedial/ mitigatory measures to thwart such security vulnerabilities within 2 hours
Penalty:
- A delay of more than 2 hours will incur a penalty @ 50,000/- per 2 hours

11. Implementation timeline penalty
SLA:
- Schedule of implementation/ delivery mentioned in chapter 7 (Project timeline) of this RFP document
Penalty:
- For any delay beyond the timelines mentioned, the Bank reserves the right to charge a penalty at the rate of 0.5% of the cost of the Contract price of the delayed/ undelivered services per week, subject to a maximum of 10% of the Total Cost of the Contract price of the service.

The connotation of Very High, High and Medium priority referred to in this SLA is as under:

Very High Priority - System Down. System is not operational. Some examples of very high priority calls include: system hang (unable to save work in progress); system functionality failure causes data losses or renders system unusable; functionality failure renders system ineffective; system malfunction causes mission-critical applications to restart, hang, or suspend; a security breach vulnerability is identified.

High Priority - System Impaired. System is not operating with full capability but is still operational. Some examples of high priority calls include: impaired or broken functionality with significant impact to applications; frequent application failure, but no data loss; serious but predictable management system failure; significant system performance degradation.

Medium Priority - System Operation Normal. System is up and running with limited or no significant impacts. Some examples of medium priority calls include: bugs which cause limited or no direct impact to performance and functionality; request to replace a bug or a work-around; limited impact defective functionality; system performance support questions and issues.

CHAPTER 5 PROJECT TEAM STRUCTURE
All team resources included in the implementation should be on the payroll of the SI or OEM. OEMs shall provide on-site resources for their respective solutions during the implementation phase in case the bidder is not able to resolve the Bank's queries/ delays in implementation, or as necessitated by the Bank.

5.1 Manpower Resource Allocation for the Project
- At least four resources should be allocated for Punjab & Sind Bank for the full project contract duration as Security Analysts. They should have professional qualifications like CISSP/ CEH/ CCSP/ CISA/ CISM or be OEM Certified for the product/ solution. Resume/ CV for each of these members should be provided to the Bank. They should have experience in a Bank/ Financial Institution for SOC implementation of at least 1 year each, with the Services/ Solutions mentioned in the RFP. The vendor shall submit proof of the experience.
- The service provider shall depute one Security Analyst at the Bank's premises for the project during the contract period. He/ she should have professional qualifications like CISSP/ CEH/ CCSP/ CISA/ CISM security or be OEM Certified for the product/ solution. Resume/ CV should be provided to the Bank. He/ she should have experience in a Bank/ Financial Institution for SOC implementation of at least 3 years, with the Services/ Solutions mentioned in the RFP. The vendor shall submit proof of the experience.

5.2 Roles & Responsibilities

Vendor Project Sponsor
A senior management member from the vendor shall be identified as the Project Sponsor; her or his responsibilities are outlined below:
- Primarily accountable for successful implementation of the project as per the scope of the RFP and also timelines.
- Act to remove critical project bottlenecks.
- Liaison with the Bank's SI and other vendors to remove the bottlenecks.
- Identification of working team members, manpower resource allocation, and team leads.
- Single point of contact for the Bank's senior management.

Team Lead
- Lead daily implementation effort.
- Report on progress to the Bank.
- Identify and report any risks to the Bank.
- Ensure implementation timelines are met to achieve the desired result.
- Monitor change management activities.
- Monitor quality and risk related activities.
- Identify and implement best practices in the Bank.
- Periodic reporting to the Bank on the status, issues/ challenges faced and how these are handled at other banks.
- Perform acceptance testing for each device/ solution/ service.

CHAPTER 6 PROJECT TIMELINES
Successful bidder is required to keep the following timelines in regard to the implementation of solutions/ services in the Bank. T denotes the date of release of PO to the Bidder. For example, T+3 represents that the solution needs to be implemented within 3 months of the release of the PO.

Project Completion Time line: Total 8 months

The schedule of activities towards completion of the project is given below:
- T: Purchase order
- T + 2 months: Anti-Phishing service availability
- T + 4 months: WAF service availability
- T + 6 months: PIM service availability
- T + 8 months: SIEM service availability
T = Date of purchase order

CHAPTER 7 EVALUATION METHODOLOGY
The Bank will open the technical bids on the stipulated day in the presence of authorized representatives of the bidders. The technical bid will be opened first and evaluated for technical requirements as per the stipulations.

(a) Technical Evaluation
The Bank will adopt bidder evaluation processes as detailed hereunder. As part of Technical Evaluation, Bank authorized representatives will visit the bidder's SOC. It will be the bidder's responsibility to demonstrate their compliance towards the technical specification and all services/ solutions mentioned in the RFP.
1. The technical response to the RFP and the bidder's compliance to the required terms & conditions and scope of specifications as specified in Annexure-IX will be evaluated. The technical response to the RFP needs to be substantiated by necessary documents, proofs, certificates, records etc.

(b) Commercial Evaluation
The Commercial Offer of only those bidders shall be opened who have scored a minimum of 70% in Technical Evaluation. Reverse auction shall also be conducted by the Bank. The Bank will open the commercial offer of all the technically qualified Bidders before the reverse auction process to arrive at the opening price (start price) for the Reverse Auction. However, there would be no compulsion on the part of the Bank to accept these prices as the Bench Mark for determining the Start Bid price, and the Bank may at its discretion use any other process/ methodology to determine the Start Bid Price without having to disclose the basis to the Bidders. All technically qualified Bidders would participate in the reverse auction through the e-tendering process. The bidder has to participate in the e-tendering process adopted by the Bank and comply with the procedure mentioned in the e-tendering process prescribed by the Vendor appointed by the Bank for e-tendering. The L1 bidder will be selected on the basis of the lowest Total Cost of Ownership (TCO) criteria.

No Negotiation
It is absolutely essential for the bidders to quote the lowest price at the time of making the offer, in their own interest. No Bidder shall contact the Bank on any matter relating to its offer from the time of offer opening to the time the Contract is awarded. Any effort by a bidder to influence the Bank in its decision on offer evaluation, comparison or contract award decisions may result in the rejection of the Bidder's offer.

ANNEXURE I - Tender Covering Letter

The Assistant General Manager - IT
Punjab & Sind Bank,
Bank House, 21, Rajendra Place,
New Delhi - 110008

Dear Sir,

Sub: Request for Proposal for Managed Security Services for Security Operation Centre - Tender Ref No. dated

With reference to the above RFP, having examined and understood the instructions including all annexures, terms and conditions forming part of the Bid, we hereby enclose our offer for the RFP for Managed Security Services for Security Operation Centre in the RFP document, forming Technical as well as Commercial Bids being parts of the above referred Bid.

In the event of our selection by the Bank for Managed Security Services for Security Operation Centre, we will submit a Performance Guarantee for a sum equivalent to 10% of the total cost of ownership on anticipated volume for five years, valid for a period of 66 months in favour of PUNJAB & SIND BANK, effective from the month of execution of the Service Level Agreement or successful go live, whichever is earlier.

Further, we agree to abide by the terms and conditions of this tender, and our offer shall remain valid for 180 days from the date of commercial bid opening and shall remain binding upon us, which may be accepted by the Bank any time before expiry of 180 days.

Until a formal contract is executed, this tender offer, together with the Bank's written acceptance thereof and the Bank's notification of award, shall constitute a binding contract between us.

We understand that the Bank is not bound to accept the lowest or any offer the Bank may receive.

We also certify that we have not been blacklisted by any PSU Bank/ IBA/ RBI during the last five years and also at the time of bid submission.

Dated this day of, 2016

Signature:
(In the Capacity of)

ANNEXURE II - Bidder's Information

The Assistant General Manager (IT)
Punjab & Sind Bank,
HO Information Technology Department,
Bank House, 2nd Floor, 21, Rajendra Place,
New Delhi - 110008

Sir,

Reg: RFP for Managed Security Services for Security Operation Centre

With reference to RFP No dated (read with its Addendums/ Corrigendum/ Amendments), we hereby submit the necessary information hereunder:

1. Name & address of the Company with direct phone numbers
2. Name of the company
3. Registration No. and date of establishment
4. Website Address
5. Email Address
6. Details of:
   - Description of business and business background
   - Service Profile & client profile
   - Domestic & International presence
   - Alliances and joint ventures
7. Details of Tender Fee and Earnest Money Deposited
8. Figures for the last 3 years (in Crores, with two decimals):
   Year / Annual Turnover / Profit
   2012-13
   2013-14
   2014-15
9. Income Tax PAN
10. Details of similar assignments executed by the bidder (Name of the Bank, time taken for execution of the assignment and documentary proofs from the Bank are to be furnished)
11. Details of inputs required by the bidder to execute the agreement
12. Details of the bidder's proposed methodology/ approach for providing services to the Bank with specific reference to the scope of work

DECLARATION
1. I/We hereby declare that the terms and conditions of the tender stated herein and as may be modified/ mutually agreed upon are acceptable and binding to me/us.

We understand and agree and undertake that:
1. The Bank is not bound to accept the lowest bid, and may reject all or any bid at any stage at its sole discretion without assigning any reason therefor.
2. If our Bid for the above job is accepted, we undertake to enter into and execute at our cost, when called upon by the Bank to do so, a contract in the prescribed form. Unless and until a formal contract is prepared and executed, this bid together with your written acceptance thereof shall constitute a binding contract between us.
3. We have read and understood all the terms and conditions and contents of the RFP and also undertake that our bid conforms to all the terms and conditions and does not contain any deviation or misrepresentation. We understand that the Bank reserves the right to reject our bid on account of any misrepresentation/ deviations contained in the bid.
4. The Bank may accept or entrust the entire work to one Bidder or divide the work among more than one bidder without assigning any reason or giving any explanation whatsoever, and the Bank's decision in this regard shall be final and binding on us.
5. If our bid is accepted, we are to be jointly and severally responsible for the due performance of the contract.
6. Bidder means the vendor who is decided and declared so after examination of commercial bids.

Name of person authorized to sign
Mobile No.
Email
Date:
Place:
SIGNATURE & STAMP OF AUTHORISED SIGNATORY

ANNEXURE III - Proforma for the Bank Guarantee for Earnest Money Deposit
(To be stamped in accordance with the Stamp Act)

Ref: Bank Guarantee # ______ Date: ______

Punjab & Sind Bank
Information Technology Department
21, Rajendra Place, Bank House,
New Delhi - 110008

Dear Sir,

In accordance with your bid reference No. ______ dated ______, M/s ______, having its registered office at ______ (hereinafter called "bidder"), wishes to participate in the said bid for Managed Security Services for Security Operation Centre. An irrevocable Financial Bank Guarantee (issued by a nationalized/scheduled commercial Bank) against Earnest Money Deposit amounting to Rs. ______ (Rupees ______) valid up to ______ is required to be submitted by the bidder as a condition for participation in the said bid, which amount is liable to be forfeited on the happening of any of the contingencies mentioned in the bid document.

M/s ______, having its registered office at ______, has, in pursuance of their offer dated ______ to Punjab & Sind Bank (hereinafter called "the beneficiary"), expressed its intention to participate in the said bid and in terms thereof has approached us and requested us, (Name of Bank) (Address of Bank), to issue an irrevocable financial Bank Guarantee against Earnest Money Deposit (EMD) amounting to Rs. ______ (Rupees ______) valid up to ______.

We, the (Name of Bank) (Address of Bank), having our Head Office at ______, therefore guarantee and undertake to pay immediately, on first written demand by Punjab & Sind Bank, the amount of Rs. ______ (Rupees ______) without any reservation, protest, demur or recourse, in case the bidder fails to comply with any condition of the bid or commits any violation of the terms of the bid, without the beneficiary needing to prove or demonstrate reasons for such demand. Any such demand made by the said beneficiary shall be conclusive and binding on us irrespective of any dispute or difference raised by the bidder.

This guarantee shall be irrevocable and shall remain valid up to ______. If any further extension of this Guarantee is required, the same shall be extended to such required period on receiving instructions in writing from Punjab & Sind Bank, on whose behalf the guarantee is issued.

"Notwithstanding anything contained hereinabove, our liability under this bank guarantee shall not exceed Rs. ______ (Rupees ______). This bank guarantee shall be valid up to ______. We are liable to pay the guaranteed amount or any part thereof under this bank guarantee only if you serve upon us a written claim or demand on or before ______, 14.30 hours (Indian Standard Time), whereafter it ceases to be in effect in all respects, whether or not the original bank guarantee is returned to us."

In witness whereof the Bank, through its authorized officer, has set its hand and stamp on this ______ day of ______ 2016 at ______.

Name of signatory: ______
Designation: ______
Bank Common Seal

ANNEXURE-IV Acceptance of Scope of Work
(On Bidder's letterhead, duly stamped and signed by the Authorized Signatory)

RFP Reference No.: ______ Date: ______

The Assistant General Manager-IT
Punjab & Sind Bank
Bank House, 21, Rajendra Place,
New Delhi - 110008

Dear Sir,

Reg: Request for Proposal for Managed Security Services for Security Operation Centre

We hereby undertake that we have read and understood the complete scope of work mentioned in Section 3 - Scope of Work and elsewhere in the said Tender Document (read with Addendums/Corrigendum and responses to queries). We further undertake that the cost per transaction includes the cost of all services mentioned in the document, and the Bank shall not be liable to pay any other/additional cost beyond what is quoted by us on account of any omission on our part to factor in the cost of any service whatsoever mentioned in the document. We further undertake that all desired clarifications, if any, have been obtained by us as to the interpretation of the Scope of Work. We undertake to comply with the complete Scope of Work mentioned in the tender document.

Yours faithfully,

(Signatures)
Authorized Signatory
Designation
Bidder's name

ANNEXURE-V Format of Performance Guarantee

Tender Reference No.: ______ Date: ______

The Assistant General Manager-IT
Punjab & Sind Bank, HO IT Department,
21, Rajendra Place,
New Delhi - 110008

Dear Sir,

1. WHEREAS pursuant to a Request for Proposal dated ______ (hereinafter referred to as "RFP") issued by Punjab & Sind Bank, Bank House, 21, Rajendra Place, New Delhi, in response of ______ (Vendor / Service Provider), a Company registered under the Companies Act, 1956 and having its Registered / Corporate Office at ______, the Bank has awarded the Contract valued at Rs. ______ and appointed ______ as Vendor / Service Provider for Managed Security Services for Security Operation Centre vide Appointment Letter / Purchase Order No. ______ dated ______, on the terms and conditions as set out inter alia in the said RFP and in the Appointment Letter / Purchase Order.

2. WHEREAS you have, in terms of the said Appointment Letter / Purchase Order, called upon ______ (Vendor / Service Provider) to furnish a Performance Guarantee for Rs. ______ (Rupees ______ only), equivalent to ______ of the Contract value, to be issued by a Bank in your favour towards due performance of the Contract in accordance with the specifications, terms and conditions of the said Appointment Letter / Purchase Order and an Agreement entered / to be entered into in this behalf.

3. WHEREAS ______ (Vendor / Service Provider) has approached us for issuing in your favour a Performance Guarantee for the sum of Rs. ______ (Rupees ______).

4. NOW THEREFORE, in consideration of you having awarded the Contract to ______ inter alia on the terms and conditions that ______ provides a performance guarantee for due performance of the terms and conditions thereof, we, ______ Bank, a body corporate constituted under ______, having its Head Office at ______ (give full address) and a branch inter alia at ______, India, at the request of ______ do hereby expressly, irrevocably and unconditionally undertake to pay merely on demand from you and without any demur, without referring to any other source, Rs. ______ (Rupees ______ only) against any loss or damage caused to or suffered by, or that may be caused to or suffered by, you on account of any breach or breaches on the part of ______ of any of the terms and conditions of the Contract, and in the event of ______ committing any default or defaults in carrying out any of the work or discharging any obligation under the said Contract or otherwise in the observance and performance of any of the terms and conditions relating thereto, including non-execution of the Agreement, as may be claimed by you on account of breach on the part of ______ of their obligations or default in terms of the said Appointment Letter / Purchase Order. Notwithstanding anything to the contrary contained herein or elsewhere, we agree that your decision as to whether ______ has committed any such breach, default or defaults and the amount or amounts to which you are entitled by reason thereof will be binding on us, and we shall not be entitled to ask you to establish your claim or claims under this Guarantee, but will pay the same forthwith on demand without any protest or demur. Any such demand made by you shall be conclusive as regards the amount due and payable by us to you.

5. This Guarantee shall be valid up to ______ plus 3 (three) months of claim period from the expiry of the said guarantee period, without prejudice to your claim or claims arisen and demanded from, or otherwise notified to, us in writing before the expiry of the said date, which will be enforceable against us notwithstanding that the same is or are enforced after the said date.

6. You will have the fullest liberty, without our consent and without affecting our liabilities under this Guarantee, from time to time to vary any of the terms and conditions of the said Appointment Letter or the Contract to be made pursuant thereto, or to extend the time of performance of the Contract, or to postpone for any time or from time to time any of your rights or powers against ______, and either to enforce or forbear to enforce any of the terms and conditions of the said Appointment Letter or the Contract, and we shall not be released from our liability under this Guarantee by the exercise of your liberty with reference to the matters aforesaid, or by reason of any time being given to ______ or any other forbearance, act or omission on your part, or any indulgence by you, or any other act, matter or thing whatsoever which under the law relating to sureties would, but for the provisions hereof, have the effect of releasing us from our liability hereunder; provided always that nothing herein contained will enlarge our liability hereunder beyond the limit of Rs. ______ (Rupees ______ only) as aforesaid, or extend the period of the Guarantee beyond ______ (date), unless expressly agreed to by us in writing.

7. This Guarantee shall not in any way be affected by your taking or giving up any securities from ______ or any other person, firm or company on its behalf, or by the winding up, dissolution or insolvency, as the case may be, of ______.

8. In order to give full effect to the Guarantee herein contained, you shall be entitled to act as if we were your principal debtors in respect of all your claims against ______ hereby guaranteed by us as aforesaid, and we hereby expressly waive all our rights of suretyship and other rights, if any, which are in any way inconsistent with any of the provisions of this Guarantee.

9. Subject to the maximum limit of our liability as aforesaid, this Guarantee will cover all your claim or claims against ______ from time to time arising out of or in relation to the said Appointment Letter / Contract and in respect of which your claim in writing is lodged on us before expiry of the Guarantee.

10. Any notice by way of demand or otherwise hereunder may be sent by special courier, telex, fax, e-mail or registered post to our Head Office / local address as aforesaid, and if sent accordingly it shall be deemed to have been given when the same has been posted.

11. This Guarantee shall not be affected by any change in the constitution of ______ or of ourselves, nor shall it be affected by any change in your constitution or by any amalgamation or absorption thereof or therewith, but will enure to the benefit of and be available to and be enforceable by the absorbing or amalgamated company or concern.

12. This Guarantee shall come into force from the date of its execution and shall not be revoked by us at any time during its currency without your previous consent in writing.

13. We further agree and undertake to pay you the amount demanded in writing irrespective of any dispute or controversy between you and ______ in any suit or proceeding pending before any court, Tribunal or Arbitrator relating thereto, our liability under these presents being absolute and unequivocal. The payments so made by us shall be a valid discharge of our liability for payment hereunder, and ______ shall have no claim against us for making such payment.

14. We have the power to issue this Bank Guarantee in your Bank's favour, as the undersigned has full power to execute this Bank Guarantee under the Power of Attorney issued by our Bank.

15. Our authority to issue this Guarantee may be verified with our Controlling Office situated at ______ (full details of persons to be contacted, address and phone numbers, etc.).

16. Notwithstanding anything contained hereinabove:
i) Our liability under this Guarantee shall not exceed Rs. ______ (Rupees ______ only);
ii) This Guarantee shall be valid and remain in force up to ______ plus the claim period of 6 (six) months, including that date; and
iii) We are liable to pay the guaranteed amount or any part thereof under this Guarantee only and only if you serve upon us a written claim or demand for payment on or before the expiry of this Guarantee.

Dated this the ______ day of ______ 2016.

Signature and Seal of Guarantors
Vendor's Bank

ANNEXURE-VI PRE-BID ENQUIRY FORMAT

Sr. No. | Page No. | Clause Number | RFP Clause | Bidder's Remark

ANNEXURE VII Technical Requirements
<<< Enclosed Separately. >>>

Annexure VIII Indicative Commercial Bill of Materials
<<< Enclosed Separately. >>>

Annexure-IX Technical Requirement of Managed Security Services
<<< Enclosed Separately. >>>

Annexure-X Non-Disclosure Agreement

This Non-Disclosure Agreement is made and entered into at ______ on this XXXX day of XXXXX.

BY AND BETWEEN

XXXXXXX, a company incorporated under the XXXX Act, having its registered office at XXXXXXX (hereinafter referred to as the "Firm / Company", which expression shall, unless repugnant to the context or meaning thereof, be deemed to include its permitted successors) of the ONE PART;

AND

Punjab & Sind Bank, a body corporate established under the Banking Companies (Acquisition and Transfer of Undertakings) Act 1970 and having its Head Office at 21, Rajendra Place, New Delhi 110008 (hereinafter referred to as the "Bank", which expression shall, unless it be repugnant to the subject, meaning or context thereof, be deemed to mean and include its successors and assigns) of the OTHER PART.

The Firm / Company and Punjab & Sind Bank are hereinafter collectively referred to as the "Parties" and individually as a "Party".

WHEREAS:

1. Punjab & Sind Bank is engaged in the business of providing financial services to its customers and intends to engage an independent entity for Managed Security Services for Security Operation Centre for the Bank.

2. In the course of such assignment, it is anticipated that Punjab & Sind Bank or any of its officers, employees, officials, representatives or agents may disclose or deliver to the Firm / Company some Confidential Information (as hereinafter defined) to enable the Firm / Company to carry out the aforesaid professional services assignment (hereinafter referred to as "the Purpose").

3. The Firm / Company is aware and confirms that all information, data and other documents made available in the RFP/Bid Documents/Agreement/Contract or in connection with the Services rendered by the Firm / Company are confidential information and are privileged and strictly confidential and/or proprietary to Punjab & Sind Bank. The Firm / Company undertakes to safeguard and protect such confidential information as may be received from Punjab & Sind Bank.

NOW, THEREFORE, THIS AGREEMENT WITNESSETH THAT, in consideration of the above premises and of Punjab & Sind Bank granting the Firm / Company and/or its agents and representatives specific access to Punjab & Sind Bank property / information and other data, it is hereby agreed by and between the parties hereto as follows:

1. Confidential Information:

(i) Confidential Information means all information disclosed/furnished by Punjab & Sind Bank to the Firm / Company, whether orally, in writing or in electronic, magnetic or other form, for the limited purpose of enabling the Firm / Company to carry out the proposed assignment, and shall mean and include data, documents and information or any copy, abstract, extract, sample, note or module thereof, explicitly designated as "Confidential"; provided the oral information is set forth in writing and marked "Confidential" within seven (7) days of such oral disclosure.

(ii) The Firm / Company may use the Confidential Information solely for and in connection with the Purpose and shall not use the Confidential Information or any part thereof for any reason other than the Purpose stated above. Confidential Information in oral form must be identified as confidential at the time of disclosure and confirmed as such in writing within seven (7) days of such disclosure. Confidential Information does not include information which:

(a) Is or subsequently becomes legally and publicly available without breach of this Agreement by either party;
(b) Was rightfully in the possession of the Firm / Company without any obligation of confidentiality prior to receiving it from Punjab & Sind Bank;
(c) Was rightfully obtained by the Firm / Company from a source other than Punjab & Sind Bank without any obligation of confidentiality;
(d) Was developed by or for the Firm / Company independently and without reference to any Confidential Information, and such independent development can be shown by documentary evidence; or is/was disclosed pursuant to an order of a court or governmental agency as so required by such order, provided that the Firm / Company shall, unless prohibited by law or regulation, promptly notify Punjab & Sind Bank of such order and afford Punjab & Sind Bank the opportunity to seek an appropriate protective order relating to such disclosure;
(e) The recipient knew or had in its possession, prior to disclosure, without limitation on its confidentiality;
(f) Is released from confidentiality with the prior written consent of the other party.

The recipient shall have the burden of proving that the exceptions hereinabove are applicable to the information in the possession of the recipient. Confidential Information shall at all times remain the sole and exclusive property of the disclosing party. Upon termination of this Agreement, Confidential Information shall be returned to the disclosing party or destroyed, if incapable of return. The destruction shall be witnessed and so recorded, in writing, by an authorised representative of each of the parties. Nothing contained herein shall in any manner impair or affect the rights of Punjab & Sind Bank in respect of the Confidential Information.

In the event that any of the Parties hereto becomes legally compelled to disclose any Confidential Information, such Party shall give sufficient notice to the other Party to enable the other Party to prevent or minimize, to the extent possible, such disclosure. Neither party shall disclose to a third party any Confidential Information or the contents of this Agreement without the prior written consent of the other party. The obligations of this Clause shall be satisfied by handling Confidential Information with the same degree of care which the receiving party applies to its own similar confidential information, but in no event less than reasonable care. The obligations of this Clause shall survive the expiration, cancellation or termination of this Agreement.

2. Non-disclosure:

The Firm / Company shall not commercially use or disclose any Confidential Information, or any materials derived therefrom, to any other person or entity other than persons in the direct employment of the Firm / Company who have a need to have access to and knowledge of the Confidential Information solely for the Purpose authorized above. The Firm / Company shall take appropriate measures, by instruction and written agreement prior to disclosure to such employees, to assure against unauthorized use or disclosure. The Firm / Company may disclose Confidential Information to others only if the Firm / Company has executed a Non-Disclosure Agreement with the other party to whom it is disclosed that contains terms and conditions no less restrictive than these presents, and the Firm / Company agrees to notify Punjab & Sind Bank immediately if it learns of any use or disclosure of the Confidential Information in violation of the terms of this Agreement.

Notwithstanding the marking and identification requirements above, the following categories of information shall be treated as Confidential Information under this Agreement irrespective of whether they are marked or identified as confidential:

a) Information regarding Punjab & Sind Bank and any of its Affiliates, customers and their accounts ("Customer Information"). For purposes of this Agreement, "Affiliate" means a business entity now or hereafter controlled by, controlling or under common control. Control exists when an entity owns or controls more than 10% of the outstanding shares or securities representing the right to vote for the election of directors or other managing authority of another entity; or
b) Any aspect of Punjab & Sind Bank's business that is protected by patent, copyright, trademark, trade secret or other similar intellectual property right; or
c) Business processes and procedures; or
d) Current and future business plans; or
e) Personnel information; or
f) Financial information.

3. Publications:

The Firm / Company shall not make news releases or public announcements, give interviews, issue or publish advertisements, or publicize in any other manner whatsoever in connection with this Agreement, the contents / provisions thereof, other information relating to this Agreement, the Purpose, the Confidential Information or any other matter of this Agreement, without the prior written approval of Punjab & Sind Bank.

4. Term:

This Agreement shall be effective from the date hereof and shall continue till expiration of the Purpose or termination of this Agreement by Punjab & Sind Bank, whichever is earlier. The Firm / Company hereby agrees and undertakes to Punjab & Sind Bank that immediately on termination of this Agreement it would forthwith cease using the Confidential Information and further promptly return or destroy, under information to Punjab & Sind Bank, all information received by it from Punjab & Sind Bank for the Purpose, whether marked Confidential or otherwise, and whether in written, graphic or other tangible form, and all copies, abstracts, extracts, samples, notes or modules thereof. The Firm / Company further agrees and undertakes to Punjab & Sind Bank to certify in writing, upon request of Punjab & Sind Bank, that the obligations set forth in this Agreement have been complied with. Any provisions of this Agreement which by their nature extend beyond its termination shall continue to be binding and applicable without limit in point of time, except and until such information enters the public domain.

5. Title and Proprietary Rights:

Notwithstanding the disclosure of any Confidential Information by Punjab & Sind Bank to the Firm / Company, the title and all intellectual property and proprietary rights in the Confidential Information shall remain with Punjab & Sind Bank.

6. Remedies:

The Firm / Company acknowledges the confidential nature of the Confidential Information and that damage could result to Punjab & Sind Bank if the Firm / Company breaches any provision of this Agreement, and agrees that, if it or any of its directors, officers or employees should engage, or cause or permit any other person to engage, in any act in violation of any provision hereof, Punjab & Sind Bank may suffer immediate irreparable loss for which monetary compensation may not be adequate. Punjab & Sind Bank shall be entitled, in addition to other remedies for damages and relief as may be available to it, to an injunction or similar relief prohibiting the Firm / Company, its directors, officers, etc. from engaging in any such act which constitutes or results in a breach of any of the covenants of this Agreement. Any claim for relief to Punjab & Sind Bank shall include Punjab & Sind Bank's costs and expenses of enforcement (including attorney's fees).

7. Entire Agreement, Amendment and Assignment:

This Agreement constitutes the entire agreement between the Parties relating to the matters discussed herein and supersedes any and all prior oral discussions and/or written correspondence or agreements between the Parties. This Agreement may be amended or modified only with the mutual written consent of the Parties. Neither this Agreement nor any right granted hereunder shall be assignable or otherwise transferable.

8. Governing Law:

The provisions of this Agreement shall be governed by the laws of India, and the competent court at Bangalore shall have exclusive jurisdiction in relation thereto even though other Courts in India may also have similar jurisdiction.

9. Indemnity:

The Firm / Company shall defend, indemnify and hold harmless Punjab & Sind Bank, its affiliates, subsidiaries, successors, assigns, and their respective officers, directors and employees, at all times, from and against any and all claims, demands, damages and assertions of liability, whether civil, criminal, tortious or of any nature whatsoever, arising out of or pertaining to or resulting from any breach of representations and warranties made by the Firm / Company and/or breach of any provisions of this Agreement, including but not limited to any claim from a third party pursuant to any act or omission of the Firm / Company in the course of discharge of its obligations under this Agreement.

10. General:

The Firm / Company shall not reverse-engineer, decompile, disassemble or otherwise interfere with any software disclosed hereunder. All Confidential Information is provided "as is". In no event shall Punjab & Sind Bank be liable for the inaccuracy or incompleteness of the Confidential Information. None of the Confidential Information disclosed by Punjab & Sind Bank constitutes any representation, warranty, assurance, guarantee or inducement with respect to the fitness of such Confidential Information for any particular purpose. Punjab & Sind Bank discloses the Confidential Information without any representation or warranty, whether express, implied or otherwise, as to truthfulness, accuracy, completeness, lawfulness, merchantability, fitness for a particular purpose, title, non-infringement, or anything else.

11. Waiver:

A waiver (whether express or implied) by Punjab & Sind Bank of any of the provisions of this Agreement, or of any breach or default by the Firm / Company in performing any of the provisions hereof, shall not constitute a continuing waiver, and such waiver shall not prevent Punjab & Sind Bank from subsequently enforcing any subsequent breach or default by the Firm / Company under any of the provisions of this Agreement.

In witness whereof, the Parties hereto have executed these presents the day, month and year first hereinabove written.

For and on behalf of XXXXX          For and on behalf of Punjab & Sind Bank
XXXXXXX                             XXXXX
(Designation)                       (Designation)

FORMAT - 1 Financial details

Sr. No. | Field                                        | 2012-13 | 2013-14 | 2014-15
        | Audited / Provisional                        | (A)     | (A)     | (A)
1.      |                                              |         |         |
2.      | Paid up Capital                              |         |         |
3.      | Tangible Net Worth                           |         |         |
4.      | Total Assets                                 |         |         |
5.      | Total Sales (net of excise)                  |         |         |
6.      | PBDIT                                        |         |         |
7.      | Profit after Tax                             |         |         |
8.      | Revenue from Information Security Services   |         |         |

Please fill in all the above columns (do not leave any column blank) and attach audited Balance Sheets and Profit & Loss statements for the last three years. For item no. 8, provide copies of POs / letters of engagement.

Date: ______

Signature of Authorized Official with Seal

FORMAT - 2 Prime Bidder's Undertaking Letter

From: ______
Date: ______

To
Asstt. General Manager
HO IT Dept
Punjab & Sind Bank
Rajendra Place, New Delhi

Dear Sir,

We, the undersigned, as prime bidder, confirm the below:

- Neither we nor our Promoters / Directors are defaulters to any financial institution.
- We have not been reported against by any Public Sector Bank or the Indian Banks' Association for any malpractice, fraud, poor service, etc.
- We have not been blacklisted by any Government authority or Public Sector Undertaking (PSU) as on the date of submission of the tender.

Yours faithfully,

(Authorized Signatory)
In the capacity of ______
Duly authorized to sign the Bid for and on behalf of ______

Note: This letter should be on the letterhead of the Prime Bidder, duly signed by an authorized signatory.

FORMAT - 3 Channel Partner / Dealership / Experience Letter from OEM

To,
Asstt. General Manager
HO IT Dept
Punjab & Sind Bank,
Rajendra Place, New Delhi

Place: ______
Date: ______

Dear Sir,

We hereby certify that M/S ______ (Name & Address) is an Authorised Channel Partner / Authorised Dealer / System Integrator (strike out whichever is not applicable) for the supply, installation and maintenance of ______ (Equipment details) of ______ (Specify Make) manufactured by our company for the last ______ (Specify) years. Further, we certify that the Authorised Channel Partner / Authorised Dealership agreement with M/S ______ is in force and is valid up to ______ (Specify Period).

Further, we hereby certify that M/S ______ is authorised to participate in the tender process for Managed Security Services for Security Operation Centre on our behalf and to submit bids. We undertake that the solution proposed in the response to this RFP is a licensed version of the product and has enterprise support from our company. We hereby undertake that the model offered and empanelled will be available and supplied during the tenure of the contract.

We also undertake that none of the proposed solution will open or contact any undeclared channel outside the respective Bank's environment. We further certify that the application / software / solution provided by us is free of malware at the time of sale, free of any obvious bugs, and free of any covert channels in the code (of the version of the application being delivered as well as any subsequent versions/modifications done). A violation of the above would be considered a breach of security, and the respective participating banks may proceed against us as they deem fit.

Also, we confirm that our solution has been implemented by M/S ______ in the following organizations:
1) ______
2) ______

Further, we confirm that the undersigned is authorised to issue this letter. We also undertake that we will provide software patches for the solutions / software provided by us for a duration of 5 years.

Yours faithfully,

(Name, Designation, Address, Phone Number of the Authorised Signatory with Company Seal)

Note: This format has to be issued by the Original Equipment Manufacturer on their letterhead, duly signed by the authorised signatory/signatories.

FORMAT - 4 Confirmation of Soft Copy

To
Asstt. General Manager
HO IT Dept
Punjab & Sind Bank
Rajendra Place, New Delhi

Dear Sir,

Sub: RFP for Selection of Security System Integrator for Managed Security Services for Security Operation Centre for Punjab & Sind Bank

Further to our proposal dated XXXXXXX, in response to the Request for Proposal (Bank's tender No. ______, hereinafter referred to as "RFP") issued by Punjab & Sind Bank ("Bank"), we hereby covenant, warrant and confirm as follows:

The soft copies of the proposal submitted by us in response to the RFP are identical with the hard copies of the aforesaid proposal submitted by us, in all respects.

Yours faithfully,

Authorised Signatory
Designation
Bidder's corporate name

FORMAT - 5 Compliance Statement

We certify that, except for the following deviations, we agree to abide by all other clauses, terms, conditions and specifications mentioned in the RFP.

Main RFP / Annexure No. | Clause / Sub-Clause No. | Deviation | Specific Page No. of the Response

Place: ______
Date: ______

Signature of Authorised Signatory (with seal)

Note: If there are no deviations, the bidder has to give his response by writing NIL in the statement.

FORMAT - 6 Prime Bidder's Undertaking Letter

From: ______
Date: ______

To
Asstt. General Manager
HO IT Dept,
Punjab & Sind Bank,
Rajendra Place, New Delhi

Dear Sir,

We, the undersigned, as prime bidder, having examined the complete RFP document (along with its annexures), do hereby offer to supply, install, configure and provide maintenance support for all the solutions as per the Scope of Work, in full conformity with your requirements as elaborated in the above said RFP, for the amounts mentioned by us in the Commercial Bid or such other sums as may be agreed between us.

We hereby agree to all the terms and conditions stipulated in the RFP except for the variations and deviations of requirements as mentioned by us in the Compliance Statement submitted along with our Technical Proposal. We agree to implement the project in the Bank as per the conditions mentioned in the RFP.

We agree to abide by our Offer for a period of 6 months from the last day of Bid submission, and it shall remain binding on us for acceptance at any time before the expiration of this period.

We understand that you are not bound to accept the lowest or any bid you may receive.

We undertake, if our Bid is accepted, to provide the Contract Performance Guarantee and ATS/AMC Performance Guarantee in the form and in the amounts and within the times stipulated in the RFP.

Yours faithfully,

(Authorised Signatory)
In the capacity of ______
Duly authorized to sign the Bid for and on behalf of ______

FORMAT - 7 Confirmation to Deliver

To
Asstt. General Manager (IT)
HO IT Dept,
Rajendra Place, New Delhi

Dear Sir,

1. Having examined the Tender Documents including all Annexures, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to supply, install, configure and support all the items mentioned in the Request for Proposal and the other schedules of requirements and services for your Bank, in conformity with the said Tender Documents and in accordance with the schedule of prices indicated in the Price Bid and made part of this Tender.

2. If our Bid is accepted, we undertake to comply with the delivery schedule as mentioned in the Tender Document.

3. We agree to abide by this Tender Offer for 180 days from the date of Tender (Commercial Bid) opening, and our Offer shall remain binding on us and may be accepted by the Bank any time before expiry of the offer.

4. This Bid, together with your written acceptance thereof and your notification of award, shall constitute a binding Contract between us.

5. We undertake that in competing for, and if the award is made to us, in executing the subject Contract, we will strictly observe the laws against fraud and corruption in force in India, namely the Prevention of Corruption Act 1988.

6. We agree that the Bank is not bound to accept the lowest or any Bid the Bank may receive.

7. We certify that we have provided all the information requested by the Bank in the format requested. We also understand that the Bank has the exclusive right to reject this offer in case the Bank is of the opinion that the required information is not provided or is provided in a different format.

Dated this ______ day of ______ 20__

Authorised Signatory
(Name: Contact Person, Phone No., Fax, E-mail)

Note: This letter should be on the letterhead of the Vendor, duly signed by an authorized signatory.

FORMAT - 8
Undertaking of Authenticity for Appliance and Server Supplies

Sub:
Ref: 1. Your Purchase Order No. ------------------- dated -------.
     2. Our invoice no./quotation no. -------------- dated --------.

With reference to the appliances/servers supplied/quoted to you vide our invoice no./quotation no./order no. cited above, we hereby undertake that all the components/parts/assemblies/software used in the appliance/server running the software solution, such as hard disks, monitors, memory etc., shall be original new components/parts/assemblies/software only, from the respective OEMs of the products, and that no refurbished/duplicate/second-hand components/parts/assemblies/software are being used or shall be used.

We also undertake that, in respect of the licensed operating system if asked for by you in the purchase order, the same shall be supplied along with the authorised license certificate (e.g. Product Keys on a Certificate of Authenticity in the case of the Microsoft Windows Operating System) and that it shall be sourced from the authorised source (e.g. an authorised Microsoft channel in the case of the Microsoft Operating System).

Should you require, we hereby undertake to produce the certificate from our OEM supplier in support of the above undertaking at the time of delivery/installation. It will be our responsibility to produce such letters from our OEM suppliers at the time of delivery or within a reasonable time.

In case of default, i.e. if we are unable to comply with the above at the time of delivery or during installation for the IT hardware/software already billed, we agree to take back the appliance/server without demur, if already supplied, and to return any money paid to us by you in this regard.

We (system OEM name) also take full responsibility for both the Parts and Service SLA as per the contract, even if there is any default by our authorised Service Centre/Reseller/SI etc.

Authorised Signatory
Name:
Designation:
Place:
Date:

FORMAT - 9
Confirmation of Past Experience for Solution

Sub:
Ref:

We hereby confirm that the solution was successfully implemented at (location) in our organisation. We confirm that the information provided in the table below is accurate to the best of our knowledge.

Organisation Name | Device | Sizing parameters | Locations Covered | Implementation Scope Specifics (Refer Annexure 3) | Timelines (months from PO release date)
(example) | SIEM | 15000 EPS scalable to 40000 EPS | Data Center, DR, Head office etc. | Integration with: | 3 months

Authorised Signatory
Name:
Designation:
Place:
Date:

Annexure-IX
Service Provider's Compliance to Technical Requirements of Managed Security Services

The bidder is expected to mark S/C/N against each requirement in the tables below:
S: Feature/capability is provided as standard. The bidder gets the maximum marks (M) for that point.
C: Feature/capability is not provided as standard but will be customized. The bidder gets half of the maximum marks (M/2) for that point.
N: Feature/capability is not provided even after customization. The bidder gets zero marks for that point.

The bidder must score a minimum of 70% marks to qualify for commercial evaluation.

Page 1 of 30

Security Log Monitoring Services
(Columns: Sr No | Requirements | S/C/N | Maximum Marks | Remark*; the S/C/N, Maximum Marks and Remark* columns are left for the bidder to fill in.)

1. Bidder must implement 24*7 monitoring of security events to detect attacks, raise alerts for any suspicious events that may lead to a security breach in the Bank's environment, and block the same.
2. Bidder must detect both internal and external attacks.
3. Bidder must implement tools and processes for detection and correlation of events from multiple sources within the purview of the services sought.
4. Bidder must provide coordinated rapid response to any security incident. Bidder should work with the Bank's team to limit the extent of the attack and to restore services.
5. Bidder must develop log baselines for all the platforms in the Bank. Bidder must coordinate with the respective IT teams for deployment of the baselines.
6. Bidder must provide multiple reports to the Bank including top attackers, attacks, attack targets, trends etc. Bidder must provide daily and monthly reports, and must also be able to provide reports on demand on a case-to-case basis at no extra cost.
7. Bidder must conduct forensic analysis for security incidents and facilitate mitigation thereof.
8. Bidder must do root cause analysis for security incidents and coordinate implementation of controls to prevent recurrence.
9. Bidder must deploy industry standard tools for log analysis and correlation [furnish full details of the tools/functionality/deliverables separately].
10. The solution provided must be OS/Application/Hardware independent.
11. The solution must support both agent and agent-less architectures.
12. The agent must be lightweight and non-interfering.
13. Must support event collection from a wide range of network and security devices, viz. routers, switches, firewalls, IDS/IPS, proxy hosts, and systems like Windows, Solaris and Linux. It must also support event collection from databases, web servers, AV agents and vulnerability scanners.
14. The solution must support at least 3000 events per second for real-time analysis.
15. The solution must not be an open-source or freeware tool, and an established OEM should support it.
16. The solution must support integration of security logs from existing routers and L1/L2/L3/L4/L5 switches.
17. The solution must have the capability to integrate logs from existing operating systems, database servers and application servers.
18. The solution must have the capability to integrate information from leading vulnerability scanners.
19. The solution must have the capability to track router access-list violations.
20. The solution must ensure that log transmission between agent and manager is secured using industry-recognized standard algorithms.
21. The tool must offer correlation of events/aggregated events from multiple firewalls, IDS/IPS and other network and security devices, and from application security logs.
22. Even during heavy log generation peaks or connectivity issues, the proposed solution must have caching/storage mechanisms to collect events and correlate them thereafter.
23. The solution must have the ability to map real-time attacks to the vulnerability state of the target.
24. The event correlation capability of the tool should consider attributes like log events, asset, vulnerability and business value in the threat calculation.
25. The solution must support normalization of the data collected from disparate devices.
26. The solution must support filtering of noise events by the agents deployed on Bank assets, so that they are not sent to the SOC.
27. The solution must support creation of custom correlation rules.
28. The solution must be capable of freely customizing the format and frequency of reporting.
29. The solution must be capable of creating custom reports.
30. The solution must support role-based administration.
31. The solution must support an audit trail of administrative access and configuration changes.

32. The solution must be capable of compressing the collected log data during network transport.
33. The solution must be capable of validating the authenticity and integrity of log data.
34. The solution must be capable of assisting in finding log entries on the originating systems for use in forensic investigations.
35. The solution must provide a security portal to view real-time dashboards corresponding to the monitoring data.
36. Evidence for security incidents should be made available for legal and regulatory purposes.

Anti-Phishing Monitoring and Takedown Services
(Columns: Sr No | Requirements | S/C/N | Maximum Marks | Remark*)

1. Bidder must have the capability for 24x7x365 monitoring of phishing attacks targeting the Bank.
2. Bidder must have the capability for real-time alerting of the Bank when a phishing site is detected.
3. Bidder must have the capability for real-time analysis of the referrer logs of the Bank's web server.
4. Bidder must have the capability to monitor similar-sounding domain name registrations and alert the Bank when one is detected.
5. Monitoring of spam traps to detect phishing mails.
6. Bidder must have a real-time mechanism for analysis of new websites to detect whether a phishing site targeting the Bank is being created.
7. Bidder must have the capability to take alternative response measures other than website take-down to minimize the impact of a phishing attack.
8. Bidder must have the capability to notify browser vendors (Internet Explorer, Firefox) about detected sites so that they are blocked at browser level.
9. Bidder must assist the Bank in identifying customers affected by phishing and in coordination with law enforcement agencies, CERT-In etc.
10. Bidder must benchmark the Bank's internet banking site and suggest the controls required to minimize the impact of phishing attacks.

11. The OEM selected for anti-phishing and take-down services should have a minimum of 03 years' experience in online fraud monitoring and prevention services, should have its own fraud intelligence network/database, and should have experience of shutting down at least 100,000 online attacks in the last one year.

Malware Scanning Services
(Columns: Sr No | Requirements | S/C/N | Maximum Marks | Remark*)

1. Bidder must have the capability for 24X7 monitoring for Malicious Mobile Code (MMC) infection of the Internet Banking and Corporate websites.
2. Bidder must have the capability for real-time detection of MMC infection/injection.
3. The solution must be a tool-based automated solution with e-mail and SMS alerts.
4. The solution must support scanning to a depth of multiple pages.
5. The solution must support scanning of static and dynamic links.
6. The solution must support checking all website links against well-known global blacklists.
7. Bidder must manage incidents of MMC infection/injection, including the remedy and coordination for recovery in the shortest possible time.
8. The solution must be independent of the application platform.
9. The solution must provide an online interface to view previous online reports for all the websites under monitoring.
10. The solution must track hosting of phishing sites through digital watermarks.
11. Feed an adequate number of wrong user-ids/passwords to the phishing site through automated tools.
12. The solution must monitor web server referrer logs.
13. Analyze web server logs and application logs to track the phisher's identity.
14. Analyze application logs to identify phisher-initiated transactions.

Security Intelligence & Advisory Services
(Columns: Sr No | Requirements | S/C/N | Maximum Marks | Remark*)

1. Identification of evolving vulnerabilities and threats to the IT infrastructure assets deployed in the Bank. This includes: i. top global attack sources; ii. top global attack targets; iii. vulnerabilities; iv. attack forms; v. worms and viruses.
2. The SOC must send timely security advisories for evolving vulnerabilities and threats as and when they arise. Advisories should also detail mitigation measures. Security advisors must visit the Bank at least once a month.
3. Bidder must track the impact of new vulnerabilities and threats on the Bank's assets. Bidder should track, coordinate and facilitate closure of vulnerabilities on the assets that are affected.
4. The security dashboard should give an online view of the global vulnerabilities and threats applicable to the Bank's environment, the number of assets affected and the status of mitigation.

Security Service Desk System Requirements
(Columns: Sr No | Requirements | S/C/N | Maximum Marks | Remark*)

1. The tool should be customized with forms, fields and workflows corresponding to security monitoring and incident management.
2. The service desk should be configured with escalation workflows.
3. The service desk should be a web-based portal with ready access to service requests.
4. The Bank must be provided access to generate reports from the service desk portal.
5. The service desk must support concurrent login for at least three users, including Bank users or its system integrator.
6. The service desk should contain at least the request number, description of the request, date and time of opening, update and closure, and the asset details for which the service request has been opened.
7. SLA data should be captured in the service desk with compliance details.
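One way to implement the similar-sounding domain name monitoring the anti-phishing requirements above call for, as an added example that is not code from the RFP or from any bidder's service. The protected domain examplebank.co.in, the list of "newly observed registrations", the confusables table and the small public-suffix set are all constructed assumptions; a production feed would take candidates from zone files or a registrar feed, use the Unicode confusables data and a Public Suffix List library, and raise a ticket in the service desk for each hit.

```python
"""Lookalike-domain screening for phishing pre-registration monitoring.

Added example, not part of the RFP or any bidder's product. The protected
domain, the candidate registrations and the confusables table are constructed.
"""

# Characters and digraphs commonly substituted to imitate a brand (subset;
# a production system would use the Unicode confusables data).
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e",
    "5": "s", "7": "t", "@": "a", "$": "s", "|": "l",
}
# Two-level public suffixes handled here (stand-in for the Public Suffix List).
TWO_LEVEL_SUFFIXES = {"co.in", "net.in", "org.in", "co.uk", "com.au"}


def split_domain(domain):
    """Return (registrable label, public suffix), e.g. ('examplebank', 'co.in')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def fold_confusables(label):
    """Map lookalike characters to the letters they imitate and drop hyphens."""
    out = label.replace("-", "")
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_candidate(protected, candidate):
    """Score how closely `candidate` imitates `protected`; higher is more suspicious."""
    p_label, p_suffix = split_domain(protected)
    c_label, c_suffix = split_domain(candidate)
    folded = fold_confusables(c_label)
    score, reasons = 0, []
    if c_label != p_label and folded == p_label:
        score += 60
        reasons.append("confusable character substitution")
    distance = levenshtein(folded, p_label)
    if 0 < distance <= 2:
        score += 40 - 10 * distance
        reasons.append(f"edit distance {distance} after folding")
    if folded != p_label and p_label in folded:
        score += 30
        reasons.append("brand name embedded with extra tokens")
    if c_label == p_label and c_suffix != p_suffix:
        score += 50
        reasons.append(f"same label under a different suffix ({c_suffix})")
    return {"candidate": candidate, "score": score, "reasons": reasons}


def screen(protected, candidates, threshold=30):
    """Return candidates at or above `threshold`, most suspicious first."""
    scored = [score_candidate(protected, c) for c in candidates]
    hits = [s for s in scored if s["score"] >= threshold]
    return sorted(hits, key=lambda s: -s["score"])


# Constructed sample of "newly observed registrations" for the demo.
SAMPLE_REGISTRATIONS = [
    "exarnplebank.co.in",       # rn -> m
    "examp1ebank.co.in",        # 1 -> l
    "examplebank.com",          # same label, other suffix
    "examplebank-login.co.in",  # brand plus extra token
    "exampIebank.co.in",        # capital I for l (one substitution after lowercasing)
    "weather.co.in",            # unrelated
]
```

Run `screen("examplebank.co.in", SAMPLE_REGISTRATIONS)` to get the five lookalikes ranked with the reasons that fired; the unrelated registration scores zero and is dropped. The scoring is deliberately additive so that an analyst can see which heuristic triggered, and the threshold is the knob that trades false positives against missed registrations.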

Security Dashboard Services
(Columns: Sr No | Requirements | S/C/N | Maximum Marks | Remark*)

1. The dashboard must be a web-based online portal.
2. The dashboard must integrate with the following: a. asset database; b. security event/log monitoring tool; c. security intelligence.
3. The dashboard must display the asset list and capture details including name, location, owner, value, business unit, IP address and platform details.
4. The dashboard must display the risk baseline corresponding to multiple categories for IT infrastructure, applications and processes.
5. The dashboard must display the security status of the IT infrastructure assets in scope.
6. The dashboard must capture the status of applications in the Bank and should have a graphical display of application security status by location and business unit.
7. The dashboard must capture the risks in each asset, and must allow the user to click on an asset and track the mitigation status of its risks.
8. There should be a graphical representation of risks across business units/locations. The dashboard should support drill-down graphs down to the level of individual assets and should support a wide array of analytics and intelligence capabilities.
9. The Bank must be able to benchmark and track mitigation for new global threats and vulnerabilities using the dashboard. The applicability of new threats to the Bank's assets should also be displayed, with a drill-down to the assets affected by new threats and vulnerabilities and the status of mitigation.
10. SLA data must be captured in the dashboard with compliance details.

SIEM
(Columns: SL. No. | SIEM | S/C/N | Maximum Marks | Remark*)

General
1. The solution should support log collection, correlation and alerts for the number of devices mentioned in the scope.
2. The solution should be able to conduct agent-less collection of logs, except from sources that cannot publish native audit logs.
3. The solution should have connectors to support the listed devices/applications; wherever required, the vendor should develop customized connectors at no extra cost.

Log Collection and Management
4. All logs should be authenticated (time-stamped), encrypted and compressed before transmission.
5. The solution should be able to continue collecting log data during database backup, de-fragmentation and other management scenarios, without any disruption to service.
6. The solution should support log collection from all operating systems and their versions, including but not limited to Windows, AIX, Unix, Linux and Solaris servers.
7. In case connectivity with the SIEM management system is lost, the collector should be able to store the data in its own repository.
8. Retention, deletion and synchronization with the SIEM database should be automatic, but it should also be possible to control them manually.
9. The solution shall allow bandwidth management and rate limiting at the log collector level.
10. The solution should ensure that the overall load on network bandwidth at the DC and WAN level is minimal.
11. The solution should provide time-based and criticality-based store-and-forward at each log collection point.
12. The solution should have the capability to compress the logs by at least 70% for storage optimization.

13. It should be possible to configure event collectors to also send the event data in its original format to the central correlation engine.
14. Data archival should be configured to store information in a tamper-proof format and should comply with all relevant regulations.
15. Traceability of logs shall be maintained from the date of generation to the date of purging.
16. The system shall be able to capture all details in raw logs, events and alerts and normalize them into a standard format for easy comprehension.
17. It should be feasible to extract raw logs from the SIEM and transfer them to other systems as and when required.
18. Should support the following log collection protocols at a minimum: Syslog over UDP/TCP, Syslog-NG, Secure POP3/Secure XML, SDEE, SNMP version 2 and 3, ODBC, FTP, Windows Event Logging Protocol, XML, NetBIOS, NetFlow.
19. The solution should prevent tampering with any type of log and should log any attempt to tamper with logs.

Correlation
19. SIEM must allow the creation of an unlimited number of new correlation rules.
20. The solution should be able to perform the following correlations (but not limited to): rule-based, vulnerability-based, statistical, historical, heuristics-based, behavioral etc.
21. The system/solution should have the ability to correlate on all the fields in a log.
22. The solution should be able to parse and correlate multi-line logs.
23. The solution should gather information on real-time threats and zero-day attacks issued by anti-virus or IDS/IPS vendors or from audit logs, and add this information as an intelligence feed into the SIEM solution via patches.
24. The solution should provide a wizard-based interface for rule creation, and should support logical operations and nested rules for the creation of complex rules.
25. The central correlation engine database should be updated with real-time security intelligence updates from the OEM.
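The collection and correlation requirements above (raw logs kept alongside a normalized standard format, agent-side noise filtering, cross-source correlation rules, and threat scoring that weighs asset business value and vulnerability state) fit together as follows. This is an added example written for this page, not code from the RFP or from any SIEM product. The six log lines, the asset inventory and the vulnerability states are constructed; real connectors would parse each device's native format and the inventory would come from the asset database and vulnerability scanner feeds the other tables describe.

```python
"""Normalizing raw events from three sources and running one cross-source
correlation rule with asset and vulnerability weighting.

Added example, not code from the RFP or from any SIEM product. The log lines,
asset inventory and vulnerability states are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: one firewall deny, three sshd, one Windows 4625, one cron.
RAW_LOGS = [
    "2024-03-01T10:00:01Z fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/44122 dst dmz:10.10.1.5/22",
    "2024-03-01T10:00:05Z web01 sshd[2211]: Failed password for root from 203.0.113.7 port 44123 ssh2",
    "2024-03-01T10:00:09Z web01 sshd[2212]: Failed password for admin from 203.0.113.7 port 44124 ssh2",
    "2024-03-01T10:00:12Z web01 sshd[2213]: Accepted password for deploy from 198.51.100.9 port 51000 ssh2",
    "2024-03-01T10:00:20Z dc01 EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.7 Status=0xC000006D",
    "2024-03-01T10:05:00Z web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed asset inventory: business value and services with open findings.
ASSETS = {
    "web01": {"business_value": "high", "vulnerable_services": {"ssh"}},
    "dc01": {"business_value": "critical", "vulnerable_services": set()},
    "fw01": {"business_value": "medium", "vulnerable_services": set()},
}
VALUE_WEIGHT = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# (source type, pattern, fields derived from the match): one entry per connector.
PARSERS = [
    ("cisco_asa",
     re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-106023: Deny (?P<proto>\w+) "
                r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
     lambda m: {"category": "network", "outcome": "deny", "service": f"{m['proto']}/{m['dport']}"}),
    ("linux_sshd",
     re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                r"for (?P<user>\S+) from (?P<src>[\d.]+)"),
     lambda m: {"category": "auth", "service": "ssh",
                "outcome": "failure" if m["result"] == "Failed" else "success"}),
    ("windows_security",
     re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=4625 TargetUserName=(?P<user>\S+) "
                r"IpAddress=(?P<src>[\d.]+)"),
     lambda m: {"category": "auth", "service": "windows-logon", "outcome": "failure"}),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line to the common schema; the raw line is kept for forensics."""
    for source_type, pattern, derive in PARSERS:
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            event = {"ts": parse_ts(d["ts"]), "host": d["host"], "src": d.get("src"),
                     "dst": d.get("dst"), "user": d.get("user"),
                     "source_type": source_type, "raw": line}
            event.update(derive(m))
            return event
    ts, host = line.split(" ", 2)[:2]
    return {"ts": parse_ts(ts), "host": host, "src": None, "dst": None, "user": None,
            "source_type": "unknown", "category": "other", "outcome": None,
            "service": None, "raw": line}


def is_noise(event):
    """Agent-side filter: unparsed informational lines are not forwarded for correlation."""
    return event["category"] == "other"


def correlate_auth_failures(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: >= threshold authentication failures from one source IP, from any
    log source, inside a sliding window. One alert per offending source."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] == "auth" and ev["outcome"] == "failure" and ev["src"]:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(hits) >= threshold:
                alerts.append(build_alert(src, hits))
                break
    return alerts


def build_alert(src, hits):
    """Risk = base 3 + business value of the most valuable target + 3 if the
    attacked service has an open vulnerability on that target, capped at 10."""
    targets = sorted({e["host"] for e in hits})
    value = max(VALUE_WEIGHT[ASSETS.get(h, {}).get("business_value", "low")] for h in targets)
    vulnerable = any(e["service"] in ASSETS.get(e["host"], {}).get("vulnerable_services", set())
                     for e in hits)
    return {"rule": "auth_bruteforce_multi_source", "src": src, "count": len(hits),
            "targets": targets, "users": sorted({e["user"] for e in hits if e["user"]}),
            "vulnerable_target": vulnerable, "risk": min(10, 3 + value + (3 if vulnerable else 0)),
            "first_seen": hits[0]["ts"].isoformat(), "last_seen": hits[-1]["ts"].isoformat(),
            "evidence": [e["raw"] for e in hits]}


def run(lines=RAW_LOGS):
    events = [normalize(line) for line in lines]
    forwarded = [e for e in events if not is_noise(e)]
    return {"parsed": len(events), "forwarded": len(forwarded),
            "alerts": correlate_auth_failures(forwarded)}
```

On the sample data the two sshd failures and the Windows logon failure from 203.0.113.7 land in one 60-second window, so the rule fires once even though the three events came from two different log formats; the cron line is parsed, retained as raw, but filtered before correlation. The risk score climbs because one target is the domain controller (critical) and the other has an open finding on the very service being attacked, which is the asset/vulnerability/business-value weighting the requirements ask for.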

Dashboard and Reporting
26. The dashboard should be in the form of a unified portal that can show correlated alerts/events from multiple disparate sources such as security devices, network devices, enterprise management systems, servers, applications, databases, etc.
27. Events should be presented in a manner that is independent of device-specific syntax and easy to understand for all users.
28. The dashboard should show the status of all the tools deployed as part of the SOC, including availability, bandwidth consumed and system resources consumed (including database usage).
29. It should be possible to categorize events while archiving, for example events for network devices, antivirus, servers etc.
30. Any failure of the event collection infrastructure must be detected and operations personnel notified as per SLA. Device health monitoring must include the ability to validate that the original event sources are still sending events.
31. The solution should generate the following reports (but not restricted to): user activity reports, configuration change reports, incident tracking reports, attack source reports etc. In addition, the solution should have a report-writing tool for development of ad-hoc reports.
32. The dashboard design should be editable on an ad hoc basis as per individual user needs.
33. The system should display all real-time events. The solution should have drill-down functionality to view individual events from the dashboard.
34. The solution should allow applying filters and sorting to query results.
35. The solution should allow creating and saving ad hoc log queries on archived and retained logs. These queries should be able to use standard syntax such as wildcards and regular expressions.
36. The solution should provide event playback for forensic analysis.
37. The solution should allow qualification of security events and incidents for reporting purposes, and should be able to generate periodic reports (weekly, monthly) for such qualified security events/incidents.

38. Should provide a summary of log stoppage alerts and automatic suppression of alerts.
39. Should generate e-mail and SMS notifications for all critical/high-risk alerts triggered from the SIEM.
40. The solution should allow users to initiate and track alert-related mitigation action items.
41. The portal should allow reports to be generated on pending mitigation activities.
42. The solution should be able to provide asset details such as asset owner, location, events and incidents, vulnerabilities and issue mitigation tracking, mapped to individual assets/users.
43. The solution should provide a knowledge base and best practices for various security vulnerabilities.
44. The dashboard should display the asset list and capture details including name, location, owner, value, business unit, IP address and platform details.
45. The dashboard should capture the security status of assets and highlight the risk level of each asset. This should be used to capture the security status of the Bank, of the different business units within the Bank, of key locations etc.
46. The dashboard should support consolidated compliance reporting across all major standards and regulatory requirements, including (but not limited to) ISO 27001, RBI regulations, the IT Act and the PCI DSS standard.
47. The dashboard should support different views relevant to different stakeholders, including top management, the operations team and the Information Security Department.
48. The dashboard should support export of data to multiple formats including CSV, XML, Excel, PDF and Word.
49. Dashboard views should be customizable as per user rights and access to the individual components of the application. Administrators should be able to view correlated events, packet-level event details, real-time raw logs and historical events through the dashboard.
50. Senior management should be able to view compliance to SLA for all SOC operations and solutions.
51. The system should permit setting up geographical maps/images on real-time dashboards to identify impacted areas and the sources of alerts.

52. The solution should have the capability to identify which queries and indexes have been searched most, in order to improve query response time.
53. The solution should have the ability to perform free-text searches for events, incidents, rules and other parameters.

Event and Incident Management
54. The system should identify the originating system and user details while capturing event data.
55. It should be possible to automatically create incidents and track their closure.
56. An event should reach the SOC monitoring team within 30 seconds of the log being captured.
57. Pre-defined parsers should be available for the following applications: Finacle, Flexcube, Bancs.
58. The solution should be able to collect and parse logs from Base24 ATM switches and any other ATM switch logs.
59. The solution should be able to conduct full packet capture for data.
60. The solution should offer a means of escalating alerts between the various users of the solution, such that if an alert is not acknowledged within a predetermined timeframe it is escalated to ensure it is investigated.

Storage
61. The vendor should provide adequate storage to meet the EPS and retention requirements of the Bank. The SI shall be responsible for upgrading the storage to meet the Bank's requirements as above at no additional cost. The SI should provide adequate justification for the storage size proposed as part of the response.
62. The solution should be able to store both normalized and raw logs.

63. The platform should provide tiered storage for the online, archival, backup and restoration of event log information.
64. Tier I and Tier II storage should have the capability to authenticate logs on the basis of time, integrity and origin.
65. The storage solution should have the capability to encrypt the logs in storage.
66. The system should have the capacity to maintain logs for 90 days on Tier I storage; older logs should be archived on Tier II and Tier III storage.
67. The solution should be capable of automatically retrieving archived logs for analysis, correlation and reporting purposes.
68. The solution should be able to parse and filter logs before storage on the basis of log type, date etc.
69. The solution should be capable of replicating logs in synchronous as well as asynchronous mode.
70. It should be possible to define purging and retention rules for log storage.
71. The solution should come with built-in functionality for archiving data.

Integration
72. Receive database alerts from the DAM solution.
73. Integrate with NBA, IPS, IDS, firewall, proxy etc. to identify network security issues.
74. Integrate with DLP solutions to identify misuse of sensitive information.
75. Integrate with PIM and other directory solutions to relate security events to user activities.
76. Integrate with vulnerability assessment tools to identify security events.
77. Integrate with the GRC solution to capture compliance against security policies.
78. Should be able to integrate with physical access control systems.

79. Integrate with existing helpdesk/incident management tools.
80. Should be able to integrate with the Bank's existing backup solution for performing backup of the SIEM.
81. Should be able to integrate with Internet Banking, the Core Banking solution, RTGS/NEFT, ATM, credit card etc. and address, at a minimum, the use cases mentioned in the RFP.
82. A connector development tool/SDK should be available for developing collection mechanisms for home-grown or any other unsupported applications.
83. The system should have out-of-the-box rules for the listed IDS/IPS, firewalls, routers, switches, VPN devices, antivirus, operating systems, databases and standard applications etc.

Availability
84. The SI should prepare a DR plan for switch-over in case the DC operations are down.
85. The solution should have high availability built in. There should be an automated switch-over to a secondary collector in case of failure of the primary collector. No performance degradation is permissible even in case of collector failure.
86. The storage solution should have adequate redundancy for handling disk failures.

Scalability
87. The solution should be scalable as per the Bank's roadmap for expansion.
88. The solution should support integration with big-data storage configurations such as Hadoop etc.
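The SIEM table above asks that logs be time-stamped, compressed and protected from tampering in transit and in storage (authenticated on time, integrity and origin; every tampering attempt logged). The following is an added example of how a collector can seal a batch so the manager can detect modification, deletion or re-ordering and attribute it to a sequence number; it is not code from the RFP or from any SIEM product. The records and the shared key are constructed placeholders, and transport encryption between collector and manager (TLS) is assumed rather than shown.

```python
"""Tamper-evident, compressed log batches between a collector and the manager.

Added example, not code from the RFP or from any SIEM product. Records and the
shared key are constructed placeholders. Transport encryption (TLS) is assumed
and not shown; this block covers per-record integrity with an HMAC hash chain,
batch compression, and the checks the manager runs on receipt.
"""
import hashlib
import hmac
import json
import zlib

COLLECTOR_KEY = b"demo-collector-key-rotate-in-production"  # placeholder secret
GENESIS_TAG = "0" * 64  # chain anchor for the first batch; later batches pass the previous last_tag


def canonical(obj):
    """Deterministic JSON encoding so collector and manager hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_batch(records, key=COLLECTOR_KEY, prev_tag=GENESIS_TAG):
    """Number and chain each record (keeping its timestamp), then compress the batch.
    tag_n = HMAC(key, seq || ts || host || msg || tag_{n-1})."""
    sealed, tag = [], prev_tag
    for seq, rec in enumerate(records, 1):
        entry = {"seq": seq, "ts": rec["ts"], "host": rec["host"], "msg": rec["msg"], "prev": tag}
        tag = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
        entry["tag"] = tag
        sealed.append(entry)
    return zlib.compress(canonical(sealed), level=9), tag


def verify_batch(payload, key=COLLECTOR_KEY, prev_tag=GENESIS_TAG):
    """Decompress and walk the chain. Every discrepancy is a finding to be logged
    as a tampering attempt rather than a reason to silently drop the batch."""
    entries = json.loads(zlib.decompress(payload))
    findings, expected_prev, expected_seq = [], prev_tag, 1
    for e in entries:
        body = {k: v for k, v in e.items() if k != "tag"}
        if e["seq"] != expected_seq:
            findings.append(f"sequence gap or reorder at seq {e['seq']} (expected {expected_seq})")
        if e["prev"] != expected_prev:
            findings.append(f"chain break at seq {e['seq']}")
        calc = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(calc, e["tag"]):
            findings.append(f"content modified at seq {e['seq']}")
        expected_prev, expected_seq = e["tag"], e["seq"] + 1
    return {"ok": not findings, "records": len(entries), "findings": findings,
            "last_tag": expected_prev}


# Constructed records as the collector would hold them after parsing.
RECORDS = [
    {"ts": "2024-03-01T10:00:05Z", "host": "web01", "msg": "sshd: Failed password for root from 203.0.113.7"},
    {"ts": "2024-03-01T10:00:09Z", "host": "web01", "msg": "sshd: Failed password for admin from 203.0.113.7"},
    {"ts": "2024-03-01T10:00:12Z", "host": "web01", "msg": "sshd: Accepted password for deploy from 198.51.100.9"},
]


def demo(records=RECORDS):
    """Seal a batch, then verify it clean, after an edit, and after a deletion."""
    payload, last_tag = seal_batch(records)
    clean = verify_batch(payload)

    edited = json.loads(zlib.decompress(payload))  # attacker rewrites a failure as a success
    edited[1]["msg"] = edited[1]["msg"].replace("Failed", "Accepted")
    altered = verify_batch(zlib.compress(canonical(edited)))

    trimmed = json.loads(zlib.decompress(payload))  # attacker deletes the second record
    del trimmed[1]
    dropped = verify_batch(zlib.compress(canonical(trimmed)))

    return {"clean": clean, "altered": altered, "dropped": dropped,
            "chain_continues": verify_batch(payload)["last_tag"] == last_tag,
            "plain_bytes": len(canonical(records)), "compressed_bytes": len(payload)}
```

Because each tag covers the previous tag, an attacker without the collector key cannot re-chain after removing or rewriting a record, and the manager can say exactly which sequence number was touched. The `last_tag` returned by one batch is the `prev_tag` for the next, so the chain spans batches; on such a small sample the compression ratio is not representative of the 70% the requirement expects at volume.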

Web Application Firewall
(Columns: S. No | Web Application Firewall | S/C/N | Maximum Marks | Remark*)

1. The appliance-based solution should support inline bridge mode of deployment and should have a built-in bypass for both "fail-open" and "fail-close" modes.
2. The Web application firewall should address the Open Web Application Security Project (OWASP) Top Ten security vulnerabilities, such as SQL Injection, Cross-Site Scripting (XSS) and Broken Authentication and Session Management, and those listed in the NIST SP 800-95 guidelines.
3. The solution should prevent the following attacks (but not limited to): brute force; access to predictable resource locations; unauthorized navigation; web server reconnaissance; HTTP request format and limitation violations (size, unknown method, etc.); use of revoked or expired client certificates; file upload violations.
4. Should have DLP features to identify and block sensitive information such as credit card numbers, PAN numbers and Aadhaar numbers.
5. Should support both positive and negative security models.
6. Should have the ability to cache and compress web content and to accelerate SSL.
7. Should have integrated SSL offloading capabilities; further, the solution should support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF.
8. Should have integrated basic server load balancing capabilities.

9. Should meet all applicable PCI DSS requirements pertaining to system components in the cardholder data environment, and should also monitor traffic carrying personal information.
10. Should have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log the actions taken.
11. Should inspect both web page content, such as Hypertext Markup Language (HTML), Dynamic HTML (DHTML) and Cascading Style Sheets (CSS), and the underlying protocols that deliver content, such as Hypertext Transfer Protocol (HTTP) and HTTP over SSL (HTTPS). (In addition to SSL, HTTPS includes HTTP over TLS.)
12. WAF should support dynamic source IP blocking and should be able to block attacks based on source IP.
13. Should inspect Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP (HTTP headers, form fields and the HTTP body).
14. Should inspect any protocol (proprietary or standardized) or data construct (proprietary or standardized) used to transmit data to or from a web application, when such protocols or data are not otherwise inspected at another point in the message flow.
15. WAF should support inline bridge or proxy mode of deployment.
16. WAF should have an option to be configured in reverse proxy mode as well.
17. Actions taken by the WAF to prevent malicious activity should include the ability to drop requests and responses, block the TCP session, block the application user, or block the IP address.
18. Transactions with content matching known attack signatures, and those flagged by heuristics, should be blocked.
19. The WAF database should include a preconfigured, comprehensive and accurate list of attack signatures.

20. The Web application firewall should allow signatures to be modified or added by the administrator.
21. The Web application firewall should support automatic updates (if required) to the signature database, ensuring complete protection against the latest application threats.
22. WAF should be able to restrict the number of files in a request.
23. WAF should support the following normalization methods:
   - URL-decoding (e.g. %XX)
   - Null byte string termination
   - Self-referencing paths (i.e. use of /./ and encoded equivalents)
   - Path back-references (i.e. use of /../ and encoded equivalents)
   - Mixed case
   - Excessive use of whitespace
   - Comment removal (e.g. convert DELETE/**/FROM to DELETE FROM)
   - Conversion of (Windows-supported) backslash characters into forward slash characters
   - Conversion of IIS-specific Unicode encoding (%uXXYY)
   - Decoding of HTML entities (e.g. the numeric and named entities for c, " and ª)
   - Escaped characters (e.g. \t, \001, \xaa, \uaabb)
24. WAF should support different policies for different application sections.
25. The Web application firewall should automatically learn the Web application structure and elements.
26. The Web application firewall learning mode should be able to recognize application changes as and when they are made.
27. The WAF should have the ability to perform behavioral learning to examine traffic, highlight anomalies and provide recommendations that can be turned into actions such as apply, change and apply, ignore etc.
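The normalization list in item 23 is the reason a WAF can be bypassed by encoding tricks when it matches signatures on the raw request instead of a canonical form. The block below is an added example, not code from the RFP or from any WAF product, that applies those transformations and compares matching before and after them. The four signatures and the sample request (a double-encoded SQL injection, an entity-encoded script tag, and a traversal hidden behind backslashes and a null byte) are constructed; a real rule set is far larger.

```python
"""Request normalization before signature matching, covering the transformations
listed in the WAF requirement above (URL decoding including IIS %uXXYY, null-byte
termination, path self-references and back-references, case folding, whitespace,
SQL comment removal, backslash conversion, HTML entities, escaped characters).

Added example, not code from the RFP or from any WAF product. The signatures
and the sample request are constructed.
"""
import html
import re
from urllib.parse import unquote

SIGNATURES = [
    ("sqli_union_select", re.compile(r"\bunion\b.*\bselect\b")),
    ("xss_script_tag", re.compile(r"<script\b")),
    ("path_traversal_passwd", re.compile(r"(^|/)etc/passwd$")),
    ("windows_cmd_exe", re.compile(r"/cmd\.exe$")),
]


def decode_iis_unicode(s):
    """%uXXYY (IIS-specific) -> the code point."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def url_decode_fully(s, max_rounds=3):
    """Decode repeatedly to defeat double/triple encoding; bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(decode_iis_unicode(s))
        if decoded == s:
            break
        s = decoded
    return s


def decode_escapes(s):
    r"""\uaabb, \xaa, \001 and \t style escapes -> characters."""
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)
    return s.replace("\\t", "\t").replace("\\n", "\n")


def normalize_value(value, is_path=False):
    """Canonical form of one parameter value (or path) for rule matching."""
    v = url_decode_fully(value)
    v = v.split("\x00", 1)[0]                      # null-byte string termination
    if is_path:
        v = v.replace("\\", "/")                    # Windows backslashes -> forward slashes
    v = html.unescape(v)                            # &#60; &quot; &#170; ...
    v = decode_escapes(v)                           # \t \001 \xaa \uaabb
    v = v.lower()                                   # mixed case
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)    # DELETE/**/FROM -> DELETE FROM
    return re.sub(r"\s+", " ", v).strip()           # excessive whitespace


def normalize_path(path):
    """Resolve /./ and /../; return (canonical path, levels attempted above the root)."""
    p = normalize_value(path, is_path=True)
    parts, above_root = [], 0
    for seg in p.split("/"):
        if seg in ("", "."):
            continue                                # self-references and empty segments
        if seg == "..":                             # back-references
            if parts:
                parts.pop()
            else:
                above_root += 1
            continue
        parts.append(seg)
    return "/" + "/".join(parts), above_root


def matches(value):
    return [name for name, rx in SIGNATURES if rx.search(value)]


def inspect(path, params):
    """Compare naive matching on the raw request with matching after normalization."""
    raw_hits = matches(path) + [h for v in params.values() for h in matches(v)]
    canon_path, above_root = normalize_path(path)
    hits = matches(canon_path)
    if above_root:
        hits.append("traversal_above_webroot")
    for v in params.values():
        hits += matches(normalize_value(v))
    return {"raw_hits": sorted(set(raw_hits)), "hits": sorted(set(hits)),
            "normalized_path": canon_path}


# Constructed evasion attempt: double-encoded SQLi, entity-encoded XSS, and a
# traversal using backslashes plus a null byte to hide the real extension.
SAMPLE_PATH = "/images/..%5c..%5c..%5cetc%5cpasswd%00.png"
SAMPLE_PARAMS = {
    "id": "1%2527%2520UNION%252F%252A%252A%252FSELECT%2520password%2520FROM%2520users",
    "q": "&#60;scr&#105;pt&#62;alert(1)&#60;/script&#62;",
}
```

`inspect(SAMPLE_PATH, SAMPLE_PARAMS)` returns no raw hits at all, while the normalized view matches all three attacks and additionally flags that the path tried to climb above the web root. The order of the steps matters: URL decoding must run before null-byte truncation (otherwise `%00` survives), backslash conversion before escape decoding for paths (so `\t` in a Windows path is a separator, not a tab), and comment removal before whitespace collapsing.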

28. The Web application firewall should support line-speed throughput and sub-millisecond latency so as not to impact Web application performance.
29. For SSL-enabled Web applications, the certificates and private/public key pairs of the Web servers being protected need to be uploadable to the Web application firewall.
30. The Web Application Firewall should have "anti-automation" protection that can block automated attacks using hacking tools, scripts, frameworks etc.
31. The Web application firewall should have an out-of-band management port.
32. The Web application firewall should support web-based centralized management and reporting for multiple appliances.
33. The Bank should be able to deploy the Web application firewall, and remove it from the network, with minimal impact on the existing Web applications or the network architecture.
34. The Web application firewall should be able to integrate with web application vulnerability assessment tools (Web application scanners).
35. WAF should be able to integrate with the existing/proposed SIEM solution.
36. The Web application firewall should be able to generate custom or pre-defined graphical reports on demand or on a schedule.
37. The Web application firewall should provide a high-level dashboard of system status and Web activity.
38. Should be able to generate comprehensive event reports with filters: a. date or time ranges; b. IP address ranges; c. types of incidents; d. geo-location of the attack source; e. other (please specify).

39. The following report formats are deemed of relevance: Word, RTF, HTML, PDF, XML, etc.
40. A unique transaction ID should be assigned to every HTTP transaction (a transaction being a request and response pair) and included with every log message.
41. Access logs should be periodically uploadable to the logging server (e.g. via FTP, SFTP, WebDAV or SCP).
42. The Web application firewall should provide notifications through e-mail, syslog, SNMP trap, HTTP(S) push etc.
43. WAF should be able to log full session data once a suspicious transaction is detected.
44. It should be simple to relax automatically-built policies.
45. The solution should allow the administrator to manually accept false positives.
46. Should be able to recognize trusted hosts.
47. The WAF in passive mode should be able to show the impact of rule changes as if they were actively enforced.
48. The solution should be capable of providing virtual patching, either itself or by integrating with third-party vulnerability scanners.
49. Should support clustered deployment of multiple WAFs sharing the same policy.
50. The solution should support virtual environments.

51 The solution should support all operating systems and their versions, including but not limited to Windows, AIX, Unix, Linux, Solaris and HP-UX.

Privilege Identity Management
(Columns: S. No | Requirement | S/C/N | Maximum Marks | Remark*)

1 Should control the commands a privileged user is authorized to perform.
2 Should provide keystroke logging for privileged users.
3 Should support multi-factor authentication for privileged users.
4 Solution should be able to capture session logs for privileged users.
5 Solution should be able to record session video for privileged users.
6 The recorded video should be of minimal size, and the recording should not impact user work or system performance.
7 Solution should be able to provide time-based sessions for privileged users.
8 Support delegation by an identity administrator to another person for a specific period of time.
9 Support reminders to identity administrators who are required to perform workflow tasks.
10 System should support denial-of-access protection by blocking repeated password failures on multiple administrator accounts in the directory.
11 Should be able to delegate privileged access to commands or applications.
12 System should enforce segregation of duties as defined by the Bank.

13 System should provide audit information on where privileged accounts are enabled, which users have access to them, and whether this access is as per Bank policies including password requirements.
14 System should include an encrypted vault for privileged user credentials.
15 System should ensure tamper-proof storage of passwords, credentials, recordings and logs.
16 System should be able to produce privileged identity management audit reports for PCI DSS, RBI guidelines etc.
17 Should include a software development kit to facilitate integration with home-grown/in-house applications.
18 Should be able to integrate with existing AAA authentication devices, directory services etc.
19 Support for a database-maintained change log for event-triggered updates.
20 Solution should identify what information has changed and synchronize only that information.
21 Solution should have template-based workflows for user account creation, management, group assignment, de-activation and deletion.
22 Changes to a template should be configurable to apply to all users created from that template.
23 Support for event-driven and request-driven account de-activation (i.e., not deletion), with or without workflow approval.
24 Support separate workflows for disabling and for deleting accounts, as per the Bank's requirements.
25 Support event-driven and request-driven account re-activation, with or without workflow approval.
26 Support removal of accounts from target system groups upon deletion of the user account.

27 Should support retry of failed creation, a failure reporting mechanism, and commit and rollback capabilities.
28 Solution should be able to trigger additional workflows from a single initial workflow.
29 The system should ensure that the dependencies of a given workflow are satisfied when it is spawned.
30 System should ensure that workflow access is consistent with user roles.
31 System should allow a user to initiate multiple workflow requests at one time.
32 System should provide an overriding workflow that can be used to cancel the effects of a workflow.
33 System should have a web-based GUI for designing workflows.
34 Automated creation, pending workflow approval(s), of user and group accounts based on attribute information.
35 Should be able to handle access to mobile devices and applications.
36 Should have a set of out-of-the-box reports to satisfy compliance requirements, which should include (but not be limited to): user logins and account details; periodicity of access to specific accounts; periodicity of changes to user details, including passwords.
37 System should support scheduled report generation.
38 System should support integration with external GRC, SIEM and HRMS.
39 Provide a built-in query tool for ad-hoc reporting.

40 Support for password push to selectable target systems (i.e., the user or administrator is allowed to specify which systems share the same password).
41 Delegated administrators (e.g., Help Desk, Data Center administrators) can escalate to 2nd-level support (e.g., IT Security).
42 Should control the following: the systems the user can access; methods of access such as local, remote, SSH, Telnet etc.; and sources of access such as workstation, IP address, VPN etc.
43 Approvers should be able to authenticate to the identity management system to access the workflow inbox and perform the workflow activity.
44 Should be able to authenticate users on the basis of the following: user name and password, digital certificates, one-time passwords, biometrics (such as fingerprints, iris scans etc.), smart cards and tokens etc.
45 Support for bulk password updates or resets based upon administrator-defined groups of users.
46 System should enforce password controls as per the Bank's requirements.
47 System should support user maintenance auditing (identity updates, password changes, self-administration, etc.).
48 The following events should be recorded for audit purposes (but not limited to): authentication events; authorization events; directory object modification.

49 Should support historical reporting that includes tracking of changes to user objects over a period of time.
50 The auditing solution within PIM should correlate events to a particular identity even if the name of the object representing that identity has changed.
51 The audit dashboard should list issues such as unauthorized access provisioning, bypasses of workflows, users deactivated after their due date etc.
52 System should have a password check-in and check-out feature for privileged users, based on appropriate workflows.
53 System should enforce an automatic password change on first sign-in so that the administrator cannot keep reusing the same password.
54 System should have the ability to control periodic password changes.
55 System should have the ability to control, on the basis of IP addresses, from where a privileged user can access a device/application.
56 System should be able to control the number of users who can access common/shared privileged IDs at any point of time.
57 If privileged users attempt to block session recording, the system should have the ability to raise appropriate alerts.
58 System should be able to automatically change privileged passwords for critical applications/databases on a periodic basis. The system should then be able to provide access to applications that need to connect to these critical systems.
59 The solution should not act as a single point of failure for privileged access to systems, and it should be possible to recover passwords during outages.
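A reference model of the shared-ID check-out semantics asked for in requirements 7, 52, 56 and 58, added here as an example; it is not the RFP's text and not any PIM product's code. It assumes an injected clock (so the behaviour can be tested deterministically), a workflow approval passed in as a boolean, and a rotation step that only replaces the stored secret; a real PIM would push the new password to the target system. The point for an evaluator is the set of behaviours to test for: a check-out is bound to a named user and expires after a fixed window, a shared ID caps its concurrent holders, an unapproved request is refused and audited, and the secret is rotated as soon as no session holds it, whether by check-in or by expiry.

```python
"""Added example: check-out/check-in policy for a shared privileged ID.
Clock, approval flag and in-memory rotation are assumptions for the example."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SharedId:
    name: str
    max_concurrent: int          # requirement 56
    session_ttl_s: int           # requirement 7
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    holders: dict = field(default_factory=dict)   # user -> session expiry (epoch seconds)
    audit: list = field(default_factory=list)     # (event, user, time) tuples


class Vault:
    def __init__(self, now):
        self.now = now           # callable returning epoch seconds; injected for testability
        self.ids = {}

    def register(self, name, max_concurrent=1, session_ttl_s=3600):
        self.ids[name] = SharedId(name, max_concurrent, session_ttl_s)

    def _rotate(self, sid):
        """Requirement 58: once nobody holds the ID, the secret that was handed
        out is retired. Here it is only replaced in memory."""
        sid.secret = secrets.token_urlsafe(24)
        sid.audit.append(("rotated", None, self.now()))

    def _expire(self, sid):
        """Drop sessions past their TTL; rotate if that leaves the ID idle."""
        t = self.now()
        for user, exp in list(sid.holders.items()):
            if exp <= t:
                del sid.holders[user]
                sid.audit.append(("expired", user, t))
                if not sid.holders:
                    self._rotate(sid)

    def checkout(self, name, user, approved):
        """Requirement 52: approval-gated check-out. Returns the current secret."""
        sid = self.ids[name]
        self._expire(sid)
        if not approved:
            sid.audit.append(("denied-no-approval", user, self.now()))
            raise PermissionError("workflow approval required")
        if user in sid.holders:                      # existing session, same user
            return sid.secret
        if len(sid.holders) >= sid.max_concurrent:
            sid.audit.append(("denied-concurrency", user, self.now()))
            raise PermissionError(f"{name} already held by {sorted(sid.holders)}")
        sid.holders[user] = self.now() + sid.session_ttl_s
        sid.audit.append(("checkout", user, self.now()))
        return sid.secret

    def checkin(self, name, user):
        sid = self.ids[name]
        self._expire(sid)
        if user in sid.holders:
            del sid.holders[user]
            sid.audit.append(("checkin", user, self.now()))
            if not sid.holders:
                self._rotate(sid)

    def holders(self, name):
        sid = self.ids[name]
        self._expire(sid)
        return sorted(sid.holders)


if __name__ == "__main__":
    clock = [1000]
    v = Vault(lambda: clock[0])
    v.register("root@db01", max_concurrent=1, session_ttl_s=600)
    print(v.checkout("root@db01", "alice", approved=True))
    clock[0] += 601                      # alice's session lapses
    print(v.holders("root@db01"), v.ids["root@db01"].audit[-2:])
```

The audit list is what requirement 57 and the dashboard in requirement 51 would be built on; a product that cannot show a "denied-concurrency" or "expired" event for a shared ID is not enforcing requirement 56, whatever its datasheet says.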

Anti-Phishing
(Columns: S. No | Requirement | S/C/N | Maximum Marks | Remark*)

1 The vendor should have the capability for 24x7x365 monitoring of phishing attacks targeting the Bank (logo, URLs, domain, digital watermark, Mobile App etc.).
2 The vendor should have the ability to detect, monitor and shut down all kinds of incidents such as phishing, pharming, brand abuse, fraudulent emails etc.
3 The vendor should report the activation/reactivation of phishing sites and Mobile Apps as per the SLAs defined in the RFP.
4 The vendor should assist the Bank (as per the SLAs) with remedial measures when phishing sites and Mobile Apps are identified.
5 The vendor should monitor and review Web-server referrer logs.
6 The vendor should track new domain name registrations to detect any spoofed site being registered.
7 The vendor should review web server logs and application logs to identify the phisher's identity, the transactions initiated by the phisher, the time the attack was initiated, and the users/customers possibly impacted.
8 The vendor and the system should monitor and log all pharming and phishing attempts.
9 Identify email addresses that are being used for sending spoofed emails to the Bank's customers and employees.
10 The vendor should review the Bank's websites and Mobile Apps on a periodic basis and suggest anti-phishing measures to be taken.
11 The vendor should assist the Bank in coordination with law enforcement and other agencies such as CERT-In, Cyber Crime Cells, RBI, third-party auditors etc.
12 The vendor should support forensic investigation of phishing incidents.
13 Data sources monitored by the vendor should include (but not be limited to):
- Domain name databases
- Hacker forums

- Junk e-mail messages
- Abuse mailbox
- Internet Relay Chat
- Usenet data
- Web server logs
- Internet Banking consumer-reported sites
14 The vendor should maintain, or have direct access to, data from honeypots or a network of sensors to collect data on Trojans.
15 The vendor should monitor networks known to be sources of attacks and/or collection points for compromised data, compromised devices, malicious URLs and malicious command-and-control sites.
16 The vendor should monitor Trojans that are specifically targeted at the banking sector.
17 The vendor should identify compromised areas in the Bank's network and inform the Bank as per defined SLAs.
18 In case of an attack, the vendor should identify and report the extent of damage done to the Bank's environment.
19 The forensic data collected for Trojans should include, but not be limited to, the following: tools used in attacks, compromised data, account information, compromised credit/debit cards issued by the Bank, email addresses, customer profiles etc.
20 The vendor should be able to shut down Trojans, malware, phishing sites and phishing Mobile Apps irrespective of region of origin, browser or ISP.
21 The vendor should monitor similar domain name registrations.
22 The vendor should monitor spam traps to detect phishing mails.
23 The vendor should also support scanning of static as well as dynamic links/pages.
24 The vendor should be able to take countermeasures including (but not limited to):

A) Bringing down websites and Mobile Apps that are capable of causing phishing attacks.
B) Baiting.
C) Automated dummy responses to phishing sites.
D) Notifying the major internet browsers of detected sites so that they are blocked at browser level.
25 The vendor should have a DR setup to ensure continuity of services in case of failure of the main site.
26 The vendor should conduct periodic training for the Bank's staff on best practices to avoid phishing attacks.
27 The vendor should be able to identify and report to the Bank if a user is found to be using a web service such as internet banking for more than a specified period of time.
28 The vendor should be able to identify and report to the Bank if access to blocked ports on a web server is sought by an external user.
29 Monitoring of all major mobile app marketplaces for counterfeit or copycat apps, or apps infringing trademarks, linking to pirated content, attempting phishing attacks or distributing malware, with prompt submission of enforcement notices for the removal of rogue or infringing apps.

Other General Requirements
(Columns: S. No | Requirement | S/C/N | Maximum Marks | Remark*)

Security
1 All proposed solutions should be IPv6 compatible from Day 1. The bidder should migrate to IPv6 as and when the Bank decides to migrate to IPv6 for devices in scope.
2 All solutions should support 256-bit or higher encryption for transfer of information.
3 All solutions should support user authentication mechanisms such as Directory Services and AAA as deployed in the Bank's environment. The systems should be able to align to the Bank's authentication requirements, including password policy.
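The domain-registration monitoring asked of the anti-phishing vendor (requirements 6 and 21 above: new registrations and "similar" domain names) comes down to deciding, for each newly registered name, whether its registrable label resembles the Bank's brand. The script below is an added example of that triage, not the RFP's text and not any vendor's service. The brand label, the two legitimate domains and the registration feed are constructed; the homoglyph table and the edit-distance threshold are the example's own choices. It goes a little beyond the two requirements by separating names that merely carry lure words (login, secure, kyc) into a watch list, since those are noisy on their own.

```python
"""Added example: triage of newly registered domains for brand lookalikes.
Brand, legitimate domains and the feed are constructed for the example."""

BRAND = "examplebank"                                  # assumed brand label
LEGITIMATE = {"examplebank.com", "examplebank.co.in"}   # assumed Bank-owned domains
LURE_WORDS = ("login", "secure", "verify", "netbanking", "kyc", "otp")
# Visual substitutions common in typosquats, folded back to the plain letters.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
# Labels that are not the registrant's choice in a three-label name (foo.co.in).
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "nic"}

# Constructed "new registrations" feed, as a registrar feed or zone-file diff would supply.
FEED = [
    "examplebank.com", "examplebank-login.com", "exarnplebank.com",
    "examp1ebank.in", "examplebamk.com", "examplebank.co",
    "secure-netbanking.com", "weatherreport.com",
]


def registrable_label(domain):
    """The label the registrant chose: 'foo' for foo.com and for foo.co.in."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Strip hyphens and undo homoglyph substitutions before comparing."""
    s = label.replace("-", "")
    for glyph, plain in HOMOGLYPHS:
        s = s.replace(glyph, plain)
    return s


def levenshtein(a, b):
    """Edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain, brand=BRAND):
    """Reasons a domain resembles the brand; an empty list means clean."""
    if domain.lower() in LEGITIMATE:
        return []
    label = registrable_label(domain)
    norm = normalize(label)
    reasons = []
    if norm == brand and label == brand:
        reasons.append("brand label on unowned TLD")
    elif norm == brand:
        reasons.append("homoglyph of brand")
    elif brand in norm:
        reasons.append("brand embedded in label")
    else:
        d = levenshtein(norm, brand)
        if d <= 2:
            reasons.append(f"edit distance {d} from brand")
    reasons += [f"lure word '{w}'" for w in LURE_WORDS if w in label]
    return reasons


def triage(feed, brand=BRAND):
    """alert: resembles the brand; watch: lure words only; clean: neither."""
    out = {"alert": [], "watch": [], "clean": []}
    for d in feed:
        reasons = assess(d, brand)
        if any(not r.startswith("lure word") for r in reasons):
            out["alert"].append(d)
        elif reasons:
            out["watch"].append(d)
        else:
            out["clean"].append(d)
    return out


if __name__ == "__main__":
    for bucket, names in triage(FEED).items():
        print(bucket, names)
```

When scoring a vendor's response to requirements 6 and 21, ask which of these cases their feed actually catches: a brand label on a TLD the Bank does not own (examplebank.co) and a homoglyph (exarnplebank.com) are the ones that simple keyword matching misses.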

4 Any changes to the deployed solutions should be logged, including database changes such as update, insert, delete, select etc. (DML), schema/object changes (DDL), manipulation of accounts, roles and privileges (DCL), and query updates.
5 The proposed solutions should maintain an audit trail of the management activities of individual users and administrators accessing and using the application.
6 The systems should have a mechanism to protect the log database from unauthorized access by system administrators, and should maintain an auditable chain of custody.
7 Solutions should provide Discretionary Access Control (DAC) and Role-Based Access Control (RBAC), and grant access on the least-privilege principle.
8 All devices should comply with the FIPS 140-2 standard for cryptographic modules.
9 All solutions deployed in inline mode should have built-in bypass (fail open) for inline mode.
10 All appliances should have dual power supplies to ensure redundancy.
11 All devices/appliances should be rack mountable and 1U/2U type only.
12 All the proposed solutions should support external storage such as SAN storage.
13 The solutions should support virtual environments.

Support
14 The bidder shall ensure that all deployed devices have the latest patches/security upgrades.
15 The bidder should develop the following processes for the operation of the SOC (but not limited to):
1. Configuration and change management
2. Incident and escalation management processes
3. Daily standard operating procedures
4. Training procedures and material
5. Reporting metrics and continuous improvement procedures
6. Data retention and disposal procedures

7. BCP and DR plan and procedures for the SOC
8. Security patch management procedure
16 The bidder should ensure the SLAs are adhered to and should provide the Bank with periodic reports of performance against the defined SLAs.
17 The bidder should provide continuous threat updates from sources such as CERT, ISAC, NIST, RBI etc.
18 The bidder should assist the Bank in analysing and optimizing the log collection process.
19 Technical support should be available through the OEM or registered partners of the OEM, as per defined SLAs.
20 The bidder should develop, update and maintain log baselines for all platforms at the Bank.
21 The bidder should maintain a knowledge base of alerts, incidents and mitigation steps.
22 Evidence for any security incident should be made available for legal and regulatory purposes.
23 The bidder should provide comprehensive system documentation, user guides and online help for devices.
24 The bidder should ensure that events occurring at any of the devices/applications etc. are logged and displayed at the SIEM within 30 seconds of their occurrence.
25 All solutions should be scalable as per the Bank's future requirements.

Bidder Resources
26 All the resources provided for monitoring of the product and administration of the solution should be OEM certified. Certificates have to be submitted at the time of bidding.
27 In case of exigencies, even during off-business hours/Bank holidays, the resources may be required to be present onsite.
28 Personnel deployed in the Bank's premises shall comply with the Bank's Information Security Requirements.
29 The SOC should be supported by 3 shifts for 24/7 operations, and the resources should be able to support and analyse the data received.
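Support requirement 24 (every event visible at the SIEM within 30 seconds) is measurable only if the SIEM keeps both the device's own event timestamp and its own receive timestamp. The script below is an added example of the check, not the RFP's text and not any SIEM's feature. It assumes a CSV export with those two timestamps per event; the five rows are constructed and include one SLA breach and one event received "before" it happened, which is the clock-skew case that breaks the measurement and needs to be reported separately rather than counted as a fast delivery.

```python
"""Added example: measuring event-to-SIEM latency against a 30-second SLA.
Export format and rows are assumed/constructed for the example."""
import csv
import io
from datetime import datetime, timezone

SLA_SECONDS = 30

# Constructed export: device, event timestamp from the device, SIEM receive timestamp.
EXPORT = """\
device,event_time,received_time
waf01,2016-06-10T09:15:01Z,2016-06-10T09:15:04Z
waf01,2016-06-10T09:15:07Z,2016-06-10T09:15:52Z
pim01,2016-06-10T09:16:30Z,2016-06-10T09:16:31Z
core-sw1,2016-06-10T09:17:00Z,2016-06-10T09:16:45Z
core-sw1,2016-06-10T09:17:05Z,2016-06-10T09:17:20Z
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def measure(text, sla=SLA_SECONDS):
    """Per-event latency with a status: ok, breach, or clock-skew (received before sent)."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        latency = (_ts(row["received_time"]) - _ts(row["event_time"])).total_seconds()
        if latency < 0:
            status = "clock-skew"
        elif latency > sla:
            status = "breach"
        else:
            status = "ok"
        results.append({"device": row["device"], "latency_s": latency, "status": status})
    return results


def summarize(results):
    """Per-device counts and worst latency. Skewed rows are excluded from the
    maximum: their latency cannot be known until the device clock is fixed."""
    summary = {}
    for r in results:
        s = summary.setdefault(r["device"], {"events": 0, "breaches": 0,
                                             "clock_skew": 0, "max_latency_s": 0.0})
        s["events"] += 1
        if r["status"] == "breach":
            s["breaches"] += 1
        if r["status"] == "clock-skew":
            s["clock_skew"] += 1
        else:
            s["max_latency_s"] = max(s["max_latency_s"], r["latency_s"])
    return summary


if __name__ == "__main__":
    for device, s in summarize(measure(EXPORT)).items():
        print(device, s)
```

A device with any clock-skew rows should be treated as an NTP finding first; its SLA figure is not credible until that is resolved.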

Presentation and Onsite Inspection
(Columns: S. No | Requirement | Maximum Marks)
Presentation by the bidder on all the modules/solutions mentioned in the RFP.
1 The presentation should cover, as a minimum, aspects of the project such as (not limited to) functional principles, scalability principles, availability and performance principles, SLA compliance, implementation methodology and continuous improvement. (Maximum Marks: 50)
2 Onsite visit to clients where the services/solutions mentioned in this RFP are currently running. (Maximum Marks: 50)

Other Requirements
1 Integration of SIEM with the CBS Finacle application. (Maximum Marks: 20)

* Provide adequate references to product manuals/documentation to substantiate how the product conforms to each requirement.

Other General Requirements
(Columns: S. No | Requirement | Essential (E) / Preferable (P) | Compliance Yes/No | Remarks)

Security
1 All proposed solutions should be IPv6 compatible from Day 1. The bidder should migrate to IPv6 as and when the Bank decides to migrate to IPv6 for devices in scope. (E)
2 All solutions should support 256-bit or higher encryption for transfer of information. (E)
3 All solutions should support user authentication mechanisms such as Directory Services and AAA as deployed in the Bank's environment. The systems should be able to align to the Bank's authentication requirements, including password policy. (E)
4 Any changes to the deployed solutions should be logged, including database changes such as update, insert, delete, select etc. (DML), schema/object changes (DDL), manipulation of accounts, roles and privileges (DCL), and query updates. (E)
5 The proposed solutions should maintain an audit trail of the management activities of individual users and administrators accessing and using the application. (E)
6 The systems should have a mechanism to protect the log database from unauthorized access by system administrators, and should maintain an auditable chain of custody. (E)
7 Solutions should provide Discretionary Access Control (DAC) and Role-Based Access Control (RBAC), and grant access on the least-privilege principle. (E)
8 All devices should comply with the FIPS 140-2 standard for cryptographic modules. (E)
9 All solutions deployed in inline mode should have built-in bypass (fail open) for inline mode. (E)
10 All appliances should have dual power supplies to ensure redundancy. (E)
11 All devices/appliances should be rack mountable and 1U/2U type only. (E)
12 All the proposed solutions should support external storage such as SAN storage. (E)
13 The solutions should support virtual environments. (E)

Support
14 The bidder shall ensure that all deployed devices have the latest patches/security upgrades. (E)
15 The bidder should develop the following processes for the operation of the SOC (but not limited to): (E)
1. Configuration and change management
2. Incident and escalation management processes
3. Daily standard operating procedures
4. Training procedures and material
5. Reporting metrics and continuous improvement procedures
6. Data retention and disposal procedures
7. BCP and DR plan and procedures for the SOC
8. Security patch management procedure

16 The bidder should ensure the SLAs are adhered to and should provide the Bank with periodic reports of performance against the defined SLAs. (E)
17 The bidder should provide continuous threat updates from sources such as CERT, ISAC, NIST, RBI etc. (E)
18 The bidder should assist the Bank in analysing and optimizing the log collection process. (E)
19 Technical support should be available through the OEM or registered partners of the OEM, as per defined SLAs. (E)
20 The bidder should develop, update and maintain log baselines for all platforms at the Bank. (E)
21 The bidder should maintain a knowledge base of alerts, incidents and mitigation steps. (E)
22 Evidence for any security incident should be made available for legal and regulatory purposes. (E)
23 The bidder should provide comprehensive system documentation, user guides and online help for devices. (E)
24 The bidder should ensure that events occurring at any of the devices/applications etc. are logged and displayed at the SIEM within 30 seconds of their occurrence. (E)
25 All solutions should be scalable as per the Bank's future requirements. (E)

Bidder Resources
26 All the resources provided for monitoring of the product and administration of the solution should be OEM certified. Certificates have to be submitted at the time of bidding. (E)
27 In case of exigencies, even during off-business hours/Bank holidays, the resources may be required to be present onsite. (E)
28 Personnel deployed in the Bank's premises shall comply with the Bank's Information Security Requirements. (E)
29 The SOC should be supported by 3 shifts for 24/7 operations, and the resources should be able to support and analyse the data received. (E)

Security Service Desk System
(Columns: Sl no. | Requirement | Available/need customization | Remark)

1 The tool should be customized with forms, fields and workflows corresponding to security monitoring, incident management, infrastructure and application baseline security, and secure commissioning of new servers and applications.
2 The service desk should be configured with escalation workflows.
3 The service desk should be a web-based portal with ready access to service requests.
4 The Bank should be able to generate reports on demand from the service desk portal.
5 The service desk should support concurrent login for at least three users.
6 A service request should contain at least the request number, description of the request, date and time of opening, update and closure, asset details for which the request has been opened, and action taken.
7 The service desk should have provision for escalation of incidents by Bank officials.
8 The service desk should be configured, maintained and updated to record all agreed-upon SLA breaches.
9 The Bank should be able to generate reports on demand from the service desk portal.

Annexure VIII
ICB Commercial Format for Managed Security Charges

Sr No | Description of Solution | Quantity (Q) | Cost for one year (to be filled by bidder) | Total Cost for 5 years (to be filled by bidder)
1 | Security Information and Event Management (SIEM) | 1 | Annual service cost (B) | = B x 5
1.1 | Application monitoring, including integration with addition in dashboard @ Rs. (R) per application | 20 | = R x Q | = B x 5
1.2 | Database monitoring, including integration with addition in dashboard @ Rs. (R) per database instance | 20 | = R x Q | = B x 5
1.3 | Network equipment monitoring, including integration with addition in dashboard @ Rs. (R) per network device | 20 | = R x Q | = B x 5
1.4 | Operating System monitoring, including integration with addition in dashboard @ Rs. (R) per operating system instance | 20 | = R x Q | = B x 5
2 | Web Application Firewall (WAF), on the Bank's premises (DC and DR) on a lease model including hardware, software, storage etc. (i.e. complete solution) | 1 | Annual service cost (B) | = B x 5
3 | Privilege Identity Management Solution (PIM), on the Bank's premises (DC and DR) on a lease model including hardware, software, storage etc. (i.e. complete solution) | 1 | Annual service cost (B) | = B x 5
4 | Other Security Services: Security Intelligence Services, Security Advisory Services and Risk Assessment Services as per the scope in the RFP | 1 | Annual service cost (B) | = B x 5
5 | Anti-Phishing, Anti-Trojan, Anti-Malware and Anti-rogue (for Mobile App) Services for in-scope websites and Mobile Apps | 1 | Annual service cost (B) | = B x 5
7 | Solutions for Monitoring, Reporting and Security Dashboard, for an unlimited number of Bank users | 1 | Annual service cost (B) | = B x 5
8 | Onsite resource | 1 | Annual service cost (B) | = B x 5
9 | Forensic investigation, unit rate @ Rs. (Z) | 12 incidents per year | 12 incidents per year | = Z x 12 x 5
10 | Charges for taking down a site/Mobile App, unit rate @ Rs. (Y) | 50 incidents per year | 50 incidents per year | = Y x 50 x 5
Total Cost of Ownership for the Project for 5 Years =

Note:
(a) The Bank may add further devices under the scope of the project at a future date. In case the Bank adds devices at a later date, it will be at no additional cost to the Bank.
(b) Charges for forensic investigation of 12 incidents per annum are taken for the purpose of calculating the TCO; however, actual payment shall be on a per-incident basis at the unit rate.
(c) Charges for bringing down 50 phishing sites/Mobile Apps per annum are taken for the purpose of calculating the TCO; however, actual payment shall be on a per-incident basis at the unit rate.
(d) Quantities mentioned are indicative only; actual quantities may vary.
(e) The bidder is to quote the total price excluding taxes. Taxes shall be payable extra on an actual basis.
(f) PIM will be considered as an application and WAF will be considered as a network device for the purpose of integration.