
Request for Proposal SELECTION OF THIRD PARTY AUDITOR (TPA) CONSULTANT FOR HARYANA SHEHRI VIKAS PRADHIKARAN TO PERFORM THE APPLICATION REVIEWS AND IT SECURITY AUDIT & RISK MANAGEMENT AUDIT SERVICES OF VARIOUS APPLICATION AND INFRASTRUCTURE AT HSVP.

RFP Reference no : GM(IT)/HSVP/2018/211018

Dated: 23/10/2018

Haryana Shehri Vikas Pradhikaran Information Technology Wing

C-3, Sector 6, Panchkula, Haryana Phone: 0172-2569504

E-mail:[email protected] www.hsvphry.org.in


TABLE OF CONTENTS

1 LETTER OF INVITATION
2 INFORMATION TO BIDDER: DATA SHEET
2.1 INTRODUCTION
2.2 CLARIFICATION AND AMENDMENT TO RFP DOCUMENTS
2.3 PREPARATION OF PROPOSAL
2.4 SUBMISSION, RECEIPT AND OPENING OF PROPOSALS
2.5 PRE-QUALIFICATION CRITERIA
2.6 TECHNICAL EVALUATION
2.7 EVALUATION PROCESS
2.8 FINANCIAL EVALUATION
2.9 FINAL EVALUATION
2.10 AWARD OF CONTRACT
2.11 CONFIDENTIALITY
3 SCOPE OF WORK
3.1 PAYMENT TERMS
3.2 DRAFT CONTRACT
4 APPENDICES
4.1 ADDITIONAL INFORMATION RELATED TO THE PROJECT
4.2 FORMATS FOR SUBMISSION OF PROPOSAL
4.3 CHECKLIST FOR PREQUALIFICATION CRITERIA
4.4 CHECKLIST FOR TECHNICAL EVALUATION
4.5 SUGGESTED FORMAT OF CURRICULUM VITAE (CV) FOR PROJECT STAFF
4.6 FINANCIAL PROPOSAL SUBMISSION FORM (TO BE SUBMITTED ONLY ONLINE)


1 LETTER OF INVITATION

HSVP invites bids from eligible CERT-In empanelled bidders for the Selection of Consultant to perform the Gap Assessment for IT Security Audit infrastructure & Risk Management Audit Services of various applications at HSVP.

Yours faithfully,

Chief Administrator,

Haryana Shehri Vikas Pradhikaran


2 INFORMATION TO BIDDER: DATA SHEET

2.1 INTRODUCTION

1. The name of the Client is: Haryana Shehri Vikas Pradhikaran (HSVP)

The address and telephone numbers of the Client’s Office are:

Information Technology Wing
Haryana Shehri Vikas Pradhikaran
C-3, Sector 6, Panchkula, Haryana
Phone: 0172-2569504
E-mail:[email protected]
www.hsvphry.org.in

2. Name of the Assignment: SELECTION OF THIRD PARTY AUDITOR (TPA) CONSULTANT FOR HARYANA SHEHRI VIKAS PRADHIKARAN TO PERFORM THE GAP ASSESSMENT FOR IT SECURITY AUDIT INFRASTRUCTURE & RISK MANAGEMENT AUDIT SERVICES OF VARIOUS APPLICATION AT HSVP.

3. The method of selection is: QCBS. Bidders whose bids are responsive, based on minimum qualification criteria/documents as in Pre-Qualification Criteria, and who score at least 70% in technical scoring will be considered technically qualified. The financial proposals of all technically qualified bidders will be opened.

4. Bidders are invited to submit a Pre-Qualification and Technical Proposal in the formats specified in this RFP. Responses should be in the English language. The Proposal will be the basis for contract on QCBS selection and for ultimately signing a contract with the selected firm.

5. Bidders must familiarize themselves with HSVP’s focus and applicable local conditions and take them into account in preparing their Proposals. A brief description of the work carried out by HSVP and the Acts under administrative purview is provided in the Appendix to this document.

6. Key Events and Dates

| S.No | Event | Details |
|---|---|---|
| 1 | RFP available on website https://etenders.hry.nic.in and hsvphry.org.in | 25-Oct-2018 |
| 2 | Last date for sending written clarifications through e-mail on [email protected], 12:30 PM | 05-Nov-2018 |
| 3 | Pre Bid Meeting at 03:00 PM in the Conference Hall, HSVP, Sec-6, Panchkula | 14-Nov-2018 |
| 4 | Response to the queries, along with Addendum to the RFP, if any, will be available on HUDA website www.hsvphry.org.in | 19-Nov-2018 |
| 5 | Bid submission date & time till 3:00 pm | 26-Nov-2018 |
| 6 | Prequalification/Technical Bid Opening at 3:00 pm | 27-Nov-2018 |
| 7 | Date of Technical Presentation | To be conveyed |
| 8 | Commercial Bid Opening | To be conveyed |
| 9 | Venue for Pre-Bid Conference | Conference Hall, Haryana Shehri Vikas Pradhikaran, C-3, Sector 6, Panchkula, Haryana |
| 10 | Cost of RFP Document | Rs 5000/- |
| 11 | Earnest Money Deposit | Rs 10 Lac |
| 12 | Performance Bank Guarantee | 10% of the order value with a validity of six months more than the expiry of contract dates. The Performance guarantee is to be submitted by the successful bidder within 15 days of the award of the contract. |

Note 1: Submission of Documents - Online bidders will also be required to physically submit the Bid Document cost / EMD and other documents related to prequalification, technical parameter / Technical bid etc. The documents, duly bound, properly tagged and numbered, along with EMD and cost of the Tender shall be sent through speed post or courier and should reach the office of the General Manager (IT), HUDA, C-3, Sector-6, Panchkula by 27.11.2018 till 12:00 Noon.

Note 2: The commercial bid should be submitted through online mode only.


Note 3: In case a bidder needs any clarification or wishes to participate in the pre-bid meeting, the bidder has to first deposit the cost of RFP (Rs 5000/-) by DD in favor of “the Chief Administrator, HUDA” payable at Panchkula. Other bidders, who do not have any query, can deposit the cost of RFP along with the bid.

7. HSVP will provide relevant information/documents available with it for carrying out the present assignment to the selected bidder only.

8. The HSVP will provide limited office space with basic furniture and utilities to the engaged Consultant. Telephones, office and computing equipment, including computers, printer, photocopier, fax machine, internet / e-mail connection, modem etc. and transport arrangements required for this engagement will be the responsibility of the Consultant.

9. Please note that (i) the costs of preparing the proposal and of negotiating the contract, including visits to the HSVP, are not reimbursable; (ii) the HSVP is not bound to accept any of the Proposals submitted; and (iii) HSVP reserves the right to cancel the tender at any time without specifying any reason thereof.

2.2 CLARIFICATION AND AMENDMENT TO RFP DOCUMENTS

1. Bidders may request a clarification with regard to any part of the RFP document on or before 05-Nov-2018 till 12:30 pm. Any request for clarification must be sent in writing by paper mail or e-mail to the HSVP’s address indicated in the Data Sheet. The clarifications would be issued by 19-Nov-2018, and shall be published on the HSVP website.

2. The address for requesting clarifications is:

E-mail:[email protected]

3. Pre bid queries for clarification of the proposal: All queries regarding the bid shall be sent by 05-Nov-2018, till 12:30 pm, by email to [email protected] with the Header: “Clarification and amendment to RFP documents for RFP: SELECTION OF THIRD PARTY AUDITOR (TPA) CONSULTANT FOR HARYANA SHEHRI VIKAS PRADHIKARAN TO PERFORM THE APPLICATION REVIEWS AND IT SECURITY AUDIT & RISK MANAGEMENT AUDIT SERVICES OF VARIOUS APPLICATION AND INFRASTRUCTURE AT HSVP” along with the name and contact number of the official. The bidders can also meet the General Manager (IT) between 10 am and 1 pm on working days. The prerequisite for the above is that the bidder has to register in the IT wing by depositing Rs 5000/- in cash or DD in favor of Chief Administrator, HSVP.

4. A pre-bid conference will be held at Conference Hall, HSVP, C3, Sector-6, Panchkula, Haryana on 14-Nov-2018, at 3 pm.

2.3 PREPARATION OF PROPOSAL

1. Bidders are requested to submit the Proposals in the English language. Any printed literature furnished by the bidder can be submitted with the bid, provided that it is accompanied by an English translation, in which case, for purposes of interpretation of the bid, the English translation shall govern.

2. The bidding comprises a two-tier system: Pre-qualification and Technical bid. Selection will be based on section 2.9, i.e. Final Evaluation.

3. In preparing the Technical Proposal, bidders are expected to examine the documents comprising this RFP in detail. The proposal should cover all the aspects of the terms of reference (specified in section 3). Any bid not found responsive to the terms of reference shall be rejected. Material deficiencies in providing the information requested may also result in rejection of the Proposal.


4. While preparing the Technical Proposal, bidders must give particular attention to the following:

a. The bidder shall not associate with individual Consultant(s) and / or other firms or entities in a joint venture relationship to outsource/sub-contract a part or whole of services desired of the bidder as a part of this assignment.

b. The key professional staff proposed should be permanent or on roll employees of the firm. Key professionals selected for the project shall not be changed during the duration of the project without prior notice of 60 days to HSVP. Key resources shall be changed only after approval from HSVP. Any change in resources without prior approvals from HSVP shall result in termination of the engagement.

c. Alternative professional staff shall not be proposed, and only one curriculum vitae (CV) may be submitted for each position.

d. Except as specifically provided, the Technical Proposal shall not include any information relating to the Financial bid.

5. In preparing the Financial Proposal, Bidders are expected to take into account the requirements and conditions of the RFP document.

6. The Financial Proposal should be exclusive of all applicable taxes, duties, fees, levies, and other charges imposed under the applicable local laws.

7. Bidders should express the price of their services in INR only.

8. The proposals and quoted rates must remain valid for 180 days after the date of opening of the financial proposals. During this period, the bidder is expected to keep available the professional staff proposed for the assignment. The HSVP will make its best effort to complete negotiations within this period.

9. Earnest money deposit: The proposal must be accompanied by an earnest money deposit of Rs 10 Lacs in the form of a Demand Draft of any nationalized bank payable to ‘The Chief Administrator HSVP’, without which the proposal will be rejected outright. Earnest money deposit will not be accepted in cash or any other manner. No interest is payable on the amount of E.M.D.

10. The Earnest money deposit will be returned along with necessary endorsement for payment to the bidders whose offers are not accepted by the Authority within two months of the placing of final order to the successful bidder. However for the successful bidder, the Earnest money deposit so submitted will be refunded on submission of Bank guarantee against security deposit.

2.4 SUBMISSION, RECEIPT AND OPENING OF PROPOSALS

1. Each Bidder shall submit only one Proposal through https://etenders.hry.nic.in portal.

2. Technical Proposal Contents: The technical Proposal should contain:

a. Technical Proposal Submission Form (as in Section 4.2)

b. Checklist for Pre-Qualification Criteria along with relevant documentation showing the proof of eligibility as outlined in the Pre-qualification Criteria (as in Section 4.3)

c. Checklist for Technical Evaluation (as in Section 4.4)


d. A declaration of any actual or potential conflict of interest.

3. The Financial Proposal should only indicate prices without any condition or qualification whatsoever and should be exclusive of all applicable taxes, duties, fees, levies and other charges levied by Central & State, as may be applicable in relation to activities proposed to be carried out. Any upward or downward revision in taxes, duties, fees, levies and other charges levied by Central & State during the period of contract shall be to the HSVP’s account (to be submitted online only).

4. Bidders should express the price of their services in INR only.

5. Proposals and quoted price must remain valid for 180 days after the date of opening of financial proposals.

6. From the time the bids are opened to the time the contract is awarded, if any Bidder wishes to contact the HSVP on any matter related to its proposal, it should do so in writing at the address of the HSVP’s office indicated in Para 3 of Section 2.4 above. Any effort by the Bidder to influence the HSVP in the HSVP’s proposal evaluation, proposal comparison or contract award decisions may result in the rejection of the proposal.

2.5 PRE-QUALIFICATION CRITERIA

Before opening and evaluation of their technical proposals, bidders are expected to meet the following pre-qualification criteria. Bidders failing to meet these criteria or not submitting requisite supporting documents / documentary evidence for supporting prequalification criteria are liable to be rejected summarily.

2.5.1 PRE QUALIFICATION CRITERIA TABLE

| S.No | Criteria | Whether Met | Reference Details |
|---|---|---|---|
| 1 | A Company/ Limited Liability Firm registered in India, along with a valid Service Tax registration and having been in operation for a period of at least five (5) years at the time of bid submission. | Yes/No | Certificates of incorporation / registration as may be applicable |
| 2 | The bidder should be CERT-In empanelled IT Security Auditing Organization. | Yes/No | Certificate of Empanelment |
| 3 | The Bidder should not be a System Integrator involved in delivering solution or services to HSVP. | Yes/No | Self-Certification by the authorized signatory |
| 4 | Bidder should have office in (Chandigarh/ Panchkula/ Mohali/ Delhi/ Gurgaon). | Yes/No | Self-Certification by the authorized signatory |
| 5 | Any organization debarred / black-listed by Central / State Government in India, at the time of submission of the RFP, shall not be allowed to participate in this tender. Bidders need to submit a self-certification in this regard. | Yes/No | Declaration letter by an Authorized Signatory |
| 6 | The bidder would undertake not to sub-let any part of the deliverable or any part of the work defined for TPA. | Yes/No | Undertaking |
| 7 | The bidder should satisfy following financial criteria: Annual Turnover during each of the last five financial years (i.e. FY 2013-2014, 2014-2015, 2015-16, 2016-17, 2017-2018), should have been a minimum of Rs. Hundred Crore (100) Cr. that is generated from services relating to Information Technology (IT) Consulting/audit and IT Program/Project Management (i.e. revenue should be on account of IT Solutions consulting other than related to supply of hardware/IT infrastructure and their associated maintenance services, packaged software, etc.) | Yes/No | Extracts from the audited Profit & Loss and Balance Sheet; Latest Annual Report; Certificate from the statutory auditor |
| 8 | a. The bidder should have worked on Security Audit engagements for applications and infrastructure in government sector/PSU/Financial Institution. b. Bidder must have experience in Third party Audit in minimum Tier 3 Data Center. | Yes/No | Description of project / Work Orders. |
| 9 | Should submit an escalation matrix with contact details with mobile & email address up to head of the organization | Yes/No | Escalation matrix |
| 10 | The bidder must have a team of professionals having valid professional certifications (CISA/ CISSP/ ISO 27001/ITIL/ ISO 20000) and must have on its payroll | Yes/No | Undertaking by the authorized signatory. |

The proposals meeting the above qualification criteria will be evaluated as per the Technical Evaluation criteria. Agencies / firms should clearly indicate, giving explicit supporting documentary evidence, with respect to the above, in absence of which their proposals may be rejected.


2.6 TECHNICAL EVALUATION

The technical proposals of only those bidders, who qualify in the evaluation of the prequalification proposals, shall be considered.

Financial Proposals will not be opened until the technical evaluation has been completed. The technical proposals of only those bidders, who qualify in the evaluation of the prequalification proposals, shall be opened. The Technical Evaluation Committee, at its sole discretion, would evolve a further benchmark scoring pattern within the allocated marks for each line item indicated in the table below.

Technical Evaluation Criteria

| S. No | Evaluation Criteria | Details | Break-up |
|---|---|---|---|
| 1 | Certificate of Empanelment (5 Marks) | The bidder should be a CERT-In empanelled IT Security Auditing Organization. Empanelment Certificate copy/evidence. | 5 Marks |
| 2 | Relevant Experience (20 Marks) | Experience of the bidder in Govt/ PSU/ Financial Institution as third party auditor for minimum Tier 3 Data Centre. Number of projects (One project = 1 Mark). Experience of one project carries one mark. Maximum marks obtainable by the bidder is 10 Marks. | 10 Marks |
| | | Experience of the bidder in IT consulting/ ISMS projects for government sector/PSU/Financial Institution. Number of projects (One project = 2 Marks). Experience of one project carries two marks. Maximum marks obtainable by the bidder is 10 Marks. | 10 Marks |
| 3 | Approach and Methodology (15 Marks) | Project Understanding, Approach & Methodology: Understanding of project needs, requirements, Scope of work – 7 marks; Clarity & adequacy of Approach and Methodology and Solution Proposed – 8 marks | 15 Marks |
| 4 | Resource Profile (30 Marks) | CVs of team proposed along with resource-wise Roles & Responsibilities in the Project. Experience as per criteria/details in Employee Section. | 30 Marks |
| | | Project Manager (As per the proposed profiles by Bidder, total marks awarded up to 10 Marks) | |
| | | TPA Consultant – (Security) (3+ Years) – 5 Marks; TPA Consultant – (Security) (5+ Years) – 7 Marks; Certification (CEH/ CISA/ CISSP) – 3 Marks | |
| | | TPA Consultant – (3+ Years) – 5 marks; TPA Consultant – (5+ Years) – 10 marks | |
| 5 | Presentation by Bidder (25 Marks) | Presentation by Bidder on their Understanding and Proposed Approach for the project | 25 Marks |
| 6 | Local Project Office (5 Marks) | Has a Local Office at Chandigarh/ Panchkula/ Mohali/ Delhi/ Gurgaon for the duration of the project | 5 Marks |
| | Total | | 100 Marks |

The Technical Bid will be examined by the evaluation committee on the basis of responsiveness to the scope of work, applying the broad evaluation criteria and points system specified above & detailed below.

2.6.1 APPROACH AND METHODOLOGY (TECHNICAL SOLUTION DOCUMENT):

The bidder will detail his understanding of project requirements, needs and scope of work as a part of this technical solution document.

The bidder is required to prepare a technical solution document underlining the approach and methodology and substantiate this with a task break down structure as demonstration of understanding and visible accomplishment of the requirements related to this engagement.

(a) A cohesive stage-wise work breakdown structure describing the duration and effort of each of the significant tasks, along with allocation of the named resource, would be assumed to reflect the consultant’s understanding of the project.

(b) Consultant will list out services to be provided by him towards the accomplishment of the engagement requirements (

(c) He will also list out his expectations from HSVP and its System Integrator(s) and describe the process to meet these expectations.


This evaluation shall be based on the Technical solution document provided by the bidder. The documents (including presentation if any) submitted for this purpose will be considered to be a commitment from consultant.

2.6.2 RESOURCE PROFILE

It is required that the bidders submit CVs of all key personnel proposed for the project. The format for the CV is in Section 4.5. Successful bidder will provide a panel of minimum 3 persons for selection TPA, Full time TPA and Technology expert of desired qualifications for selection by HSVP whenever required at the start of audit process or replacement of existing resource.

The Consulting team shall consist of, at the minimum, the resources listed below. Marks are to be allocated for relevance of experience and certifications to the assignment.

1) Project Manager (Offsite) – The relevant qualification, experience & expertise of the Project Manager will be proposed by the bidder and submitted along with the technical Bid; it will be further evaluated and marks will be awarded accordingly.

2) TPA Consultant – Security (Onsite) – B.E. / B. Tech with 5+ years of experience and any one of the Information Security certificates – ITIL/CISA/CEH/CISSP/ISO27001. This consultant will be deployed onsite for conducting security audit as per the timelines given in the scope of this RFP. He shall be responsible for both external and internal vulnerability assessment and gap implementation for applications and infrastructure.

(a) Experience in monitoring of large scale IT/e-Governance projects/PSU/Financial Institutions.

(b) Experience in deployment of IT applications in tier 3 DC.

(c) Experience in Black Box Penetration/ VA/PT.

(d) Experience in management of Data Centre Infrastructure.

(e) Experience in ITIL framework, ISMS, ISO27001 controls, EMS & BMS Suites etc.

(f) Experience in pre hosting assessment and Configuration management of Network and security devices.

(g) Experienced in Security Architecture. Experience in datacenter audit like SLA monitoring, Infrastructure (IT and Non-IT) audit, data center infrastructure management.

(h) Preparing network and data center architecture documents

(i) Experience in handling network and data center performance management tools and preparing performance statistics reports for network, data center and hosted applications.

(j) Experience in data center capacity planning and building. Preparing Capacity utilization reports for data center

(k) Call center operations audit and performance audit.

(l) Experience in deployment of IT applications.

(m) Experience as Systems administrator for Windows platform


(n) Experience in configuration and management of Network and security devices

(o) Exposure to virtualization/ cloud environment.

3) TPA Consultant- (Onsite) – B.E/ B. Tech with 3+ years of experience. The consultant will be deployed onsite at HSVP location. He shall be responsible for writing security policy, application security audit, ensuring ISMS compliance and gap implementation.

(a) Exposure and knowledge in implementation of applications/ software and related ICT.

(b) Hands on experience in Open Standard Platforms and development Technologies.

(c) Experience in preparing process flow and functional requirements documents for applications

(d) Conversant with latest technology platforms such as J2EE, Dot Net, XML etc.

(e) Exposure to conducting code reviews.

(f) Conversant with Database management system such as Oracle/SQL etc.

(g) Conversant with the use of software development best practices, tools and technologies to monitor application performance, improve end user experience.

(h) Experience in working on as-Is, to-be, Requirement gathering, process mapping, DPR preparation for applications.

(i) Experience in monitoring of large scale IT/e-Governance application projects.

(j) Conducting UAT for new and upgraded applications.

4) Additional need base part time or Full time resources required to be deployed to meet and deliver project objectives.

2.7 EVALUATION PROCESS

The proposal review committee may require verbal/written clarifications from the bidders including presentations, if considered necessary to support bid evaluation. The primary function of clarifications in the evaluation process is to clear ambiguities and uncertainties arising out of the evaluation of the bid documents. Verbal clarifications provide the opportunity for the committee to state its requirements clearly and for the bidder to more clearly state its proposal.

Depending on the evaluation methodology mentioned above, each Technical Bid will be assigned a technical score (TS) out of a maximum of 100 points as per the aforementioned Technical Evaluation Criteria.

The minimum technical score required to qualify for the financial evaluation is 70.

After the technical evaluation is completed, the HSVP shall notify and intimate those bidders, whose proposals were considered non-responsive to the RFP and Terms of Reference or not qualified for the financial evaluation, indicating that their Financial Proposals will be returned unopened after completing the selection process. The HSVP shall simultaneously notify the bidders, whose proposals have qualified for further evaluation, indicating the date and time set for opening the Financial Proposals. The notifications will be hosted on HSVP website.


2.8 FINANCIAL EVALUATION

Only those bidders who qualify in the Technical Evaluation shall be considered for financial evaluation. The Financial Proposals of such bidders shall be opened in the presence of the bidders’ representatives who choose to attend. The name of the proposed price shall be read aloud. The HSVP shall prepare minutes of the proceedings.

The bidder should be careful in submitting the financial proposal. The evaluation committee will take the total amount quoted in Section 4.6 as the final bid value.

2.9 FINAL EVALUATION

Bidders who score more than 70% of marks in Technical Qualification will qualify for the Commercial Evaluation.

a) The Financial Bids of technically qualified bidders will be opened.

b) Final evaluation shall be done on “Quality & Cost Based Selection” method (QCBS).

c) A composite score shall be calculated for technically qualified bids only. The weightage for the composite evaluation shall be awarded as below:-

i. Technical – 70%

ii. Commercial – 30%

d) Bidder with the highest final Score (FS1) (Final Score = TS*0.70 + CS*0.30) will be considered as successful bidder (rounded off to 2 decimal places).

e) In case of a tie in the final score, the bidder having the highest technical score will be considered eligible for award of contract.

f) For commercial bid evaluation, the bid price will be exclusive of all taxes and levies and shall be in Indian Rupees and mentioned separately. Though, bidder to provide the final amount exclusive of taxes, as applicable during the bid submission.

g) Any conditional bid would be rejected.

h) Arithmetical errors will be rectified on the following basis: “If there is a discrepancy between the unit price and the total price that is obtained by multiplying the unit price and quantity, the unit price shall prevail and the total price shall be corrected. If there is a discrepancy between words and figures, the amount in words will prevail”.

2.10 AWARD OF CONTRACT

1. The contract will be awarded as per section 2.9 Final Evaluation.

2.11 CONFIDENTIALITY

Subject to the other provisions of this RFP, information relating to evaluation of proposals and recommendations concerning award of contract shall not be disclosed to the bidders who submitted the proposals or to other persons not officially concerned with the process.


3 SCOPE OF WORK

This engagement involves requirement of consultants for the following activities:

1) Third Party Risk Assessment of the current software and infrastructure being operated at HSVP.

2) Perform various activities like the Penetration Testing, Vulnerability Assessment of all web applications, servers, security and network devices and provide Recommendations for best practices.

3) Network, systems and Application Performance monitoring, Hardware Sizing and Load testing in order to assess the system against various disasters.

4) Formation & Implementation of Backup policies and data archiving techniques used at HSVP.

5) Formation & Implementation of Patch management, System updates process at HSVP.

6) In addition to the various audit activities listed above the consultant shall also assist the department with application process reviews, management of Change requests for applications, application detailed analysis, end user feedback and requirement gathering for applications, best practices for software development, UAT of applications, Software documentation like (FRS and SRS), DPRs, meeting reports and minutes.

7) The consultant shall also monitor all the third party vendors engaged with HSVP for managing various application and data center. Consultant shall study the respective engagement contracts for all such third party vendors and prepare a Project delivery status sheet / trackers / Risk matrices for all such vendors and give monthly updates to HSVP regarding their progress for their respective engagements.

8) The reports will be submitted for the above mentioned activities. All reports shall be followed by a suggested mitigation plan. This plan will be finalized by HSVP in consultation with Service provider and TPA. Service provider will implement the mitigation plan and TPA will carry out test/ assessment till all reported risks, vulnerabilities and deficiencies are plugged.

The broad objectives of having TPA are to ensure that:

• The Data Centre operations and management control processes are adequate and functioning as intended.

• Administrative control of data and its confidentiality, security and privacy is with the State Government de-jure and de-facto.

• Conducting application reviews, process reviews and performance review to ensure all the applications are up-to-date and

• Significant financial, managerial, and operating information is accurate, reliable, and timely.

• Interaction with the various stakeholders occurs as needed.

• Security and operational Risks are appropriately identified and managed.

• The Data Centre Operator's actions are in compliance with laid down policies, standards, procedures, and applicable laws and regulations.

• Quality and continuous improvement are fostered in the HSVP DC & DR operations and management processes.

Note*** Not limited to scope mentioned in RFP & Deliverables.

Scope Deliverables & Assignments:


S.No | Audit Area | Deliverables | Periodicity

1 | Audit Activity | Audit framework, Audit plan, related procedures and templates and trackers related to reporting of progress of third party vendors engaged at HUDA. | Once every year (subject to annual review); every year it would be reviewed internally and need to be updated for new checkpoints etc.

2 | DC Infrastructure Audit | Inventory audit report including executive summary, checklist and compliance | Quarterly

3 | Operations and Management Process and control | Audit report including but not limited to following checkpoints related to processes followed by the vendor for its Data Centre Management deliverables: Data Centre Management team, skills, facility management services, change management procedures, IT Infrastructure operations – hardware, software, Electricity and Diesel consumption, PAC cooling, backup procedures, antivirus measures, trainings, network and security administration, performance monitoring, capacity utilization, patch management. The audit report shall also emphasize specifically the efficacy of incident management and asset management. | Every Quarter

4 | SLA Audit | Quarterly SLA audit report: The Audit report should include all the SLA parameters as agreed by the Data Centre Operator, its conformance/deviation to the SLA and recommend penalties for the Data Centre Operator for its quarterly payments | Quarterly

5 | Call center Audit | Review of the various processes at Call Centre for information security aspects. Report document covering, executive summary, and a detailed report. The report also provides guidelines on how to close/mitigate reported findings. Best practices and recommendations to be included in the report. | Six monthly


6 | Security and Compliance Audit | Security Audit reports including but not limited to following checkpoints/controls: • Vulnerability assessment and Black Box Penetration testing report. The final Report with Executive Summary should include: Identification of vulnerabilities, Evaluation of potential risks, Prioritization of risks, estimated cost to effect remedies. VA/PT tools should be non-intrusive and non-destructive. The tool, test schedule and potential impact to be approved by SIA before deployment. • Compliance to DC Policy Guidelines | Six monthly

7 | Application security Audit | A detailed report will be submitted with security status and discovered vulnerabilities, weaknesses and mis-configurations with associated risk levels and recommended actions for risk mitigations. Summary and detailed reports on security risk, vulnerabilities and audit with the necessary countermeasures and recommended corrective actions | Six Monthly (separate report for all applications)

8 | Datacenter and Network performance | Detailed network and system performance reports with capacity utilization and hardware obsolescence statistics. Recommendation for improved performance | Quarterly

9 | Application Performance | Load and stress testing report for all applications with detailed findings. Recommendations for improved performance | Six monthly (separate report for all applications)

10 | Application Process review | Detailed application analysis and review of all functional processes and business process in the applications. Upgraded process meeting technical requirements and complying with agreed standards, implementation methodology and tools. | Annually (separate report for all applications)

11 | Functional testing and UAT | Report document covering tests conducted for updated applications, and detailed test results. The report also provides guidelines on how to close/meet reported functional gaps. | Annually.

12 | Monthly Report | Monthly status update for the project. Monthly status updates for all third party vendors. | Monthly


3.1 PAYMENT TERMS

The payment to the selected bidder shall be processed on quarterly basis at the end of each quarter on submission of report and fulfilment of other contractual obligations upon submission of the invoice along with respective deliverable and all other supporting documents and deliverable reports for the respective Quarter.

3.1.1 PENALTY

3.1.1.1 Any delay (attributed to the successful bidder) in delivery of above project deliverables or absence of resources deployed at HSVP will entail imposition of penalty @ 1% per week of the total project cost.

3.1.1.2 Full Time resources shall be required to maintain an attendance of 90% per quarter failing which will invite a penalty of Rs. 5000/- per day per resource.

3.1.1.3 Deployment of onsite resources need to serve a 60 days' notice period to HSVP. In case of any breach, equivalent to one quarter of total payment due for that quarter to be deducted along with the displeasure notice to the company.

3.2 DRAFT CONTRACT

Draft Contract Document as provided by HSVP that will be entered with the CONSULTANT is provided along with the RFP as a separate document. This shall be uploaded on the website of HSVP.


4 APPENDICES

4.1 ADDITIONAL INFORMATION RELATED TO THE PROJECT

4.1.1 ORGANIZATION OVERVIEW

The Haryana Shehri Vikas Pradhikaran Authority (HSVP), a statutory body of Haryana Govt., was constituted under the Haryana Urban Development Authority Act, 1977. Before the constitution of HSVP, the Department of Urban Estates, which was established in the year 1962, used to look after the work concerning planned development of urban areas and it functioned under the aegis of the Town & Country Planning Department. The functioning of the Urban Estates Department was earlier regulated by the Punjab Urban Estates (Development & Regulations) Act, 1964 and rules made thereunder, and the various development activities used to be carried out by different departments of the State Govt. such as P.W.D (B&R), Public Health, Haryana State Electricity Board etc. But it was observed that the involvement of several agencies in the development of Urban Estates at various places had given rise to problems of coordination, with the result that growth of most of Urban Estates became slow and caused unnecessary dissatisfaction among the plot-holders in particular and public in general. Besides, as the Department had to follow the financial rules and regulations of Govt., the arrangement of finances and sanction of estimates took a long time and the development works had not kept pace with the required standards of physical development. It was also considered that being a Govt. department, it was unable to raise resources from various lending institutions although there were various financial institutions in the country to finance urban development programmes which could be availed of. Thus in order to overcome all these difficulties and to achieve the expeditious development of urban estates, it was felt that the Department of Urban Estates should be converted into such a body which could take up all the developmental activities itself and provide various facilities in the urban estates expeditiously.

4.1.2 FUNCTIONS CARRIED OUT BY THE AUTHORITY

The Authority has taken over work which was being handled by individual departments. The main functions of Haryana Shehri Vikas Pradhikaran are as under:-

• To promote and secure development of urban areas with the power to acquire, sell and dispose of property, both movable and immovable

• To acquire, develop and dispose of land for residential, industrial and commercial purpose

• To make available developed land to Haryana Housing Board and other bodies for providing houses to economically weaker sections of the society; and

• To undertake building works.


4.2 FORMATS FOR SUBMISSION OF PROPOSAL

[Location, Date]

To

<ADDRESS>

Phone:

Fax:

e-mail:

Dear Sir/Madam,

Sub: <SUBJECT>

We, the undersigned, offer to provide the consulting services for the above in accordance with your Request for Proposal dated ________, and our proposal. We are hereby submitting our proposal, which includes this Technical proposal, and a Financial Proposal sealed under a separate envelope. Our proposal is binding upon us. We understand you are not bound to accept any Proposal you receive.

Yours sincerely,

Authorized Signatory,

Name and Title of Signatory,

Name of the Firm:

Address:

Telephone No:

Fax No:

E-mail:


4.3 CHECKLIST FOR PREQUALIFICATION CRITERIA

IMPORTANT INSTRUCTION: Bidder is requested to conform to respective sections of the RFP Document when responding to this section:

S. No | Criteria | Whether Met | Reference Details

1 | A Company/ Limited Liability Firm registered in India, along with a valid Service Tax registration and been in operation for a period of at least five (5) years at the time of bid submission. | Yes/No | Certificates of incorporation / registration as may be applicable

2 | The bidder should be CERT-In empanelled IT Security Auditing Organization. | Yes/No | Certificate of Empanelment

3 | The Bidder should not be a System Integrator involved in delivering solution or services to HSVP | Yes/No | Self-Certification by the authorized signatory

4 | Bidder should have office in (Chandigarh/ Panchkula/ Mohali/ Delhi/ Gurgaon). | Yes/No | Self-Certification by the authorized signatory

5 | Any organization debarred / black-listed by Central / State Government in India, at the time of submission of the RFP, shall not be allowed to participate in this tender. Bidder need to submit a self-certification in this regard | Yes/No | Declaration letter by an Authorized Signatory

6 | The bidder would undertake not to sub-let any part of the deliverable or any part of the work defined for TPA. | Yes/No | Undertaking

7 | The bidder should satisfy following financial criteria:- Annual Turnover during each of the last five financial years (i.e. FY 2013-2014, 2014-2015, 2015-16, 2016-17, 2017-2018), should have been a minimum of Rs. Hundred Crore (100) Cr. that is generated from services relating to Information Technology (IT) Consulting/audit and IT Program/Project Management (i.e. revenue should be on account of IT Solutions consulting other than related to supply of hardware/IT infrastructure and their associated maintenance services, packaged software, etc.) | Yes/No | Extracts from the audited Profit & Loss and Balance Sheet; Latest Annual Report; Certificate from the statutory auditor

8 | a. The bidder should have worked on Security Audit engagements for applications and infrastructure in government sector/PSU/Financial Institution. b. Bidder must have experience in Third party Audit in minimum tier 3 Data Center. | Yes/No | Description of project/ Work Orders.

9 | Should submit an escalation matrix with contact details with mobile & email address up to head of the organization | Yes/No | Escalation matrix

10 | The bidder must have a team of professionals having valid professional certifications (CISA/ CISSP/ ISO 27001/ITIL/ ISO 20000) and must have on its payroll | Yes/No | Undertaking by the authorized signatory.


4.4 CHECKLIST FOR TECHNICAL EVALUATION

IMPORTANT INSTRUCTION: Bidder is requested to conform to respective sections of the RFP Document when responding to this section: * Assignments ongoing or completed

Technical Evaluation Criteria

S. No Evaluation Criteria Details Break-up

1. Certificate of Empanelment (5 Marks)

The bidder should be a CERT-In empanelled IT Security Auditing Organization.

Empanelment Certificate copy/evidence

5 Marks

2. Relevant Experience (20 Marks)

Experience of the bidder in Govt/ PSU/ Financial institutions as third party auditor for minimum Tier 3 Data Centre.

Experience of one project carries one mark. Maximum marks obtainable by the bidder is 10 Marks.

10 Marks

Number of projects (One project = 1 Mark)

Experience of the bidder in IT consulting/ ISMS projects for government sector/PSU/ Financial Institution with minimum tier 3 Data Centre

Number of projects (One project = 2 Marks)

Experience of one project carries two marks. Maximum marks obtainable by the bidder is 10 Marks.

10 Marks

3. Approach and Methodology (15 Marks)


Project Understanding, Approach & Methodology

• Understanding of project needs, requirements, Scope of work – 7 marks

• Clarity & adequacy of Approach and Methodology and Solution Proposed – 8 marks

15 Marks

4. Resource Profile (30 Marks)

CVs of team Proposed along with Resource wise Roles & Responsibilities in the Project

Experience as per criteria/details in Employee Section

30 Marks

Project Manager (As per the proposed profiles by Bidder total marks awarded upto - 10 Marks)

Consultant – 1 (5+ Years) - 3 Marks

Consultant – 1 (7+ Years) - 5 Marks

Consultant – 1 (10+ Years) - 7 marks

Certification (CEH/ CISA/ CISSP) – 3 Marks

Consultant – 2 (3+ Years) - 3 marks

Consultant – 2 (5+ Years) - 5 marks

Consultant – 2 (7+ Years) - 10 marks

5. Presentation by Bidder (25 Marks)

Presentation by Bidder on their Understanding and Proposed Approach for the project

25 Marks

6. Local Project Office (5 Marks)

Has a Local Office at Chandigarh/ Panchkula/ Mohali/Delhi/Gurgaon for the duration of the project

5 Marks

Total 100 Marks


4.5 SUGGESTED FORMAT OF CURRICULUM VITAE (CV) FOR PROJECT STAFF

IMPORTANT NOTE: Please limit each CV to two pages

Proposed Area of work:

Name of the Firm

Name of the Staff

Designation in the Firm/Entity:

Date of Birth and Nationality:

No. of years with Firm/Entity _________________________

Total Experience ______________________

Relevant Year of Experience_________

Proficiency in English Language: _____________________________________

Educational Background:

[College/university and other specialized/management/professional education with institution/university name, year of completion and name of degree/diploma obtained]

Employment Record:

[Starting with present job, list in reverse chronological order employment data, listing positions held, dates, name of employer, job title and locations of work. Provide very briefly the types of activities performed during the most recent ten year period]

Competencies, Achievements and Relevant Experience

[Give a description of staff member’s in-depth and successful experience in maximum five assignments most pertinent to tasks on this assignment. Details required are as under:

Name and Objective of Assignment, Role on the assignment, Year and Duration of assignment, Location, Name of HSVP and a description of the key activities performed by the staff member and staff member’s contribution to the project.]

Roles & Responsibilities in the phase wise scope of Project: List out the roles and responsibilities assigned to the resource

Visible/Measurable Deliverables of the resource in the phase wise scope of project: Clearly list out the project deliverables of the resource.


4.6 FINANCIAL PROPOSAL SUBMISSION FORM (TO BE SUBMITTED ONLY ONLINE)

Part A: Project Cost exclusive of applicable taxes

Level Project cost in INR (excluding applicable taxes)

Total Cost of engagement for providing services as per scope of work mentioned in RFP for a period of 2 years.

* Project Management for a period of two years from the date of appointing the SI