
UNION BANK OF INDIA
Central Audit & Inspection Department, IS Audit Cell

CORRIGENDUM
RFP for Outsourcing of IS Audit for 2012-13
Modified Eligibility Criteria & response/clarification to vendor queries

1. Modifications to Eligibility criteria clauses

Eligibility criteria, RFP clause:
Should have conducted two Information System audits of data centers and other IT Infrastructure of banks in India (including all the following aspects), connected with a minimum 1000 branches, in any of the past three years:
a) Vulnerability assessment of servers/security equipment/network equipment;
b) External attack and penetration test of equipments exposed to outside world through internet;
(Conduct of audit of any one activity will not make the bidder eligible to participate)
c) should have conducted application audit of Core Banking Solution in at least one Bank with a minimum 1000 branches;

Eligibility criteria, modified RFP clause:
Should have conducted two Information System audits of data centers and other IT Infrastructure of banks in India (including all the following aspects), connected with a minimum 1000 branches, in any of the past five years:
a) Vulnerability assessment of servers/security equipment/network equipment;
b) External attack and penetration test of equipments exposed to outside world through internet;
(Conduct of audit of any one activity will not make the bidder eligible to participate)
c) should have conducted application audit of Core Banking Solution in at least one Bank with a minimum 1000 branches;

2. RFP clause:
Vendor should be having an average annual turnover of Rs. 50 (fifty) crore or more for each of the last three financial years.
Modified RFP clause:
Vendor should be having an average annual turnover of Rs. 5 (five) crore or more for each of the last three financial years.

Bank's response / clarifications to vendor queries
(Each entry gives the Sr. No., the RFP clause reference and clause, the bidder's query, and the Bank's response/clarification.)

1. Application Audit / Pg. 10 - Application Audit
   Query: As per our understanding bank will provide UAT environment similar to production setup for application audit.
   Response: Bank will provide test environment as per requirement.

2. Application Audit / Pg. 10 - Application Audit
   Query: Kindly provide us detail of all applications covered under application audit (i.e. name of application, role, OS, database etc.).
   Response: Please refer to "Point No. 4.1 III. Application Audit" for details. Each application has multiple servers as per its hardware architecture and the systems use different databases also. All the components of the systems are listed in the RFP under Point No. 3 Section III Systems Description.

3. Application Audit / Pg. 10 - Application Audit
   Query: Will we be provided with the BRS / SRS / CR / Application documentation for application audits?
   Response: Such documents, as per availability, will be shared with the finally selected vendor.

4. Scope of Work Related to IS Audit / Point VII / Pg. 12 - Risk Analysis
   Query: Kindly provide detail of location-wise assets (i.e. people, process, technology etc.) to be covered under this activity.
   Response: Please refer to Point No. 3 Section III Systems Description.

5. Annexure I / Pg. 31 - List of Assets / Processes to be covered for IS Audit under this RFP
   Query: Kindly provide detail of hardware assets (i.e. application servers, database servers, network devices, router, firewall etc. hosted in Primary Data Center, DR Site Data Center, Near DR Site Data Center and outside Data Center etc.) covered under IS Audit.
   Response: This information will be shared with the finally selected vendor.

6. Annexure I / Pg. 31 - List of Assets / Processes to be covered for IS Audit under this RFP
   Query: Kindly provide details of hardware assets with respective locations, and detail of applications/systems hosted outside the data center to be covered under IS Audit.
   Response: Systems Description is given in Point No. 3 Section III Systems Description.

7. Annexure I / Pg. 31 - List of Assets / Processes to be covered for IS Audit under this RFP
   Query: Do we need to conduct onsite audit for applications/systems located outside the data center?
   Response: Yes. The Vendor has to conduct onsite Audit for applications/systems located outside the Data Center.

8. Annexure I / Pg. 31 - List of Assets / Processes to be covered for IS Audit under this RFP
   Query: For DR Site Bangalore and Near DR Site Mumbai, can we conduct application audit and VAPT remotely from Bank's location in Mumbai?
   Response: It is proposed that while VA can be performed remotely from Bank's location, PT should be done from outside.

9. Annexure I / Pg. 31 - List of Assets / Processes to be covered for IS Audit under this RFP
   Query: As per our understanding bank will provide dedicated desktop/laptop with preloaded applications (i.e. MS Office etc.) with access to resources (i.e. application system, Internet etc.) required for IS Audit team members.
   Response: Bank will provide sitting space with telephone facility. The selected vendor has to bring their laptops with all the required applications like MS Office and other tools for conducting Audit. Internet access will not be provided; vendor has to make their own arrangements. Need-based access to Bank's applications may be given subject to Internal Security Clearance.

10. Annexure I & II / Pg. 31 & 32 - VAPT
   Query: Kindly provide total number of internal and external/public IP addresses to be covered under VAPT. Also provide details of static/dynamic web pages for each application covered under VAPT.
   Response: Such information will be shared with the finally selected Vendor.

11. Annexure I & II / Pg. 31 & 32 - VAPT
   Query: Do we need to conduct configuration audit for network and security devices (i.e. switches, routers and firewalls) also? Kindly provide details of devices (i.e. location-wise IP address detail).
   Response: Configuration Audit of devices should be conducted on a test-check basis. Details of the devices will be shared with the finally selected vendor.

12. Annexure I & II / Pg. 31 & 32 - Penetration Testing
   Query: Kindly provide number of public IP addresses against which PT is to be conducted. Will bank allow us to conduct PT from our office via Internet?
   Response: Such information will be shared with the finally selected Vendor. The PT should be conducted from outside.

13. Annexure I & II / Pg. 31 & 32 - VAPT
   Query: (1) Number of cycles for VAPT; (2) Type of testing required (i.e. grey box, black box).
   Response: The VAPT has to be conducted once for all the systems in one audit cycle. PT includes, among other things, both grey box and black box testing.

14. Annexure I & II / Pg. 31 & 32 - VAPT
   Query: What will be the time slot within the day given to us to carry out VAPT?
   Response: Such tests should be planned in consultation with Bank's team and need to be conducted in specified slack hours, like after midnight.

15. NA
   Query: What is the timeline for execution of Audit?
   Response: The service provider will submit estimated time for IS Audit in their response. Ideally IS Audit (excluding Compliance Audit) should be completed in 2 months' time.

16. NA
   Query: What lead time will bank allow the bidder for start of project from the date of PO/Work Order?
   Response: The selected vendor should commence Audit within a week from the date of PO.

17. 4.2 / Pg. 12 - Automated Continuous 100% Transaction Audit
   Query: As per our understanding bidder has to prepare scope document and suggest tool for ACT; bank will be finally deciding on procurement and implementation of same.
   Response: Please be guided by the details given under point number 4.2. Procurement and implementation are excluded from the scope.

18. 4.3 / Pg. 13 - CAATs
   Query: As per our understanding bidder has to prepare scope document and suggest tool for ACT; bank will be finally deciding on procurement and implementation of same.
   Response: Please be guided by the details given under point number 4.3. Procurement and implementation are excluded from the scope.

19. Section V: Term of Execution / Pg. 13 - "The service provider should submit a detailed plan clearly indicating the tentative dates and estimated time for IS Audit of each phase/system."
   Query: As per our understanding the same needs to be submitted by the successful bidder before execution of project.
   Response: Please refer to "Format V: Proposed methodology and work plan", which needs to be submitted by all the bidders giving timelines etc.

20. Section V: Term of Execution / Pg. 14 - "The assignment will be for conducting audit on time. Bank, at its option, will review and entrust the assignment either in full or in part subsequently."
   Query: As per our understanding the first line is to be read as "The assignment will be for conducting audit one time".
   Response: The assignment will be for conducting a one-time Audit, which should be done on time. The Compliance Audit should be performed after the IS Audit.

21. NA
   Query: Is there any restriction on running freeware tools?
   Response: The selected vendor should procure and use only legally licensed tools without any recourse to Bank.

22. Annexure I / Pg. 31 - Systems housed outside Data Centre / "MICR Centers and manages clearing houses at six centers viz., Pune, Jamshedpur, Salem, Anand, Belgaum and Kota. MICR Pune to be audited on sample basis."
   Query: As per our understanding we need to audit only Pune location on sample basis; audit and onsite visit to the rest of the locations is not required.
   Response: Bank's Information Systems located in Mumbai, Bangalore, Ernakulam, MICR Centre at Pune, Cheque Truncation System at Delhi and outsourced Mobile Banking systems at Chennai should be audited onsite.

23. Annexure I / Pg. 31 - Systems housed outside Data Centre / Point Of Sale (POS) terminals
   Query: Kindly clarify the scope of audit for POS terminals.
   Response: POS terminals are connected to the service provider's switch. The switch and connectivity are under scope of Audit. The Audit of end terminals is to be done on sample basis, covering different models.

24. 4.1 I (Scope of Work Related to IS Audit)
   Query: We assume that the source code review will not exceed more than 5 applications. Please confirm if our assumption is correct.
   Response: Source Code Review is not within the scope of this tender. Hence the Vendor need not do any Source Code Review.

25. 4.1 I (Scope of Work Related to IS Audit)
   Query: We assume that the requirements for "Application Review" are similar to the requirements mentioned in Section 4.1 III Application Audit. Please clarify if our understanding is correct.
   Response: Application Review is nothing but Application Audit, for which the scope is specified in 4.1 III.

26. 4.1 I (Scope of Work Related to IS Audit)
   Query: Please list the total number of vendors in scope for performing the Review of Outsourced Activities.
   Response: Details of the outsourced activities are given under point no. 3 Section III: System Description, which may please be referred.

27. 4.1 III (Application Audit)
   Query: The RFP mentions that "The scope further includes Audit of all the Applications used by the Bank". Please provide the indicative list of applications in scope for this activity.
   Response: Please refer to point no. 4.1 III for the indicative list of Applications.

28. Scope of Planning for VAPT
   Query: Please provide the number of units in scope w.r.t. the following devices: networking devices, operating system devices, databases, and security and management devices.
   Response: Bank is having approximately 20 IT Security devices, 50 Network devices, 195 servers and 16 public IPs.

29. Scope of Planning for PT
   Query: Whether VA can be performed for a sample of 10% of the units mentioned in the above query.
   Response: VA has to be conducted for all the Information Systems used by the Bank.

30. Application Penetration Testing
   Query: Is authenticated (post-login) testing expected?
   Response: PT will include authenticated testing as well as grey and black box testing.

31. Application Penetration Testing
   Query: Number of pages (include sub-modules if any).

32. Application Penetration Testing
   Query: Number of privilege levels (include sub-modules if any).

33. Application Penetration Testing
   Query: Application available on Internet or Intranet?

34. Application Penetration Testing
   Query: Is application web based or installable?

41. Internal Penetration Testing
   Query: Please indicate whether you would like us to test the web applications also as part of this test.

   Response to 31-34 and 41: The selected vendor has to carry out Penetration Testing for all applications, operating systems, database systems, security and management systems to check for vulnerabilities like logical access, backdoor traps, password guessing using password cracking tools, IP spoofing, buffer overflows, session hijacks, account spoofing, frame spoofing, caching of web pages, cross site scripting, SQL injection, server authentication procedure etc.

35. Application Penetration Testing
   Query: Application protocol: HTTP based / others?

36. External Penetration Testing
   Query: How many external IP addresses should be tested?

37. External Penetration Testing
   Query: How many of the above IP addresses host a web application?

   Response to 35-37: Other details like IP addresses and application protocols will be shared with the finally selected vendor.

38. External Penetration Testing
   Query: Please indicate whether you would like us to test the web applications also as part of this test.
   Response: Web applications are included for penetration test.

39. Internal Penetration Testing
   Query: Number of internal IP addresses in scope.

40. Internal Penetration Testing
   Query: How many of the above IP addresses host a web application?

   Response to 39-40: Other details like IP addresses and application protocols will be shared with the finally selected vendor.

42. Internal Penetration Testing
   Query: Are all the IP addresses mentioned accessible from a single location, or do we have to travel to each location to perform the test?

43. Wireless Penetration Testing
   Query: Provide the details of the buildings which have separate wireless networks.

44. Wireless Penetration Testing
   Query: Please give the physical location of the wireless networks.

   Response to 43-44: Bank is using wireless LANs in DIT building at Powai, Mumbai and in Central Office building at Nariman Point, Mumbai.

45. 2.1 - "Bidder should be in net profit in at least two years out of last three financial years."
   Query: We request Bank to change the net profit to operating profit, as observed in many other Union Bank RFPs, the said clause reading "The bidder should have operating profit at least during last three financial years i.e. 2009-10, 2010-11 and 2011-12". Request Bank to consider our request for operating profit.
   Response: Regretted. Please be guided by RFP terms.

46. 2.1 - "Bidder should have conducted two Information System audits of data centers and other IT Infrastructure of banks in India (including all the following aspects), connected with a minimum 1000 branches, in any of the past three years:"
   Query: We request Bank to amend the said clause as "2 reference customers in BFSI in last 5 years". Sify also has in-house expertise, as we have done VA on servers, network and security devices.
   Response: Regretted. Please be guided by RFP terms.

47. 2.1 - "Bidder should have conducted application audit of Core Banking Solution in at least one Bank with a minimum 1000 branches;"
   Query: We request Bank to also include Internet Banking (retail and corporate internet banking web applications) in last 5 years in the said clause.
   Response: Regretted. Please be guided by RFP terms.

48. Vulnerability Assessment
   Query: Number of servers / devices to be tested onsite / offsite.
   Response: VA has to be conducted for all the Information Systems used by the Bank.

49. Vulnerability Assessment
   Query: Number of locations that need to be covered.
   Response: Bank's Information Systems located in Mumbai, Bangalore, Ernakulam, MICR Centre at Pune, Cheque Truncation System at Delhi and outsourced Mobile Banking systems at Chennai.

50. Application Security Test
   Query: Number of applications to be subjected to the audit.
   Response: All applications that are in use by the bank as described under point no. 3 Section III System Description.

51. Application Security Test
   Query: Number of thick clients / thin clients subjected to the audit.
   Response: Bank is not using any thin clients.

52. Application Security Test
   Query: Number of dynamic and static pages for each application.

53. Application Security Test
   Query: Number of input fields (approx.) for each application.

54. Penetration Test
   Query: Number of external IPs to be tested (external public IP addresses are expected).
   Response: Approximately 16 public IPs.

55. Technical Audit (Configuration Review for Servers)
   Query: Number of database servers / web servers / application servers / other servers to be audited.
   Response: All systems that are in use by the bank as described under point no. 3 Section III System Description. The total number of servers is approximately 195.

56. Network Security Architecture Review (Configuration Review for Devices and Network Security Design)
   Query: Number of network devices to be audited.
   Response: The description of the network is available under point no. 3 Section III Systems Description. The approximate number is 50 network devices in DC and DR.

57. Mobile Application Security Test
   Query: Number of locations to be covered.
   Response: Bank's Information Systems located in Mumbai, Bangalore, Ernakulam, MICR Centre at Pune, Cheque Truncation System at Delhi and outsourced Mobile Banking systems at Chennai.

58. Mobile Application Security Test
   Query: Number of mobile applications to be subjected to audit.
   Response: Bank is using a single Mobile Banking Solution outsourced to FSS Tech, Chennai.

59. Mobile Application Security Test
   Query: Mobile application platform to be audited (e.g. Android, Symbian, Java etc.).
   Response: The application server is Unix based. However, the client application supports Symbian, Android, Java etc.

60. Code Review
   Query: Number of applications to be subjected to audit.

61. Code Review
   Query: Number of lines of code for each application.

   Response to 60-61: Source Code Review is not within the scope of this tender. Hence the Vendor need not do any Source Code Review.

62. Query: Platform on which the applications have been built (.NET, Java etc.).

63. Query: What is the scope of the IS audit in terms of locations? How many outstation locations have been considered at each phase of the audit?
   Response: Bank's Information Systems located in Mumbai, Bangalore, Ernakulam, MICR Centre at Pune, Cheque Truncation System at Delhi and outsourced Mobile Banking systems at Chennai.

64. Query: Can we have more clarity on the number of locations, in continuation to section 6.10?
   Response: Bank's Information Systems located in Mumbai, Bangalore, Ernakulam, MICR Centre at Pune, Cheque Truncation System at Delhi and outsourced Mobile Banking systems at Chennai.

65. Query: Are we expected to audit any vendors and/or third parties as a part of this assessment? If yes, can we have a list of the same?
   Response: Outsourced activities are listed under point no. 3.2 Outsourced Activities. In addition, Bank has outsourced monitoring of data center, network, IT security, mobile banking, ATM & ATM switch, and bank's website.

66. Query: As per Section V, point 1, do we need to quote the approach and effort for all 3 phases of audits?
   Response: The vendor's quote should be strictly as per Format VI Commercial Offer, wherein the items to be quoted are mentioned.

67. Query: Are the 3 phases broken up as per Section 3, i.e. Phase 1: Core Banking related Systems, Phase 2: Important Systems housed in Data Centre, Phase 3: Systems housed outside Data Centre?
   Response: Yes.

68. Query: Is the IS audit scope limited to the domains mentioned in Section 4.1 (I)?
   Response: Yes.

69. Query: Are we allowed to leverage best practices to customize the checklist for audit?
   Response: Selected Vendor is expected to use comprehensive checklists covering RBI guidelines, Govt. of India guidelines and industry standard best practices.

70. Query: Are the DR site and Data Center a part of the IS audit?
   Response: Yes.

71. Query: Is the risk assessment limited to information security, or does it also extend to financial and market risks?
   Response: Please refer to point no. 4, Section IV Scope of Work, Point VII.

72. Query: Is the scope of CAAT primarily for financial controls?
   Response: Bank intends to purchase CAAT tools for carrying out Information Systems Audit, the scope of which is given under Point No. 4.3 CAATs.

73. "Vendor should have conducted application audit of Core Banking Solution in at least one Bank with a minimum 1000 branches."
   Query: MIEL has conducted the application audit of Core Banking Solution in a Bank with 320 branches.
   Response: Regretted. Please be guided by RFP terms.

74. Query: Does UBI also require a follow-up audit?
   Response: The Selected Vendor has to carry out a Compliance Audit, the details of which are furnished under Point No. 5 Section V Terms of Execution of Work.

75. Query: Are the training requirements as per Section 4 (VI) throughout the duration of the audit, or just 1 single training program that will ensure knowledge transfer?
   Response: The Training includes providing on-the-job training to Bank's IS Audit team along with one structured classroom training for each Phase.

76. Query: Approximately how many information security policies, procedures and/or guidelines are we supposed to review?
   Response: Bank is having a single Information Security Policy, which needs to be reviewed along with other relevant policies and guidelines.

77. Query: Are we expected to change/modify/re-draft any new, missing or incorrect policies, procedures and/or guidelines?
   Response: The Selected Vendor has to suggest improvements for policies, procedures and guidelines based on audit findings, guidelines of RBI & Govt. of India and industry best practices.

78. Query: Will UBI allow sampling techniques to carry out the audit?
   Response: Sampling techniques will be allowed wherever required, except for VA.

79. Query: Is there a specific time limit for each phase to get the audit done?
   Response: The service provider will submit estimated time for IS Audit in their response. It is expected that IS Audit (excluding Compliance Audit) should be completed in 2 months' time.

80. 2.1 - "Vendor should be having an average annual turnover of Rs. 50 (fifty) crore or more for each of the last three financial years"
   Query: Request to consider the Rs. 50 crore turnover for the last 2 years.
   Response: The clause is modified as under: "Vendor should be having an average annual turnover of Rs. 5 (five) crore or more for each of the last three financial years".

81. 2.1 - "Service provider should be in net profit in at least two years out of last three financial years. Service provider should be having an average annual turnover of Rs. 50 (fifty) crore or more for each of the last three financial years"
   Query: Please clarify which years: 2008-09, 2009-10, 2010-11, 2011-12? In B Format II, page 23, it is mentioned as 2008-09, 2009-10, 2010-11.
   Response: The years are 2008-09, 2009-10, 2010-11.

82. 2.1 - "Should have conducted two Information System audits of data centers and other IT Infrastructure of banks in India (including all the following aspects), connected with a minimum 1000 branches, in any of the past three years: a) Vulnerability assessment of servers/security equipment/network equipment; b) External attack and penetration test of equipments exposed to outside world through internet; (Conduct of audit of any one activity will not make the bidder eligible to participate) c) should have conducted application audit of Core Banking Solution in at least one Bank with a minimum 1000 branches;"
   Query: Request you to please revise the time period and make it five (5) years instead of three (3) years.
   Response: The clause is modified as under: "Should have conducted two Information System audits of data centers and other IT Infrastructure of banks in India (including all the following aspects), connected with a minimum 1000 branches, in any of the past five years: a) Vulnerability assessment of servers/security equipment/network equipment; b) External attack and penetration test of equipments exposed to outside world through internet; (Conduct of audit of any one activity will not make the bidder eligible to participate) c) should have conducted application audit of Core Banking Solution in at least one Bank with a minimum 1000 branches;"

83. 4.1.I - "Source code review (wherever source code is available)"
   Query: Please provide the number of applications for code review; also we will require details of those applications, which are: 1. Name of applications; 2. Application technology and database; 3. Number of modules and pages/forms.
   Response: Source Code Review is not within the scope of this tender. Hence the Vendor need not do any Source Code Review.

84. 4.1.I - "Business process Review"
   Query: Please clarify the scope of work of Business Process Review with all lines of business.
   Response: Business process review covers all the business processes applicable to the different systems in use at the Bank.

85. 4.1.IV - "Evaluating completeness of procedures/guidelines documents"
   Query: Please mention which procedures/guidelines and documents are under the scope of work.
   Response: All the procedures/guidelines and documents that are related to information systems as described under "point no. 3. Section III. System Description."

86. 4.1.IV - "Evaluation of Hardware procurement and Maintenance Process."
   Query: Please clarify whether it is limited to IT only.
   Response: Yes, it is limited to IT only.

87. 4.1.III - "Review of all controls including boundary controls, input controls, communication controls, database controls, output controls, interface controls from security perspectives."
   Query: Please provide the list of applications, interfaces and type of interfaces.
   Response: Detailed description of Information Systems of the Bank is available under "Point 3. Section III: Systems Description".

4.1.II - "Vulnerability Assessment and Penetration Tests (VAPT)"
   Query: Please mention the exact count of servers, routers, switches and other devices under VAPT. In the annexure, application names are mentioned, but we need the exact count of devices in each application, which is not provided.
   Response: Approximately there are about 20 IT Security devices, 50 Network devices in DC & DR, and 195 servers.

4.1.II
   Query: Will the bank provide remote connection from Mumbai in order to connect to servers and other devices outside Mumbai?
   Response: Remote connection will not be provided.

88. Query: Please let us know the physical location of devices and servers also.
   Response: Mumbai, Bangalore, Ernakulam, Pune, Chennai, Delhi.

Clause 2.1.v
Query: Section 2.1.v requires the service provider to have conducted IS Audit of data center and other IT infrastructure of banks, connected with a minimum of 1000 branches, in the past three years around the areas of vulnerability assessment, external attack & penetration test and application audit of Core Banking Solution. We understand the review of the core banking solution to be more functional and hence would request that the criterion for the minimum number of branches (1000) be waived for us to apply.
Response: Regretted. Please be guided by RFP terms.

Sr. No. 89
Query: Please clarify the objective of the source code review.

Sr. No. 90
Query: Please provide the details of the applications, including their names, size and span, that would fall under the scope of the source code review.

Response (89 and 90): Source Code Review is not within the scope of this tender. Hence the Vendor need not do any Source Code Review.

Sr. No. 91
Query: We understand that Annexure I provides a broader category of applications used by the bank. Please provide the detailed list of applications along with a brief note on their respective functionalities.
Response: Description of Information Systems of the Bank is available under "Point 3, Section III: Systems Description" of RFP.

Sr. No. 92
Query: Please provide the below mentioned details to facilitate appropriate effort estimation on our part:
- Number of application and database servers for all the applications mentioned in Annexure I
- List and number of network devices for the Enterprise network
- Number of IPs to be covered as part of Network Penetration Testing
- Number of servers / network devices to be covered as part of Vulnerability Assessment
- List and locations of vendors to whom Information Technology / Information Security related work has been outsourced
Response: Description of Information Systems of the Bank is available under "Point 3, Section III: Systems Description" of RFP. Other details will be shared with the finally selected vendor. 50 Nos. of Network devices in DC & DR. 16 Public IPs. Details of the outsourced activities are given under Point No. 3, Section III: System Description, which may please be referred. In addition, Bank has outsourced monitoring of datacenter, network, IT security, mobile banking, ATM & ATM switch, and bank's website.

Sr. No. 93
Query: We understand that Vulnerability Assessment / Penetration Testing will be conducted only once during this project. Please clarify whether our understanding is correct.
Response: VAPT should be carried out once only for different Information Systems during one audit cycle.

Sr. No. 94
Query: We understand that the application audit will be done using a risk based audit approach. Please clarify if this understanding is correct.
Response: Application Audit is not based on a Risk Based Audit approach. The vendor has to carry out application audit as per the details provided under "Point No. 4, Section IV: Scope of Work".

Sr. No. 95
Query: Does the bank have an existing checklist/template for conducting the IS Audit? If yes, would it be correct to assume that this checklist will be shared with the selected vendor?
Response: Checklists are not available with the bank. The vendor has to share their formats, checklists, scoring sheets, scripts, audit accelerators etc. that will be used during the process of IS Audit with the Bank.

Sr. No. 96
Query: What is the bank's expectation around the following scope items: adherence to legal and statutory requirements; business process review; review of effectiveness and efficiency of the applications?
Response: All the legal and statutory requirements that are relevant to information systems are within the scope of Audit. Business process review covers all the business processes applicable to different systems in use at the Bank. The Vendor has to review the effectiveness and efficiency of applications with reference to the Bank's business goals.

Sr. No. 97
Query: We understand that we are expected to visit various locations for the IS audit. Request you to please provide the list of bank offices and their respective locations which will fall under the scope of the IS Audit.
Response: Bank's Information Systems are located in Mumbai, Bangalore, Ernakulam, MICR Centre at Pune, Cheque Truncation System at Delhi and outsourced Mobile Banking systems at Chennai.

Sr. No. 98
Query: Are the vendors who provide outsourced services to the bank working within the bank's environment and control? If not, please provide details on the list of vendors, their locations and the specific services provided that are relevant to the IS audit scope.
Response: Details of the outsourced activities are given under Point No. 3, Section III: System Description, which may please be referred. In addition, Bank has outsourced monitoring of datacenter, network, IT security, mobile banking, ATM & ATM switch, and bank's website.

Sr. No. 99
Query: We understand that we are not required to visit vendor locations for the purpose of the IS Audit for outsourced activities. Please clarify if this understanding is correct.
Response: No. The selected vendor has to visit outsourced vendor locations for conducting IS Audit.

Sr. No. 100
Query: We understand that the overseas branch at Hong Kong is hosted from the bank's datacenter and is also under CBS. Is this a separate instance of the core banking solution?
Response: Yes, it is a separate instance.

Sr. No. 101 | Page 6, Section III
Query: Please tell us more about your technical evaluation methodology.
Response: Evaluation of technical proposals will be carried out as per the details given under Point No. 6.11, Evaluation Procedure.

Sr. No. 102 | Page 7: "As a part of providing Value Added Services (VAS), Bank has tied up with some broking companies whereby the customers can do online trading of their shares and also with many other service providers to facilitate online utility bill payment, tax payments, e-commerce, etc."
Query: Since Core Banking has Value Added Services applications running, as part of the IS Audit, are these applications also involved? If so, are third party devices present in the DC, DR and Near Site premises?
Response: The value added services mentioned are part of Internet Banking. Value added services in the core banking application are also under the scope of IS Audit. There are no connected third party devices in DC, DR and Near Site except for network connectivity.

Sr. No. 103 | Page 7: "IT Security Setup, consisting of multiple layered firewalls, Network based and Host based intruder detection systems, Network Intrusion Prevention System, two factor authentication systems, antivirus systems, Patch Management system, Network Access Control systems etc. Bank has also created VLANs, ..."
Query: For IS Audit and VA/PT on servers and devices in DC and DR, do we have a plan for a scheduled assessment and testing period, since the devices involved in VA/PT will be in the production environment? If there is any performance degradation during the assessment, do we have any options in place to resolve the thresholds?
Response: Such tests have to be planned in specified slack hours and in consultation with the user department, so that the tests cause least inconvenience.

Sr. No. 104 | Page 7, II. Important Systems housed in Data Centre: "Bank has implemented an Enterprise Application Integration system (middleware) to seamlessly integrate Core Banking system with other applications like Union Parivar, SWIFT, Treasury package etc. DR site for EAI is under development and is ..."
Query: Since the DR site for EAI is under development, what is the expectation for DR site assessment of under-development tools and apps in the context of IS Audit and VAPT?
Response: It is expected that the DR site will be fully operational by December 2012. Hence the selected vendor has to conduct IS Audit of the fully operational DR after December 2012.

Sr. No. 105 | Page 8, Matched Fund Transfer Price (MFTP): "Bank has purchased three modules of Oracle Financial Services Analytical Application (OFSAA) viz. Fund Transfer Pricing, Profitability Management and Asset Liability Management and the same is under implementation. The FTP module enables scientific transfer pricing of internal movement of funds and the Profitability Management module would enable computation of profitability under various dimensions after cost / income allocation. This would facilitate ..."
Query: If the MFTP is involved in VAPT and IS Audit, do we have a buffer or schedule for the production Oracle servers?
Response: Currently the MFTP solution is under implementation and is expected to go live by December 2012. Hence the vendor has to carry out IS Audit of the MFTP solution, which includes VAPT of live servers.

Sr. No. 106 | Page 8, III. Systems housed outside Data Centre: "Bank has established MICR Centres and manages clearing houses at six centres viz., Pune, Jamshedpur, Salem, Anand, Belgaum and Kota. Bank established a web based system for distribution of the clearing and ECS data to the member banks."
Query: Any plan of including the sites outside the DC which process MICR?
Response: The vendor has to audit one of the MICR centres, i.e. the Pune centre, on a test check basis.

Sr. No. 107 | Page 9, Outsourced Activities: "Bank has a Credit Card system, which is outsourced to VIGPL for providing end to end services. The services mainly include issuance & maintenance of cards, maintaining credit card host for controlling transactions, providing VAP and MIP connectivity and complying with the VISA and Master mandates, PIN Security, Billing and reconciliation thereof, providing interfaces with Bank for facilitating interaction through Bank's Call centre and also for facilitating withdrawal of Cash through ATMs."
Query: What will be the scope of outsourced devices such as card processing and POS (Point of Sale) terminals under Audit and VAPT?
Response: The vendor has to review the various services provided by the outsourced vendors. POS terminals are connected to the switch. As such, the switch and network are under the scope of work. The end terminals have to be audited on a sample basis, covering different models.

Sr. No. 108 | Page 11, Application Audit: "The scope further includes Audit of all the Applications used by the Bank (FINACLE, KASTLE, LAS, MIS, etc.)"
Query: Application audit involves parameter checks, SQL injection tests, etc., and may involve buffer overflow and application instability during testing. Do we have a schedule and backup of the apps involved in the application audit?
Response: To carry out various tests the timelines have to be fixed in consultation with the user department, so that the test causes least inconvenience.

Sr. No. 109 | Page 31, Annexure I: Systems housed outside Data Centre
Query: What is the scope of the systems housed outside DC in this IS Audit?
Response: The scope will be as mentioned in Point 4, Section IV: Scope of Work.

Page 11, IV: "SOW also includes ... Procedure / guidelines document"
Query: List of documents and number of pages for each document is required for effort estimation.
Response: All the procedures/guidelines and documents that are related to information systems as detailed under "Point No. 3, Section III: System Description" of RFP have to be reviewed.

Sr. No. 110 | Page 12, VI. Training for IS Audit Team
Query: Total number of the IS Audit team and number of trainings required.
Response: The IS Audit team consists of five officers. The training includes providing on the job training to the Bank's IS Audit team along with one structured classroom training for each phase.

Sr. No. 111 to 113 | Page 13, Section V: Previous audit findings verification; Compliance Audit for verification / confirmation
Query: How many observations were reported in 2010 & 2011? What is the maximum defined period by which the bank will communicate to carry out the compliance audit?
Response: 2010-11: 668 observations; 2011-12: 825 observations. The user departments are expected to rectify and close the observations within 45 days, after which the compliance audit will start immediately.

Sr. No. 114 | Page 31, Systems placed outside DC
Query: Will we have to visit each location, or will connectivity be provided to conduct the system audit? What about physical security audit for these systems?
Response: Bank's systems are located at Mumbai, Bangalore, Ernakulam, Chennai, Delhi and Pune. The vendor has to visit these places to conduct IS Audit, which includes auditing of physical controls also.

Sr. No. 115
Query: The eligibility criteria do not state that the service provider should be a CERT-In empanelled auditing organisation. (We may mention here that CERT-In is the nodal agency for Cyber Security in India under the Information Technology Act and has empanelled auditing organisations for rendering such services.)
Response: CERT-In empanelment is desirable for this tender.

Sr. No. 116
Query: The turnover criterion is Rs. 50 Crore. It seems that this would favour only specific parties which may not specialise in IS Audit and whose major activities (including turnover) are from areas other than IS Audit. We recommend that the turnover should be kept as Rs. 5 Crore in the area of Information Security.
Response: The clause is modified as under: "Vendor should be having an average annual turnover of Rs. 5 (five) crore or more for each of the last three financial years."

Sr. No. 117
Query: List of location wise servers.
Response: All the components of the systems are listed in the RFP under Point No. 3, Section III: Systems Description. The servers are located across Mumbai, Bangalore, Chennai, Ernakulam, Pune and Delhi.

Sr. No. 118
Query: Operating system and database platforms used by the bank across Data Centre / Disaster Recovery sites.
Response: We have listed the various applications and systems used by the Bank in the RFP under Point No. 3, Section III: Systems Description. Each application has multiple servers as per its hardware architecture. Each of the systems uses different databases too. All the systems listed are under the scope of IS Audit.

Sr. No. 119
Query: Are they owned by the bank or outsourced to some vendor?
Response: While the Data Center at Mumbai is owned by the Bank, the Disaster Recovery site is located in Reliance Data Center at Bangalore.

Sr. No. 120
Query: List of applications (along with brief functionality of the applications) for which code review is needed.
Response: Source Code Review is not within the scope of this tender. Hence the Vendor need not do any Source Code Review.