
Upload: dothuy

Post on 30-Jun-2018


RFP for IS Audit of CBS DC, DRS etc for Allahabad Bank & Allahabad UP Gramin Bank Page 1 of 94

ALLAHABAD BANK
Information System Audit Cell
Head Office - Inspection Department
2nd Floor, 14, India Exchange Place,
Kolkata – 700 001
West Bengal, India

RFP No.: HO/ISA/F-101/0182 Dated: 26/02/2018

Request for Proposal (RFP)
For
Information System Audit & VAPT of
Data Center / Disaster Recovery Site / Core Banking Solution / Delivery Channels / Cheque Truncation System / Financial Inclusion Setup / Integrated Treasury / Payment Gateway / ATM Switch etc.
and
all New and Proposed IT Solutions and Setups
of
Allahabad Bank and Allahabad UP Gramin Bank

OBJECTIVES

ALLAHABAD BANK, a leading Public Sector Bank having its Head Office at Kolkata, with almost 3400 branches & offices, has implemented key technology solutions like Core Banking System (CBS), Internet Banking (e-banking), onsite / offsite ATMs, RTGS, SFMS, NEFT, Integrated Treasury & Forex, FI, CTS, UPI, Mobile Banking, AEPS etc. Similarly, its sponsored RRB viz. Allahabad UP Gramin Bank, having its head office at Banda and over 650 branches & offices, has also migrated its entire banking operations to the CBS platform.

While Allahabad Bank has implemented the “B@ncs24” software of M/s Tata Consultancy Services Ltd as its Core Banking Solution, Allahabad UP Gramin Bank has implemented the “Finacle” software from M/s Infosys.

The Primary Data Centre & CBS Office of Allahabad Bank is located at Navi Mumbai, with the Disaster Recovery (DR) setup at Lucknow. Likewise, the Primary Data Centre & CBS Project Office of Allahabad UP Gramin Bank is located at Lucknow, with the DR setup at Bangalore.

The Branches and Zonal Offices / Regional Offices of both Banks are connected to their respective CBS networks through a mix of technologies viz. Leased Line (through Network Aggregation Points, i.e. NAPs), VSAT, RF and MPLS cloud.

Both Allahabad Bank and Allahabad UP Gramin Bank aim to leverage centralized solutions to support their growing business, improve operational efficiency, strengthen multi-delivery channels and enhance focus on customer service, with a commitment to create a Customer Centric Organization.

This RFP seeks to engage a CERT-In empanelled Information Systems Audit firm which has the capability and experience to conduct a comprehensive Information Systems Audit of the critical IT infrastructure of the Bank and its sponsored RRB and to make appropriate recommendations, as stated under the Scope of Work.

This RFP is meant for the exclusive purpose of bidding as per the terms & conditions and specifications indicated herein. It shall not be transferred, reproduced or otherwise used for purposes other than for which it is specifically issued.

TABLE OF CONTENTS

Section  Subject                               Page No
I        Invitation for Bid (IFB)                   4
II       Instruction to Bidders (ITB)               7
III      Conditions of Vendor Selection (CVS)      21
IV       Conditions of Procurement (CP)            29
V        Annexures and Formats                     64

SECTION-I
INVITATION FOR BID (IFB)

REF NO: HO/ISA/F-101/0182 DATE: 26/02/2018

1. ALLAHABAD BANK intends to conduct Information Systems Audit & VAPT of the CBS infrastructure and associated IT Systems implemented in the Bank and in its sponsored Regional Rural Bank viz. Allahabad UP Gramin Bank, through CERT-In empanelled reputed IS Audit firms. Details of the activities to be carried out are defined in Section IV of this Bid document under the head “Condition of Procurement” (Scope of Work for IS Audit & VAPT). The scope of the Audit is subject to modification as required at any time prior to finalization of the Audit. The purpose of this RFP is to solicit proposals from qualified bidders for the IS Audit & VAPT assignment of CBS & allied infrastructure as per the Scope defined in this Bid document.

2. ALLAHABAD BANK invites sealed Technical Bids & Online Commercial Bids from eligible bidders for the IS Audit assignment.

3. The Contract shall be valid for a period of two years and performance shall be reviewed after one year. The Bank reserves the right not to continue with the contract for the second year if the performance of the bidder is not satisfactory. The contract dates would be decided mutually upon the commencement of the project.

4. If the selected bidder withdraws its proposal after selection or at the time of finalization of the contract, or is disqualified on detection of wrong or misleading information in the proposal, the Bid Security will be forfeited.

5. The complete RFP has also been published at the Bank’s official website www.allahabadbank.in & the Bank’s present E-Tender website www.tenderwizard.com for the purpose of downloading, and applications made on such a form shall be considered valid for participating in the tender process.

6. A bidder who has downloaded the RFP from the above website is required to submit a non-refundable fee of Rs. 4,000/- (Rupees Four Thousand only) in the form of a Demand Draft or Banker’s Cheque drawn in favor of Allahabad Bank payable at Kolkata, at any time up to the last date and time of submission of bids, failing which the bid of the concerned bidder will not be entertained.

7. Any bidder who is willing to participate in the Pre-bid meeting must purchase the bid documents first, through online payment or in the form of a Demand Draft or Banker’s Cheque; otherwise they will not be allowed to participate in the pre-bid meeting. Bidders or their representatives can participate in the pre-bid meeting to be held on 05th March 2018 at Head Office, IS Audit Cell, 2nd Floor, 14 India Exchange Place, Kolkata – 700 001.

8. Bidders are required to submit the Technical Bid in physical form, whereas the Indicative Commercial Bid (ICB) is required to be submitted / uploaded online through the e-Tendering process only, on or before the last date and time mentioned in the RFP. The language of the Bid should be English.

9. A complete set of the Request for Proposal (RFP) can also be obtained from the following address during office hours on all working days between 10 A.M. and 4 P.M., either in person or by post, on submission of a written application along with a non-refundable fee of Rs. 4,000/- (Rs. Four Thousand only) (Rs. 500/- extra in case of request by Courier) in the form of a Demand Draft or Banker’s Cheque drawn in favor of Allahabad Bank payable at Kolkata. The facility of on-line submission of the non-refundable fee is also available. Any proposed bidder can submit the cost of the RFP on-line through Account No. 50198579666 having IFSC Code: ALLA0210032 and produce the UTR No. or Journal No. of the said transaction for procurement of the RFP Form.

Any communications in this regard should be addressed to:

The Chief Manager,
Allahabad Bank, IS Audit Cell,
2nd Floor, 14 India Exchange Place,
Kolkata – 700001, India
Phone No. +91-33-22622287
Email: [email protected]

10. The Bid Details are as follows:

10.1  Bid reference: Ref no: HO/ISA/F-101/0182 dated 26/02/2018
10.2  Price of RFP: Rs. 4,000/- (Rupees Four thousand only)
10.3  Courier Charges (if applicable): Rs. 500/- (Rupees Five Hundred only)
10.4  Bid Security Amount: Rs. 2,00,000/- (Rupees Two Lakh only)
10.5  Date of Commencement of sale of RFP: 26th February 2018 / 16:00 hrs.
10.6  Date and time for Pre-bid Conference: 5th March 2018 / 15:00 hrs.
10.7  Place of Pre-bid Conference: Allahabad Bank, IS Audit Cell, 2nd Floor, 14 India Exchange Place, Kolkata – 700001, India; Phone No. +91-33-22622287; Email: [email protected]
10.8  Last Date and time for sale of RFP: 15th March 2018 / 14:00 hrs
10.9  Last Date and time for submission of completed BID documents (both Technical & Indicative Commercial): 15th March 2018 / 15:00 hrs
10.10 Date and time of opening of Technical Bids: 15th March 2018 / 16:00 hrs.
10.11 Date and time of opening / downloading and Reverse Auction of the Indicative Commercial Bids: To be notified suitably to the Technically Qualified Bidders
10.12 Place of submission & opening of Bids: Allahabad Bank, IS Audit Cell, 2nd Floor, 14 India Exchange Place, Kolkata – 700001, India
10.13 Address for communication: Allahabad Bank, IS Audit Cell, 2nd Floor, 14 India Exchange Place, Kolkata – 700001, India; Phone No. +91-33-22622287; Email: [email protected]

11. The Technical Bid and Online Commercial Bid must be submitted giving full particulars within the time period specified above.

12. All bids must be accompanied by a bid security as specified in the RFP and must be delivered at the above office on or before the specified date and time indicated above.

13. Technical Bids will be opened as per the schedule specified in the RFP, in the presence of the bidders’ representatives who choose to attend. Technically qualified bids will be taken up for further processing, and the Indicative Commercial Bids (ICB) of only the technically qualified bidders will be opened.

14. Evaluation of the Commercial Bid: The lowest (L1) price arrived at on evaluation of the ICBs, or any price lower than the same as the Bank may decide, will be fixed as the ceiling price. All the qualified bidders will be advised for the reverse auction process. Details of the Reverse Auction Process are mentioned in Annexure-XIV.

15. Only bidders who are technically qualified in terms of the relative Terms & Conditions of the RFP, accept the Business Rules, Terms & Conditions of the Reverse Auction and submit the undertaking and nomination form as per the prescribed format in Annexure-XV can participate in the Reverse Auction related to the procurement for which the RFP is floated. The date & time of commencement of the Reverse Auction and its duration shall be communicated to the eligible Bidders a maximum of a week prior to the Reverse Auction date.

16. in the presence of their representatives on a specified date and time, which will be notified separately.

17. No further discussion / interface will be granted to bidders whose bids have been technically disqualified.

18. Non-attendance at the Bid opening will not be a cause for disqualification of a bidder.

19. Allahabad Bank reserves the right to accept or reject, in part or in full, any or all the offers without assigning any reasons whatsoever.

20. Interested bidders may obtain further information from Allahabad Bank, IS Audit Cell, Head Office, 2nd Floor, 14, India Exchange Place, Kolkata-700001, India.

(Debjeet Barua)
Chief Manager – IS Audit
Allahabad Bank

SECTION II
INSTRUCTION TO BIDDERS (ITB)

INDEX

S. No.  Subject                                            Page No
1       Introduction                                            8
2       Eligibility Criteria                                    8
3       Conflict of Interest                                   10
4       Two Bid Systems Tender                                 10
5       Non-Transferable Tender                                12
6       Alternative Offers                                     12
7       Erasures & Alterations                                 12
8       Cost of Bidding                                        12
9       Contents of RFP                                        12
10      Clarification of RFP                                   12
11      Pre-Bid Meeting                                        12
12      Amendment of RFP                                       13
13      Language of Bid                                        13
14      Bid Security                                           13
15      Disclaimer                                             14
16      Format & Signing of Bids                               14
17      Submission of Bids                                     14
18      Validity of Bid                                        16
19      Last date and time for Submission of Bids              16
20      Late Bids                                              16
21      Modification & Withdrawal of Bids                      16
22      Bid Opening                                            17
23      Clarification of Bid                                   17
24      Preliminary Examination                                18
25      Evaluation of Bids & Determination of L1 Bidder        18
26      Contacting the Purchaser                               19
27      Post Qualification                                     19
28      Purchaser’s Right                                      20
29      Signing of Contract                                    20
30      No Commitment to Accept Lowest or Any Tender           20

SECTION II
Instruction to Bidders (ITB)

1. INTRODUCTION

1.1. Allahabad Bank, a body corporate established under the Banking Companies (Acquisition and Transfer of Undertakings) Act 1970, having its Head Office at 2, Netaji Subhas Road, Kolkata-700001, India, hereinafter called “The Bank” / “The Purchaser” interchangeably, which term or expression, unless excluded by or repugnant to the context or the meaning thereof, shall be deemed to include its successors and permitted assigns, intends to issue this bid document, hereinafter called Request for Proposal or RFP, to the vendors, hereinafter called “Bidder” / “Information Systems Auditor” / “Vendor” interchangeably, for the Information Systems (IS) audit and VAPT of the “Core Banking Solution” and related infrastructure including Network, Data Center and Disaster Recovery Site etc. implemented in Allahabad Bank and its sponsored RRB viz. Allahabad UP Gramin Bank, from eligible bidders satisfying the eligibility criteria set out in the ensuing sections of this document.

1.2. This tender is meant for the exclusive purpose of bidding as per the terms & conditions and specifications indicated. It shall not be transferred, reproduced or otherwise used for purposes other than for which it is specifically issued.

1.3. The contents of this RFP are, for all intents and purposes, final. However, the Bank reserves the right to make changes in requirements / scope, and the same will be communicated to the bidders well in advance so as to allow the bidders sufficient time to prepare their proposals.

2. ELIGIBILITY CRITERIA

Before submitting the bid, the bidder must ensure that it fulfils the following eligibility criteria.

2.1 The bidder must submit a detailed statement of facts and profile of the company, including official website details, along with the bid (Enclose Annexure – I (a)).

2.2 The bidder should be a Government organization / Public sector unit / Partnership firm / Limited Company / Private Limited Company having its Registered Office in India. Relevant documents of registration should be submitted as part of the proposal. For the purpose of this bid, no consortium will be acceptable. (Enclose Annexure – I (b)).

2.3 The bidder organization should have been in existence for at least the last 3 years as on the last date of bid submission. The bidder should be empanelled by CERT-In as an IS Audit Organization as on the date of the RFP. Since the current CERT-In empanelment is valid up to 31st March 2018, bidders are also required to submit proof that they have applied for fresh empanelment with CERT-In. However, if the auditor is de-empanelled by CERT-In after the expiry of the current empanelment (i.e. 31st March 2018), the contract will stand terminated. (Related documents should be submitted as part of the proposal.) (Enclose Annexure – I (b)). Fresh documentary evidence of CERT-In empanelment is to be provided to the Bank if it decides to extend the order for the next year.

2.4 The bidder should have a minimum turnover of Rs. 1.50 Crores (Rupees One Crore Fifty Lacs) from Information Security / System audit / Vulnerability Assessment & Penetration Testing / System review related activities (from operations in India) during each of the last three financial years, i.e. F.Y. 2014-15, 2015-16 and 2016-17.

2.5 Audited Balance Sheets and Profit & Loss Account reports for the last 3 (three) financial years shall be submitted along with the BID. Organizations where a balance sheet / P&L A/c are not prepared should submit audited Income / Expenditure & Cash Flow statements for the last three years. (Enclose Annexure – I (c)).

2.6 Bidders should have a positive net worth for each of the last 3 financial years (2014-15, 2015-16 and 2016-17).

2.7 The bidder should have made net profits in succession for the past 3 years. The relevant documents are to be submitted as part of the proposal. (Enclose Annexure – I (c)).

2.8 Bidders should have at least 3 years’ experience in the field of IS Audit & VAPT and should have carried out similar work in Government organizations / PSUs / Banks.

2.9 The bidder should not currently be blacklisted by any Govt. Department / PSU / PSE / RBI / IBA or nationalized Bank. A self-declaration (Annexure XII) to that effect should be submitted along with the Technical Bid. (Enclose Annexure – I (d)).

2.10 To ensure audit independence, the bidder should not, during the past three years, have been a vendor / consultant to Allahabad Bank for the supply / installation of Hardware / Software components, or have been involved in implementing the Security & Network infrastructure of the Bank, either directly or indirectly through a consortium; IS Audit Services are excluded from this restriction. (Enclose Annexure – I (d)).

2.11 The Bidder should not have conducted IS Audit & VAPT of Allahabad Bank during the last two years.

2.12 The Core Audit team assigned for the IS Audit of the Auditee should have at least 5 (FIVE) qualified professionals with qualifications such as CGEIT (Certified in the Governance of Enterprise IT), CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CCNA (Cisco Certified Network Associate), CCNE (Certified Cisco Network Engineer), ISO 27001 / BS7799 Lead Auditor, OCM (Oracle Certified Master) & OCP (Oracle Certified Professional), out of which at least 2 persons should be CISA qualified (including the team leader for the proposed project). The bidder must ensure that the key project personnel to be deployed in this project have been actively involved, with live experience, in similar projects in the past. Bidders should provide information about such key project personnel who are proposed to be part of the IS Audit team along with the Bid Document. The bidder should ensure that the members of the Core Audit team are actively involved in the conduct of the Audit throughout the period of the contract. (Enclose Annexure – I (e), Annexure III & Annexure IV). Any change in the team deployed for the project should be advised to the Bank at least one month in advance.

2.13 All members proposed by the bidder, as above, should be employees on the rolls of the bidding Organization. No part of the engagement shall be outsourced by the selected bidder to third-party vendors. (Enclose Annexure – I (e), Annexure III and Annexure IV).

2.14 The bidder should have conducted a minimum of two IS Audits of Data Centre / DRS etc. during the last three years, out of which at least one audit should be of a Bank in India. The proposal should include certificates stating successful completion of the mentioned audit engagements. The conduct of IS Audit as mentioned above should include:
i. Vulnerability assessment of servers / security equipment / network equipment.
ii. External attack and Penetration Test of equipment exposed to the outside world through the internet.
iii. Verification of compliance of systems and procedures as per the Organization’s IT Security Policy / guidelines.
(Individual conduct of any one of the activities stated above (i-iii) will not be counted as an IS Audit of Data Center / DRS in totality.)
(Enclose Annexure – I (f), Annexure II)

2.15 The bidder should have successfully conducted Product Audits of Banking Application Software / Modules running in Banks. (Enclose Annexure – I (f)).

3. CONFLICT OF INTEREST

ALLAHABAD BANK requires that the selected bidder provide professional, objective and impartial advice, at all times hold ALLAHABAD BANK’s interests paramount, strictly avoid conflicts with other assignment(s) / job(s) or their own corporate interests, and act without any expectation / consideration of award of any future assignment(s) from ALLAHABAD BANK. Without limitation on the generality of the foregoing, a selected bidder (including its personnel) having a business or family relationship with a member of ALLAHABAD BANK’s staff who is directly or indirectly involved in any part of (i) the preparation of the terms of reference of the assignment / job, (ii) the selection process for such assignment / job, or (iii) supervision of the contract, may not be awarded a contract unless the conflict stemming from such a relationship has been resolved in a manner acceptable to ALLAHABAD BANK throughout the selection process and the execution of the contract. Employees of ALLAHABAD BANK shall not work as, for, or be a part of the firm / company of the selected service provider.

4. TWO BID SYSTEM TENDER

Bidders are required to submit the Technical Bid in physical form, whereas the Indicative Commercial Bid is required to be submitted online on or before the last date and time mentioned in the RFP. The language of the Bid should be English.

4.1 A separate Technical Bid, duly sealed and superscribed ‘BID for IS Audit - Technical’, shall be submitted as per the bid details given in the RFP.

4.2 The bidder also has to submit a soft copy of the complete technical bid in MS-Word 2003 / 2007 format on a CD superscribed “Soft Copy of Technical Bid against RFP: HO/ISA/F-101/0182 Dated: 26/02/2018” along with the technical bid. The bidder must not furnish the soft copy of the commercial bid in the envelope meant for Technical Bid submission.

4.3 The bidder will take care to submit the Bid properly filed and duly numbered so that the papers are in order and not loose. Bids which are not sealed as indicated above are also liable for rejection.

4.4 A tender not submitted in the prescribed format or submitted incomplete in details is liable for rejection. The Purchaser is not responsible for non-receipt of a Bid within the specified date and time due to any reason, including postal delays or holidays.

4.5 The Bidder has to submit the Technical and/or Commercial bid for any one or all of the Setups: a) Allahabad Bank Vertical – I (Part – I A of Condition of Procurement - CP), b) Allahabad Bank Vertical – II (as per Part – I B of CP) and c) Allahabad UP Gramin Bank (as per Part – II of CP). Any bidder can bid for all three setups or for any one or two setups. Non-participation in all three bids will not be a cause for disqualification of a bidder, but participation in the bid for at least one setup is compulsory.

4.6 Technical Bid (to be submitted in a sealed envelope)

a) The technical bid will be evaluated for technical suitability as well as for other terms and conditions. Previous experience, methodology, professional skill sets available and allocated for the project, number / nature of projects handled by the bidder for the Indian Banking sector and Public Sector Banks in particular, etc. will be taken into consideration while evaluating the technical bid.

b) It is mandatory to provide the technical details in the exact format of the technical specifications given in the RFP. Correct technical information on the Audit methodologies being offered must be filled in. Filling in the information using terms such as “OK”, “Accepted”, “Noted”, “Compliance” is not acceptable. The Purchaser reserves the right to treat offers not adhering to these guidelines as unacceptable.

c) All the formats as specified in Annexures I (a) to I (f), II, III, IV, VI, VII, X, XII, XIV & XV need to be filled in exactly as per the proforma given, and any deviation is likely to be a cause for rejection of the bid. The relevant information regarding IS Audits of CBS DC, DRS etc. conducted by the bidder should be submitted along with the offer. Non-submission or partial submission of the information along with the offer would result in disqualification of the bid of the concerned bidder.

d) The Purchaser shall not allow / permit changes in the technical bid once it is submitted and the date and time of submission are over.

e) The offer may not be evaluated by the Purchaser in case of non-adherence to the format or partial submission of technical details as per the format given in the offer.

f) The authorised person of the firm / company shall sign all the pages of the application with the seal of the company / firm.

g) If the application is made by a partnership firm, a certified copy of the partnership deed, the current address of the firm and the full names and current addresses of all the partners of the firm shall also accompany the application.

h) If the application is made by a limited company, it shall be signed by a duly authorised person holding the power of attorney for signing the application, in which case certified copies of the power of attorney, the certificate of incorporation and the Memorandum and Articles of Association shall accompany the application.

i) Price of the RFP along with the courier charge (in case the RFP is downloaded and sent through courier).

j) The Bank may at its discretion abandon the process of selection of the IS Auditor at any time before notification of award.

k) The Technical Bid must not contain any price information.

l) The Technical Bid shall comprise:
i. Covering letter on the Company’s letterhead duly signed by the authorized signatory with name, title and seal (copy of the letter of Authorization to be submitted).
ii. Table of Contents (list of documents enclosed).
iii. Duly filled-up Annexures I (a) to I (f), II, III, IV, X, XII, XIV & XV with all the supporting documents as required in clause 2 of the ITB, i.e. the Eligibility Criteria stated above.
iv. Bid Form (Annexure VI).
v. Bid Security Form (Annexure VII) / Demand Draft.
vi. Power of Attorney of the authorized signatory.
vii. Price of the RFP along with the Courier Charge (in case the RFP is downloaded and sent through Courier).

4.7 The Bidder has to submit the on-line Indicative Commercial Bid.

5. NON-TRANSFERABLE TENDER

This tender document is not transferable. Only the bidder who has purchased this Tender in its name, or has submitted the necessary RFP price (for a downloaded RFP), will be eligible for participation in the evaluation process.

6. ALTERNATIVE OFFERS

Each bidder should submit only one Bid. Alternative offers will not be acceptable.

7. ERASURES OR ALTERATIONS

Offers containing unauthenticated erasures or alterations will not be considered. Therefore, there should be no unauthenticated hand-written material, corrections or alterations in the offer. If such erasures or alterations are present, they should be signed in full by the person or persons authorized to sign the bid. Any deviation may lead to rejection of the bid.

8. COST OF BIDDING:

The Bidder shall bear all the costs associated with the preparation and submission of its bid, and the Bank will in no case be responsible or liable for these costs, regardless of the conduct or outcome of the bidding process. Bids arriving beyond the stipulated time will not be accepted.

9. CONTENTS OF RFP:

9.1 The requirements, bidding procedures and contract terms are prescribed in the following:
a) Invitation for Bid (IFB)
b) Instruction to Bidders (ITB)
c) Condition of Vendor Selection (CVS)
d) Conditions of Procurement (CP)
e) Schedule of Requirements / Specifications / Formats

9.2 The Bidder is expected to examine all instructions, annexures, specifications, terms and conditions in the Bidding Document. Failure to furnish all information required by the RFP, or submission of a bid not substantially responsive to the RFP in any aspect, will be at the Bidder’s risk and may result in the rejection of its bid.

10. CLARIFICATION OF RFP:

A prospective bidder requiring any clarification of the RFP may notify the Purchaser in writing or by fax / e-mail at the Purchaser’s mailing address indicated in the Invitation for Bid (IFB). The Purchaser will respond in writing to any request for clarification of the RFP which it receives up to 2 (two) working days prior to the date of the Pre-Bid Meeting.

11. PRE-BID MEETING:

11.1 Prospective bidders who have purchased a copy of the RFP or submitted the bid price (for a downloaded RFP) may attend a pre-bid meeting, to be held as indicated in the Invitation for Bid (IFB), after publication of the RFP and well before the last date for receipt of bids. Up to a maximum of 2 (two) representatives of each prospective bidder will be permitted to attend the pre-bid meeting.

11.2 The purpose of the meeting is to clarify issues and to answer questions on any matter that may be raised up to that stage. The issues / questions to be raised must be in writing. The Purchaser will have the liberty to invite its technical consultant or any outside agency, wherever necessary, to be present in the pre-bid meeting to reply to the technical queries of the bidders in the meeting.

11.3 Any modification of the RFP which may become necessary as a result of the Pre-bid Meeting shall be made by the Purchaser exclusively through the issue of an Addendum, and will be sent to all prospective bidders who have purchased the RFP, allowing at least 3 days’ time prior to the last date for receipt of bids.

11.4 Non-attendance at the Pre-bid Meeting will not be a cause for disqualification of a bidder.

11.5 No costs incurred by the applicant in applying, in providing necessary clarifications or in attending discussions, conferences or site visits will be reimbursed by the Bank.

12. AMENDMENT OF RFP:

12.1 At any time prior to the last date and time for submission of bids, the Purchaser, for any reason, whether at its own initiative or in response to a clarification requested by a prospective Bidder, may modify the RFP by addendum.

12.2 All prospective Bidders who have purchased the RFP will be notified of the amendment in writing through the website, by fax or e-mail, or through an addendum, and the amendment will be binding on them.

12.3 In order to afford prospective Bidders reasonable time in which to take the amendment into account in preparing their bids, the Purchaser, at its discretion, may extend the last date and time for the submission of bids.

13. LANGUAGE OF BID:

The bid prepared by the Bidder, and all correspondence and documents relating to the bid exchanged between the Bidder and the Purchaser, shall be written in English.

14. BID SECURITY:

14.1 The bidder shall furnish as part of its bid, bid security of Rs.2,00,000/- (Rupees Two Lakh only). The bid security is required to protect the Purchaser against risk of the bidder’s conduct during the period of bid validity.

14.2 The bid security shall be denominated in INDIAN RUPEES only and shall be in any one of the following forms:

14.3 A bank guarantee issued by a Scheduled Indian Bank or a Foreign bank located in India in the Form (Annexure-VII) provided in the RFP and valid for forty five (45) days beyond the validity of the bid; or

14.4 A Demand Draft or Pay Order issued in favor of “Allahabad Bank” and payable at Kolkata.

14.5 Any bid not secured in accordance with ITB Clause-14.1 above will be rejected by the Purchaser as non-responsive.

14.6 The bid security may be forfeited if a Bidder withdraws its bid during the period of bid validity specified by the Bidder on the Bid Form.

14.7 The bid security of the unsuccessful bidders will be returned after the completion of the process, whereas the bid security of the finally selected bidder will be returned after the submission of the Performance Security (Annexure VIII).

14.8 In exceptional circumstances, the Purchaser may solicit the Bidders’ consent to an extension of the period of validity. The request and responses thereto shall be made in writing or by fax/e-mail. The bid security provided under ITB Clause-14.1 shall also be suitably extended. A bidder acceding to the request will neither be required nor be permitted to modify its bid. A bidder may refuse the request without forfeiting its bid security. In any case the bid security of the bidders will be returned after the completion of the process.

15 DISCLAIMER:

The Bank and/or its officers and employees disown all liabilities or claims arising out of any loss or damage, whether foreseeable or not, suffered by any person acting on or refraining from acting because of any information, including statements, information, forecasts, estimates or projections, contained in this document or conduct ancillary to it, whether or not the loss or damage arises in connection with any omission, negligence, default, lack of care or misrepresentation on the part of the Bank and/or any of its officers or employees.

16. FORMAT AND SIGNING OF BID:

16.1 The Bidder shall prepare two copies of the Technical bid, clearly marking “Original Bid” and “Copy Bid” as appropriate. In the event of any discrepancy between them, the Original shall govern. The original copy of the bid security should be submitted with the Original bid.

16.2 The Original bid and copy of the bid shall be typed or written in indelible ink and shall be signed by the Bidder or a person or persons duly authorised to bind the Bidder to the Contract. All pages of the Bid except for un-amended printed literature shall be signed by the person or persons signing the bid.

16.3 The bid shall contain no interlineations, erasures or overwriting except as necessary to correct errors made by the bidder, in which case such corrections shall be signed by the person or persons signing the bid.

17 SUBMISSION OF BID:

Bidders are required to submit the Technical Bid in physical form, whereas the Commercial Bid is required to be submitted online on or before the last date and time as mentioned in the RFP.

17.1 Submission of Technical Bid:

17.1.1 The Bidders shall seal the original Technical Bid and copy Technical Bid separately in two envelopes. Thus there will be two envelopes, named Original Technical Bid and Copy Technical Bid. If the above bids are found not properly sealed in their respective envelopes, the bid is liable for rejection.

17.1.2 The two envelopes for each Pack shall be marked as “ORIGINAL TECHNICAL BID” and “COPY TECHNICAL BID”.

17.1.3 In addition to the above marking, each envelope must be super-scribed with the following information:

i. RFP Reference Number.
ii. Technical Bid For IS Audit as Stated Above in Point No. 16.1.2.
iii. Do Not Open Before 15/03/2018 – 16:00 hrs.
iv. Name and Address of Bidder.

This will enable the Purchaser to return the bid unopened, in case it is declared unacceptable for any reason whatsoever.

17.1.4 The two envelopes thus sealed, containing the original & copy Technical Bid, may be put in an outer envelope, also sealed and super-scribed as stated above (ITB – 17.1.3), which shall be addressed to the Purchaser at the address given below:

The Chief Manager (IS Audit)
Allahabad Bank, 2nd Floor,
14 India Exchange Place
Kolkata – 700 001

17.1.5 If the envelopes are not sealed and marked as required, the Purchaser will assume no responsibility for the bid’s misplacement or premature opening. If the envelope earmarked as “Original Technical Bid” is found to contain the “Copy Technical Bid”, then that bid will be rejected.

17.1.6 Telex, Cable, Facsimile or E-mail Bids will be rejected.

17.1.7 The Bidders who have submitted Technical Bids in physical form are required to submit an ONLINE Indicative Commercial Bid as detailed in ITB - 17.2. The Bids of those bidders who fail to submit the ONLINE Commercial Bid as per ITB - 17.2 will not be considered for Technical Bid Evaluation.

17.1.8 The Bidders are also required to submit a Masked Indicative Commercial Bid (without price details) as per Annexure-V.

17.2 Submission of Online Indicative Commercial Bid (Online E-Tendering):

17.2.1 The Bank will adopt an e-Tendering process for online submission of the Indicative Commercial Bid. The service provider for the e-Tendering process is M/s Antares Systems Limited and the portal address for the same is www.tenderwizard.com/abbank, wherein the necessary details for the e-Tendering process are available. Only the commercial bid submitted online will be evaluated.

17.2.2 The Indicative Commercial Bids of only those bidders who qualify in the Technical evaluation will be opened / downloaded. The total cost will be calculated for each vertical separately. The Bidder shall not add any condition / deviation in the Indicative Commercial Bid. Any such condition / deviation may make the bid liable for disqualification.

17.2.3 The prospective Bidders are advised to submit only the Indicative Commercial Bids online. The following steps are to be taken for online submission of Indicative Commercial Bids:

17.2.4 Registration with Bidder Portal www.tenderwizard.com/abbank.

17.2.5 The Bidder should possess a valid Class III Digital Signature Certificate, which is a mandatory requirement. (Indicative Commercial Bids cannot be uploaded without a Digital Signature Certificate.)

17.2.6 In case of any clarification/assistance, the Bidder may contact the following representatives of M/s Antares Systems Ltd. before the scheduled time of Online Bid Submission.

Contact Persons:
Mr. Kushal Bose : 07686913157
Mr. Debraj Saha : 09674758721
Mr. Tousik Ghosh : 09674758724
E-mail: [email protected], [email protected], [email protected]

17.1.3 Bidders are required to do a Tender Request latest by 15:00 hrs on 15/03/2018 (Last Date and time of sale of RFP) at the portal www.tenderwizard.com/abbank. Without completing the tender request process within the said schedule, the bidder will not be able to submit the Commercial bid online.

17.1.4 The prospective Bidders are advised to ensure on-line submission of the Commercial Bid as per Bill of Material only in a single pdf file with name “Comm.pdf” of size less than 5MB, duly signed and stamped by the authorized signatory, latest by the last date and time of submission of Bids.

17.1.5 The Indicative and Final Commercial Bid should contain the Price Information only and is to be submitted strictly as per the format provided in Annexure - V.

18 VALIDITY OF BID

Bid shall remain valid for 180 days after the date of opening of Technical Bid prescribed by the Purchaser, pursuant to ITB clause-21. Therefore, the bid security will have to be submitted for a period of (180+45) days. A bid valid for a shorter period shall be rejected by the Purchaser as non-responsive.

19 LAST DATE AND TIME FOR SUBMISSION OF BID:

Bids must be received by the Purchaser at the address specified under IFB Clause 10.12 no later than the time and date specified in the IFB clause 10.9. In the event of the specified date for the submission of Bids being declared a holiday for the Purchaser, the bids will be received up to the appointed time on the next working day.

The Purchaser may, at its discretion, extend the last date and time for submission of Bids by amending the RFP in accordance with ITB Clause-12, in which case all rights and obligations of the Purchaser and Bidders previously subject to the last date and time will thereafter be subject to the last date and time as extended.

20 LATE BID:

Any bid received by the Purchaser after the last date and time for submission of bids prescribed by the Purchaser in the Invitation for Bid will be rejected and returned unopened to the Bidder.

21 MODIFICATION AND WITHDRAWAL OF BID:

21.1 The Bidder may modify or withdraw its bid after the bid’s submission, provided that written notice of the modification, including substitution or withdrawal of the bids, is received by the Purchaser prior to the last date and time prescribed for submission of bids.

21.2 The Bidder’s modification or withdrawal notice shall be prepared, sealed, marked and dispatched in accordance with the provisions of ITB Clause –17. A withdrawal notice may also be sent by fax/e-mail but followed by a signed confirmation copy, postmarked no later than the last date and time for submission of bids.

21.3 No bid may be modified subsequent to the last date and time for submission of Bids.

21.4 No bid may be withdrawn in the interval between the last date and time for submission of bids and the expiration of the period of Bid validity specified by the Bidder on the Bid Form. Withdrawal of the bid during this interval may result in the Bidder’s forfeiture of its Bid security, pursuant to ITB Clause – 14.8.

22 BID OPENING

22.1 The Purchaser will open only the Technical Bids as per the schedule mentioned in IFB clause 10.10. The opening of the Online Indicative Commercial Bids for technically qualified bidders will be notified suitably subsequent to the technical evaluation. The Purchaser will notify the opening of the Online Commercial bids to only the technically qualified bidders.

22.2 Attendance of all the authorized representatives of the bidders who are present at Bid Opening will be taken in a register against name, name of the company and with full signature.

22.3 The following details will be announced at the bid opening:

22.3.3 Bidder’s names
22.3.4 Bid Modifications or withdrawals
22.3.5 Bid Prices & Discounts if any (in case of Commercial bid opening)
22.3.6 Presence or absence of Bid Security (in case of Technical bid opening) and such other details as the Purchaser, at its discretion, may consider appropriate.

22.4 Alterations in the bids, if any, made by the bidder / companies would be signed legibly to make it perfectly clear that such alterations were present on the bids at the time of opening. It would be ensured that alterations are signed by the bidder/company’s executive who has signed the bid or by the bidder/company’s authorized representative.

22.5 Wherever any erasing or cutting is observed, the substituted words would be encircled and initialed by the bank officer singly, and the fact that such erasing / cutting of the original entry was present on the bid at the time of opening will be recorded.

22.6 An “on the spot statement” giving details of the bids opened and other particulars as read out during the opening of the bids will be prepared.

22.7 Bids (and modifications sent pursuant to ITB Clause-21.2) that are not opened and read out at Bid opening shall not be considered further for evaluation, irrespective of the circumstances. Such Bids will be returned unopened to the Bidders.

22.8 Indicative Commercial bids of those bidders who have not been technically qualified will not be opened for further evaluation.

22.9 The Bidders who have submitted Technical Bids in physical form are required to submit an ONLINE Indicative Commercial Bid as detailed in ITB - 17.2. The Bids of those bidders who fail to submit the ONLINE Indicative Commercial Bid will not be considered for Technical Bid Evaluation.

23 CLARIFICATIONS OF BID:

To assist in the scrutiny, evaluation and comparison of offers, the Purchaser may, at its discretion, ask some or all bidders for clarification of their offer. The request for clarification and the response shall be in writing, and no change in the price or substance of the bid shall be sought, offered or permitted.

24 PRELIMINARY EXAMINATION:

24.1 The Purchaser will examine the bids to determine whether they are complete, whether any computational errors have been made, whether required sureties have been furnished, whether the documents have been properly signed and whether the bids are generally in order.

24.2 The bids should be signed by a duly authorized representative of the bidder. Documentary evidence in support thereof is to be submitted along with the bid, if applicable.

24.3 Arithmetical errors, if any, will be rectified on the following basis:

24.3.3 If there is a discrepancy between the unit price and the total price that is obtained by multiplying the unit price and quantity, the unit price shall prevail and the total price shall be corrected.

24.3.4 If there is a discrepancy between words and figures, the amount in words will prevail.

24.4 If the bidder does not accept the correction of errors as per ITB clause 22.4 & ITB Clause 22.5, its bid will be rejected.

24.5 The Purchaser, at its discretion, may waive any nonconformity or irregularity in a Bid which does not prejudice or affect the relative ranking of any Bidder. This shall be binding on all bidders and the Purchaser reserves the rights for such waivers.

24.6 Prior to the detailed evaluation, pursuant to ITB Clause-25, the Purchaser will determine the substantial responsiveness of each bid to the RFP. For purposes of these clauses, a substantially responsive bid is one which conforms to all the terms & conditions of the RFP without material deviations. Deviations from or objections or reservations to critical provisions such as those concerning Bid Security, Performance Security, Warranty, Force Majeure, Applicable Law and Taxes & Duties will be deemed to be material deviation. The Purchaser’s determination of a Bid’s responsiveness is to be based on the contents of the Bid itself without recourse to extrinsic evidence.

24.7 If a Bid is not substantially responsive, it will be rejected by the Purchaser and may not subsequently be made responsive by the bidder by correction of the non-conformity.

25 EVALUATION OF BIDS & DETERMINATION OF L1 BIDDER

The Purchaser will evaluate and compare the bids which have been determined to be substantially responsive, pursuant to ITB Clause-24. Allahabad Bank in its sole/absolute discretion can apply whatever criteria it deems appropriate in determining the responsiveness of the proposal submitted by the respondents. The Bank may reject any/all proposals at any stage without assigning any reason thereof.

25.1 Evaluation of Technical Bids:

The Technical Bids opened pursuant to ITB Clause-22 will be evaluated by the Purchaser on the basis of the following criteria:

a) Meeting of the eligibility criteria as stated in ITB clause 2.

b) Completeness of the Technical bid in all respects and availability of all information/details asked for vide ITB Clause-3.5.

c) Full responsiveness & commitment of the bidder towards scope and deliverables as per RFP.

d) Experience, expertise & capabilities of the IS Auditor to meet all the requirements specified in this document for undertaking the various IS Audit assignments of the Bank.

25.2 Evaluation of Commercial Bids & Determination of L1 Bidder (through Reverse Auction Process)

The Indicative Commercial Bids (ICBs) of only technically qualified bidders pursuant to ITB Clause 25.1 will be opened and evaluated by Allahabad Bank, and the evaluation will take into account the following factors:

25.1.1 The Commercial Bid (post reverse auction) would be evaluated based on Total Cost of Audit as per Annexure V.

25.1.2 The lowest (L1) price arrived at on evaluation of the ICBs, or any price lower than the same as the Bank may decide, will be fixed as the ceiling price. All the qualified bidders will be advised for the reverse auction process. Details of the Reverse Auction Process are mentioned in Annexure-XIV.

25.1.3 The commercial bids of all technically qualified bids will be evaluated (post reverse auction) and compared among themselves to determine the lowest evaluated Bid.

25.1.4 Evaluation will not be based on any conditional/additional discount.

25.1.5 The L1 (Lowest) bidder will be decided on the basis of Total Cost of Audit as submitted by the technically qualified bidders through Online Commercial Bids as per the format provided in Annexure –V pursuant to ITB Clause- 16.2 of RFP.

25.1.6 L1 bidders will be selected for a) Allahabad Bank Vertical – I, b) Allahabad Bank Vertical – II and c) Allahabad UP Gramin Bank.

25.1.7 Bidders shall be considered separately as L1 bidder for each vertical.

25.1.8 It should be noted that the L1 bidder for Allahabad UP Gramin Bank will be selected separately based on the L1 quote. If the same bidder comes L1 in both verticals, the Bidder will be offered to choose one of the verticals. For the left-out vertical, the L2 Bidder will be asked to match the L1 quote in that vertical. In case the L2 Bidder fails to match the L1 quote, the L3 Bidder will be asked to match the L1 quote. In case of disagreement by both the L2 & L3 Bidders, a separate bid will be invited for that particular vertical.

25.1.9 The prevailing Purchase preference policy of the Government of India for Public Sector Enterprises (PSE), if any, will be applicable. Preference will be given to PSEs at the lowest acceptable price.

25.1.10 Failure or refusal to offer the services/goods at the price committed through the Online Commercial Bid shall result in forfeiture of the Bid Security and/or Performance Security to the Bank.

26 CONTACTING THE PURCHASER:

26.1 No Bidder shall contact the Purchaser on any matter relating to its Bid, from the time of the bid opening to the time of final selection of the vendor.

26.2 Any effort by a Bidder to influence the Purchaser in the Purchaser’s bid evaluation, bid comparison or contract award decisions may result in the rejection of the Bidder’s bid.

27 POST QUALIFICATION:

27.1 In the absence of pre-qualifications, the Purchaser will determine to its satisfaction whether the Bidder selected is qualified to perform the contract.

27.2 The determination will take into account the Bidder’s financial and technical capabilities. It will be based upon an examination of the documentary evidence of the Bidder’s qualifications submitted by the Bidder, as well as such other information as the Purchaser deems necessary and appropriate, including details of experience and records of past performance.

27.3 An affirmative determination will be a prerequisite for selection. A negative determination will result in rejection of the Bidder’s bid.

28 PURCHASER’S RIGHT:

28.1 The Purchaser reserves the right to accept or reject any bid, and to annul the bidding process and reject all bids at any time prior to award of Contract, without incurring any liability to the affected Bidder or Bidders or any obligation to inform the affected Bidder or Bidders of the grounds for the Purchaser’s action. The Bank reserves the right to modify any terms, conditions and specifications of the RFP.

28.2 The Bank reserves the right to obtain revised price bids from the bidder with regard to changes in RFP clauses or if the Bank is not satisfied with the price offered.

28.3 The Bank reserves the right to accept any Bid in part or whole.

29 SIGNING OF CONTRACT:

29.1 At the time when the Purchaser notifies the Bidder that its bid has been accepted, the Purchaser will send the Bidder the Contract Form (Annexure-IX) provided in the RFP, incorporating all agreements between the parties.

29.2 The bidder shall sign and date the contract and return it to the Purchaser along with the required Performance Security within 21 (Twenty One) days of receipt of the Contract Form.

29.3 The Bank reserves the right to select the next ranked bidder if the selected bidder withdraws its proposal after selection or at the time of finalization of the contract, or is disqualified on detection of wrong or misleading information in the proposal.

29.4 In case the bidder fails to comply with ITB Clause 29.1 and 29.2, or in case the bidder withdraws its proposal after selection as per ITB Clause 29.3, the bid security of the bidder will be forfeited.

29.5 The Bank will initially execute the IS Audit contract for a period of ONE year with the successful L1 bidder. On completion of the first year of Audit, the Bank may, at its discretion, renew the order for IS audit for the second year at the same price as quoted in the Commercial Bid, subject to satisfactory performance by the bidder in the first year.

30 NO COMMITMENT TO ACCEPT LOWEST OR ANY BID

30.1 The Purchaser shall be under no obligation to accept the lowest or any other offer received in response to this tender notice and shall be at liberty to reject any or all offers, including those received late or incomplete offers, without assigning any reason whatsoever.

30.2 The Purchaser reserves the right to make any changes in the terms and conditions of the purchase.

30.3 The Purchaser will not be obliged to meet and have discussions with any vendor and/or to listen to any representations.

SECTION III

CONDITIONS OF VENDOR SELECTION (CVS)

I N D E X

S. No.  Subject                                   Page No
1       Definition                                22
2       Governing Language                        22
3       Applicable Law                            22
4       Notices                                   22
5       Performance Security                      22
6       Vendor’s Integrity                        23
7       Vendor’s Obligation                       23
8       Project Management                        23
9       Use of Contract Documents and Information 23
10      Patent Rights                             23
11      Force Majeure                             24
12      Termination for Convenience               24
13      Resolution of Disputes                    24
14      Contract Amendment                        24
15      Award of Contract                         24
16      Assignment                                25
17      Corrupt or Fraudulent Practices           25
18      Project Schedule                          25
19      Terms of Payment                          26
20      Indemnity                                 26
21      Change of Order                           26
22      Delay in Vendors Performance              26
23      Liquidated Damage                         27
24      Taxes & Duties                            27
25      Site Readiness                            27
26      Delivery Schedule                         27
27      Order Cancellation                        27
28      Publicity                                 28

SECTION III

Conditions of Vendor Selection (CVS)

1. DEFINITION:

(a) “The Contract” means the Contract entered into between the Purchaser and the vendors, as recorded in the Contract Form signed by the parties, including all the attachments and appendices thereto and all documents incorporated by reference therein.

(b) “The Solution/Services” means the IS Audit Services which the vendor is required to provide to the Purchaser in terms of the contract between the vendor and the Purchaser under the Contract.

(c) “The Purchaser” means Allahabad Bank.

(d) “The Vendor” means the firm selected by the Purchaser for providing IS Audit services.

(e) “Day” means calendar day.

2 GOVERNING LANGUAGE:

The governing language of the contract shall be English. All correspondence and other documents pertaining to the Contract which are exchanged by the parties shall be written in this language.

3. APPLICABLE LAW:

The contract shall be interpreted in accordance with the laws prevalent in India.

4. NOTICES:

Any notice given by one party to the other pursuant to this Contract shall be sent to the other party in writing or by cable/fax/email and confirmed in writing to the other party’s address specified below:

Purchaser: Allahabad Bank,
Information System Audit Cell,
Head Office, 2nd Floor,
14 India Exchange Place,
Kolkata – 700 001

Vendor: To be filled in at the time of contract signing.

A notice shall be effective when delivered or on the notice’s effective date, whichever is later.

5 PERFORMANCE SECURITY:

5.1 The selected vendor has to furnish performance security (Annexure – VIII) to the Purchaser for 5% of the Bid Value at the time of signing of the contract.

5.2 The performance security should be furnished to the Head Office of the Purchaser.

5.3 The performance security is required to protect the Purchaser against risk of the selected vendor’s conduct during the Contract period.

5.4 The performance security shall be denominated in INDIAN RUPEES only and shall be of the following form:

5.4.1 A bank guarantee issued by a Scheduled Indian Bank or a Foreign bank located in India in the Form (Annexure-VIII) provided in the RFP.

5.4.2 The Performance Security will be valid for 27 months from the date of signing the contract.

5.4.3 The Performance Security of the vendor may be invoked in case of failure of the vendor to meet the requirements of the Bank under the RFP.

5.4.4 The format of the said Performance Security is enclosed as Annexure VIII of Section V (Schedule of Requirements).

6 VENDOR’S INTEGRITY:

The vendor is responsible for and obliged to conduct all contracted activities in accordance with the contract, exercising all means available to achieve the performance specified in the contract.

7 VENDOR’S OBLIGATIONS:

7.1 The vendor is obliged to work closely with the Purchaser, act within its own authority and abide by directives issued by the Purchaser during the IS Audit activities.

7.2 The vendor is responsible for managing the activities of its personnel and will hold itself responsible for any misdemeanors.

7.3 The vendor is under obligation to provide IS Audit services as per the contract to various Offices of the Bank.

7.4 The vendor will treat all data and information about the Purchaser, obtained in the execution of its responsibilities, in strict confidence and will not divulge such information to any other party without the prior written approval of the Purchaser.

8 PROJECT MANAGEMENT:

The Bank and the vendor will each nominate a Project Manager immediately on acceptance of the order, who will be the single point of contact for the Project. However, for escalation purposes, details of other persons will also be given.

9 USE OF CONTRACT DOCUMENTS AND INFORMATION:

9.1 The Vendor shall not, without the Purchaser’s prior written consent, disclose the Contract or any provision thereof or any specification, plan, drawing, pattern, sample or information furnished by or on behalf of the Purchaser in connection therewith, to any person other than a person employed by the Vendor in the performance of the Contract. Disclosure to any such employed person shall be made in strict confidence & shall extend only as far as necessary for purposes of such performance.

9.2 The Vendor shall not, without the Purchaser’s prior written consent, make use of any document or information except for purposes of performing the Contract.

9.3 Any document, other than the Contract itself, shall remain the property of the Purchaser and shall be returned (in all copies) to the Purchaser on completion of the Vendor’s performance under the Contract if so required by the Purchaser.

10 PATENT RIGHT:

10.1 The Vendor shall indemnify the Purchaser against all third party claims of infringement of patent, trademark or industrial design rights arising from use of the Software package or any part thereof in India and abroad.

10.2 In the event of any claim asserted by a third party of infringement of copyright, patent, trademark or industrial design rights arising from the use of the solution or any part thereof in India and abroad, the Vendor shall act expeditiously to extinguish such claims. If the Vendor fails to comply and the Purchaser is required to pay compensation to a third party resulting from such infringement, the Vendor shall be responsible for the compensation including all expenses, court costs and lawyer fees. The Purchaser will give notice to the Vendor of such claims, if made, without delay.

11 FORCE MAJEURE:

11.1 The vendor shall not be liable for forfeiture of its Performance Security, liquidated damages or termination for default, if and to the extent that its delay in performance or other failure to perform its obligations under the contract is the result of an event of Force Majeure.

11.2 For purposes of this clause, “Force Majeure” means an event beyond the control of the vendor, not involving the Vendor’s fault or negligence and not foreseeable. Such events may include, but are not restricted to, acts of the Purchaser in its sovereign capacity, wars or revolutions, fires, floods, epidemics, quarantine restrictions and freight embargoes.

11.3 If a Force Majeure situation arises, the Vendor shall promptly notify the Purchaser in writing of such condition and the cause thereof. Unless otherwise directed by the Purchaser in writing, the Vendor shall continue to perform its obligations under the Contract as far as is reasonably practical, and shall seek all reasonable alternative means for performance not prevented by the Force Majeure event.

12 TERMINATION FOR CONVENIENCE:

The Purchaser, by written notice sent to the vendor, may terminate the Contract, in whole or in part, at any time for its convenience. The notice of termination shall specify that termination is for the Purchaser’s convenience, the extent to which performance of work under the Contract is terminated and the date upon which such termination becomes effective.

13 RESOLUTION OF DISPUTES:

13.1 The Purchaser and the vendor shall make every effort to resolve amicably, by direct informal negotiation, any disagreement or dispute arising between them under or in connection with the Contract.

13.2 If, after thirty (30) days from the commencement of such informal negotiations, the Purchaser and the vendor have been unable to resolve amicably a Contract dispute, either party may require that the dispute be referred for resolution to the formal mechanisms. These mechanisms may include, but are not restricted to, conciliation mediated by a third party, adjudication in an agreed national forum and/or national arbitration.

14 CONTRACT AMENDMENT:

No variation in or modification of the terms of the Contract shall be made except by written amendment signed by the parties.

15 AWARD OF CONTRACT:

The Bank intends to invite the bids for both the auditee locations simultaneously and stipulates as under:

15.1 L1 bidders will be selected for a) Allahabad Bank Vertical – I, b) Allahabad Bank Vertical – II and c) Allahabad UP Gramin Bank.

15.2 Bidders shall be considered separately as L1 bidder for each vertical.

15.3 If the same bidder stands as L1 bidder for both the verticals, i.e. Allahabad Bank Vertical – I and Allahabad Bank Vertical – II, the option will be given to that bidder to choose between the two verticals. Then for the remaining vertical the Bank may permit the L2 Bidder to match their quote with the L1 bidder’s quote. In case the L2 Bidder fails to match the L1 quote, the option will be given to the L3 bidder.

15.4 No such restriction applies on rates quoted for Allahabad UP Gramin Bank.

16 ASSIGNMENT:

The vendor shall not assign, in whole or in part, its obligations to perform under the Contract,

except with the Purchaser’s prior written consent.

17 CORRUPT OR FRAUDULENT PRACTICES:
17.1 As per CVC directives, it is required that Bidders/Suppliers/Contractors observe the highest standard of ethics during the procurement and execution of such contracts. In pursuance of this policy:
17.1.1 “Corrupt practice” means offering, giving, receiving or soliciting anything of value to influence the action of a public official in the procurement process or in contract execution; and
17.1.2 “Fraudulent practice” means a misrepresentation of facts in order to influence a procurement process or the execution of a contract to the detriment of the Purchaser, and includes collusive practice among Bidders (prior to or after bid submission) designed to establish bid prices at artificial, non-competitive levels and to deprive the Purchaser of the benefits of free and open competition.
17.2 The Purchaser will reject a proposal for award if it determines that the Bidder recommended for award has engaged in corrupt or fraudulent practices in competing for the contract in question.
17.3 The Purchaser will declare a firm ineligible, either indefinitely or for a stated period of time, to be awarded a contract if at any time it determines that the firm has engaged in corrupt or fraudulent practices in competing for, or in executing, a contract.

18 PROJECT SCHEDULE:
The selected vendor has to depute its officials at a convenient place, as decided by IS Audit Cell, HO, within 10 days from the date of signing of the contract, for holding a formal kick-start meeting. During the said meeting the vendor has to give a brief technical overview / presentation regarding the technical methodology being adopted by them to conduct the said audit, the list of tools to be used, details of the core audit team etc.
The vendor has to maintain the schedule / time frame as mentioned below:
• The time frame for completion of Phase I of the project would be a maximum of 8 weeks from the kick-start meeting mentioned above.
• The time frame for completion of Phase II would be a maximum of 2 weeks.
• An exercise to review the compliance with the findings and recommendations of the IS Audit has to be undertaken by the vendor (Phase III). This exercise would be undertaken preferably within 180 days from the date of completion of Phase II. However, the final date for the start of the compliance audit will be informed by the Bank in due course of time.
The final ISA certificate is to be issued within a week of the Audit Compliance Review.

19 TERMS OF PAYMENT:
19.1 The Vendor’s request(s) for payment shall be made to the Purchaser in writing, accompanied by an invoice describing, as appropriate, the services performed and the documents submitted, and upon fulfilment of other obligations stipulated in the Contract.
19.2 Payments shall be made promptly by the Purchaser, but in no case later than sixty (60) days from submission of an invoice/claim supported by all required documents by the Vendor.
19.3 Payment will be made to the Vendor in Indian Rupees only.
19.4 Payment Schedule: Payment will be made on completion of the following milestones:
19.4.1 50% after completion of PHASE-I (completion of conduct of IS Audit)
19.4.2 30% after completion of PHASE-II (submission and acceptance of IS Audit Reports by the Bank)
19.4.3 20% after completion of PHASE-III (review / compliance audit and submission / acceptance of reports thereof by the Bank)
** TDS would be deducted at source for any payment made by the Bank as per the prevailing rules of the Government of India.

20 INDEMNITY:
20.1 The bidder (Contractor) will indemnify the Bank against all actions, proceedings, claims, suits, damages and any other expenses for causes attributable to the vendor.
20.2 The total liability of the selected bidder under the contract will not exceed the total cost of the project.

21 CHANGE OF ORDER:
21.1 The Purchaser may at any time, by written order given to the vendor, make changes within the general scope of the purchase order in any one or more of the following:
21.1.1 The places of IS Audit.
21.1.2 The services to be provided by the vendor.
21.2 If any such change causes an increase or decrease in the cost of, or the time required for, the vendor’s performance of any provisions under the contract, an appropriate adjustment shall be made in the contract price or delivery schedule, or both, and the contract shall accordingly be amended. Any claim by the vendor for adjustment under this clause must be asserted within 30 days from the date of the vendor’s receipt of the Purchaser’s change order.

22 DELAYS IN VENDOR’S PERFORMANCE:
22.1 Performance of the services shall be made by the vendor in accordance with the time schedule specified by the Purchaser in CVS clause 17.
22.2 If at any time during performance of the purchase order the vendor should encounter conditions impeding timely performance of the services, the vendor shall promptly notify the Purchaser in writing of the fact of the delay, its likely duration and its causes. As soon as practicable after receipt of the vendor’s notice, the Purchaser shall evaluate the situation and may at its discretion extend the vendor’s time for performance, with or without liquidated damages, in which case the extension shall be ratified by the parties by amendment of the contract.
22.3 Except as provided under CVS clause 10, a delay by the vendor in its performance of delivery obligations shall render the vendor liable for imposition of liquidated damages pursuant to clause 22, unless an extension of time is agreed upon pursuant to clause 25 without the application of liquidated damages.

23 LIQUIDATED DAMAGES:
Subject to CVS clause 10, if the vendor fails to deliver or perform the services within the time period(s) specified in the contract, the Purchaser shall, without prejudice to other remedies under the contract, deduct from the contract price, as liquidated damages, a sum equivalent to 1 (one)% of the delivered price of the contract or underperformed services for each week or part thereof of delay until actual delivery or performance, up to a maximum deduction of 10% of the contract price. Once the maximum is reached, the Purchaser may consider termination of the contract pursuant to CVS Clause 11 and the Performance Security submitted may be invoked.

24 TAXES & DUTIES:
24.1 The vendor will be entirely responsible to pay all taxes, including corporate tax, income tax, license fees, duties etc., except Service Tax, in connection with delivery of the services at site.
24.2 Wherever the laws and regulations require deduction of such taxes at the source of payment, the Purchaser shall effect such deductions from the payment due to the vendor. The remittance of the amount so deducted and the issue of certificates for such deductions shall be made by the Purchaser as per the laws and regulations in force.
24.3 Service Tax should be clearly mentioned separately; it will be paid by the Bank on an actual basis on production of proof.
24.4 Nothing in the contract shall relieve the vendor from his responsibility to pay any tax that may be levied in India on income and profits made by the vendor in respect of this contract.

25 READINESS OF AUDITEE LOCATION:
The vendor may perform a site inspection at his own cost to verify the appropriateness of the sites/facilities before start of the IS Audit.

26 DELIVERY SCHEDULE:
The delivery of the Reports of Phase I & II should be effected within 10 (TEN) weeks from the date of the kick-start meeting as mentioned in Clause 17 of CVS.

27 ORDER CANCELLATION:
The Purchaser reserves the right to cancel the order in the event of one or more of the following circumstances:
27.1 Delay in start of Audit for a period of 30 days from the date of purchase order.
27.2 Breach by the vendor of any of the terms & conditions of the tender.
27.3 If the vendor goes into liquidation, voluntarily or otherwise.
27.4 In addition to the cancellation of the purchase order, the Purchaser reserves the right to forfeit the Performance security deposit/performance guarantee submitted by the vendor.

28 PUBLICITY:
Any publicity by the vendor in which the name of the Purchaser is to be used will be done only with the explicit written permission of the Purchaser.

SECTION IV
CONDITIONS OF PROCUREMENT (CP)

INDEX
S. No.  Subject                               Page No.
1       Scope of Work
2         a) Allahabad Bank                   30
3         b) Allahabad UP Gramin Bank         45
4       Method of Audit                       59
5       Deliverables                          60
6       Arbitration                           62
7       Abbreviations Used in the Document    63

Scope of I.S. Audit / VAPT (FY 2018-19 & 2019-20)
The scope / functional areas to be covered during the proposed audit process for Allahabad Bank and its sponsored RRB, i.e. Allahabad UP Gramin Bank, have been divided into two parts to avoid any ambiguity, and the requirements for the two entities are described separately under Part I and Part II as given hereunder:

Part I – Allahabad Bank
Overview of Scope
A) Vertical I
Information System Audit of the Bank’s entire CBS and allied infrastructure including Hardware, Operating System, Database, Application(s), Network including Facility, Process & People of the undernoted locations:

a) CBS Data Centre, Mumbai including
   i. e-KYC interface
   ii. FI Gateway
   iii. Virtualization
   iv. Aadhaar Enabled Payment System (AEPS) interface
   v. RuPay PIN Pad interface
b) CBS Project Office, Mumbai.
c) Network Operation Centre, Mumbai
   i. Detailed Firewall configuration audit
   ii. Network devices like IPS/IDS/UTM etc.
d) ATM Back Office, Mumbai
e) Payment Gateway, Mumbai
f) Disaster Recovery Site (DRS), Lucknow including
   i. e-KYC interface
   ii. FI Gateway
   iii. Aadhaar Enabled Payment System (AEPS) interface
   iv. RuPay PIN Pad interface
   v. Network Operation Centre
g) Outsourced IT activities of ATM Switch & ATM Facility Management.
h) Near DR Site, Mumbai
i) Information Technology Innovation Centre, Kolkata
j) Central Pension Processing Cell, Lucknow
k) Integrated Treasury Branch including SWIFT / Treasury Management Infrastructure, Mumbai
k. Review of compliance against G. Gopalakrishna recommendations
l. Quality Assurance Audit on functioning of the IS Audit System of the Bank, to be conducted at IS Audit Cell, Head Office.
m. Information System Audit of the undernoted setups of Cheque Truncation System / Grid Infrastructure including Hardware, Operating System, Database, Application Technology, Network including Facility, Process & People of:
   a. Northern Grid CTS Setup implemented at New Delhi and Lucknow
   b. Western Grid CTS Setup implemented at Mumbai
   c. Southern Grid CTS Setup implemented at Chennai & Mumbai

B) Vertical II
a) Vulnerability Assessment of business critical systems/servers (external), to be conducted on a monthly basis (detailed list of setups to be provided at the time of commencement of Audit).
b) Vulnerability Assessment of the entire Information System – internal (detailed list of setups to be provided at the time of commencement of Audit), to be conducted on a quarterly basis.
c) Penetration Testing of the entire Information System, to be conducted on a quarterly basis (detailed list of setups to be provided at the time of commencement of Audit).
d) IS Audit of existing and all new applications to be launched by the Bank, as and when required (at the discretion of the Bank). A list of existing applications is given below, which may vary from time to time as per the requirement of the Bank:
   1. Outsourced IT activities of hosting of Corporate Internet Site
   2. Internet Banking including SMS Banking
   3. Mobile Banking including IMPS
   4. Bancs@24
   5. Inspection Module
   6. Active Directory Services
   7. CPPS (Central Payment Processing System)
   8. AUA/KUA
   9. Biometric authentication System
   10. CMS
   11. Exim Bills – Trade Finance
   12. Lotus Notes – Email along with Email Gateway – Policies / Rules configured, including review of rules done on a specific date.
   13. Aadhaar related applications as required by UIDAI/NPCI
   14. E-Lobby
   15. UPI – Any Revisions
   16. Malware Audit of Selected ATMs
   17. Customer Grievances Redressal System (CGRS)
   18. Anti Money Laundering (AML)
   19. ADF-MOC
   20. Symantec Antivirus
   21. CBS Helpdesk
   22. HRMS application
   23. DeVA (Document Electronic Verification and Approval)
   24. ASBA
   25. UAE Money Exchange
   26. SWIFT Related Applications
e) Cost of 50 man-days is to be included in the commercial bid for the purpose of special audits like Forensic Audit etc. or any such type which may be required by the Bank from time to time. However, the cost of the same will be paid on an actual basis based on the number of man-days used. The bidders have to take up specialised audits as per the requirement of the Bank whenever needed, at the discretion of the Bank.
f) The report submitted should be duly mapped with the scope of work defined above, for each site, service, system and critical device.

Detailed scope of IS Audit applicable for all locations as mentioned above:
IS Audit will cover the entire gamut of computerized functioning including e-Delivery Channels & functional areas, with special reference to the following:

1. Policy, Procedures, Standard Practices & other regulatory requirements:
1.1 Information Security Governance, effectiveness of implementation of the Bank’s IT Security Policy & Procedures.
1.2 Compliance to National Critical Information Infrastructure Protection Center (NCIIPC) guidelines; RBI guidelines on Information Security, Internet Banking & other delivery channels.
1.3 Compliance to recommendations of the G. Gopalakrishna Committee pertaining to continuous auditing till implementation of the Security Operation Centre (SOC) centrally from Data Center Mumbai.
1.4 VISA, RuPay & other regulatory guidelines.
1.5 CERT-In and DSCI Guidelines.
1.6 IT Act 2000, IT Amendment Act 2008.
1.7 Best practices of the industry including ISACA’s Guidelines / COBIT / ISO standards.
1.8 Alignment of the Bank’s IT strategy with Business strategy.
1.9 PCI-DSS guidelines.
1.10 NPCI guidelines.

2. Physical and Environmental Security:
2.1 NPCI guidelines.
2.2 Access control systems.
2.3 Assessment of vulnerability towards natural calamities.
2.4 Fire protection systems, their adequacy and state of readiness.
2.5 Assets safeguarding, handling of movement of Man / Material / Media / Backup / Software / Hardware / Information.
2.6 Air-conditioning of DC / DRC, humidity control systems.
2.7 Electrical supply, redundancy of power level, Generator, UPS capacity.
2.8 Surveillance systems of DC / DRC.
2.9 Premises management.
2.10 Pest prevention (rodent prevention) systems.
2.11 Access given to various employees of the vendor/service provider.
2.12 Vendor Audit Reports
2.12.1 For Existing Vendors – Regular Review
2.12.2 For New / Proposed Vendors – Vendor Evaluation Reports (before onboarding)

3. IT Architecture
a. Operating Systems Audit of Servers, Systems and Networking Equipment:
3.1 Setup & maintenance of Operating System parameters.
3.2 OS Change Management Procedures – version maintenance, hot-fixes & service packs.
3.3 User account management including maintenance of sensitive user accounts – use of root and other sensitive passwords.
3.4 Use of sensitive system software utilities.
3.5 Vulnerability assessment & hardening of Operating Systems.
3.6 Users and groups created, including all types of users’ management ensuring password complexity, periodic changes etc.
3.7 File system security of the OS.
3.8 Review of access rights and privileges.
3.9 Services and ports accessibility.
3.10 Review of log monitoring, its sufficiency, security, preservation and backup.
3.11 Logs of backend database changes done in the last one month.
3.12 Adherence to licensing requirements.
3.13 Use of administrative shares, default login passwords, remote access / NetMeeting or any other such tool.
3.14 Implementation of ADS (Active Directory Services) or Group Policy.
3.15 Periodic patch and antivirus update.
3.16 Remote access policies including Remote Desktop Management.
3.17 Registry settings, including registry security permissions.
3.18 Profiles and log-in scripts.
3.19 Unauthorized off-port services running.

b. Application level Security Audit:
3.20 Logical Access Controls – to review all types of application level access controls, including proper controls for access logs and audit trails, for ensuring sufficiency & security of creation, maintenance and backup of the same.
3.21 Input Controls.
3.22 Processing Controls.
3.23 Output Controls.
3.24 Monitoring of access log.
3.25 Interface controls – application interfaces with other applications and security in their data communication.
3.26 Authorization controls such as maker-checker, exceptions, overriding exception & error condition.
3.27 Data integrity & file continuity controls.
3.28 User ID / Password Management.
3.29 Segregation of duties: access control over development, test and production regions.
3.30 Review of parameter maintenance process and controls implemented therein.
3.31 Change management procedures including testing, impact analysis and documentation.
3.32 Identification of gaps in application security parameters.
3.33 Audit of management controls including system configuration / parameterization development.
3.34 Audit of controls over operations including communication network, data preparation and entry, production, documentation and program library, help desk and technical support, capacity planning and performance, monitoring of outsourced operations, availability of user & operation manuals.
3.35 Review of software customization and adherence to SDLC Policy for such customization.
3.36 Adherence to Legal & Statutory Requirements.
3.37 Audit trail / audit log generation and management.
3.38 Recovery & restart procedures.
3.39 If outsourced, escrow arrangement with application owner.
3.40 Auditing, both at client side and server side, including sufficiency and accuracy of event logging, SQL prompt command usage, database level logging etc.
3.41 Backup / fallback / restoration procedures and contingency planning along with documentation.
3.42 Sufficiency and coverage of UAT test cases, review of UAT defects and tracking.
3.43 Mechanism deployed by the vendor for resolution, including re-testing and acceptance; change management procedure during conversion, migration of data, version control etc.
3.44 Adequacy of hardening of all servers and review of application of the latest patches supplied by various vendors for known vulnerabilities as published by CERT-In, SANS etc.
3.45 Application-level risks at system and data level including:
   i. system integrity risks
   ii. system-security risks
   iii. data risks
   iv. system maintainability risks
3.46 Review of software benchmark results and load and stress testing of IT infrastructure performed by the vendors.
3.47 Special remarks may also be made on the following items: hard-coded user IDs and passwords, application level recovery and restart procedures.
3.48 Review of adequacy and completeness of controls.
3.49 Review of access given to various employees of the vendor/service provider.

c. Audit of DBMS and Data Security:
3.50 Authorization, authentication and access control are in place.
3.51 Physical access and protection.
3.52 Audit of data integrity controls including master table updates.
3.53 Confidentiality requirements are met.
3.54 Logical access controls which ensure that access to data is restricted to authorized users.
3.55 Use of Data Repository Systems, Data Definition Language (DDL), Data Manipulation Language (DML) and Data Control Language (DCL).
3.56 Audit of log of changes to data definitions.
3.57 Database integrity is ensured to avoid concurrency problems.
3.58 Protection of sensitive information during transmission and transport.
3.59 Separation of duties.
3.60 Catalog server, synchronization of control file and catalog server.
3.61 Database backup management.
3.62 Purging policy / procedures of data files.
3.63 Security of Oracle system files viz. control files, redo log files, archive log files, initialization file, configuration file, tablespace security & utilization etc.
3.64 Password check of SYSTEM and SYS users.
3.65 Checking of database privileges assigned to DBAs and users (privileges like ALTER SESSION, ALTER SYSTEM and BECOME USER etc.).
3.66 To examine and review different types of logs generated from user / background / memory processes etc., and to examine the controls ensuring sufficiency & security of creation, maintenance and backup of the same.
3.67 Procedures to ensure that all data are classified in terms of sensitivity by a formal and explicit decision of the data owner, and that necessary safeguards for its confidentiality, integrity and authenticity are taken as per the IT Security Policy.
3.68 Patches and new versions are updated as and when released by the vendor / Research and Development team.

d. Network Security:
i. Network Security architecture of the entire network including:
3.69 Understanding traffic flow in the network at LAN & WAN level.
3.70 Review of appropriate segregation of the network into various trusted zones. Analysis of network security controls including logical locations of security components like firewall, IDS/IPS, proxy server, antivirus server, email systems, VSAT IDUs etc. in various zones.
3.71 Review of redundancy for links and devices in the CBS setup.
3.72 Review of security measures at the entry and exit points of the network.
3.73 Checking inter-VLAN routing and optimization. Study of incoming and outgoing traffic flow among web servers, application servers, database servers, DNS servers and Active Directory.
3.74 Review of routing policy, route path and table audit.
3.75 Review of placement of security devices and DMZs.
3.76 Routing protocols and security controls therein.
3.77 Audit of network architecture from the disaster recovery point of view.
3.78 Access control for MZ, DMZ, NOC, WAN and for specific applications of the respective zones.
3.79 Review of all types of network level access controls & logs, for ensuring sufficiency & security of creation, maintenance and backup of the same.
3.80 Secure network connections for CBS, ATM and Internet Banking including client / browser based security.
3.81 Evaluation of centralized controls over routers installed in branches & their password management.
3.82 Audit of VSAT & wireless connectivity infrastructure.
3.83 Incident management: audit of incident management and handling processes, roles and responsibilities, incident response procedures, verification of incident reports and effectiveness measurement, awareness of security incidents and events.
3.84 Audit of VLAN segregation, access to servers, encryption mechanisms for connectivity and access, internet access management, remote access provisioning etc.

ii. Network Management Audit comprising:
3.85 Process.
3.86 Risk acceptance (deviation).
3.87 Password management.
3.88 Authentication.
3.89 Network information security administration.
3.90 Cryptography.
3.91 Policies and rule sets including ACLs (Access Control Lists).
3.92 Violation logging management.
3.93 Information storage & retrieval.
3.94 Audit trails.
3.95 PKI management.
3.96 PIN management.
3.97 Review of access control documentation and configuration.
3.98 Obtaining information about the network architecture and address schema of the network.

iii. Configuration Audit of Network Devices (Routers, Switches, Firewalls, IDS/IPS):
3.99 Routing protocol analysis.
3.100 Checking of HSRP configurations, if any, and their working.
3.101 Review of network devices’ roles and configuration through configuration audit.
3.102 Configuration to defend against common security attacks like IP spoofing, ICMP redirects etc.
3.103 Service proxies, circuit-level gateways and packet filters.
3.104 VPN configuration and encryption.
3.105 Updated version of OS / patches.
3.106 Auditing, logging, monitoring and alerting mechanism.
3.107 Session management.
3.108 Domain name services.
3.109 Separate configuration audit of firewall rules and their review.
3.110 Validation of the following services for security, effectiveness and efficiency on all network devices:
   i. IP directed broadcasts
   ii. Incoming packets at the router sourced with invalid addresses
   iii. TCP small services
   iv. UDP small services
   v. All source routing
   vi. All web services running on the router
   vii. Logging & auditing
   viii. Banner checking

iv. Verification of Network Devices for any security threats including but not limited to:
3.111 Smurf and SYN Flood
3.112 DoS attacks, DDoS, spoofing, DNS poisoning, Loki etc.
3.113 Checking for all known viruses, Trojans, rootkits, worms etc. & protection thereof.
3.114 Checking of VLAN architecture and security measures
3.115 Communication controls
3.116 Open TCP/UDP ports
3.117 Firewall / ACLs (Access Control Lists)
v. Access control audit for all Networking Devices viz. Routers, Switches, IDS/IPS, VSAT Infrastructure, Firewalls etc.:
3.118 Routers / switches / firewalls / IDS / IPS are using the AAA (Authentication, Authorization and Accounting) model for all user authentications.
3.119 Passwords enabled on the routers/switches are stored in encrypted form and comply with the minimum length in characters.
3.120 Privileges available to the Systems Integrator and outsourced vendors.
3.121 Review of access lists for different network segments (to different outside networks).
3.122 Delegation of privileged use in accordance with job function.
3.123 Local and remote access to the networking devices is limited & restricted.
3.124 Cyber incidents observed during the last six (6) months and availability of RCA (Root Cause Analysis) and/or forensic analysis.
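Items 3.110 and 3.119 above ask the auditor to validate a fixed list of router services and the form in which device passwords are stored. The script below is an added example and is not part of the RFP or of the Bank’s own audit programme: it parses a constructed Cisco IOS-style running-config (the RFP names no platform, so that format is an assumption) and reports a pass/fail finding with evidence for each of the eight items in 3.110 and for the password-storage requirement of 3.119. The sample config, the check names, the treatment of platform defaults (small servers off, source routing on) and the use of uRPF as the control for item (ii) are all assumptions of the example.

```python
"""Configuration checks for the router-hardening items in 3.110 and 3.119.

Added example, not part of the RFP. It assumes a Cisco IOS-style running-config
and that uRPF ("ip verify unicast ...") is the control used against packets
sourced with invalid addresses (item 3.110 ii).
"""
import re

# Constructed sample running-config with weaknesses deliberately left in so
# that the checks below have something to report.
SAMPLE_CONFIG = """\
version 15.2
service tcp-small-servers
no service password-encryption
hostname EDGE-RTR-1
!
enable password cisco123
username ops password 0 changeme
!
ip source-route
ip http server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
logging host 192.0.2.50
!
line vty 0 4
 transport input ssh
!
end
"""


def parse_config(text):
    """Split a running-config into global commands and indented sub-command blocks.

    Returns (global_lines, blocks): every non-indented command is a global line and
    also a potential block header; indented lines attach to the preceding header.
    """
    global_lines, blocks = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # "!" separates sections in IOS output
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            blocks.setdefault(current, [])
    return global_lines, blocks


def audit_router_config(text):
    """Return {check_name: (passed, evidence_list)} for items 3.110 (i)-(viii) and 3.119."""
    global_lines, blocks = parse_config(text)
    gset = set(global_lines)
    interfaces = {n: c for n, c in blocks.items() if n.startswith("interface ")}
    findings = {}

    # 3.110 (i): directed broadcasts must be disabled on every interface
    bad = [n for n, cmds in interfaces.items() if "ip directed-broadcast" in cmds]
    findings["directed_broadcast"] = (not bad, bad)

    # 3.110 (ii): invalid source addresses; expect uRPF on every interface (assumed control)
    no_urpf = [n for n, cmds in interfaces.items()
               if not any(c.startswith("ip verify unicast") for c in cmds)]
    findings["urpf"] = (not no_urpf, no_urpf)

    # 3.110 (iii)/(iv): small servers are off by default, so an explicit enable is a finding
    small = [c for c in ("service tcp-small-servers", "service udp-small-servers") if c in gset]
    findings["small_services"] = (not small, small)

    # 3.110 (v): source routing is on by default; require the explicit "no" form
    sr_ok = "no ip source-route" in gset
    findings["source_route"] = (sr_ok, [] if sr_ok else ["no ip source-route missing"])

    # 3.110 (vi): web services enabled on the router
    web = [c for c in ("ip http server", "ip http secure-server") if c in gset]
    findings["web_services"] = (not web, web)

    # 3.110 (vii): at least one remote syslog destination
    log_ok = any(c.startswith("logging host ") for c in global_lines)
    findings["logging"] = (log_ok, [] if log_ok else ["no logging host configured"])

    # 3.110 (viii): a login or MOTD banner is present
    banner_ok = any(c.startswith("banner ") for c in global_lines)
    findings["banner"] = (banner_ok, [] if banner_ok else ["no banner configured"])

    # 3.119: passwords must not be stored in clear text (type 0 / "enable password")
    plain = [c for c in global_lines
             if c == "no service password-encryption"
             or c.startswith("enable password ")
             or re.match(r"username \S+ password (0 )?\S+$", c)]
    findings["password_storage"] = (not plain, plain)
    return findings


def failed_checks(findings):
    """Names of checks that did not pass, for the audit report."""
    return [name for name, (passed, _) in findings.items() if not passed]


if __name__ == "__main__":
    for name, (passed, evidence) in audit_router_config(SAMPLE_CONFIG).items():
        print(f"{name:18} {'PASS' if passed else 'FAIL'} {evidence}")
```

The minimum-length part of 3.119 is deliberately not checked here: once passwords are stored as hashes (enable secret, type 5/8/9 user secrets) their length cannot be measured from the config, so that item has to be verified against the device password policy instead.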

vi. Network Traffic & Performance Analysis:
3.125 Packet flow performance.
3.126 LAN/WAN link utilization / quality analysis / bandwidth availability / usage etc.
3.127 Congestion areas at various topology layers and traffic pattern analysis.
3.128 Capacity planning analysis including scalability.
3.129 Baseline configurations.
3.130 Analysis of latency / response time in traffic across various links.
3.131 Analysis of load balancing mechanism.
vii. Network Monitoring Software Review
3.132 Review of functional capabilities and effectiveness of NMS software.
3.133 Review of availability of tools to generate ad-hoc reports from system logs.
viii. Wireless Security Audit
Security audit of the wireless networking infrastructure deployed by the Bank, including but not limited to encryption technique, authentication mechanism etc. of end points using technologies like WLL, VSAT, RF, CDMA etc. for connectivity.

4 Backup & Recovery Testing:
4.1 Audit of backup & recovery testing procedures.
4.2 Sufficiency checks of backup process.
4.3 Audit of access controls, movement and storage of backup media.
4.4 Audit of media maintenance procedures.
4.5 Security of removable media.
4.6 Controls for prevention of data leakage through removable media or other means.
4.7 Media disposal mechanisms and database archival & purging procedures.
4.8 Synchronization between DC & DRC databases.
4.9 DR services to be up for branches, as per RTO & RPO of BCP.
4.10 Purging of data.

5 Privacy, Data Protection & Fraud Prevention:
5.1 Assurance to the management on implementation of proper controls, and periodic updating of the same, to prevent Cyber Frauds / IT Frauds, and on the detection mechanism.
5.2 Isolation and confidentiality in maintaining the bank’s customer information, documents and records by the bank.
5.3 Review of documents / media retention policy.
5.4 Media control within the premises.
5.5 Procedures to prevent access to sensitive information and software from computers, disks and other equipment or media when they are disposed of or transferred to another user are defined and implemented.
5.6 Such procedures guarantee that data marked as deleted or to be disposed of cannot be retrieved by any internal or third party.

6 Business Continuity Management:

6.1 Review and assess the adequacy of recovery strategies deployed by bank including

cryptographic disaster.

6.2 Review the adequacy of processes for conducting business impact analysis, risk

assessment.

7 Review of BCP methodology covering the following:

7.1 Identification of critical business.

7.2 Owned and shared resources with supporting function.

7.3 Risk assessment on the basis of Business Impact Analysis (BIA).

7.4 Formulation of Recovery Time Objective ('RTO') and Identification of Recovery Point

Objective ('RPO').

7.5 Assurance from Service providers of critical operations for having BCP in place with

testing performed on periodic basis.

7.6 Maintaining of robust framework for documenting, maintaining and testing business

continuity and recovery plans by Bank and service providers.

7.7 Adequate insurance maintained to cover the cost of replacement of IT Resources in the event of disaster.

8 Review the effectiveness of DR Drill Process:

8.1 Review DR Drill activity with respect to documented procedures, and highlight any deviations from such procedures or improvements, if any, thereupon.

8.2 Review the overall effectiveness of DR drill and comment on the achievable Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) vis-à-vis the RTO and RPO values identified during the BIA activity.

8.3 Data Backup – periodic media verification for its readability.

8.4 Offsite storage and movement of backups.

8.5 Restoration of backup at DRS.

8.6 Time delay in transmission and restoration of daily data at DRS.

8.7 Specify events which could restrict successful shifting to DRS in case of any disruption at the main site.

8.8 Comment on success of Drill exercises.

9 Addressing of HR issues and training aspects including:

9.1 Providing for the safety and wellbeing of people at the branch or location at the time of disaster.

9.2 Participation in drills conducted by RBI for Banks using RTGS/ NDS/ CFMS services.

9.3 Security awareness training to staff.

10 Asset Inventory Management:

10.1 Records of assets maintained: existence of an Inventory Database & Controls which identify and record all IT assets and their physical location, and a regular verification schedule which confirms their existence and updating.

10.2 IT assets classification, ownership definition & labeling of assets.

10.3 Checking for unauthorized software.

10.4 Software storage controls.

10.5 Proper usage policies for use of critical technologies by Outsourced Vendor/Employee.

10.6 Maintenance of inventory logs for media.

10.7 Restriction of access to assets, management approval, authentic use of technology, access control list covering list of employees and devices, labeling of devices, list of approved products.

10.8 Details of IT Assets deployed within the Bank, review and management thereof including remarks on under-utilization, if any.

10.9 Proper utilization of infrastructure of IT Assets, license and Warranty / AMC details and overloading of resources.


11 Human Resources:

11.1 Review of segregation of duties.

11.2 Communication of individual security Roles & Responsibilities to Employees.

11.3 Prevention of unauthorized access by former employees.

11.4 Close supervision of staff in sensitive positions.

11.5 People on notice period moved to non-sensitive roles.

11.6 Retired/Dismissed staff to be removed from the Active User List on an immediate basis.

12 IT Financial Control:

12.1 Compliance with Outsourcing Policy.

12.2 Review of coverage of the confidentiality clause and clear assignment of liability for loss resulting from an information security lapse in the vendor contract.

12.3 Review of financial and operational condition of the service provider with emphasis on performance standards, confidentiality and security, and business continuity preparedness.

13 IT Operations:

13.1 Application Security covering access control.

13.2 Business Relationship Management.

13.3 Customer education and awareness for adoption of security measures.

13.4 Mechanism for reporting deceptive domains and suspicious emails.

13.5 Review of monitoring of domain names to help prevent any entity from registering deceptively similar names.

13.6 Use of Internet as per the Bank’s Security Policy.

13.7 Issue and maintenance of Digital signatures.

13.8 Review of monitoring of system performance and resource usage to optimize computer resource utilization.

13.9 Personnel scheduling - shift hand-over process.

13.10 Day begin and Day end process: Audit of BOD/ EOD controls, control of transactions affecting intermittent accounts, control of system-generated transactions.

13.11 Review of console log activity during system shutdown and hardware/ software initialization.

13.12 Process documentation.

13.13 Operational procedure for Data Center and DRS.

13.14 Review of monitoring of operator log to identify variances between schedules and actual activity.

13.15 Duty / Role segregation mechanisms/ procedures.

14 Capacity Management:

14.1 Service continuity and availability management.

14.2 Avoidance of single point of failure through contingency planning.

15 Change Management:

15.1 Implementation of version control.

15.2 Key parameters of applications in CBS application, Operating System, RDBMS and Admin levels.

16 Record/Storage Media Management & Handling:

16.1 Consistency in handling and storing of information in accordance with its classification.

16.2 Adherence to policies for media handling, disposal and transit.

16.3 Protection of records from loss, destruction and falsification in accordance with statutory, regulatory, contractual and business requirements.

16.4 Securing of confidential data with proper storage.

16.5 Procedures for handling, storage and disposal of information and storage media backups.

16.6 Review of retention periods and storage terms, as per regulatory requirements, for:

i. Documents

ii. Data

iii. Programs

iv. Reports


v. Messages (incoming and outgoing)

vi. Keys and certificates used for their encryption and authentication.

vii. Log files for various activities

viii. Policy and procedures for purging of data

16.7 Responsibilities for media library management and housekeeping procedures are assigned to specific members of the IT function to protect media library contents.

16.8 Housekeeping procedures are designed.

16.9 Standards are defined for the external identification of magnetic media and control of their physical movement and storage to support accountability.

16.10 Systematic inventory of the media library containing data, to ensure data integrity.

17 Project Management:

17.1 Information System Acquisition, Development and Maintenance.

17.2 New systems or changes to current systems should be adequately specified, programmed, tested and documented prior to transfer into the live environment.

17.3 Scrambling of sensitive data prior to use for testing purposes.

17.4 Release Management.

17.5 Access to computer environment and data based on job roles and responsibilities.

17.6 Segregation of development, test and operating environments for software.

17.7 Proper segregation of duties to be maintained while granting access in development, test and live environments.

18 Technology Licensing:

18.1 Review of software licenses.

18.2 Legal and regulatory requirements for importing or exporting of software.

19 Review of Outsourcing Risks with vendors:

19.1 Service levels are defined and managed.

19.2 Non-Disclosure Agreement (NDA)/Confidentiality clause is in place.

19.3 Review of access provided to third party contractors working onsite.

19.4 Responsibility and liability of vendors have been defined according to the Security Policy and procedures of the Bank.

19.5 Service Level Agreements (SLAs): Audit of SLA management for all kinds of services like Data Centre, DR site, ATM Switch, Internet Banking, Physical Security, Facility Management, etc.

19.6 Monitoring of vendors’ activities as per SLAs.

19.7 Imposing penalties wherever there are deviations.

19.8 Formal agreements are executed which take care of all the risks associated with outsourcing.

20 Help Desk Audit:

20.1 Prioritization of reported problems.

20.2 Timely resolution of reported problems.

20.3 Problems and incidents reported are resolved, and the cause investigated to prevent any recurrence.

20.4 Incident handling

20.5 Trend analysis and reporting

20.6 Development of knowledge base

20.7 Root cause analysis

20.8 Problem tracking and escalation with proper documentation

20.9 Audit trails of problems and solutions

21 Anti-Virus:

21.1 Proactive virus prevention and detection procedures are in place and implemented. Virus definitions are updated regularly.

21.2 Review of monitoring of antivirus servers located at NAPs and other locations, including branch level clients, for having the latest versions and definitions.

21.3 Audit of anti-virus protection at host and at desktop levels, procedure of antivirus updates at DC, Servers and Desktops, Gateway level AV protection etc.

22 ATM Switch & ATM Facility Management (Outsourced) & ATM Back Office:

22.1 Compliance with the Service Level Agreement (SLA) with the outsourced ATM Switch vendor (M/s FIS) & ATM facility management vendor (M/s FSS).

22.2 ATM Process Audit comprising ATM Operational Controls, Consortium issues, Reconciliation, ATM Cash Management etc. including:

i. PIN Management

ii. Card Management

iii. Time Management in delivering ATM Cards/PINs to customers.

iv. Hot listing of cards.

v. Transactions & Reconciliation Management.

vi. Dispute Management

22.3 Analysis/Verification of Audit Logs /Audit Trails of Transactions, Exception List, Incident management report etc.

22.4 ATM Process Audit comprising ATM Operational Controls, Consortium issues, Reconciliation, ATM Cash Management etc. including:

22.5 Adequacy of Operational Security features through Access Control, User Rights, Logging, Data integrity, Accountability, Auditability etc. at the ATM Switch/ATM Back Office.

22.6 Adequacy of contingency arrangements (Fallback / fail over procedures, Redundancy & Back-up) in the event of System Breakdown/Failure w.r.t. Recovery/Restart facilities, Diagnostics for identification, Protection of Data, Backup facilities.

22.7 Adequacy of Data/Network Security features with respect to the connectivity between ATM Switch (DC & DR Site), Bank’s CBS DC/DRS, ATM Back Office etc. Review of adequacy/appropriateness of the security protocol implemented (IPsec, SSH, SSL etc.), Network Security System Hardware/Software deployed (Firewall, IDS, Anti-Virus etc.), Adequacy /Reliability /Redundancy of the Bandwidth provided etc.

22.8 Adequacy, generation & availability of Reports for accounting, regulatory, statutory, reconciliation, MIS & statistical purposes covering all ATM transactions.

22.9 Scalability & Interoperability for expanding network in future & sharing arrangements.

22.10 Connectivity to partner networks and two-way authentication between Bank’s Server and Third Party’s Server (in case of STP Transactions like online bill payment etc. for Customers/ Users).

22.11 Adherence to various limits accepted with the Switch Vendor/Managed Services Vendors in the SLAs w.r.t. Uptime/Availability/Penalties etc.

22.12 Verification of the detailed security procedures & processes of the ATM Switch vendor.

22.13 Adequacy of Physical/environmental Security Controls at the ATM Switch (DC & DR) & ATM Back Office with special emphasis on the Level 3 area (Hosting Server Rooms etc.). Presence of Biometric Authentication devices for Access Control, Fire Detection mechanisms & other Safety standards, Video Surveillance Systems/CCTV etc. to be checked.

22.14 Analysis of Incident Management/ATM Monitoring Database/Reports/Logs etc. generated & their resolution.

22.15 Audit of the Reconciliation activities being carried out w.r.t. transactions involving various Acquirer, Issuer, Merchant, Interchange, other stakeholders etc. found in the ATM switch files against the transactions found in Host, Interchange & Partner Bank’s switch. Also, Chargeback processing including VISA chargeback, NFS Chargeback etc. to be checked for appropriateness.

23 Audit of Internet Banking & Mobile Banking Infrastructure:

23.1 Compliance with the License agreement for all software supplied by the vendor with the solution.

23.2 Adequacy, generation & availability of Reports for accounting, regulatory, statutory, reconciliation, MIS & statistical purposes covering all Mobile banking transactions.


23.3 Adherence to Operational/Statutory guidelines issued by RBI, NPCI, PCI-DSS & other Regulatory bodies w.r.t. Internet/ Mobile Banking Application.

23.4 Audit of various functionalities provided in the application like Fund transfer, Transactions & queries, Cheque Book related etc.

23.5 Verification of the detailed security procedures & processes of the Internet Banking/Mobile Banking Solution provider, Data & Operational Security setup & establishing the adequacy of the same w.r.t. the current Setup.

23.6 Adequacy of Operational Security features through Access Control, User Rights, Logging, Data integrity, Accountability, Auditability etc. for the Internet/Mobile Application Solution.

23.7 Adequacy of PIN/ Password Management Controls (Generation, Re-generation, Authorization, Verification etc.) of Internet Banking/ Mobile Banking & Key Management features.

23.8 Audit of various security features including but not limited to Transaction level security, Platform Security & reliability including Database, Network & transmission Security, Registration features, Administration Portal features, Call logging, tracking & Dispute Resolution features etc.

23.9 Analysis/Verification of Audit Logs /Audit Trails of Transactions, Exception List, Incident management report etc.

23.10 Review of the process of creation/management of internet & mobile banking IDs / 3D security management / 2nd factor authentication etc. and additional Security features.

23.11 Review to ensure strong access control measures & Confidentiality in the transmission, processing or storing of customer data.

23.12 Compliance with SLA provisions with the service provider.

24 Risk Analysis & Development of Risk Matrix/Profile:

24.1 The scope of work should be based upon Risk Analysis of the Information Systems of the Bank, as per regulatory guidelines, and will include the following steps:

• Step 1: System Characterization

• Step 2: Threat Identification

• Step 3: Vulnerability Identification

• Step 4: Control Analysis

• Step 5: Likelihood Determination

• Step 6: Impact Analysis

• Step 7: Risk Determination

The Risk Analysis / Risk Matrix will be based on adequacy of internal controls, business criticality, regulatory requirements, amount or value of transactions processed, customer facing systems, financial loss potential, number of transactions processed, availability requirements, experience of management and staff, turnover, technical competence, degree of delegation, technical and process complexity, stability of application, age of system, training of users, number of interfaces, availability of documentation, extent of dependence on the IT system, confidentiality requirements, major changes carried out, previous audit observations and senior management oversight.

25 Audit of Integrated Treasury & Payment Gateway:

The Bank has a computerized integrated treasury system installed at Fort, Mumbai. The Treasury system is integrated with systems such as Reuters, Bloomberg, Payment System Gateway and also SWIFT. The Bank has also established a Payment Systems Gateway and connected it to RBI through INFINET. The Bank uses many applications such as PDONDS, CFTS, CFMS, SFMS, RTGS, NEFT, etc., through the Payment Gateway System. The Bank uses the SWIFT system for securely communicating financial and non-financial messages with its counterparts internationally.

25.1 In addition to the IS Audit scope as defined above, Auditors should also look into the following aspects w.r.t. the specialized setup:


Integrated Treasury

i. Verification and evaluation of supervisory functions for Mid Office operations

ii. Adherence to FEDAI guidelines in the matter of assignment of roles and responsibilities

iii. Adherence to FEDAI guidelines pertaining to segregation of duties

iv. Implementation of authorized access mechanism to the Dealing Room including complete restriction on usage of communication devices inside the Dealing Room.

v. Periodic reconciliation of old entries

vi. Maintenance of the minimum number of Nostro accounts to avoid idle balances outstanding and charges incurred thereupon.

vii. System driven automated Rates and Deals on a real time basis and adherence to permissible time limits.

viii. Audit of SWIFT network connectivity at INTEGRATED TREASURY having interface with CBS

ix. Justification of Penalty/ fine paid, if any

x. Documenting of dealer movement and monitoring of dealing hours

Payment Gateway & Other Office

xi. Audit of External network connectivity at Payment Gateway & other Offices facing the external network.

xii. Verification of controls for RTGS, NEFT, SFMS, NDS-PDO, GILTS, CBLO etc. at Payment Gateway, as per the regulators’ policies and Guidelines.

xiii. Review of BCP/DRP for the above setups

xiv. Compliance with SLA provisions with the concerned vendor

26 Audit of Financial Inclusion (FI) Infrastructure, DP & Online Share Trading:

26.1 Audit of External network connectivity for FI Infrastructure, USB infrastructure, POS infrastructure & Online Share Trading infrastructure with Bank’s CBS network. Review of network architecture security for these setups and adequacy of the security controls.

26.2 Verification of controls as per the Bank’s security policies, regulatory policies, PCI-DSS, NPCI & other statutory guidelines.

26.3 Review of BCP/DRP for the above setups

26.4 Sample configuration checking of POS terminals & USB Laptops for compliance.

26.5 Compliance with SLA provisions with the concerned vendors

26.6 KBS server implemented by various Technical Service Providers (TSP)

26.7 Financial Inclusion Gateway of M/s FINO

26.8 RuPay card PIN based transactions using PIN Pad devices

26.9 Security Audit of transactions using RuPay Card and Aadhaar Enabled Payment System.

27 General scope:

27.1 Review of Privileges available to Systems Integrator and Outsourced Vendors.

27.2 Evaluation of role, responsibility and accountability of IT Process owners.

27.3 Audit of DR Site including verification of systems / controls at the DR site, assessment of environment and procedures at the DR site, Parameter Management, adequacy of infrastructure, fallback procedures, assessment of access control, comparison of DR Site setup with Data Centre with respect to infrastructure (Hardware, Application Software, Systems Software etc.)

27.4 Vulnerability Assessment & IS Audit of Delivery channels, 3rd Party Products and interfaces like Internet Banking, SMS Banking, e-Credit & e-Retail, corporate email systems, Cash Management System, CIBIL, EXIM Bills, OGL, ALM, HRMS, RTGS, NEFT, EMS (Tivoli), AML, CTS, DP Services, CMS Hub, Trade Finance, Government Business, ATM Interface, SAS, Helpdesk module, E-mail System, and any other modules integrated with the Core System, as on the date of the audit.

27.5 Audit of e-mail access and usage, mail size and restrictions, attachment restrictions, AV & Spamming Control agents and archival for mail.

27.6 Software change management – Change and version control management, audit of movement from development to test to production; data access & segregation, access control to source code and libraries, audit of application development and maintenance processes, user access controls to application and database, audit of patch updates and upgrade processes.

27.7 Encryption standards/ message integrity standards, data privacy processes, efficiency of audit trails, audit trail synchronization mechanisms.

27.8 Security in SDLC processes, security of application, security testing processes, in-built security within the application development and maintenance procedures, license management, escrow agreements.

27.9 Audit of issuance & usage of Digital signatures as per Bank’s established guidelines & procedures.

27.10 Security Management: Patch Management & AV processes, audit of roles and responsibilities.

27.11 The scope of work further includes guiding/helping the Bank staff in putting in place the correct practices and conducting a compliance audit.

27.12 The scope of work also includes sharing with the Bank’s IS Audit team all the formats, check lists, scoring sheets, scripts etc. that will be used during the process of IS Audit. The Bank’s IS Audit team will be attached to the IS Audit team of the selected vendor during the course of the audit. The external IS Auditor should explain to the Bank’s team all the processes and procedures involved in arriving at audit findings, including interpretation of outputs generated by various audit tools.

27.13 Audit of availability of Bank’s documented operating procedures for critical processes like Backup, capacity planning, equipment maintenance, application monitoring, server monitoring, network monitoring, security monitoring etc.

Count of Servers/Devices in Different Auditee Locations: As per Annexure XIII(a)

C. Vulnerability Assessment (Internal) of Bank’s Servers and networking devices

1. Port scanning of the servers, network devices and security devices/applications.

2. Analysis and assessment of vulnerabilities of the entire network.

3. Network traffic observation for important and confidential information like usernames and passwords flowing in clear text.

4. Comprehensive scanning of all IP address ranges in use to determine vulnerabilities that may exist in network devices & servers, and to audit all responses to determine if any risks exist.

5. Use vulnerability scanners to scan the critical/network devices and servers to determine whether vulnerabilities exist.

6. Check for known vulnerabilities in the Operating Systems and applications like Browser, E-Mail, Web Server, Web Application Server, FTP etc.

7. Check for unnecessary services/ applications running on network devices/ servers/ workstations.

8. Unauthorized access into the network and extent of such access possible

9. Unauthorized modifications to the network and the traffic flowing over the network

10. SQL Injection, Cross Site Scripting, Information Leakage, Cookie handling, IP Spoofing, Buffer overflow, Session hijacking, Pharming, Phishing etc.

11. Extent of information disclosure from the network.

12. Spoofing of identity over the network

13. Controls against the possibility of denial of service attacks.

14. Effectiveness of Virus Control systems in E-mail gateways

15. Control over network access points.

16. Possibility of traffic route poisoning

17. Review of IOS.

18. Checking Spanning Tree Topology

19. Bridging, Root bridges, designated port, root ports.


20. Checking Fault tolerance.

21. VTP security (VLAN Trunk Protocol) & VTP Modes

22. MAC Spoofing.

23. Checking Port duplex and speed settings.

24. Checking trunking on the ports and that only necessary VLANs are allowed

25. Review with reference to “OWASP Top 20 Web Application Security Risks”

26. Vulnerability assessment of Wireless networks.

D. Penetration Testing (External) of Bank’s Internet facing Information Systems including Internet Banking, Mobile Banking, SMS Banking, Bank’s Corporate Website, Financial Inclusion Infrastructure, Wireless Infrastructure, DP & Online Share Trading Infrastructure, Integrated Treasury Branch etc.

(IP details to be provided at the time of Audit)

1. Port scanning of the servers, network devices and security devices/applications.

2. Penetration Testing (External).

3. Network traffic observation for important and confidential information like usernames and passwords flowing in clear text.

4. Comprehensive scanning of all IP address ranges in use to determine vulnerabilities that may exist in network devices & servers, and to audit all responses to determine if any risks exist.

5. Check for known vulnerabilities in the Operating Systems and applications like Browser, E-Mail, Web Server, Web Application Server, FTP etc.

6. Review of specific controls against Web Defacing and uploading of Trojan/ Virus/ Malware/ Spyware etc. on various servers and further spread of the same to connected machines.

7. Attempt to guess passwords using password cracking tools.

8. Check for unnecessary services/ applications running on network devices/ servers/ workstations.

9. Unauthorized access into the network and extent of such access possible

10. Unauthorized modifications to the network and the traffic flowing over the network

11. SQL Injection, Cross Site Scripting, Information Leakage, Cookie handling, IP Spoofing, Buffer overflow, Session hijacking, Pharming, Phishing etc.

12. Extent of information disclosure from the network.

13. Spoofing of identity over the network

14. Controls against the possibility of denial of service attacks.

15. Effectiveness of Virus Control systems in E-mail gateways

16. Control over network access points.

17. Possibility of traffic route poisoning

18. Review of IOS.

19. Bridging, Root bridges, designated port, root ports.

20. Checking Fault tolerance.

21. VTP security (VLAN Trunk Protocol) & VTP Modes

22. MAC Spoofing.

23. Checking trunking on the ports and that only necessary VLANs are allowed

24. Review with reference to “OWASP Top 20 Web Application Security Risks”

25. Penetration Testing of Wireless networks etc.

26. Penetration testing should include network and application layer testing as well as controls & processes around the networks & applications.


Part II – Allahabad UP Gramin Bank

OVERVIEW OF SCOPE:

A) Information System Audit of the Bank’s entire CBS and allied infrastructure, which includes hardware, Operating System, Database, Application(s), Network including Facility, Process & People of the undernoted locations:

a. CBS Data Centre, Lucknow including

i. Biometric Solution

ii. e-KYC Solution

iii. SMS Alerts

iv. CPSMS

v. ALM Solution

vi. AML Solution

vii. Data Archival (Findart) Solution

viii. FI Gateway + FI servers

    a. Aadhaar Enabled Payment System (AEPS) interface

    b. RuPay PIN Pad interface

ix. NACH-H2H

x. Prayas

xi. Mobile Banking + IMPS

xii. UPI Solution

xiii. Demographic Authentication Solution

xiv. HRMS

xv. CKYCR Solution

xvi. AUA-KUA Audit

xvii. RTGS/NEFT

xviii. Outsourced IT activities of hosting of Corporate internet Site

xix. Outsourced IT activities of ATM Switch & ATM Facility Management.

xx. IS Audit of existing (as above) and newly launched applications, as and when required (at the discretion of the Bank), at the quoted rate and as per the provisions of the current RFP

b. CBS Project Office, Lucknow

c. ATM Back Office, Lucknow

d. Disaster Recovery Site (DRS), Bangalore including

i. Biometric Servers

ii. e-KYC Server

iii. SMS Alert Server

iv. HRMS

v. Mobile Banking + IMPS

vi.

e. Outsourced ATM Switch at Mumbai

f. Quality Assurance audit on functioning of IS Audit Cell, Head Office

(**Location of the above setups may change at the time of Audit)

B) Vulnerability Assessment & Penetration Testing (internal & external) of the entire Information System (detailed list of setups to be provided at the time of commencement of Audit). Such VAPT process may be conducted on a Quarterly or any other frequency as decided by the Bank, as per the scope defined in the RFP, at the quoted rate which shall be valid up to 31st March, 2018.

C) Conduct of Application Security Audit/Product Audit of newly launched applications on a per instance basis, if required.

D) Report submitted should be duly mapped with the scope of work defined above, for each site, service, system and critical device.

Detailed scope of IS Audit applicable for all locations as mentioned above:

IS Audit will cover the entire gamut of computerized functioning including e-Delivery Channels & functional areas with special reference to the following:

1. Policy, Procedures, Standard Practices & other regulatory requirements:

1.11 Information Security Governance, effectiveness of implementation of Bank’s IT Security Policy & Procedures.

1.12 Compliance with National Information Infrastructure Protection Center guidelines and RBI guidelines on Information Security, Internet Banking & other delivery channels.

1.13 RuPay & other regulatory guidelines.

1.14 CERT-In and DSCI Guidelines.

1.15 IT Act 2000 and IT (Amendment) Act 2008.

1.16 Best practices of the industry including ISACA’s Guidelines / COBIT / ISO standards.

1.17 Alignment of Bank’s IT strategy with Business strategy.

1.18 PCI-DSS guidelines.

1.19 NPCI guidelines.

2. Physical and Environmental Security:

2.13 NPCI guidelines.

2.14 Access control systems.

2.15 Assessment of vulnerability towards natural calamities.

2.16 Fire protection systems, their adequacy and state of readiness.

2.17 Assets safeguarding, handling of movement of Man /Material/ Media/ Backup / Software/ Hardware / Information.

2.18 Air-conditioning of DC/ DRC, humidity control systems.

2.19 Electrical supply, redundancy of power level, Generator, UPS capacity.

2.20 Surveillance systems of DC / DRC.

2.21 Premises management.

2.22 Pest prevention (rodent prevention) systems.

3. IT Architecture

a. Operating Systems Audit of Servers, Systems and Networking Equipment:

3.1 Setup & maintenance of Operating System Parameters.

3.2 OS Change Management Procedures – version maintenance, hot-fixes & Service packs.

3.3 User account management including maintenance of sensitive user accounts - use of root and other sensitive passwords.

3.4 Use of sensitive system software utilities.

3.5 Vulnerability assessment & hardening of Operating Systems.

3.6 Users and Groups created, including all types of users’ management ensuring password complexity, periodic changes etc.

3.7 File system security of the OS.

3.8 Review of Access rights and privileges.

3.9 Services and ports accessibility.

3.10 Review of Log Monitoring, its sufficiency, security, preservation and backup.

3.11 Adherence to licensing requirements.

3.12 Use of administrative shares, default login passwords, remote access / NetMeeting or any other such tool.

3.13 Implementation of ADS (Active Directory Services) or Group Policy.

3.14 Periodic Patch and Antivirus updates.

3.15 Remote access policies including Remote Desktop Management.

3.16 Registry settings, including registry security permissions.

3.17 Profiles and log-in scripts.

b. Application level Security Audit:

3.18 Logical Access Controls - To review all types of Application Level Access Controls including proper controls for access logs and audit trails, ensuring sufficiency & security of creation, maintenance and backup of the same.

3.19 Input Controls.

3.20 Processing Controls.

3.21 Output Controls.

3.22 Monitoring of Access log.

3.23 Interface controls - Application interfaces with other applications and security of their data communication.

3.24 Authorization controls such as Maker Checker, Exceptions, Overriding exception & Error condition.

3.25 Data integrity & File Continuity Controls.

3.26 User ID / Password Management.

3.27 Segregation of duties and access control over development, test and production regions.

3.28 Review of Parameter maintenance process and controls implemented therein.

3.29 Change management procedures including testing and impact analysis documentation.

3.30 Identification of gaps in application security parameters.

3.31 Audit of management controls including system configuration/ parameterization development.

3.32 Audit of controls over operations including communication network, data preparation and entry, production, documentation and program library, Help Desk and technical support, capacity planning and performance, monitoring of outsourced operations, availability of user & operation manuals.

3.33 Review of Software customization and adherence to SDLC Policy for such customization.

3.34 Adherence to Legal & Statutory Requirements.

3.35 Audit trail / Audit log generation and management.

3.36 Recovery & Restart procedures.

3.37 If outsourced, escrow arrangement with application owner.

3.38 Auditing, both at client side and server side, including sufficiency and accuracy of event logging, SQL prompt command usage, Database level logging etc.

3.39 Backup/Fallback/Restoration procedures and contingency planning.

3.40 Sufficiency and coverage of UAT test cases, review of UAT defects and tracking.

3.41 Mechanism deployed by vendor for resolution including re-testing and acceptance. Change management procedure during conversion, migration of data, version control etc.

3.42 Adequacy of hardening of all Servers and review of application of latest patches supplied by various vendors for known vulnerabilities as published by CERT, SANS etc.

3.43 Application-level risks at system and data level including:

i. system integrity risks

ii. system-security risks

iii. data risks

iv. system maintainability risks

3.44 Review of Software benchmark results and load and stress testing of IT infrastructure performed by the Vendors.


3.45 Special remarks may also be made on following items- Hard coded user-id and Password,

Application level Recovery and restart procedures.

3.46 Review adequacy and completeness of controls

c. Audit of DBMS and Data Security :

3.47 Authorization, authentication and access control are in place.

3.48 Physical access and protection.

3.49 Audit of data integrity controls including master table updates.

3.50 Confidentiality requirements are met.

3.51 Logical access controls which ensure access to data is restricted to authorized users.

3.52 Use of Data Repository Systems, Data Definition Language, Data Manipulation

Language (DML) and Data Control Language.

3.53 Audit of log of changes to Data Definitions.

3.54 Database integrity is ensured to avoid concurrency problems.

3.55 Protection of Sensitive Information during transmission and transport.

3.56 Separation of duties.

3.57 Catalog Server, Synchronization of control file and catalog server.

3.58 Database Backup Management.

3.59 Purging policy-procedures of Data Files.

3.60 Security of Oracle system files viz. control files, redo log files, archive log files, initialization file, configuration file, tablespace security & utilization etc.

3.61 Password check of the SYSTEM and SYS users.

3.62 Checking of database privileges assigned to DBAs and users (privileges like ALTER SESSION, ALTER SYSTEM and BECOME USER etc.).

3.63 To examine and review different types of Logs generated from users/ background/

memory process etc. and to examine the controls ensuring sufficiency & security of

creation, maintenance and backup of the same.

3.64 Procedures to ensure that all data are classified in terms of sensitivity by a formal and

explicit decision by the data owner and necessary safeguards for its confidentiality,

integrity and authenticity are taken as per IT Security Policy.

3.65 Patches and new versions are updated as and when released by vendor/ Research and

Development team

d. Network Security:

i. Network Security architecture of the entire network including:

3.66 Understanding traffic flow in the network at LAN & WAN level.

3.67 Review of appropriate segregation of network into various trusted zones. Analysis of

Network Security controls including logical locations of Security components like

firewall, IDS/IPS, proxy server, antivirus server, email Systems, VSAT IDUs etc. in

various zones.

3.68 Review of redundancy for Links and Devices in CBS Setup.

3.69 Review of security measures at the entry and exit points of the network.

3.70 Checking Inter-VLAN Routing and Optimization. Study of incoming and outgoing

traffic flow among web servers, application servers, database servers, DNS servers

and Active Directory.

3.71 Review of Routing policy, Route path and table audit.

3.72 Review of placement of security devices and DMZs.

3.73 Routing protocols and security controls therein.

3.74 Audit of network architecture from disaster recovery point of view.

3.75 Access control for MZ, DMZ, NOC, WAN and for specific applications of the

respective zones.

3.76 Review of all types of network level access controls & logs, for ensuring sufficiency &

security of creation, maintenance and backup of the same.


3.77 Secure Network Connections for CBS, ATM including Client / browser based security.

3.78 Evaluation of centralized controls over Routers installed in Branches & their Password

Management.

3.79 Audit of VSAT infrastructure.

3.80 Incident management: Audit of Incident Management and handling processes, roles and

responsibilities, incident response procedures, verification of incident reports and

effectiveness measurement, awareness of security incidents and events.

3.81 Audit of VLAN segregation, access to servers, encryption mechanisms for connectivity

and access, internet access management, remote access provisioning etc.

ii. Network Management Audit comprising :

3.82 Process.

3.83 Risk Acceptance (Deviation).

3.84 Password management.

3.85 Authentication.

3.86 Network Information security administration.

3.87 Cryptography.

3.88 Policies and rule sets including ACLs (Access Control Lists).

3.89 Violation logging management.

3.90 Information storage & retrieval.

3.91 Audit trails.

3.92 PKI management.

3.93 PIN management.

3.94 Review access control documentation and configuration.

3.95 Obtaining information about the network architecture and address schema of the network.

iii. Configuration Audit of Network Devices (Routers, Switches, Firewalls, IDS/IPS):

3.96 Routing protocol analysis.

3.97 Checking of HSRP configurations, if any, and its working.

3.98 Review of network device’s roles and configuration through configuration audit.

3.99 Configuration to defend against common attacks such as IP spoofing, ICMP redirects etc.

3.100 Service proxies, circuit-level gateways and packet filters.

3.101 VPN configuration and encryption.

3.102 Updated version of OS / patches.

3.103 Auditing, logging, monitoring and alerting mechanism

3.104 Session management.

3.105 Domain name services.

3.106 Validation of following services for security, effectiveness and efficiency on all Network

devices:

i. IP directed broadcasts

ii. Incoming packets at the router sourced with invalid addresses

iii. TCP small services.

iv. UDP small services.

v. All source routing.

vi. All web services running on router.

vii. Logging & Auditing.

viii. Banner checking.

iv. Verification of Network Devices for any security threats including but not

limited to:

3.107 Smurf and SYN Flood

3.108 DoS Attacks, DDoS, spoofing, DNS poisoning, Loki etc.

3.109 Checking for all known Viruses, Trojans, root kits, Worms etc. & protection thereof.


3.110 Checking of VLAN architecture and Security measures

3.111 Communication Controls

3.112 Open TCP/UDP Ports

3.113 Firewall /ACLs (Access Control List)

v. Access control audit for all Networking Devices viz. Routers, Switches, IDS/IPS, VSAT Infrastructure, Firewalls etc.:

3.114 Routers/ switches/ Firewalls/ IDS/ IPS are using AAA (Authentication, Authorization

and Accounting) model for all user authentications.

3.115 Passwords on the routers/switches are stored in encrypted form and comply with the minimum length requirement.

3.116 Privileges available to Systems Integrator and outsourced vendors.

3.117 Review of access lists for different network segments (to different outside Networks).

3.118 Delegation of privileged use in accordance with job function.

3.119 Local and remote access to the Networking devices is limited & restricted
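
The 3.106 service list and the 3.114/3.115 AAA and password controls above are the kind of checks that can be scripted against exported device configurations. The following is an added example (not part of the RFP or of any bidder's toolkit) in Python that evaluates a constructed Cisco IOS-style running configuration against those items; the minimum password length of 8, the remote-syslog requirement and the uRPF expectation on every routed interface are assumed policy values, not figures from this document.

```python
"""Checks for scope items 3.106 (services to validate on network devices),
3.114 (AAA) and 3.115 (password controls) against a Cisco IOS-style running
configuration. Added example, not part of the RFP; the sample config below is
constructed, and min_pw_length=8 and the remote-syslog requirement are assumed
values an auditor would take from the Bank's IT Security Policy."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    item: str       # scope item the check maps to, e.g. "3.106.i"
    severity: str   # HIGH / MEDIUM / LOW
    detail: str


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]}; IOS prints 'interface X',
    then indented sub-commands, and closes the block with '!'."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def audit_ios_config(config: str, min_pw_length: int = 8) -> List[Finding]:
    """Return one Finding per failed check; an empty list means compliant."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def has(prefix: str) -> bool:
        return any(ln.startswith(prefix) for ln in lines)
    f: List[Finding] = []
    # 3.106 i/ii, per interface: directed broadcasts off, uRPF on routed ports.
    for name, cmds in parse_interfaces(config).items():
        if "ip directed-broadcast" in cmds:
            f.append(Finding("3.106.i", "HIGH", f"{name}: ip directed-broadcast enabled"))
        routed = any(c.startswith("ip address ") for c in cmds)
        urpf = any(c.startswith("ip verify unicast source reachable-via") for c in cmds)
        if routed and not urpf and not name.lower().startswith("loopback"):
            f.append(Finding("3.106.ii", "MEDIUM", f"{name}: no uRPF check on source addresses"))
    # 3.106 iii-vi: small servers/HTTP appear only when enabled (off by default
    # since IOS 12.0); source routing is on unless its 'no' form is present.
    if has("service tcp-small-servers"):
        f.append(Finding("3.106.iii", "MEDIUM", "TCP small servers (echo/chargen/discard) enabled"))
    if has("service udp-small-servers"):
        f.append(Finding("3.106.iv", "MEDIUM", "UDP small servers enabled"))
    if not has("no ip source-route"):
        f.append(Finding("3.106.v", "MEDIUM", "IP source routing not disabled"))
    if has("ip http server"):
        f.append(Finding("3.106.vi", "HIGH", "clear-text HTTP management server enabled"))
    # 3.106 vii/viii: remote syslog host and a login/MOTD banner must exist.
    if not any(re.match(r"logging (host\s+)?\d{1,3}(\.\d{1,3}){3}", ln) for ln in lines):
        f.append(Finding("3.106.vii", "HIGH", "no remote syslog host configured"))
    if not (has("banner motd") or has("banner login")):
        f.append(Finding("3.106.viii", "LOW", "no login/MOTD banner"))
    # 3.114: AAA model for all user authentication.
    if not has("aaa new-model"):
        f.append(Finding("3.114", "HIGH", "aaa new-model not configured"))
    # 3.115: secrets hashed rather than reversibly encoded; minimum length enforced.
    if not has("service password-encryption"):
        f.append(Finding("3.115", "MEDIUM", "service password-encryption not set"))
    if has("enable password"):
        f.append(Finding("3.115", "HIGH", "enable password (reversible type 7) in use"))
    if not has("enable secret"):
        f.append(Finding("3.115", "HIGH", "enable secret not configured"))
    for ln in lines:
        if ln.startswith("username ") and " password " in ln:
            f.append(Finding("3.115", "MEDIUM", f"{ln.split()[1]}: 'password' used instead of 'secret'"))
    m = re.search(r"^security passwords min-length (\d+)$", "\n".join(lines), re.M)
    if m is None or int(m.group(1)) < min_pw_length:
        f.append(Finding("3.115", "MEDIUM", f"password minimum length not enforced at >= {min_pw_length}"))
    return f


SAMPLE_CONFIG = """\
service timestamps log datetime msec
service password-encryption
service tcp-small-servers
enable password 7 CONSTRUCTED
username netadmin password 7 CONSTRUCTED
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 10.10.1.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
ip http server
logging host 10.20.0.5
banner motd ^C Authorised users only ^C
"""
```

Running `audit_ios_config(SAMPLE_CONFIG)` on the constructed branch-router configuration yields ten findings (directed broadcast and missing uRPF on the WAN port, small servers, source routing, clear-text HTTP, no AAA, and four password-control items), while a configuration that meets every check returns an empty list.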

vi. Network Traffic & Performance Analysis:

3.120 Packet flow performance.

3.121 LAN/WAN link utilization/quality analysis/ Bandwidth availability /Usage etc.

3.122 Congestion areas at various topology layers and traffic pattern analysis.

3.123 Capacity planning analysis including Scalability

3.124 Baseline configurations.

3.125 Analysis of latency/Response time in traffic across various links

3.126 Analysis of load balancing mechanism

vii. Network Monitoring Software Review

3.127 Review of functional capabilities and effectiveness of NMS software.

3.128 Review of availability of tools to generate ad-hoc reports from system logs.

4 Backup & Recovery Testing:

4.1 Audit of Backup & recovery testing procedures.

4.2 Sufficiency checks of backup process.

4.3 Audit of access controls, movement and storage of backup media.

4.4 Audit of media maintenance procedures.

4.5 Security of removable media.

4.6 Controls for Prevention of Data Leakage through removable media or other means.

4.7 Media disposal mechanisms and Database archival & purging procedures.

4.8 Synchronization between DC & DRC databases.

4.9 DR Services to be up for Branches, as per RTO & RPO of BCP.

4.10 Purging of Data

5 Privacy, Data Protection & Fraud Prevention:

5.1 Assurance to the management on implementation of proper controls, and periodic updating of the same, to prevent Cyber Frauds / IT Frauds, and on the detection mechanism.

5.2 Isolation and confidentiality in maintaining bank’s customer information, documents,

records by the bank.

5.3 Review of documents / media retention policy.

5.4 Media control within the premises.

5.5 Procedures to prevent access to sensitive information and software from computers, disks and other equipment or media when they are disposed of or transferred to another user are defined and implemented.

5.6 Such procedures guarantee that data marked as deleted or to be disposed of cannot be retrieved by any internal or third party.


6 Business Continuity Management:

6.1 Review and assess the adequacy of recovery strategies deployed by bank including

cryptographic disaster.

6.2 Review the adequacy of processes for conducting business impact analysis, risk

assessment.

7 Review of BCP methodology covering the following:

7.1 Identification of critical business.

7.2 Owned and shared resources with supporting function.

7.3 Risk assessment on the basis of Business Impact Analysis (BIA).

7.4 Formulation of Recovery Time Objective ('RTO') and Identification of Recovery Point

Objective ('RPO').

7.5 Assurance from Service providers of critical operations for having BCP in place with

testing performed on periodic basis.

7.6 Maintaining of robust framework for documenting, maintaining and testing business

continuity and recovery plans by Bank and service providers.

7.7 Adequate insurance maintained to cover the cost of replacement of IT Resources in the event of a disaster.

8 Review the effectiveness of DR Drill Process:

8.1 Review DR Drill activity with respect to documented procedures, highlight any

deviations from such procedures or improvements, if any, thereupon.

8.2 Review the overall effectiveness of DR drill and comment on the achievable Recovery

Time Objectives (RTO) and Recovery Point Objectives (RPO) vis-à-vis identified RTO

and RPO values during the BIA activity.

8.3 Data Backup – periodic media verification for its readability.

8.4 Offsite storage and movement of backups.

8.5 Restoration of backup at DRS.

8.6 Time delay in transmission and restoration of daily data at DRS.

8.7 Specify events which could restrict successful shifting to DRS in case of any disruptions

at main site.

8.8 Comment on success of Drill exercises.

9 Addressing of HR issues and training aspect including:

9.1 Providing for the safety and wellbeing of people at branch or location at the time of

disaster.

10 Asset Inventory Management:

10.1 Records of assets maintained: existence of an Inventory Database & Controls which identify and record all IT assets and their physical location, and a regular verification schedule which confirms their existence and updating.

10.2 IT assets classification, ownership definition & Labeling of Assets.

10.3 Checking for unauthorized software.

10.4 Software storage controls.

10.5 Proper usage policies for use of critical technologies by Outsourced Vendor/Employee.

10.6 Maintenance of Inventory logs for media.

10.7 Restriction of access to assets, management approval, authentic use of technology, access

control list covering list of employees and devices, labeling of devices, list of approved

products

10.8 Details of IT Assets deployed within the Bank, review and management thereof including

remarks on under-utilisation, if any.

10.9 Proper utilization of infrastructure of IT Assets, license and Warranty / AMC details and overloading of resources.

11 Human Resources:

11.1 Review of segregation of duties.

11.2 Communication of individual security Roles & Responsibilities to Employees

11.3 Prevention of unauthorized access of former employees

11.4 Close supervision of staff in sensitive position

11.5 People on notice period moved to non-sensitive role

11.6 Retired/Dismissed staff to be removed from the Active User List on immediate basis.

12 IT Financial Control:

12.1 Compliance of Outsourcing Policy.

12.2 Review of Coverage of confidentiality clause and clear assignment of liability for loss

resulting from information security lapse in the vendor contract.

12.3 Review of financial and operational condition of service provider with emphasis to

performance standards, confidentiality and security, business continuity preparedness.

13 IT Operations:

13.1 Application Security covering access control.

13.2 Business Relationship Management.

13.3 Customer Education and awareness for adaptation of security measures.

13.4 Mechanism for reporting deceptive domains and suspicious emails.

13.5 Review of monitoring of domain names to help prevent any entity from registering deceptively similar names.

13.6 Use of Internet as per the Bank’s Security Policy.

13.7 Issue and maintenance of Digital signatures.

13.8 Review of monitoring of system performance and resource usage to optimize Computer

resource utilization.

13.9 Personnel scheduling - Shift hand-over process

13.10 Day begin and Day end process: Audit of BOD/ EOD controls, control of transactions

affecting intermittent accounts, control of systems generated transactions.

13.11 Reviews of console log activity during system shutdown and hardware/ software

initialization

13.12 Processes documentation

13.13 Operational procedure for Data Center and DRS

13.14 Review of monitoring of operator log to identify variances between schedules and actual

activity.

13.15 Duty / Role segregation mechanisms/ procedures.

14 Capacity Management:

14.1 Service Continuity and availability management

14.2 Avoidance of single point failure through contingency planning

15 Change Management:

15.1 Implementation of version control.

15.2 Key parameters of applications in CBS application, Operating System, RDBMS and

Admin levels.

16 Record/Storage Media Management & Handling:

16.1 Consistency in handling and storing of information in accordance with its classification.

16.2 Adherence to Policies for media handling, disposal and transit

16.3 Protection of records from loss, destruction and falsification in accordance with statutory, regulatory, contractual and business requirements.


16.4 Securing of confidential data with proper storage

16.5 Procedures of handling, storage and disposal of information and Storage media backups

16.6 Review of Retention periods and storage terms, as per regulatory requirements for:

i. Documents

ii. Data

iii. Programs

iv. Reports

v. Messages (incoming and outgoing)

vi. Keys, certificates used for their encryption and authentication.

vii. Log files for various activities

viii. Policy and Procedures for purging of data

16.7 Responsibilities for media library management and housekeeping procedures are

assigned to specific members of the IT function to protect media library contents

16.8 Housekeeping procedures are designed.

16.9 Standards are defined for the external identification of magnetic media and control of

their physical movement and storage to support accountability.

16.10 Systematic inventory of media library containing data, to ensure data integrity.

17 Project Management:

17.1 Information System Acquisition, Development and Maintenance.

17.2 New systems or changes to current systems should be adequately specified, programmed, tested and documented prior to transfer into the live environment.

17.3 Scrambling of sensitive data prior to use for testing purpose.

17.4 Release Management.

17.5 Access to computer environment and data based on job roles and responsibilities.

17.6 Segregation of development, test and operating environments for software.

17.7 Proper segregation of duties to be maintained while granting access in Development, test

and live environment.

18 Technology Licensing:

18.1 Review of software licenses.

18.2 Legal and regulatory requirement of Importing or exporting of software.

19 Review of Outsourcing Risks with vendors:

19.1 Service levels are defined and managed.

19.2 Non-Disclosure Agreement (NDA) / confidentiality clause is in place.

19.3 Review of access provided to third party contractors working onsite.

19.4 Responsibility and liability of vendors have been defined according to Security policy

and procedures of the Bank.

19.5 Service Level Agreements (SLAs): Audit of SLA management for all kinds of services

like Data Centre, DR site, ATM Switch, Physical Security etc.

19.6 Monitoring of vendors activities as per SLAs.

19.7 Imposing penalties wherever there are deviations.

19.8 Formal agreements are executed which take care of all the risks associated with outsourcing.

20 Help Desk Audit:

20.1 Prioritization of reported problems.

20.2 Timely resolution of reported problems.

20.3 Problems and incidents reported are resolved, and the cause investigated to prevent any

recurrence

20.4 Incident handling


20.5 Trend analysis and reporting

20.6 Development of knowledge base

20.7 Root cause analysis

20.8 Problem tracking and escalation with proper documentation

20.9 Audit trails of problems and solutions

21 Anti Virus:

21.1 Proactive virus prevention and detection procedures are in place and implemented. Virus definitions are updated regularly.

21.2 Review of monitoring of antivirus servers located at various locations including branch

level clients for having updated latest versions and definitions.

21.3 Audit of anti-virus protection at host and at desktop levels, procedure of antivirus updates

at DC, Servers and Desktops, Gateway level AV protection etc.

22 ATM Switch & ATM Back Office:

22.1 Compliance of Service Level Agreement (SLA) with the outsourced ATM Switch

Vendor (M/s FIS).

22.2 ATM Process Audit comprising ATM Operational Controls, Consortium issues,

Reconciliation, ATM Cash Management etc. including:

i. PIN Management

ii. Card Management

iii. Time Management in delivering ATM Cards/PINs to customers.

iv. Hot listing of cards.

v. Transactions & Reconciliation Management.

vi. Dispute Management

22.3 Analysis/Verification of Audit Logs /Audit Trails of Transactions, Exception List,

Incident management report etc.

22.4 ATM Process Audit comprising ATM Operational Controls, Consortium issues,

Reconciliation, ATM Cash Management etc. including:

22.5 Adequacy of Operational Security features through Access Control, User Rights,

Logging, Data integrity, Accountability, Auditability etc. at the ATM Switch/ATM Back

Office.

22.6 Adequacy of contingency arrangement (Fallback / fail over procedures, Redundancy &

Back-up) in the event of System Breakdown/Failure w.r.t Recovery/Restart facilities,

Diagnostics for identification, Protection of Data, Backup facilities.

22.7 Adequacy of Data/Network Security features with respect to the connectivity between

ATM Switch (DC & DR Site), Bank’s CBS DC/DRS, ATM Back Office etc. Review of

adequacy/appropriateness of the security protocol implemented (IPsec, SSH, SSL etc.),

Network Security System Hardware/Software deployed (Firewall, IDS, Anti-Virus etc.),

Adequacy /Reliability /Redundancy of the Bandwidth provided etc.

22.8 Adequacy, generation & availability of Reports for accounting, regulatory, statutory,

reconciliation, MIS & statistical purpose covering all ATM transactions

22.9 Scalability & Interoperability for expanding network in future & sharing arrangements.

22.10 Connectivity to partner networks and two way authentication between Bank’s Server and

Third Party’s Server.

22.11 Adherence to various limits accepted with the Switch Vendor/Managed Services Vendors

in the SLAs w.r.t. Uptime/Availability/Penalties etc.

22.12 Verification of the detailed security procedures & processes of the ATM Switch vendor.

22.13 Adequacy of Physical/environmental Security Controls at the ATM Switch (DC & DR)

& ATM Back Office with special emphasis at Level 3 area (Hosting Server Rooms etc.).

Presence of Biometric Authentication devices for Access Control, Fire Detection

mechanisms & other Safety standards, Video Surveillance Systems/CCTV etc. to be

checked.


22.14 Analysis of Incident Management/ATM Monitoring Database/Reports/Logs etc.

generated & their resolution.

22.15 Audit of the Reconciliation activities being carried out w.r.t transactions involving

various Acquirer, Issuer, Merchant, Interchange other stakeholders etc. found in the ATM

switch files with the transactions found in Host, Interchange & Partner Bank’s switch.

Also, Chargeback processing including VISA chargeback, NFS Chargeback etc. to be

checked for appropriateness.

23 Risk Analysis & Development of Risk Matrix/Profile:

23.1 The scope of work should be based upon Risk Analysis of the Information Systems of the

Bank, as per regulatory guidelines and will include following steps:

• Step 1: System Characterization

• Step 2: Threat Identification

• Step 3: Vulnerability Identification

• Step 4: Control Analysis

• Step 5: Likelihood Determination

• Step 6: Impact Analysis

• Step 7: Risk Determination

The Risk Analysis / Risk Matrix will be based on Adequacy of internal controls, business

criticality, regulatory requirements, amount or value of transactions processed, customer

facing systems, financial loss potential, number of transactions processed, availability

requirements, experience of management and staff, turnover, technical competence,

degree of delegation, technical and process complexity, stability of application, age of

system, training of users, number of interfaces, availability of documentation, extent of

dependence on the IT system, confidentiality requirements, major changes carried out,

previous audit observations and senior management oversight.

24 Audit of Ultra Small Branches Infrastructure (USB), Financial Inclusion (FI)

Infrastructure:

24.1 Audit of External network connectivity for FI Infrastructure, USB infrastructure with

Bank’s CBS network. Review of network architecture security for these setups and

adequacy of the security controls.

24.2 Verification of controls as per the Bank’s security policies, regulatory policies, PCI-DSS, NPCI & other statutory guidelines.

24.3 Review of BCP/DRP for the above setups

24.4 Sample configuration checking of USB Laptops for compliance.

24.5 Compliance of SLA provisions with the concerned vendors.

25 General scope:

25.1 Review of Privileges available to Systems Integrator and Outsourced Vendors.

25.2 Evaluation of role, responsibility and accountability of IT Process owners.

25.3 Audit of DR Site including verification of systems / controls at the DR site, Assessment

of environment and procedures at the DR site, Parameter Management, Adequacy of

infrastructure, fallback procedures, Assessment of access control, comparisons of DR

Site setup with Data Centre with respect to infrastructure (Hardware, Application

Software, Systems Software etc.)

25.4 Vulnerability Assessment & IS Audit of Delivery channels, 3rd Party Products and

interfaces like corporate email systems, CIBIL, ALM, APBS, Data Archival Solution,

AML, Financial Inclusion, Helpdesk module, E-mail System and any other modules

integrated with the Core System, as on the date of the audit.

25.5 Audit of e-mail access and usage, mail size and restrictions, attachment restrictions, AV

& Spamming Control agents and archival for mail.

25.6 Software change management: change and version control management, audit of movement from development to test to production; data access & segregation, access control to source code and libraries, audit of application development and maintenance processes, user access controls to application and database, audit of patch updates and upgrade processes.

25.7 Encryption standards/ message integrity standards, data privacy processes, efficiency of

audit trails, audit trail synchronization mechanisms.

25.8 Security in SDLC processes, security of application, security testing processes, in-built

security with the application development and maintenance procedures, license

management, escrow agreements.

25.9 Audit of issuance & usage of Digital signature as per Bank’s established guidelines &

procedures

25.10 Security Management:- Patch Management & AV processes, audit of roles and

responsibilities

25.11 The scope of work further includes guiding/helping the Bank staff in putting in place the

correct practices and conducting of a compliance audit

25.12 The scope of work also includes sharing with Bank’s IS Audit team all the formats, check

lists, scoring sheets, scripts etc. that will be used during the process of IS Audit. Bank’s IS

Audit team will be attached to the IS Audit team of the selected vendor, during the course

of audit. The external IS Auditor should explain, to the bank’s team, all the processes,

procedures involved in arriving at audit findings including interpretation of outputs

generated by various audit tools.

25.13 Audit of availability of Bank’s documented operating procedures for critical processes

like Backup, capacity planning, equipment maintenance, application monitoring, server

monitoring, networking monitoring, security monitoring etc.

Count of Servers/Devices in Different Auditee Locations: As per Annexure XIII(b)

1. Vulnerability Assessment & Penetration Testing (Internal & External) of Bank’s

Information Systems Including Bank’s Corporate Website, Financial Inclusion

Infrastructure, Ultra Small Branch Infrastructure etc. (detailed list of setups to be provided

at the time of Audit)

1. Port scanning of the servers, network devices and security devices/applications.

2. Penetration Testing (Internal and External).

3. Analysis and assessment of vulnerabilities of entire network.

4. Network traffic observation for important and confidential information like username, password

flowing in clear text.

5. Comprehensive scanning of all IP address ranges in use to determine vulnerabilities that may

exist in network devices & servers, and to audit all responses to determine if any risks exist.

6. Use vulnerability scanners to scan the critical/network devices and servers to determine whether vulnerabilities exist.

7. Check for the known vulnerabilities in the Operating Systems and applications like Browser, E-

Mail, Web Server, Web Application Server and FTP etc.

8. Review of specific controls against Web Defacing and uploading of Trojan/ Virus/ Malware/

Spyware etc. on various servers and further spread of the same to clients/connected machines.

9. Attempt to guess passwords using password cracking tools.

10. Check for unnecessary services/ applications running on network devices/ servers/ workstations.

11. Unauthorized access into the network and extent of such access possible

12. Unauthorized modifications to the network and the traffic flowing over network

13. SQL Injection, Cross Site Scripting, Information Leakage, Cookie handling, IP Spoofing, Buffer overflow, Session hijacks, Pharming, Phishing etc.

14. Extent of information disclosure from the network.

15. Spoofing of identity over the network

16. Controls against possibility of denial of services attacks.


17. Effectiveness of Virus Control systems in E-mail gateways

18. Control over network access points.

19. Possibility of traffic route poisoning

20. Review of IOS.

21. Checking Spanning Tree Topology

22. Bridging, Root bridges, designated port, root ports.

23. Checking Fault tolerance.

24. VTP security (VLAN Trunk Protocol) & VTP Modes

25. MAC Spoofing.

26. Checking Port duplex and speed setting.

27. Checking trunking on the ports and only necessary VLANs Allowed

28. Review with reference to “OWASP Top 10 Web Application Security Risks”

29. Penetration testing should include network and application layer testing as well as controls &

processes around the networks & applications, and should be conducted from both outside the

network trying to come in (External testing) and from inside the network (internal testing).

2. Product Audit of Applications Launched by the Bank

Product Audit of applications / modules as and when launched by the Bank (either integrated with Core Banking Solution or as standalone) within 31st March, 2016.

Audit Parameters to be included but not limited to:

➢ Functionality

➢ Adherence to Accounting Procedures/Guidelines/Mandates issued by RBI & other Regulatory

bodies

➢ Security (Logical Access, Change management, etc.)

➢ Reporting

➢ Online Help & Troubleshooting

➢ Controls for fraud/ forgery

➢ Error handling

➢ Emergency/ Crisis handling

➢ User’s feedback mechanism

Detailed Scope for Product Audit:-

1. Input Controls

2. Processing Controls

3. Output Controls

4. Review of product specific functionality & features

5. Logical Access Controls - To review Application Level Access Controls including proper

controls for access logs and audit trails for ensuring Sufficiency & Security of Creation,

Maintenance and Backup of the same.

6. Auditability both at Client & Server side including sufficiency & accuracy of event logging,

adequacy of Audit trails, SQL command prompt usage, database level logging etc.

7. Interface controls - Application interfaces with other applications and security in their data

communication.

8. Authorization controls such as Maker Checker, Exceptions, Overriding exception & Error

condition.

9. Data integrity & File Continuity Controls

10. User maintenance, password policies as per bank’s IT security policy with special reference to

use of hardcoded User Id & Password

11. Segregation of duties and accesses of production staff and development staff with access control

over development, test and production regions.

12. Review of all types of Parameter maintenance and controls implemented.

13. Change management procedures including testing & documentation of change.

14. Identify gaps in the application security parameter setup in line with the bank’s security policies.

15. Audit of management controls including systems configuration/ parameterization & systems

development.

16. Audit of controls over operations including communication network, data preparation and entry,

production, file library, documentation and program library, Help Desk and technical support,

capacity planning and performance, Monitoring of outsourced operations.

17. Review of customizations done to the Software & the SDLC Policy followed for such

customization.

18. Adherence to Legal & Statutory Requirements

19. Suggestions for segregations of Roles/Responsibilities with respect to Application software to

improve internal controls

20. Review of documentation for formal naming standards, design process of job roles, activity,

groups, profiles, assignment, approval & periodic review of user profiles, assignment & use of

Super user access.

21. Sufficiency and coverage of UAT test cases, review of defects & tracking mechanism deployed

by vendor & resolution including re-testing & acceptance.

22. Backup/ Fallback/ Restoration/ Recovery & Restart procedures

23. Security in SDLC processes, security of application, security testing processes, in-built security

with the application development and maintenance procedures, license management, escrow

agreements.


1. Method of Audit to be followed:-

The Auditor has to undertake the IS Audit in a phased manner as described below:

• Phase I – Conduct of IS Audit as per scope, evaluation and submission of preliminary reports of IS Audit findings, and discussion on the findings
• Phase II – Submission of final reports
• Phase III – Compliance review and certification

2. The activities covered under each Phase are appended below:

2.1 PHASE I

2.1.1 Conduct of Information Systems Audit as per the SCOPE OF IS AUDIT as defined in section 1 of CP (Conditions for Procurement)

2.1.1.1 The Bank will call upon the vendor, on placement of the order, to carry out a demonstration and/or walkthrough, and/or presentation and demonstration of all or specific aspects of the IS Audit at the Bank's desired location or, for a walkthrough, at a mutually agreed location. All expenses for the above will be borne by the concerned vendor.

2.1.1.2 The audit schedule is to be provided 7 working days prior to the start of the audit, along with the names of the auditors who will be conducting the audit. Resumes of the auditors assigned to the project are to be provided to the Bank beforehand, and they should be deputed to the assignment only after the Bank's consent.

2.1.1.3 Commencement of IS Audit of IT setups/branches as per the scope of Audit, clause 1 of CP.

2.1.1.4 Execute Vulnerability Assessment/External Attack Penetration Testing of the entire network, including Internet Banking, wireless network etc., as per the scope of Audit, clause 1 of CP, on the written permission of the Bank and in the presence of the Bank's officials; analysis of the findings and guidance for resolution of the same.

2.1.1.5 The auditors will be required to use only licensed versions of tools, free from any malware, with prior permission of the Bank, strictly in "non-destructive" mode only.

3. Detailing the Security Gaps

3.1 Document the security gaps, i.e. vulnerabilities, security flaws, loopholes, etc., observed during the course of review of the CBS and other IT infrastructure of the Bank as per the scope of Audit.

3.2 Document recommendations for addressing these security gaps, and categorize the identified security gaps based on their criticality and the resource/effort required to address them.

3.3 Chart a roadmap for the Bank to address these security gaps and ensure compliance.

4 Addressing the Security Gaps

4.1 Help in fixing/addressing the security flaws, gaps, loopholes, shortfalls and vulnerabilities in the deployment of applications/systems which can be fixed immediately. If recommendations for risk mitigation/removal cannot be implemented as suggested, alternate solutions are to be provided.

4.2 Recommend fixes for system vulnerabilities, in design or otherwise, for application systems and network infrastructure.


4.3 Suggest changes/modifications in the Security Policies and Security Architecture of the Bank, including network and applications, to address the same.

5 Submission of Preliminary Draft Report of IS Audit Findings:-

The vendor has to submit a preliminary draft report of the IS Audit findings as per the report format provided in the deliverables clause of CP.

6 Review & Acceptance of Preliminary Report

The vendor is required to discuss the preliminary report findings/observations/recommendations/suggestions with the Bank prior to finalization and acceptance of the same by the Bank.

PHASE II

7 Final Reports of IS Audit Findings

Subject to the acceptance of the preliminary report by the Bank, the vendor has to submit the Final Report and Certificate for Completion of IS Audit as per the scope of IS Audit.

7.1 Final reports of the IS Audit findings will be submitted in four parts as detailed in clause 1.3 of deliverables:-

• Executive summary
• Detailed findings/checklists along with risk analysis, duly mapped with the scope of work defined above, for each site, service, system and critical device.
• In-depth analysis of findings/corrective measures and suggestions

7.2 Acceptance of Final Report by the Bank.

PHASE III

8 Compliance Review

An exercise to review compliance with the findings and recommendations of the IS Auditor will be undertaken by the vendor, preferably within 180 days from the date of completion of Phase II. However, the final date for the start of the compliance audit will be intimated by the Bank. This exercise would encompass evaluation of the general/overall level of compliance undertaken by the Bank against the shortcomings reported in the IS Audit reports.

9 Certification for Compliance & Final Sign Off

On completion of the compliance review process and before final sign off, the vendor will provide the Bank an ISA compliance certificate, including a certificate as per RBI guidelines for Internet Banking.

10 Deliverables:-

The major deliverables in this project are noted below:-

10.1 Information Systems Audit as per the Scope of Audit, clause 1 of CP (Type - Services)

10.2 Vulnerability Assessment/Penetration Testing of the entire network including Internet Banking as per the scope of Audit, clause 1 of CP; analysis of the findings and guidance for resolution of the same (Type - Documentation & Service)


10.3 ISA Report (Type - Documentation)

11 IS Audit Report-

Broadly, the Audit Report should contain observations/recommendations keeping the undernoted points in view:-

• Gaps, deficiencies and vulnerabilities observed in the audit. Specific observations will be given indicating the name and important address of the equipment.
• Risk associated with the gaps, deficiencies and vulnerabilities observed.
• Analysis of vulnerabilities and issues of concern.
• Recommendations for corrective action.
• Category of Risk: Very High/High/Medium/Low.
• Summary of audit findings, including identification tests, tools used and results of tests performed during the IS Audit.
• Report on audit covering the compliance status of the previous IS Audit.
• All observations will be thoroughly discussed with process owners before finalization of the report.
• The IS Audit report should be submitted in the following order:
  o Location
  o Domain/Module
  o Hardware
  o Operating Systems
  o Application
• Detailed report of network audit including VAPT, with recommendations and suggestions.
• Detailed report of VAPT of Internet Banking.
• The audit report shall incorporate a certificate that the report covers every area specified in the scope of the BID.

As indicated earlier, the ISA Reports have to be submitted in two stages: the preliminary draft report has to be submitted at the end of Phase I and the Final Report during Phase II.

Both sets of reports would comprise the following sub-reports:

i) Executive Summary

An executive summary should form part of the Final Report.

ii) Detailed Findings/Checklists with Risk Analysis

Detailed findings of the IS Auditor will be brought out in this report, covering in detail all aspects, viz.

• Identification of flaws/gaps/vulnerabilities in the systems (specific to equipment/resources, indicating the name and IP address of the equipment with Office and Department name)
• Identification of threat sources
• Identification of risk
• Identification of inherent weaknesses
• Servers/resources affected, with IP addresses etc.

The report should classify the observations into Critical/Non-Critical categories and assess the category of risk implication as Very High/High/Medium/Low Risk based on the impact. The various checklist formats designed and used for conducting the IS Audit as per the scope should also be included in the report, separately for servers (different for different OS), RDBMS, network equipment, security equipment etc., so that they provide a minimum domain-wise baseline security standard/practices to achieve a reasonably secure IT environment for the technologies deployed by the Bank. The reports should be substantiated with the help of snapshots/evidence/documents etc. from which the observations were made.

For continuous audit, the observations are to be submitted on a monthly basis and exceptions, if any, are to be reported immediately. This audit and reporting shall not be taken into account while arriving at the completion of Phase I.

iii) In-Depth Analysis of Findings/Corrective Measures & Suggestions

Findings of the entire IS Audit process should be critically analyzed, and controls should be suggested as corrective/preventive measures for strengthening/safeguarding the IT assets of the Bank against existing and future threats in the short/long term. The report should contain suggestions/recommendations for improvement in the systems wherever required. If recommendations for risk mitigation/removal cannot be implemented as suggested, alternate solutions are to be provided. Also, if formal procedures are not in place for any activity, the process and associated risks may be evaluated and recommendations given for improvement as per best practices.

12 Provide Certification for the ISA (Type - Documentation & Service)

At the end of the IS Audit process, the vendor will provide the Bank certification for the IS Audit, including a certificate as per RBI guidelines for Internet Banking.

13 Documentation Format

• All documents will be handed over in three copies, signed, legible, neatly and robustly bound on A-4 size good-quality paper.
• Soft copies of all the documents, properly encrypted, in MS Word/MS Excel/PDF format are also to be submitted on CDs/DVDs along with the hard copies.
• All documents will be in plain English.


14 Arbitration

All disputes or differences between the parties will be resolved mutually. If amicable settlement is not possible, then such disputes or differences arising under, out of or in connection with the contract/agreement shall be referred to an arbitrator duly appointed by mutual consent of the parties herein, and the provisions of the Arbitration & Conciliation Act, 1996 shall apply to this reference of arbitration; the award passed by the arbitrator shall be final and binding on both parties. The place of arbitration will be Kolkata and the language of arbitration will be English.


Abbreviations Used in This Document

1. ATM: Automated Teller Machine
2. RTGS: Real Time Gross Settlement
3. SFMS: Structured Financial Messaging System
4. NEFT: National Electronic Fund Transfer
5. NAP: Network Aggregation Point
6. SWIFT: Society for Worldwide Interbank Financial Telecommunication
7. IFB: Invitation for Bid
8. FI: Financial Inclusion
9. CTS: Cheque Truncation System
10. CBS: Core Banking Solution
11. RF: Radio Frequency
12. MPLS: Multi-Protocol Label Switching
13. VSAT: Very Small Aperture Terminal
14. PCI-DSS: Payment Card Industry-Data Security Standard
15. NPCI: National Payment Corporation of India
16. CERT-IN: Computer Emergency Response Team-India
17. DSCI: Data Security Council of India
18. UPS: Uninterrupted Power Supply
19. IDS: Intrusion Detection System
20. DNS: Domain Name System
21. BIA: Business Impact Analysis
22. CLMS: Centralized Log Management System
23. UDP: User Datagram Protocol
24. VAPT: Vulnerability Assessment & Penetration Testing
25. IS Audit: Information Systems Audit
26. RRB: Regional Rural Bank
27. IS Cell: Information Security Cell
28. UP: Uttar Pradesh
29. ITIC-K: Information Technology Innovation Centre-Kolkata
30. UAT: User Acceptance Test
31. COBIT: Control Objectives for Information & related Technology
32. ISO: International Organization for Standardization
33. ISACA: Information System Audit and Control Association
34. SDLC: System Development Life Cycle
35. MZ: Militarized Zone
36. DMZ: De-Militarized Zone
37. NOC: Network Operation Centre
38. WAN: Wide Area Network
39. VLAN: Virtual Local Area Network
40. BCP: Business Continuity Plan
41. TCP: Transmission Control Protocol
42. IPS: Intrusion Prevention System
43. DDoS: Distributed Denial of Service
44. OWASP: Open Web Application Security Project
45. CDMA: Code Division Multiple Access
46. SLA: Service Level Agreement
47. ICB: Indicative Commercial Bid


SECTION V

Annexures & Formats

I N D E X

S. No. / Subject / Page No

Annexure I(a) Profile of the Bidder 65
Annexure I(b) Organizational Structure 66
Annexure I(c) Financial Information 67
Annexure I(d) Declaration by Bidder 68
Annexure I(e) Manpower Details 69
Annexure I(f) Experience & Expertise 70
Annexure II Performance Statement 72
Annexure III Team Profile 73
Annexure IV CVs of Team Leads & Others 76
Annexure V Format for Commercial Bid 77
Annexure VI Bid Form 78
Annexure VII Bid Security Form 79
Annexure VIII Performance Security Form 80
Annexure IX Contract Form 81
Annexure X Technical Deviation 82
Annexure XI Commercial Deviation 83
Annexure XII Letter of Confirmation 84
Annexure XIII(a) Server / Device Details & Auditee Locations (Allahabad Bank) 85
Annexure XIII(b) Server / Device Details & Auditee Locations (Allahabad UP Gramin Bank) 86
Annexure XIV Reverse Auction Process 87
Annexure XV Compliance Statement and Nomination to Participate in Reverse Auction Process 94


ANNEXURE –I(a) (TECHNICAL BID)

PROFILE OF THE BIDDER

Ref No:-HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Registered name of the Bidder:
Registered address of the Bidder:
Address for correspondence of the Bidder: Address: / STD-Phone: / e-mail Id: / FAX No:
Contact name of the official who can commit on the contractual terms, and the name of an alternate official who may be contacted in the absence of the former:
  Primary Contact: Name: / Designation: / STD-Phone No: / Mobile Phone: / e-mail ID:
  Alternate Contact: Name: / Designation: / STD-Phone No: / Mobile Phone: / e-mail ID:
Contact addresses if different from above:
Official Website: Web Site URL:

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –I(b) (TECHNICAL BID)

ORGANIZATIONAL STRUCTURE

Ref No:-HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Business Structure of the Bidder – Government Organization / PSU / Partnership Firm / Limited Co. / Private Ltd. Co. (enclose relevant registration details):
Registered Office:
Bidder Organization's date of inception/commencement of business:
No. of completed years in existence as on the last date of bid submission:
Constitution:
Name of Directors:
Core Business of Bidder:
Bidder is engaged in Information Systems Audits since (month & year) & total experience (in years/months) in IS Audit services:
Whether Information Systems Audit is a core function of the bidder?
Empanelment with CERT-In as an IS Audit Organization – current status (enclose empanelment details): Empanelment valid from :- / Empanelment valid up to :- / Whether applied for fresh empanelment :- (please provide date and reference no. along with the proof)
Whether submitting the Bid as a part of any consortium (Yes/No):

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –I(c) (TECHNICAL BID)

FINANCIAL INFORMATION

Ref No:-HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Total turnover over the past three years from operations in India: 2014-2015 Rs. / 2015-2016 Rs. / 2016-2017 Rs.
Authenticated proof of Audited Balance Sheet etc. for the last 3 years (enclosed relevant documents are): 1) 2) 3)
Turnover from IS Audit and/or Consultancy services over the past three years: 2014-2015 Rs. / 2015-2016 Rs. / 2016-2017 Rs.
Authenticated proof of revenue from IS Audit and/or Consultancy Services (enclosed relevant documents are): 1) 2) 3)
Net Profit of the Organization for the last 3 years: 2014-2015 Rs. / 2015-2016 Rs. / 2016-2017 Rs.
Authenticated proof of Audited Balance Sheet and Profit & Loss Account for the last 3 years (enclosed relevant documents are): 1) 2) 3)

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –I(d) (TECHNICAL BID)

DECLARATION BY BIDDER

Ref No:-HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Bidder warrants financial solvency, i.e. ability to meet all debts as and when they fall due (substantiate):
Bidder confirms that it has currently not been blacklisted by any Govt. Department/PSU/PSE or Banks, and that the bidder/firm is otherwise not involved in any such incident with any concern whatsoever where the job undertaken/performed and conduct has been questioned by any authority, which may lead to legal action. (Enclose a relevant declaration/confirmation to this effect – Annexure XII) (substantiate):
Bidder confirms that it has not been a vendor/consultant for supply of hardware/software components of the Bank, or involved in implementing security & network infrastructure or providing services excluding IS Audit services, either directly or indirectly through a consortium, in the past three years to Allahabad Bank. (Enclose a relevant declaration/confirmation to this effect – Annexure XII) (substantiate):
Bidder confirms that it has not rendered IS Audit services to the Bank for two consecutive years (substantiate):

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –I(e) (TECHNICAL BID)

MANPOWER DETAILS

Ref No:-HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Number of professional manpower available for IS Audit in the Organization (mention count for permanent employees only):
  Sl / Professional / Number
  1 CISA/CISM
  2 CISSP
  3 BS7799/ISO 27001 LA
  4 CCNA/CCNE
  5 DISA/ISA
  6 OCP/OCM
  7 OTHERS
  TOTAL

Details of Team leads/Project leads/Key Personnel having prior IS audit experience of DC/DRS etc. in a Bank or other Organization, to be assigned for the Allahabad Bank IS Audit Project (enclose individual curriculum vitae of Team leads/Project leads and other key personnel to be assigned for the Allahabad Bank IS Audit project as per Annexures III & IV):
  Specify number of: CISA : / CISSP : / BS7799/ISO 27001 LA : / Any Other :

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –I(f) (TECHNICAL BID)

EXPERTISE & EXPERIENCE

Ref No:-HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Details of the assignments where the bidder has performed IS audit of Data Centre/DRS & related infrastructure in a Bank/other Organization during the past three years:
  1.
  2.
  3.
  4.
  5.

IS Audits of DC/DRS etc. carried out in Banks & other Organizations till 30/04/2016 (enclose relevant PO details). ** Should not include figures of IS Audit carried out for CBS branches:
  Sl No / Bank / Total no. of IS Audits conducted
  1 Public Sector Banks
  2 Private Banks
  3 Foreign Banks
  4 Co-Operative Banks
  5 Other Banks
  6 Organizations other than Banks
  Total

Banks where IS Audit of CBS Data Centre/DRS and associated infrastructure was undertaken by the Bidder till 30/04/2016, including VAPT/Product Audit (enclose relevant documents). Explain audit experience in B@ncs24 (Allahabad Bank) / Finacle (Allahabad UP Gramin Bank) CBS environment, if any:
  Sl No. / Name of the Bank / PSU/Private/Foreign Bank/Co-operative Bank / Nature of Audit (IS Audit of DC/DR / VAPT / Product Audit) / Date of Purchase Order
  1
  2
  3
  4
  5
  6
  7
  8
  9
  10

Details of two audits of DC/DRS etc. connected with a minimum of 200 Branches/Offices (including one Bank in India) which were audited by the Bidder during the past three years (enclose a separate sheet for each Organization with relevant Purchase Orders & Audit completion certificate; also provide details of the two Organizations in Annexure II):

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –II (TECHNICAL BID)

PERFORMANCE STATEMENT OF THE BIDDER

(Only for the two Organizations as mentioned in Annexure I(f))

Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Name of the Bank/Organization:
Address of the Bank/Organization:
Project Name (mention only VAPT & allied infrastructure related projects in Banks/other organizations / Product Audit) (enclose Purchase Order copy):
Scope covered in the IS Audit Project: i. IS Audit of DC/DR (Y/N) / ii. VAPT/EAPT (Y/N) / iii. Product Audit (Y/N)
IS Audit start date:
Current status of the Project, whether completed (date of completion) (enclose completion certificate):
Duration of the Project:
Contact person details from the Bank side: 1) Name :- / 2) Designation :- / 3) Phone No. :- / 4) Email Id :-
Names of project staff/professionals involved:
Nature of audit work that was outsourced (if any):

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –III (TECHNICAL BID)

PROFILE OF THE CORE AUDIT TEAM TO BE ASSIGNED FOR THE PROJECT

Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

For ALLAHABAD BANK VERTICAL-I

Sl no / Name / Desgn. / Part Time/Full Time / Role in IS Audit (Task/Module) / Professional Qualification / Years of IS Audit Exp
1
2
3
4
5

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –III (TECHNICAL BID)

PROFILE OF THE CORE AUDIT TEAM TO BE ASSIGNED FOR THE PROJECT

Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

For ALLAHABAD BANK VERTICAL-II

Sl no / Name / Desgn. / Part Time/Full Time / Role in IS Audit (Task/Module) / Professional Qualification / Years of IS Audit Exp
1
2
3
4
5

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –III (TECHNICAL BID)

PROFILE OF THE CORE AUDIT TEAM TO BE ASSIGNED FOR THE PROJECT

Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

For ALLAHABAD UP GRAMIN BANK

Sl no / Name / Desgn. / Part Time/Full Time / Role in IS Audit (Task/Module) / Professional Qualification / Years of IS Audit Exp
1
2
3
4
5

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –IV (TECHNICAL BID)

INDIVIDUAL CVs FOR THE TEAM LEAD AND OTHER MEMBERS OF THE CORE AUDIT TEAM TO BE ASSIGNED FOR THE PROJECT

(To be furnished on a separate sheet for each member of the Core Audit team)

Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

DESCRIPTION / DETAILS

Name of the member:
Role of the Member:
Employee of the Audit firm/Company since:
Designation:
Educational Qualification:
Other Certifications/accreditations:
Employment history:
Total IS Audit Experience (no. of years, areas of experience):
Experience in similar IS Audit Projects over the past three years (including client details, role of member, activities performed, duration of experience):
  Sl No / Client Organization where the member was involved in IS Audit / Duration of involvement in months & year / Details of assignment done & role assigned

* Separate sets of documents to be submitted for Vertical 1, Vertical 2 and Allahabad UP Gramin Bank

Authorized Signatory with Seal
Date:
Place:


ANNEXURE –V (COMMERCIAL BID)

FORMAT FOR COMMERCIAL BID (Cost for one year)

REF. No: HO/ISA/F-101/0182 Dated : 26/02/2018

Commercial Bid for Allahabad Bank (in INR)

Columns: S No / Particulars / Amount excluding GST per instance (A) / GST as per the current rate applicable per instance (B) / Amount per instance (C) = (A)+(B) / Number of instances (D) / Total amount (E) = (C) x (D)

1. Cost of IS Audit for entire CBS and allied infrastructure for the scope defined under Vertical – I in the RFP (inclusive of all fees & expenses). Number of instances (D): 1 (One)

TOTAL COST OF AUDIT – FOR Vertical I
(TOTAL COST OF AUDIT - VERTICAL I IN WORDS Rs…)

1. Cost of IS Audit for the scope defined under Vertical-II in the RFP (inclusive of all fees & expenses). Number of instances (D): 1 (One)
2. Cost of Vulnerability Assessment (VA) of business critical systems (external) (inclusive of all fees & expenses) under Vertical – II. Number of instances (D): 12 (Twelve)
3. Cost of VA per instance - Internal, as per the scope defined in the RFP (inclusive of all fees & expenses) under Vertical – II. Number of instances (D): 4 (Four)
4. Cost of External Penetration Testing (PT) per instance as per the scope defined in the RFP (inclusive of all fees & expenses) under Vertical – II. Number of instances (D): 4 (Four)
5. Cost of 50 Man days as per the scope defined in the RFP (inclusive of all fees & expenses) under Vertical – II. Number of instances (D): 50 (Fifty)

TOTAL COST OF AUDIT - FOR Vertical II (1+2+3+4)
(TOTAL COST OF AUDIT – VERTICAL II IN WORDS Rs…)

Commercial Bid for Allahabad UP Gramin Bank (in INR)

Columns: S No / Particulars / Amount excluding GST per instance (A) / GST as per the current rate applicable per instance (B) / Amount per instance (C) = (A)+(B) / Number of instances (D) / Total amount (E) = (C) x (D)

1. Cost of IS Audit as per the scope defined in the RFP (inclusive of all fees & expenses). Number of instances (D): 1 (One)
2. Cost of VAPT per instance (External & Internal) as per the scope defined in the RFP (inclusive of all fees & expenses). Number of instances (D): 4 (Four)
3. Cost of APPSec Audit / Product Audit per instance as per the scope defined in the RFP (inclusive of all fees & expenses). Number of instances (D): 1 (One)

TOTAL COST OF AUDIT (1+2)
(TOTAL COST OF AUDIT IN WORDS Rs…)

Authorized Signatory with Seal
Date:
Place:

Note:-
➢ The Commercial Bid should contain the Total Project cost, on a fixed cost basis. Allahabad Bank will neither provide nor reimburse any expenditure towards any type of accommodation, travel tickets, airfares, train fares, halting expenses, transport, lodging, boarding etc.
➢ The commercial prices as quoted above would be valid for a period of TWO years from the date of placing the first year order. On successful completion of the first year audit, the Bank may, at its own discretion, place the order for the second year at the same price as quoted above, subject to satisfactory performance by the bidder in the first year.
➢ The prices quoted above should be inclusive of all taxes & duties as applicable, except Service Tax.
➢ Service Tax should be mentioned in the separate column as provided in the format.
➢ Providing a commercial proposal other than in this format may lead to rejection of the bid.


ANNEXURE –VI (TECHNICAL BID)

BID FORM

To                                                          Date:
Allahabad Bank,
Information Systems Audit Cell,
Head Office
2nd Floor, 14, India Exchange Place
Calcutta – 700 001

RFP Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

Having examined the Request for Proposal (RFP) including all annexures, the receipt of which is hereby duly acknowledged, we the undersigned offer to provide IS Audit services in conformity with the said RFP in accordance with the Schedule of Prices indicated in the Commercial Offer and made part of the Bid.

We undertake, if our bid is accepted, to deliver the services in accordance with the delivery schedule specified in the schedule of requirement.

We agree to abide by this bid for the period of 180 days after the date fixed for Technical bid opening under Clause 19 of the Instruction to Bidders, and it shall remain binding upon us and may be extended at any time before the expiration of that period.

We undertake that, in competing for (and, if the award is made to us, in executing) the above contract, we will strictly observe the laws against fraud and corruption in force in India, namely the “Prevention of Corruption Act 1988”.

We understand that the Bank is not bound to accept the lowest of any bid the Bank may receive.

Dated this ________________ day of _____________ 2018.

----------------------------- --------------------------------
(Signature) (In the Capacity of)

Duly authorised to sign bid for and on behalf of
(Name & Address of Bidder) ________________________________
Business_________________________ Address________________

* Separate sets of documents to be submitted for Vertical 1, Vertical 2 and Allahabad UP Gramin Bank


ANNEXURE –VII (TECHNICAL BID)

BID SECURITY FORM
(Format of Bank Guarantee for Bid Security)
(On a Non-Judicial Stamp Paper of Rs. 100.00)

To:                                                         Date:
Allahabad Bank,
Information Systems Audit Cell,
Head Office
2nd Floor, 14, India Exchange Place
Calcutta – 700 001

RFP Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

WHEREAS ____________________ (hereinafter called “the Bidder”) has submitted its bid dated _________ (date of submission of bid) for providing services of IS Audit ________________________ (name and/or description of goods/services) (hereinafter called “the Bid”).

KNOW ALL PEOPLE by these presents that WE __________ (name of bank) of ________ (name of country) having our registered office at ____________________ (address of the Bank) (hereinafter called “the Bank”) are bound unto ALLAHABAD BANK (hereinafter called “the Purchaser”) in the sum of ________________ for which payment well and truly to be made to the said Purchaser, the Bank binds itself, its successors and assigns by these presents. Sealed with the common seal of the said Bank this _______ day of __________, 20___.

THE CONDITIONS of this obligation are:

1. If the Bidder withdraws its Bid during the period of bid validity specified by the Bidder on the Bid Form; or
2. If the Bidder, having been notified of the acceptance of its bid by the Purchaser during the period of bid validity, fails or refuses to execute the Contract Form if required;

We undertake to pay the Purchaser up to the above amount upon receipt of its first written demand, without the Purchaser having to substantiate its demand, provided that in its demand the Purchaser will note that the amount claimed by it is due to it owing to the occurrence of one or both of the two conditions, specifying the occurred condition or conditions.

This guarantee will remain in force up to and including 45 days after the bid validity period of 180 days, i.e. up to _________, and any demand in respect thereof should reach the Bank not later than the above date.

Place:
SEAL Code No. SIGNATURE

NOTE: 1 The Bidder should ensure that the Seal & Code no. of the Signatory is put by the Bankers before submission of the BG.
2 Stamp Paper is required for the BG issued by Banks located in India.


ANNEXURE –VIII

PERFORMANCE SECURITY FORM

(Format of Bank Guarantee (BG) for Empanelment Security)

(On a Non-Judicial Stamp Paper of Rs. 100.00)

To:

Allahabad Bank,

Information Systems Audit Cell,

Head Office

2nd Floor, 14, India Exchange Place

Calcutta – 700 001

RFP Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

WHEREAS ____________________ (hereinafter called “the Bidder”) has submitted its bid dated

_________ (date of submission of bid) for providing services of IS Audit

________________________ (name and/or description of goods) (hereinafter called “the Bid”).

KNOW ALL PEOPLE by these presents that WE __________ (name of bank) of ________ (name of

country) having our registered office at ____________________ (address of bank) (hereinafter called

“the Bank”) are bound unto ALLAHABAD BANK (hereinafter called “the Purchaser”) in the sum of

________________ for which payment well and truly to be made to the said Purchaser, the Bank

binds itself, its successors and assigns by these presents. Sealed with the common seal of the said

Bank this _______ day of __________, 20___.

THE CONDITIONS of this obligation are:

1. If the Vendor, having been notified as selected for providing IS AUDIT SERVICES to the

Purchaser, during the period of contract fails to perform obligations as vendor and fulfil

requirements as specified in the contract up to the desired level.

We undertake to pay the Purchaser up to the above amount upon receipt of its first written demand,

without the Purchaser having to substantiate its demand, provided that in its demand the Purchaser

will note that the amount claimed by it is due to it owing to the occurrence of the above condition,

specifying the occurred condition or conditions.

This guarantee will remain valid for a period of 27 months from the date of signing of the contract i.e.

from _________ to _________, and any demand in respect thereof should reach the Bank not later

than the above

Date.

Place:

SEAL Code No. SIGNATURE

NOTE: 1 The bidder should ensure that the Seal & Code no. of the Signatory is put by the Bankers,

before submission of BG.

2 Stamp Paper is required for the BG issued by the Banks located in India

* Separate sets of documents to be submitted for Vertical 1, Vertical 2 and Allahabad UP Gramin

Bank


ANNEXURE –IX

CONTRACT FORM

(Non-Judicial Stamp Paper of appropriate value)

RFP Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

CONTRACT NUMBER:

THIS AGREEMENT made the _________ day of ______, 20___ between ALLAHABAD BANK

(hereinafter “the Purchaser”) of one part and __________ (Name of Selected Vendor) of

____________ (City and Country of Vendor) (hereinafter “the Vendor”) of the other part:

WHEREAS the Purchaser is desirous that certain services should be provided by the Vendor, viz.

________________ ________________ (Brief description of Services) and has accepted a bid by the

Vendor for supply of software and services to meet its requirement from time to time.

NOW THIS AGREEMENT WITNESSETH AS FOLLOWS:

1. In this Agreement words and expressions shall have the same meanings as are respectively

assigned to them in the Conditions of Contract referred to.

2. The following documents shall be deemed to form and be read and construed as part of this

Agreement, viz.

(a) The RFP No. HO/ISA/F-101/0182 dated 26/02/2018 and all its addendums/

modifications

(b) The Bid form and price schedule submitted by the bidder and subsequent amendments

made into it as accepted by the bank.

(c) the Scope of works, deliverable

(d) the schedule of requirements

(e) the Conditions of Vendor Selection

(f) the Conditions of Procurement

(g) The Purchaser’s Notification of Selection of Vendor for IS Audit.

(h) Service Level Agreement (SLA) & Purchase Order

3. In consideration of the payments to be made by the Purchaser to the Vendor in terms of Purchase

Order for IS Audit services placed by Head Office of the Purchaser, the vendor hereby covenants

with the Purchaser to provide the services therein in conformity in all respects with the provisions

of the contract.

4. The Purchaser hereby covenants to pay the vendor in consideration of the provision of services, the

Purchase Order Price or such other sum as may become payable under the provisions of the

Contract at the times and in the manner prescribed by the Contract.

IN WITNESS whereof the parties hereto have caused this Agreement to be executed in accordance

with their respective laws the day and year first above written.

Signed, sealed and Delivered by the

Said ________________________ (For the Auditor) in presence of _______________________

Signed, sealed and Delivered by the

Said ________________________ (For the Purchaser) in presence of ______________________

* Separate sets of documents to be submitted for Vertical 1, Vertical 2 and Allahabad UP Gramin

Bank


ANNEXURE – X ( TECHNICAL BID)

TECHNICAL DEVIATION STATEMENT

RFP Ref. No: HO/ISA/F-101/0182 Dated : 26/02/2018

The following are the particulars of deviations from the requirements of the tender:-

CLAUSE DEVIATION REMARKS

(Including justification)

The eligibility criterion & offered IS Audit services furnished in the bidding document shall prevail

over those of any other documents forming a part of our bid except only to the extent of deviations

furnished in this statement.

Dated ________________ Signature and seal of the

Bidder

Note: Where there is no deviation, the statement should be returned duly signed with an endorsement

indicating “No Deviations”.


ANNEXURE –XI (COMMERCIAL BID)

COMMERCIAL DEVIATION STATEMENT

REF. No: HO/ISA/F-101/0182 Dated : 26/02/2018

The following are the particulars of deviations from the requirements of the tender:

CLAUSE DEVIATION REMARKS

(Including justification)

The cost of offered IS AUDIT services furnished in the bidding document (Annexure V) shall prevail

over those of any other document forming a part of our bid except only to the extent of deviations

furnished in this statement.

Dated ________________ Signature and seal of the

Bidder

Note: Where there is no deviation, the statement should be returned duly signed with an endorsement

indicating “No Deviations”.


ANNEXURE –XII (TECHNICAL BID)

LETTER OF CONFIRMATION

The Deputy General Manager,

Allahabad Bank,

Information Systems Audit Cell,

Head Office

2nd Floor, 14, India Exchange Place

Calcutta – 700 001

RFP Ref. No.: HO/ISA/F-101/0182 Dated : 26/02/2018

Dear Sir,

We confirm that we will abide by the conditions mentioned in the Tender Document (RFP and

annexure) in full and without any deviation subject to Annexures X & XI.

We shall observe confidentiality of all the information passed on to us in course of the IS Audit

process and shall not use the information for any other purpose than the current tender.

We confirm that we have currently not been blacklisted by any Govt. Department / PSU / PSE / RBI /

IBA or nationalized Banks, and are otherwise not involved in any such incident with any concern

whatsoever where the job undertaken / performed and conduct has been questioned by any authority,

which may lead to legal action.

We also confirm that we are not a vendor /consultant to the bank and not involved in either supply /

installation of Hardware / Software, implementation of Security / Network Infrastructure of the Bank

or providing services excluding IS Audit services, in the past three years directly or indirectly through

a consortium.

Place:

Date: (Authorized Signatory)

SEAL


Annexure XIII (a)

Count Of Servers / Devices In Different Auditee Locations

(Allahabad Bank)

EQUIPMENTS                                                        MUMBAI (DC, PG, CBS PO,     LUCKNOW (DRS)
                                                                  NDR, Int. Treasury etc.)    (Total nos.)
                                                                  (Total nos.)
Servers (IBM AIX Server / Windows Server / Linux / Blade Server etc.)   260                   194
SAN Storage Systems including SAN switch                                 22                    26
Host Security Module                                                      4                     5
Firewall                                                                  6                     6
IDS/IPS/UTM                                                               4                     6
Routers including Core Routers                                           17                    21
Switches including Core Switches                                         26                    36

(This is an indicative list of Infrastructure available with the Bank. Actual count may vary later
on. Details and other specifications will be provided at the time of commencement of audit)


Annexure XIII (b)

Count Of Servers / Devices In Different Auditee Locations

(Allahabad UP Gramin Bank)

EQUIPMENTS                                                  Lucknow (DC, CBS PO etc.)     Bangalore (DRS)
                                                            (Total nos.)                  (Total nos.)
Servers (IBM AIX Server / Windows Server / Linux etc.)      41 + 21 Third Party Servers   25
SAN Storage Systems including SAN switch                     4                             4
Host Security Module                                         2                             -
Firewall                                                     4                             4
IDS/IPS/UTM                                                  4                             4
Routers including Core Routers                               6                             6
Switches including Core Switches                             8                             8

(This is an indicative list of Infrastructure available with the Bank. Actual count may vary later
on. Details and other specifications will be provided at the time of commencement of audit)


Annexure XIV– Reverse Auction Process

Reverse Auction process

General guidelines

The detailed procedure and Business rules for the Reverse auction are as follows:

• The process of conducting the Reverse Auction will be done through M/s Antares Systems

Limited.

• Only technically qualified/short listed bidders will be invited to participate in the

Reverse auction process that will be conducted by an Auction company authorized by the

Allahabad Bank. Specific rules for this particular event viz., date and time, start price, bid

decrement value, duration of event etc. shall be informed by Allahabad Bank, well before the

event to the participating short listed bidders.

• The bidders should furnish indicative prices for the project in their Indicative

Commercial Bid (ICB) for finalizing the start bid amount for “Reverse auction”.

• The lowest Indicative commercial offer for two verticals of Allahabad Bank and one setup of

Allahabad UP Gramin Bank (total cost) or any price decided by Allahabad Bank will be

taken as the starting bid of the Reverse Auction and Not for deciding the L-1 status. Bidders

should note that the indicative commercial bid is considered for the purpose of conducting

Reverse Auction process only.

• All participating bidders at the end of the Reverse Auction process shall be required to submit

the break-up of their Final price (last bid price) again as detailed on the next day before 5 PM at

Allahabad Bank, IS Audit Cell, 2nd Floor, 14, India Exchange Place, Kolkata -700001.

Please note that failure or refusal to offer the services/goods at the price committed through Reverse

Auction shall result in forfeiture of the Bid Security Deposit to the Bank. This is notwithstanding

Allahabad Bank's right to take any other action deemed fit, including claiming damages and "Black

Listing" the bidder from participating in future Tenders floated by Allahabad Bank

for a period found fit by Allahabad Bank.

• Allahabad bank reserves the right to reject any or all proposals. Similarly, they reserve the

right NOT to include any bidder in the final short-list, if found or otherwise proved to have

furnished wrong details / documents, at any point of time.

• The Indicative Commercial Bid should give all relevant price information and should

not contradict the Technical Bid and masked Indicative commercial bid in any manner.

• The bidder shall indicate on the appropriate Price Schedule, specifying the unit price of the

proposed service to be delivered.

• The bidders are advised in their own interest, to quote the best possible offer for each of the

item offered at the time of preparing ICB itself. The Indicative Commercial Bid and the final

Commercial Bid (Post Reverse Auction) shall be as per the format as mentioned in

Annexure-V.

Reverse Auction Business Rules

• The Allahabad Bank proposes to conduct services through Online E-Auction subject to

terms and conditions & schedule mentioned below:

• THE URL: www.tenderwizard.com/abbank

• Usage of Digital signature is mandatory for participating through this portal.

• SCOPE OF AUCTION: Commercial Offer for the selection of external auditors for IS Audit

& VAPT of scope defined under Vertical-I & Vertical-II of Allahabad Bank and for entire scope of


Allahabad UP Gramin Bank.

Online Auction Platform and Support Services will be provided by:

M/s Antares Systems Limited

For queries on Auction item, eligibility criteria, EMD, etc.:

Contact Persons from Antares Systems Ltd:

Contact Persons Mobile No.

Mr. Kushal 07686913157 Email: [email protected]

Mr. Tousik 09674758724 E-mail:[email protected]

Mr. Debraj Saha 09674758721 E-mail: [email protected]

Terms & Conditions of the Online Reverse Auction:

Definitions:

• Purchaser: - Purchaser referred herein, is the Allahabad Bank as defined in the Section 1

of the main RFP document.

• SERVICE PROVIDER: “Antares Systems Ltd” is an e-auction service provider appointed by

the Allahabad Bank to facilitate virtual auction. “Antares Systems Ltd” will only facilitate

online auction solution to process Allahabad bank’s procurement needs and are

considered as third party not particularly interested in the item/s being purchased/sold on

behalf of Allahabad bank.

• Bidder: – means the party or his authorized representative who has participated in the RFP/

Tender Process/ Reverse Auction, Technically qualified, having valid Digital Certificate, and

willing to comply with all the instructions, terms and conditions of RFP.

• All notices to the bidders shall be sent by E-mail, during the process of this auction by Allahabad

Bank and /or by the e-Auction service provider.

• All such notices sent by email by Allahabad Bank as well as by e-Auction services provider

shall, therefore, be deemed as valid notices. Hence bidders are required to indicate their own

corporate email id.

• The bidders who are qualified for bidding prices of offered products (on the basis of

evaluation of their technical offer) shall be required to participate in an electronic reverse

auction process to submit their price quotations against the items covered by this tender

within a limited time period on the date as announced by Allahabad Bank. Such bidders shall

be allowed to participate in the reverse auction using their secured user id & password along

with their digital signature to place their best bids during the auction period. The date & time

for conducting the reverse auction will be duly communicated to qualified bidders in

advance.

Schedule of Program: On-Line Reverse Auction

Date & Time of Auction:                         Date, starting & ending time of the Auction, inclusive of
                                                extension time, to be informed to the shortlisted vendors
                                                by email / on their given contact nos.
Decrement Value:                                To be informed to the shortlisted bidders well before the
                                                Reverse Auction.
Prior extension time (minutes) (if required):   To be informed well before the Reverse Auction.
Number of Extensions (if required) and
Extension time (if required) (minutes):         To be informed well before the Reverse Auction.

• Reverse auction is the simulation of the manual tendering process on the Internet. i.e., the

eligible bidders/contractors can log on to the internet site specified by the Bank, using

unique user Id & Password, which will be provided to them by the eReverse auction

service provider appointed by Allahabad Bank and place their price bids on-line. The eligible

bidders will be provided training by eReverse auction service provider on the methodology of

submitting the bids online. Instead of a onetime best price bid, the bidders shall now be able

to interact and react on the spot to the changing competitive bids, taking advantage of the

intrinsic transparency in the whole process.

• During eReverse auction process the bidders can respond on the spot to the price trends and can

offer their competitive bids. The logged in bidders will know the prevailing lowest bid at any

given point of time but not the identity of the other bidders.

• The bidders can place their bids from any place; all they need is a desktop computer

with a browser interface and good internet connectivity.

• Suggested system configuration for computers to be used for online bidding:

• It is suggested that hardware and software of the following specification be used by the

bidders for bidding so as to enable them to have better connectivity.

• Processor: Pentium V and above PC/Laptop with USB Ports

• Memory: minimum 1 GB

• Operating system: Windows 7 Professional / Windows 8 Professional / Windows 10 Professional

• Browser: Internet Explorer version 9 and above / Mozilla Firefox 48 and above / Google Chrome 42 and above

• UPS: Suitable UPS for uninterrupted power supply.

Allahabad Bank reserves the right, if it so desires, not to undertake any responsibility to procure any

permission/license etc. in respect of the auction item.

Eligibility of Bidders to participate in Reverse Auction:

• Bidders who are technically qualified in terms of the relative Terms & Conditions of the RFP

and accept the Business Rules, Terms & conditions of Reverse Auction and submit the

undertaking and nomination form as per the prescribed format in Annexure-XV, can only

participate in Reverse Auction related to the procurement for which RFP is floated.

• Bidders not submitting the above undertaking or submitting with deviations /

amendments thereto will be disqualified from further evaluation/ participation in the process

of relevant procurement.


• Bidders should ensure that they have valid digital certificate class III (Mandatory for login

and submit) well in advance to participate in the Reverse Auction. Bank and / or Service

Provider will not be responsible in case Bidder could not participate in Reverse Auction

due to non-availability of valid digital certificate.

• The bidders participating in Reverse Auction shall submit the following duly signed by

the same Competent Authority who signs the offer documents in response to the RFP

floated by Bank.

• Undertaking letter for acceptance of Business Rules for Online Reverse Auction and Letter

of Authority authorizing the name/s of official/s to take part in Reverse Auction as per

the Annexure XV (Compliance Statement and Nomination to participate in Reverse Auction)

• Agreement between Service Provider and Bidder. This format will be given by the service

provider prior to announcement of Reverse Auction. (???)

Reverse Auction Schedule:

• The date & time of commencement of Reverse Auction, its duration shall be communicated to

the eligible Bidders maximum a week prior to the Reverse Auction date.

• Bank reserves the right to postpone / change / cancel the Reverse Auction even after its

communication to Bidders without assigning any reasons therefore.

• Tentative Duration: Reverse Auction will be for a period of one hour. If a Bidder places a

bid price in the last 10 minutes before closing of the Reverse Auction, the auction period shall get

extended automatically for another 10 minutes. A maximum of 3 extensions, each of 10 minutes,

will be allowed after the auction period of 1 hour, i.e. the entire process can last a maximum of 1½

hours only. In case there is no bid price in the last 10 minutes before closing of the Reverse Auction,

the auction shall get closed automatically without any extension.

• The time period of Reverse Auction & Maximum number of its extensions & time are subject

to change and will be advised to eligible Bidders before the start of the Reverse Auction

event.

• During the Reverse Auction, if no bid is received within the specified time, the Bank, at its

discretion, may decide to revise Start price / scrap the reverse auction process / proceed with

conventional mode of tendering.

Bidding Currency:

• Bidding will be conducted in Indian Rupees (INR).

Total Cost of Ownership:

• TCO refers to aggregate amounts payable by the Bank for transfer of ownership.

• The TCO shall encompass but not limited to following:

a) Cost of the equipment /products.

b) Annual Maintenance Charges.

• The TCO for the project will be defined by the concerned department in the RFP/Bid

Document.

• The L1 bidder is arrived at based on the lowest TCO in reverse auction for Vertical-I,

Vertical-II of Allahabad Bank and for entire scope of Allahabad UP Gramin Bank

separately.

• Bank will pay the TCO price to the bidder as per the payment terms defined in RFP/Bid

Document

Start Price:

• Bidder needs to give their indicative sealed commercial Bid to the Bank separately for


each vertical.

• Bank shall determine the Start Price for Reverse Auction –

• on its own and / or

• Based on the indicative price information of Total Cost of Ownership (TCO) called

for separately from each Bidder during conclusion of Technical Evaluation or at

appropriate time before commencement of Reverse Auction.

• The start price of an item in online reverse auction is open to all the participating bidders.

Bidders are required to start bidding after announcement of the Start Price and decrement

amount. Any bidder can start bidding, in the online reverse auction, from the decrement

price. Please note that the first online bid that comes into the system during the online reverse

auction cannot be equal to the auction's start price; it must be lower than the auction's start price by

one decrement or by a multiple of the decrement. Each

subsequent bid that comes in to outbid the L1 rate will have to be lower than the L1 rate by

one decrement value or by a multiple of the decrement value. This process will be repeated

for all the three verticals.

Decremental Bid Value:

• The bid decrement value will be specified by Bank before the start of Reverse Auction event.

It can be a fixed amount.

• Bidder is required to quote his bid price only at a specified decremented value.

• Bidder need not quote a bid price at the immediate next available lower level, but can quote even at

the 2nd / 3rd / 4th ... next available lower level.
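The rules in the Reverse Auction Schedule, Start Price and Decremental Bid Value sections above amount to a small state machine: a bid is valid only if it undercuts the start price (for the first bid) or the current L1 price (for later bids) by a whole number of decrements, and a bid in the last 10 minutes extends the close by 10 minutes, at most three times. The Python below is an added illustration written for this page; it is not code from the tenderwizard.com portal, Antares Systems or the Bank. It assumes a one-hour window, a fixed decrement, that "in the last 10 minutes" includes a bid placed exactly 10 minutes before the close, and that the current L1 bidder may lower their own bid; none of those details are fixed by the RFP text. The `replay` helper is the check a Bank officer could run over the bid log in the service provider's post-auction report to confirm that the reported L1 price and bidder are consistent with the published rules.

```python
from typing import List, Optional, Tuple


class ReverseAuction:
    """Hypothetical model of the RFP's reverse-auction business rules (added example)."""

    def __init__(self, start_price: int, decrement: int,
                 duration_min: int = 60, extension_min: int = 10, max_extensions: int = 3):
        if start_price <= 0 or decrement <= 0 or decrement >= start_price:
            raise ValueError("start price and decrement must be positive, decrement < start price")
        self.start_price = start_price      # INR, announced by the Bank before the event
        self.decrement = decrement          # fixed decrement announced before the event
        self.extension_min = extension_min
        self.max_extensions = max_extensions
        self.end_min = duration_min         # minutes after auction start at which bidding closes
        self.extensions_used = 0
        self.lowest: Optional[int] = None   # current L1 price (None until the first valid bid)

    def is_valid_bid(self, price: int) -> bool:
        """First bid: strictly below the start price by a whole number of decrements.
        Later bids: strictly below the current L1 price by a whole number of decrements."""
        reference = self.start_price if self.lowest is None else self.lowest
        if price <= 0 or price >= reference:
            return False
        return (reference - price) % self.decrement == 0

    def place_bid(self, price: int, at_min: int) -> Tuple[bool, str]:
        """Apply one bid placed `at_min` minutes after the start. Returns (accepted, reason)."""
        if at_min < 0 or at_min > self.end_min:
            return False, "auction closed"
        if not self.is_valid_bid(price):
            return False, "not a whole decrement below the current L1 / start price"
        self.lowest = price
        # Assumption: a bid in the last 10 minutes (inclusive) extends the close by 10 minutes,
        # at most 3 times, so a 60-minute auction lasts at most 90 minutes.
        if self.end_min - at_min <= self.extension_min and self.extensions_used < self.max_extensions:
            self.end_min += self.extension_min
            self.extensions_used += 1
        return True, "accepted"


Bid = Tuple[str, int, int]   # (masked bidder id, price in INR, minutes after start)


def replay(auction: ReverseAuction, bids: List[Bid]):
    """Re-run a bid log in time order against the rules.
    Returns (L1 bidder, L1 price, list of rejected bids with reasons)."""
    l1_bidder = None
    rejected = []
    for bidder, price, at_min in sorted(bids, key=lambda b: b[2]):
        ok, why = auction.place_bid(price, at_min)
        if ok:
            l1_bidder = bidder
        else:
            rejected.append((bidder, price, at_min, why))
    return l1_bidder, auction.lowest, rejected


# Constructed sample log (not real bids): start price 10,00,000 INR, decrement 10,000.
SAMPLE_LOG: List[Bid] = [
    ("V1", 1_000_000, 2),    # equal to the start price: rejected
    ("V2", 990_000, 3),      # one decrement below start: accepted, L1 = V2
    ("V1", 985_000, 4),      # not a whole decrement below L1: rejected
    ("V3", 970_000, 55),     # accepted in the last 10 minutes: close moves to 70
    ("V2", 960_000, 65),     # accepted: close moves to 80
    ("V3", 950_000, 75),     # accepted: close moves to 90 (third and last extension)
    ("V1", 940_000, 85),     # accepted, but no further extension is available
    ("V2", 930_000, 91),     # after the 90-minute close: rejected
]

if __name__ == "__main__":
    winner, price, rejected = replay(ReverseAuction(1_000_000, 10_000), SAMPLE_LOG)
    print(f"L1 bidder {winner} at INR {price:,}; {len(rejected)} bids rejected")
    for r in rejected:
        print("  rejected:", r)
```

Because bidder names are masked during the event and only the service provider's report carries the original names, replaying the report's bid log with the announced start price and decrement is the cheapest independent check that the declared L1 price was reachable under the rules and that the close time was extended no more than three times.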

Web Portal and Access

• Reverse Auction will be conducted on a specific web portal meant for this purpose with

the help of the Service Provider identified by the Bank.

• Service Provider will make all necessary arrangement for fair and transparent conduct

of Reverse Auction like hosting the web portal, imparting training to eligible Bidders

etc., and finally conduct of Reverse Auction.

• Bidders will be participating in Reverse Auction event from their own office / place of

their choice. Internet connectivity and other paraphernalia requirements shall have to

be ensured by Bidder themselves.

• In the event of failure of their internet connectivity (due to any reason whatsoever it

may be) the service provider or bank is not responsible.

• In order to ward-off such contingent situation,

o Bidders are advised to make all the necessary arrangements / alternatives such

as back –up power supply, whatever required so that they are able to circumvent

such situation and still be able to participate in the reverse auction successfully.

o However, the vendors are requested to not to wait till the last moment to quote

their bids to avoid any such complex situations.

o Failure of power at the premises of vendors during the Reverse auction cannot

be the cause for not participating in the reverse auction.

o On account of this the time for the auction cannot be extended and BANK is not

responsible for such eventualities.

o Bank and / or Service Provider will not have any liability to Bidders for any

interruption or delay in access to site of Reverse Auction irrespective of the


cause.

o For making the process of Reverse Auction and its result legally binding on the

participating Bidders, Service Provider will enter into an agreement with each

Bidder, before the start of Reverse Auction event. Without this Bidder will not

be eligible to participate in the event. The format of the agreement is as per the

Format-Letter of Authority for Participation in Reverse Auction.

• Neither the Bank nor the service provider / auctioneer is responsible for consequential damages

such as loss of power supply, system problems, inability to use the system, loss of electronic

information, power interruptions, UPS failure, or any force majeure etc.

TRANSPARENCY IN BIDS

• All bidders will be able to view during the auction time the current lowest price in portal.

Bidder shall be able to view not only the lowest bid but also the last bid made by him at any

point of time during the auction time.

MASKING OF NAMES

• Bidder will be able to view the following on their screen along with the necessary fields in

Reverse Auction:

• Opening/ Starting Price for the auction

• Leading / Lowest Bid Price in Auction (only total price)

• Last Bid Price placed by the respective Bidder.

• Item Description

• Time Left for auction

• Names of bidders/ vendors shall be anonymously masked in the Reverse Auction process.

• After completion of Reverse Auction, the service provider / auctioneer shall submit a report to

the Bank with all details of bid and the original names of the bidders and also the L1 bidder

with his / their original names.

Finalization of the Successful Bidder

• At the end of Reverse Auction event Service Provider will provide the Bank all

necessary details of the bid prices and reports of Reverse Auction.

• Upon receipt of above information from Service Provider, Bank will evaluate the

same and will decide upon the winner i.e. Successful Bidder. Bank’s decision on

award of Contract shall be final and binding on all the Bidders.

• After the completion of the Auction event, all the Bidders have to submit the

Price Breakup as per the RFP immediately within 24 working hours without fail to

the Bank and to the Service provider for further proceedings.

• Any variation between the on-line Reverse Auction bid price and signed document

will be considered as sabotaging the tender process and will invite disqualification

of bidder/vendor to conduct business with Bank as per prevailing procedure.

• Successful Bidder has to give break-up of his last/lowest bid price as per Bill of

Material at the end of Reverse auction event within 24 working hours without fail.

• Successful Bidder is bound to supply at their final bid price of Reverse Auction. In

case of back out or not supply as per the rates quoted, Bank will take appropriate


action against such Bidder and / or forfeit the Bid Security amount, debar him

from participating in future Tenders/ Auctions

• In case Bank decides not to go for Reverse Auction related to the procurement for

which RFP is floated and price bids if any already submitted and available with

Bank shall be opened as per Banks standard practice.

Bidder’s Obligation:

• Bidder shall not involve himself or any of his representatives in Price manipulation of any

kind directly or indirectly with other suppliers / Bidders at any point of time. If any such

practice comes to the notice, Bank shall disqualify the vendor / bidders concerned from the

reverse auction process.

• Bidder shall not divulge either his Bid details or any other details of Bank to any other party

without written permission from the Bank.

Change in Business Rules, Terms & Conditions of Reverse Auction

• Any change in the Business Rules as may become emergent and based on the

experience gained shall be made only by a Committee consisting of Senior Executives

of Bank.

• Bank reserves the right to modify / withdraw any of the Business rules, Terms &

conditions of Reverse Auction at any point of time.

• Modifications of Business rules, Terms & conditions of Reverse Auction will be

made available on website immediately.

• Modifications made during the running of Reverse Auction event will be informed to

participating Bidders immediately.

Issue Resolution during the Reverse Auction Process:

• Bidders participating in the Reverse Auction process, if facing any issue, can contact

the service provider M/s Antares, at the contact details mentioned above.

• If the issue remains unresolved, then the bidder can contact Chief Manager-IS Audit Cell,

14, India Exchange Place, Kolkata 700 001

Errors and Omissions

• On any issue or area of material concern respecting Reverse Auction not specifically dealt

with in these Business Rules, the decision of the bank shall be final and binding on all

concerned.


Annexure XV:

Compliance Statement and Nomination to participate in Reverse Auction

(To be submitted by all the bidders)

To Date: ----------

The Chief Manager

Allahabad Bank,

IS Audit Cell,

14 India Exchange Place

Kolkata – 700 001,

India

DECLARATION

1 We ………………………….. (Name of the company) hereby confirm having Submitted our bid

for participating in Bank’s RFP Ref. No. HO/ISA/F-101/0182 dated 26/02/2018

for……………………………………………………………………………for Allahabad Bank

2 We confirm having read and understood the terms and conditions of the RFP as well as the

Procedures relating to the process.

3 We hereby undertake and agree to abide by all the terms and conditions stipulated by Allahabad

Bank in the RFP document including all annexes and the Procedure for Reverse Auction.

4 We shall participate in the on-line auction conducted by M/s. Antares System Ltd (or any other

auction service provider advised by the Bank) and submit our commercial bid. In doing so, we

shall abide by the procedures prescribed for online auction by the auction company.

5 We, hereby confirm that we will honor the Bids placed by us during the auction process, failing

which the EMD will be forfeited by the Bank and we shall be liable for any other consequential

action that may be taken by the Bank including any debarment from participation in future

procurement by the Bank.

6 We confirm having nominated our representative (Shri /Smt /Ms…………………………

designated as………………………of our company to participate in the Reverse auction on behalf

of the company. We undertake that the company shall be bound by the actions made by him during

the Reverse Auction process and thereafter.

7 We undertake to submit the confirmation of last bid price by us to the Auction Company /Bank

within 24 working hours of the completion of event and any other specific requirement

indicated in the RFP.

Signature with company seal

Name-

Company / Organization –

Designation in the Company/ Organization –

Address of Company / Organization –

Date:

Name of Authorized Representative-

Designation of Authorized Representative:

Signature of Authorized Representative