
Web Security Audit – Request for Proposal
Department of IT, GNCT Delhi Page 1 of 56

REQUEST FOR PROPOSAL (RFP)
FOR
WEBSITE SECURITY AUDIT OF
DELHI GOVERNMENT DEPARTMENTS,
AUTONOMOUS & LOCAL BODIES

DEPARTMENT OF INFORMATION TECHNOLOGY
Government of N.C.T of Delhi
B-Wing, 9th floor
Delhi Secretariat, New Delhi – 110 002
http://www.it.delhigovt.nic.in


Summary Sheet

Name of the Department: Department of Information Technology, Govt. of N.C.T of Delhi
Date of issue of R.F.P: 22nd October, 2007
Last Date and Time for submission of queries by E-mail ([email protected]): 1st November, 2007 by 6.00 P.M
Answers to the Bidder’s Questions will be available at www.it.delhigovt.nic.in: 7th November, 2007
Last Date and Time for Receipt of Proposal: 14th November, 3 P.M
Date and Time of Opening of Technical Bids: 14th November, 3.30 P.M
Place of Opening of Bids: Conference Hall of Information Technology Department, Room No. 902, B Wing, Level 9, Information Technology Department, Delhi Secretariat, New Delhi
Address for Communication: Deputy Secretary (Information Technology), Department of Information Technology, 9th Level, B-Wing, Delhi Secretariat, New Delhi 110002

Note:
• This bid document is not transferable.
• Bids without relevant documents as specified in this RFP should be summarily rejected.


Disclaimer

The information contained in this Tender Document or subsequently provided to Bidder(s) or Applicants, whether verbally or in documentary form, by or on behalf of the Secretary, Department of Information Technology, Government of N.C.T of Delhi or any of their employees or advisors, is provided to the Bidder(s) on the terms and conditions set out in this Tender Document and all other terms and conditions subject to which such information is provided.

This Tender Document is not an agreement and is not an offer or invitation by the Secretary, Department of Information Technology, Government of N.C.T of Delhi to any party other than the Applicants who are qualified to submit the Bids (“Bidders”). The purpose of this Tender Document is to provide the Bidder(s) with information to support the formulation of their Proposals. This Tender Document does not purport to contain all the information each Bidder may require. This Tender Document may not be appropriate for all persons, and it is not possible for the Secretary, Department of Information Technology, Government of N.C.T of Delhi or their employees or advisors to consider the investment objectives, financial situation and particular needs of each Bidder who reads or uses this Tender Document. Each Bidder should conduct its own investigations and analysis and should check the accuracy, reliability and completeness of the information in this Tender Document and, where necessary, obtain independent advice from appropriate sources. The Secretary, Government of N.C.T of Delhi, their employees and advisors make no representation or warranty and shall incur no liability under any law, statute, rules or regulations as to the precision, reliability or completeness of the Tender Document. The Secretary, Department of Information Technology, Government of N.C.T of Delhi, may in their absolute discretion, but without being under any obligation to do so, update, improve or supplement the information in this Tender Document.


Table of Contents

Sr.No   Description                                                          Page No.
I       Instructions to Bidders                                              6
1.1     Introduction and Background                                          6
1.2     Objectives                                                           6
1.3     Submission of proposals                                              7
1.3.1   Bid Security                                                         9
1.3.2   Pre-Qualification/Eligibility                                        10
1.3.3   Technical Proposal                                                   11
1.3.4   Financial Proposal                                                   11
1.4     Disqualification                                                     12
1.5     Evaluation Process                                                   12
1.6     Award and duration of work                                           14
1.7     Subcontracting and/or outsourcing of work                            14
1.8     Termination of the work                                              15
1.9     Penalties                                                            15
1.10    Payment Terms and Conditions                                         15
1.11    Performance Guarantee                                                17
1.12    Audit Environment                                                    17
1.13    Indemnity                                                            17
1.14    Responsibility of the Auditor                                        18
1.15    Liability in respect of Damage                                       18
1.16    Quality of Audit                                                     18
1.17    Confidentiality and Copyright                                        18
1.18    Validity of Proposals                                                19
1.19    Right to accept/reject the Proposals                                 19
1.20    Fraud and Corruption                                                 19
1.21    Clarifications and amendments of RFP                                 20
1.22    Force Majeure                                                        20
1.23    Arbitration                                                          21
1.24    Follow-Up and Compliance                                             21
1.25    Exit Plan                                                            21
II      Terms of reference                                                   22
2.1     Scope of the Work                                                    22
2.1.1   Task 1: Web Security Audit/Assessment                                22
2.1.2   Task 2: Re-Audit based on recommendation report of Task 1            24
2.1.3   Task 3: Re, Re-Audit, if required, based on Task 2                   24
2.2     Deliverables and Audit Report                                        25
2.3     Expectations of Auditee Organization from the Auditor                26
2.4     List of websites of Delhi Government Departments/Local bodies/
        Autonomous Bodies                                                    29
III     List of Annexures
3.1     Annexure 1: Notice of Intent to Bid                                  32
3.2     Annexure 2: Proposal Covering Letter                                 33
3.3     Annexure 3: Pre-Qualification Bid Covering letter                    36
3.4     Annexure 4: Pre-Qualification Format                                 38
3.5     Annexure 5: Technical Bid Proposal                                   40
3.6     Annexure 6: Technical Bid Format                                     44
3.7     Annexure 7: Financial Proposals Format                               45
3.8     Annexure 8: Project Experience Format                                46
3.9     Annexure 9: Undertaking Format                                       47
3.10    Annexure 10: Curriculum Vitae                                        48
3.11    Annexure 11: Bid Security Format                                     49
3.12    Annexure 12: Performance Bank Guarantee Proforma                     50
3.13    Annexure 13: List of Personnel                                       53
3.14    Annexure 14: Guidelines & Sample Audit Report Format for Website
        Audit as per NIC norms                                               54


Section 1: Instructions to Bidders

1.1 Introduction and Background

A secure Web portal creates a single doorway to online services for citizens. This doorway generates new opportunities to strengthen relationships and increase the value of services delivered to citizens and employees. To take advantage of these opportunities, it is necessary to mitigate the risk of sharing information, accepting commitments and delivering services over the public Internet. A secure web portal mitigates the risk of unauthorized access to resources, has an auditable trail to support transactions, particularly those with high sensitivity or high value, protects important information from the moment it is entered by the user and as it continues through back-end applications and workflow processes, and strengthens on-line relationships, enabling more and more applications and services to be integrated with and accessed via the high-value web portal. Also, as data submitted on a web portal travels to its final destination in multiple back-end applications, the information needs to be protected from unauthorized access or use.

The Government of National Capital Territory of Delhi was among the first few States to recognize the importance of Internet and Information Communication Technology (ICT) services in the functioning of Government Departments/Corporations/Local bodies, and has taken many initiatives to utilize this potential and bring it into a ground reality. This led to bringing ease for citizens in interacting with the Government, appropriate utilization of Government resources, re-engineering the organizations and designing a suitable framework.

The web portal of the Delhi Government, i.e. www.delhigovt.nic.in, provides a single point of information and interaction for all citizens, visitors and businesses. The websites of various Departments are further enabling the Government to bring G2C, G2G and G2B services to the citizens.

1.2 Objectives

The objective of this proposal is to conduct the Audit to discover any vulnerabilities/weaknesses/attacks in the website(s) and web application(s) which are listed in this RFP. The Audit should be done using Industry Standards and as per the Open Web Application Security Project (OWASP) methodology.


The main objectives for conducting this website security audit are to:

1. Identify the security vulnerabilities which may be discovered in the website and web application security audit, including cross-site scripting, Broken ACLs/Weak session management, Buffer Overflows, Forceful browsing, CGI-BIN manipulation, Form/hidden field manipulation, Command injection, Insecure use of cryptography, Cookie poisoning, SQL injection, Server misconfiguration, Well-known platform vulnerabilities, Errors triggering sensitive information leaks etc. on the websites of the Delhi Government’s Departments/Corporations/Local bodies;
2. Perform the requirements and analysis needed to increase the overall security posture;
3. Identify and prioritize the various risks to the websites;
4. Gain a better understanding of the websites, their applications and their potential vulnerabilities;
5. Determine if the current websites of the Departments are secure and evaluate their security;
6. Identify remedial solutions and recommendations for making the web site applications secure;
7. Rectify/fix identified potential vulnerabilities and web application vulnerabilities, thereby enhancing the overall security.

1.3 Submission of Proposals

The proposals shall be prepared in a three-cover format (one each for pre-qualification, technical and financial documents: (a) Pre-qualification details as per Annexure 3 & 4, (b) Technical details as per Annexure 5 & 6 and (c) Financial details as per Annexure 7). The Bidder shall submit the Pre-Qualification Bid, Technical Bid and Financial Bid documents in separate wax-sealed envelopes, marked Pre-qualification, Technical and Financial Bid respectively on the top left hand corner. All three sealed covers are to be put in a bigger cover which should also be sealed and duly superscribed.

Sealed proposals will be received at the front desk of the Deputy Secretary, Department of Information Technology, Government of N.C.T of Delhi, New Delhi-110002 by 14th November 2007.


Addressed to:

SECRETARY (Information Technology)
DEPARTMENT OF INFORMATION TECHNOLOGY,
Government of NCT of Delhi,
9th floor, B-Wing
Delhi Secretariat, New Delhi – 110002.

Following are the terms and conditions for this tender bid submission:

1. The tenderer cannot bid in consortium.
2. All proposals should be submitted in the English language only.
3. Award of the contract resulting from this tender will be based upon the most responsive Bidder whose offer will be the most advantageous to the Information Technology Department in terms of cost, functionality and other factors as specified.
4. The Department of Information Technology, Government of N.C.T of Delhi reserves the right to reject any or all offers and discontinue this tender process without obligation or liability to any potential Bidder.
5. The Bidder will confine its submission to those matters sufficient to define its proposal, and to provide an adequate basis for the Information Technology Department’s evaluation of the Bidder’s proposal.
6. All proposals received after the specified date and time shall not be considered for award of work.
7. The Secretary, Department of Information Technology, Government of N.C.T of Delhi will not accept delivery of proposals by fax or E-mail. Proposals received by facsimile shall be treated as defective, invalid and rejected.
8. The original and copies of the bid, each consisting of the documents listed in the instructions, shall be typed and shall be signed by the bidder or a person(s) duly authorized to bind the bidder to the contract.
9. The Department of Information Technology, Government of N.C.T of Delhi will be under no legal obligation to provide employment to any of the personnel of the contractor after expiry of the agreement period, and the Department recognizes no employer-employee relationship between the Department and the personnel deployed by the contractor.
10. The contractor shall comply with all the statutory provisions laid down under the various Labour Laws/Acts/Rules such as Minimum Wages, Provident Funds, ESI, Bonus, Gratuity, Contract Labour Act and other Labour Laws/Acts/Rules in force from time to time, at his own cost. In case of violation of any such statutory provisions under Labour Laws or any other applicable law by the Contractor, there will not be any liability on the Department/Government.
11. The contractor shall not employ any person who has not completed eighteen years of age.
12. The Department shall not be responsible, financially or otherwise, for any injury to the staff deployed by the contractor in the course of performing duty for and on behalf of the contractor.

1.3.1 Bid Security

a) The Bidder shall furnish, as part of its technical proposal, an original bid security in the amount of Indian Rupees (Rs) 4,00,000/- (Four Lakhs) only.
b) The Bid Security shall be in the form of a Demand Draft/Banker’s Cheque/Bank Guarantee drawn in favour of the Secretary, Department of Information Technology, issued by a Scheduled Bank. The Bid Security shall be valid for a period of 45 days beyond the final bid validity period.
c) The Bid Security must be submitted in the Technical Bid Cover.
d) Any proposal not sealed shall be rejected by the Department of Information Technology, Government of N.C.T of Delhi.
e) The Bid Security provided by the Bidder whose proposal is accepted shall be repaid or discharged when the Performance Security has been duly submitted and the vendor and vendee enter into and execute a Contract.
f) Bid security of unsuccessful bidders will be returned within, and not later than, 30 days of award of contract to the successful bidder.
g) Bid Security will be provided as per Annexure-11.
h) Forfeiture of Bid Security:

The Bid Security may be forfeited:
• if a bidder withdraws its bid during the period of validity of its proposal as specified by the bidder in its proposal; or
• in the case of the successful bidder, if the bidder fails
  o to sign the contract, or
  o to furnish performance security as mentioned at Annexure-12 of the RFP.


1.3.2 Pre-Qualification/Eligibility Criteria for Bidders

Eligibility Criteria: The pre-qualification proposal as specified in Annexure 3 and 4 will be used to evaluate whether the bidder’s technical skill base and financial capacity are consistent with the needs of the project. The following criteria have been defined for eligibility of an audit firm (copies of the documentary evidence must be submitted). Only audit firms that meet the criteria mentioned below need apply.

a) This invitation is open to all Indian firms/companies (the bidder).
b) The firm/company must be a company registered under the Indian Companies Act, 1956, the Partnership Act, 1932 or the Registration of Societies Act.
c) The bidder must have been empanelled by CERT-IN, having an empanelment certificate valid up to 31st March 2008. Proof of this will have to be submitted.
d) The bidder should have been in operation for a period of at least 3 years as of 31-3-2007, as evidenced by the Certificate of Incorporation and Certificate of Commencement of Business issued by the Registrar of Companies, India.
e) The bidder should have had an average turnover of (Rs) 25,00,000/- (Twenty five Lakhs) only during the last 3 financial years in Information Technology related operations, i.e. for the financial years 2004-05, 2005-06 & 2006-07, as revealed by audited accounts.
f) The bidder should have an adequate number of Certified Information Systems Auditor (CISA)/CISSP qualified professionals (say a minimum of 5), so as to associate them with each audit team auditing the websites listed in this RFP simultaneously.
g) The bidder should give a commitment to deploy a Project Manager in the project, who should be a Graduate in Engineering (B.Tech/B.E) having at least 10 years experience in the Information Technology field, out of which he/she should have a minimum of three years experience in Security Audit related Projects. He/She must be a Certified Information Systems Auditor (CISA). The bidder should have at least 5 security audit certified professionals on its rolls who have sufficient experience in Information Technology & Web security audit and who must be Certified Information Systems Auditors (CISA)/CISSP. The details of the Project Manager/Auditors for this project have to be submitted as per the format mentioned at Annexure-10 with this bid.
h) The bidder should have experience of conducting Website Audits similar to that proposed by the Department of Information Technology, Government of N.C.T. of Delhi, of a minimum of 3 audit projects in organizations like banks, financial institutions, Insurance Companies or Government departments.
i) The bidder should have SEI CMM Level 5 or higher Certificates.
j) The bidder should own at least one commercial Security Audit Tool. The name and description of the tool need to be given. Proof of this will have to be submitted.
k) The bidder should have at least one implementation/technical support office in the National Capital Region.
l) The bidder has to submit proof for the eligibility criteria, including Sales Tax Registration, Income Tax PAN Number, etc.

1.3.3 Technical Proposal

The Technical Bid shall include the detailed project plan for the website security Audit corresponding to the deliverables required by the Department of Information Technology, Government of N.C.T. of Delhi, for the project. The project plan should indicate the milestones and time frame for completion of the different activities of the project. The bidder is required to give details of the Project Management Methodology, Audit Standards and methodology, along with the quantum of resources to be deployed for the project and the qualifications and experience of the personnel deployed, in the technical bid. Resources and support required from the Department of Information Technology, Government of N.C.T. of Delhi, may also be clearly defined. The technical bid is required to be submitted in the format given in Annexure 5 & 6.

1.3.4 Financial Proposal

Following are the terms and conditions for the Financial Proposal:

1. This tender is for a fixed price bid.
2. The financial proposal shall be priced in Indian Rupees.
3. The Financial proposal shall clearly indicate, as per the Financial Summary Sheet in Annexure-7, the total costs of carrying out the services as described in the Terms of Reference (TOR) as well as taxes, namely Value Added Tax (VAT) and Service Tax etc., wherever applicable.
4. The quotations shall be fixed and shall not allow for any fluctuation in costs of labour, transport, etc. No adjustment shall be made to the contract value for any fluctuation arising following submission of the tender.


1.4 Disqualifications

The Department of Information Technology, Government of N.C.T of Delhi may at its sole discretion, and at any time during the evaluation of Proposals, disqualify any bidder if the bidder has:

a. Submitted the Proposal documents after the scheduled date and time;
b. Made misleading or false representations in the forms, statements and attachments submitted in proof of the eligibility requirements;
c. Exhibited a record of poor performance such as abandoning works, not properly completing the contractual obligations, inordinately delaying completion or financial failures, etc. in any project in the preceding three years;
d. Submitted a proposal that is not accompanied by the required documentation or is non-responsive;
e. Failed to provide clarifications related thereto, when sought;
f. Submitted more than one Proposal;
g. Been declared ineligible by the Government of India/State/UT Government for corrupt and fraudulent practices, or been blacklisted;
h. Submitted a proposal with a price adjustment/variation provision.

Please note that the Department of Information Technology, Government of N.C.T. of Delhi reserves the right to carry out a capability assessment of the “Bidder”, and the Department’s decision shall be final in this regard.

1.5 Evaluation Process

A three-stage procedure (i.e. Pre-Qualification criteria, Technical Bid and Financial Bid) will be adopted for evaluation of proposals. The process for evaluation of proposals is as given below:

a) Pre-qualification Criteria Evaluation: Preliminary scrutiny of the Proposals for eligibility will be done to determine whether the Proposals are complete, whether the documents have been properly signed, whether any computational errors have been made, and whether the Proposals are generally in order. Proposals not conforming to the Prequalification eligibility criteria shall be rejected summarily. Proposal responses passing preliminary scrutiny shall be checked for conformance to the prequalification eligibility criteria. Non-conforming Proposals shall be rejected outright.


b) Technical Evaluation: An Evaluation Committee will assess all the bids received. Technical Proposals would be opened only for those bidders who have qualified during the Prequalification Evaluation of Proposals. If a Technical Proposal is determined as not substantially responsive, the Department of Information Technology, Government of N.C.T. of Delhi will reject it. Technical Proposals conforming to the Pre-qualification eligibility criteria will be taken up for detailed Technical evaluation. All the bidders who secure a Technical Score of 70% and above will be declared as technically qualified for this bid with the Department of Information Technology, Government of N.C.T. of Delhi. The technical proposal will be evaluated as per the Technical Evaluation Criteria mentioned in the following table:

TECHNICAL EVALUATION CRITERIA                                                  Weightage (%)

1   1a) Experience in working with Government Departments and Public
        Sector undertakings for similar Projects                                   05
    1b) Quality Management Standards/Certifications                               05
    1c) Experience in conducting similar website and web application
        Security Audit (marks awarded by number of projects):
            3 projects                                                            15
            4-10 projects                                                         17
            More than 10 projects                                                 20

2   2a) Level of understanding of the Project                                     05
    2b) Vendor’s Proposed Technical solution: type of Security assessment
        tool to be used for identifying Security Vulnerabilities, tools
        (Licensed/Free) and Technologies                                          15
    2c) Project implementation Methodology giving approach of vendor along
        with rollout plan, Project Management and Reporting                       10

3   Manpower Deployment:
    3a) Level of skills and experience                                            10
    3b) Certification relevant to the role described (such as CISA and
        CISSP)                                                                    10
    3c) Relevance of Experience of the Individual to Website & Web
        Application Security                                                      5
    3d) Number of Personnel in various categories proposed to be deployed
        on the ground                                                             5

4   Sample Reports, Fulfilment of Audit Requirements as per this RFP Scope
    of Work - The extent to which the Bidder’s proposed solution fulfils
    the Information Technology Department’s stated requirements as set out
    in this tender. An assessment of the Bidder’s ability to deliver the
    indicated service in accordance with the specifications set out in
    this tender                                                                   10

c) Financial Bid Evaluation: The evaluation of the financial proposals shall be carried out considering the total cost of the project to the Department of Information Technology, Govt of NCT of Delhi as indicated in the formats suggested for furnishing the Financial Bids vide Annexure-7.

The Department of Information Technology, Government of N.C.T of Delhi, may, at their discretion and without explanation to the prospective Bidders, at any time choose to discontinue this tender without obligation to such prospective Bidders.

1.6 Award and Duration of the Work

On acceptance of a Proposal for awarding the contract, the Department of Information Technology, Government of N.C.T. of Delhi will notify the successful bidder in writing that their proposal has been accepted. The Department of Information Technology, Government of N.C.T. of Delhi and the successful bidder shall sign the Contract Agreement at the time of signing of the Contract. After signing of the Contract Agreement, no variation in or modification of the terms of the Contract shall be made except by written amendment signed by the parties. The successful bidder has a period of 15 days to start the work. The successful bidder is expected to complete the work within a period of 180 days once the work has started.

1.7 Subcontracting and/or Outsourcing of Work

Outsourcing/subcontracting of work will not be permissible in any form. The selected bidder, after the award of the contract pursuant to this RFP, shall not subcontract, transfer or assign any portion of the contract, and if awarded a contract pursuant to this RFP, the selected vendor shall be solely and wholly responsible to perform the work. Subcontracting/outsourcing will lead to termination of the contract and forfeiture of the Performance Guarantee. In case of unavoidable circumstances, the audit firm/company has to take prior written permission from the Department of Information Technology, Government of N.C.T. of Delhi for engaging such agency or individual.

1.8 Termination of the Work

The Information Technology Department, Government of NCT of Delhi, without prejudice to its rights under the Conditions of tender or any other remedy for breach of Contract, shall have the right to terminate the contract of the Auditor at any time if the Auditor breaches any of the terms and conditions:

• Mentioned in this document or in the Award of Contract;
• As defined by CERT-IN, Department of Information Technology, Min. of Information Technology, Government of India.
• The contract may also be terminated in case the Information Technology Department is of the view that the Auditor’s performance or competence fails to meet the standards required for the Audit assignment.

1.9 Penalties

For any delay in completion of the task beyond the 180-day period from the date of award of work, liquidated damages of a sum equivalent to 0.5% of the project value for every day of delay, up to a maximum of 30% of the contract value, shall be deducted from the project value. Once the maximum penalty amount is reached, the contract shall also be terminated.

1.10 Payment Terms and Conditions

1. The bidder will offer a commercial quote, based on fixed cost, inclusive of VAT, Service Tax etc. and other duties, cess, fees etc., if any, and the Department of Information Technology, Government of N.C.T. of Delhi will not pay any additional amount other than that indicated in the offer.
2. TDS will be deducted at source for any payment made, as per the rules of the Government of India.
3. The Department of Information Technology, Government of N.C.T. of Delhi will neither provide nor reimburse expenditure towards any type of accommodation, travel tickets, airfares, train fares, halting expenses, transport, lodging, boarding etc.


4. The Department of Information Technology, Government of N.C.T. of Delhi may impose a penalty, in case of delay of any deliverables, at the rate of 0.5% per week of delay, either for completion of audit exercises or submission of draft reports, subject to a maximum of 30% of the total cost, for all delays attributable directly to the Audit Firm/Company.
5. The audit firm/company will not subcontract part or the complete assignment to any other agency or individual. In case of unavoidable circumstances, the audit firm/company has to take prior written permission from the Department of Information Technology, Government of N.C.T. of Delhi for engaging such agency or individual.
6. The audit firm/company shall keep information related to this project confidential and will not divulge it to outside agencies without written consent from the Department of Information Technology, Government of N.C.T. of Delhi.
7. If selected, the Audit Firm/Company shall have to sign an agreement.
8. Payment Schedule:

The payment terms for the bidder’s services shall be as follows:

Sl. No   Payment milestones                                                   Payment in Percentage
(i)      On confirmation of award of contract and submission of               10% of the total payment
         performance security                                                 for Task 1 to 3
(ii)     After submission of Report as per Task 1: Web Security               30% of the total payment
         Audit/Assessment                                                     for Task 1 to 3
(iii)    After submission of Report as per Task 2 (Re-Audit based on          30% of the total payment
         the vulnerabilities identified from Task 1)                          for Task 1 to 3
(iv)     After submission of Report as per Task 3 (Re, Re-Audit based         30% of the total payment
         on the vulnerabilities identified from Task 2)                       for Task 1 to 3


    1.11 Performance Guarantee

    The successful bidder shall furnish the performance security representing 10% of the

    total value of the contract within 15 days of the receipt of notification of award as per

    the Performance Guarantee Proforma provided in Annexure-12.

    Performance security should remain valid for a period of 60 days beyond the date of

    completion of all contracts.

    1.12 Audit Environment

The audit may be conducted from the successful bidder's own site by accessing the websites remotely: the auditors will carry out the external audit from their own location. However, the successful bidder needs to take the required permission from the particular Department beforehand. For this, the successful bidder shall agree to the Non-Disclosure Agreement (NDA) as specified in this RFP. The successful bidder will also hold a conference with the respective Departments/Corporations/Local Bodies in the Delhi Secretariat before the commencement of the work, to understand the concerned Department's website. One visit to the user department and a meeting with its representative is required to be made by the auditor, to guide the department in fixing/removing the vulnerabilities identified during the first audit.

    1.13 Indemnity

    The Auditor shall indemnify, and keep indemnified, the Government of N.C.T of Delhi

    against all claims, demands, actions, costs, expenses, (including without limitation,

    damages for any loss of business, business interruption, loss of business information or

    other indirect loss), arising from or incurred by reason of any third party claims against

    Department of Information Technology arising from the breach by the Auditor of any

    or all of its obligations under the Contract with the Department of Information

Technology. The Auditor shall be liable to indemnify the Department of Information

    Technology only if:

    (i) The Department of Information Technology, Government of N.C.T of Delhi has

    promptly provided Auditor intimation of such claim;

    (ii) The Department of Information Technology, Government of N.C.T of Delhi has

    not admitted to or accepted any of the claim;

    (iii) The Department of Information Technology, Government of N.C.T of Delhi has

    authorized the Auditor to defend or settle the claim;


    (iv) The Department of Information Technology, Government of N.C.T of Delhi has

    provided such assistance and information to the Auditor as may be required by

    the Auditor.

    1.14 Responsibilities of the auditor

    The Auditor shall ensure that:

    1. The auditing is carried out strictly in accordance with the terms and conditions

    stipulated in the audit assignment contract as well as general expectations of the

    auditee from an auditor.

    2. All applicable codes of conduct and auditing standards are adhered to with due

    professional care.

    3. The audit report is submitted to the Department of Information Technology,

    Government of N.C.T of Delhi and one copy of the report should be submitted to

    the concerned department.

    1.15 Liability in Respect Of Damage

    The Auditor shall make good or compensate for, all direct damage occurring to

    website and web applications of the respective department and/or Department of

    Information Technology, Government of N.C.T of Delhi in connection with this

    Contract for carrying out audit.

    Provided that this Clause shall not apply if the Auditor is able to show that any such

    damage is caused or contributed to by the neglect or default of the respective

    Department. The security auditor’s liability will be limited to the cost of service

    provided. Default or neglect by the Auditor will include both malicious and non-

    malicious errors and project mismanagement.

    1.16 Quality Of Audit

    The selected vendor will ensure that the audit assignments are carried out in

    accordance with applicable guidelines and standards as mentioned in this document

    and terms and conditions specified by the CERT-IN, Department of Information

    Technology, Min. of Information Technology, Government of India.

    1.17 Confidentiality and copyright

Information relating to the examination, clarification and comparison of the Proposals shall not be disclosed to any bidder or any other persons. The undue use by any bidder of confidential information related to the process may result in rejection of its Proposal. During the execution of the project, except with the prior written consent of the Department of Information Technology, Government of N.C.T of Delhi, the Consultant and its personnel shall not at any time communicate to any person or entity any confidential information acquired in the course of the auditing. All recipients of tender documents, whether they submit a tender or not, shall treat the details of the documents as private and confidential. Copyright in the documents prepared by the bidder is reserved to the Department of Information Technology, Government of N.C.T of Delhi. The Auditor shall ensure that his employees, servants, agents and sub-contractors keep confidential all information, in whatever form it is obtained, produced or derived from or related to the carrying out of its obligations under these terms and conditions as well as the Contract with the Department of Information Technology, Govt of N.C.T of Delhi.

    1.18 Validity of Proposals

    The bidder proposal shall remain valid for a period of 120 days beyond the closing date

    of the tender.

    1.19 Right to Accept/Reject Proposals

    The Department of Information Technology, Government of N.C.T. of Delhi reserves

    the right to accept or reject any Proposal(s) at any time prior to award of contract,

    without thereby incurring any liability to the affected Respondent(s) or any obligation

    to inform the affected bidder (s) of the grounds for such decision.

1.20 Fraud and Corruption

    The Consultants selected through this RFP must observe the highest standards of

    ethics during the performance and execution of such contract. In pursuance of this

    policy, Department of Information Technology, Government of N.C.T. of Delhi:

    (a) Defines, that for such purposes, the terms set forth will be as follows:

    (i) "Corrupt practice" means the offering, giving, receiving or soliciting of any

    thing of value to influence the action of Department of Information Technology,

    Government of N.C.T. of Delhi or any personnel of Consultant(s) in contract

    executions.

(ii) "Fraudulent practice" means a misrepresentation of facts, in order to influence a procurement process or the execution of a contract, to the Department of Information Technology, Government of N.C.T. of Delhi, and includes collusive practice among bidders (prior to or after Proposal submission) designed to establish Proposal prices at artificially high or non-competitive levels and to deprive DIT, Government of N.C.T. of Delhi of the benefits of free and open competition;

(iii) "Unfair trade practices" means supply of services different from what was ordered, or a change in the Scope of Work;

(iv) "Coercive practices" means harming or threatening to harm, directly or indirectly, persons or their property to influence their participation in the execution of the contract.

    (b) Shall reject a proposal for award, if it determines that the bidder recommended for

    award, has been engaged in corrupt, fraudulent or unfair trade practices.

    (c) Shall declare a Consultant ineligible, either indefinitely or for a stated period of time,

    for awarding the contract, if it at any time determines that the Consultant has been engaged

    in corrupt, fraudulent and unfair trade practice in competing for, or in executing, the

    contract.

    1.21 Clarifications and amendments of RFP Document

    1.21.1 RFP Clarifications

    During Pre Qualification and Technical Evaluation of the Proposals Department

    of Information Technology, Government of N.C.T. of Delhi may, at its

    discretion, ask bidders for clarifications on their proposal. The bidders are

    required to respond within the prescribed time frame.

    1.21.2 Amendments in RFP

    At any time prior to deadline for submission of proposal, Department of

    Information Technology, Government of N.C.T. of Delhi may for any reason,

    modify the RFP. The prospective bidders having received the RFP shall be

    notified of the amendments through website and/or newspapers and such

    amendments shall be binding on them.

1.22 Force Majeure

If the performance as specified in this order is prevented, restricted, delayed or interfered with by reason of:

- Fire, explosion, cyclone, floods
- War, revolution, acts of public enemies, blockade or embargo
- Any law, order, proclamation, ordinance, demand or requirement of any Government or authority or representative of any such Government, including restrictive trade practices or regulations
- Strikes, shutdowns or labour disputes which are not instigated for the purpose of avoiding obligations herein, or
- Any other circumstances beyond the control of the party affected,

then, notwithstanding anything hereinbefore contained, the party affected shall be excused from its performance to the extent such performance relates to the prevention, restriction, delay or interference, provided the party so affected uses its best efforts to remove such cause of non-performance and, when it is removed, the party shall continue performance with utmost dispatch.

1.23 Arbitration

In the event of a dispute or difference of any nature whatsoever between the Audit firm/company and the Department of Information Technology, Government of N.C.T. of Delhi during the course of the assignment, arising as a result of this order, the matter shall be referred to arbitration as per the Arbitration and Conciliation Act, 1996.

1.24 Follow-Up and Compliance

The Audit firm/company is required to follow up with the concerned offices of the Department of Information Technology, Government of N.C.T. of Delhi and with the concerned Department for compliance. The Audit firm/company has to submit a summary compliance report at the end of each task, and the final report should certify that the website/web application (naming the website and/or web applications) is "Certified for Security".

1.25 Exit Plan

The Partner will promptly, on the commencement of the exit management period, supply the following:

• Documentation relating to website audit Intellectual Property Rights;

• Data and confidential information;

• The terms of payment as stated in the Terms of Payment Schedule include the costs of the Partner complying with its obligations under this Schedule.

• In the event of termination or expiry of the MSA, Project Implementation, or Operation and Management SLA, each Party shall comply with the Exit Management Plan.

• During the exit management period, the Partner shall use its best efforts to deliver the services.

    Section 2: Terms of Reference

    2.1 Scope of the Work

Bidders would be expected to perform the following tasks for website and web-application security, to analyze and review the website/application security. The auditors will have to carry out an assessment of the vulnerabilities, threats and risks that exist in the website through Internet Vulnerability Assessment and Penetration Testing. This will include identifying remedial solutions and recommendations for implementing them, to mitigate all identified risks with the objective of enhancing the security of the website. The bidder will also be expected to propose a risk mitigation strategy as well as give specific recommendations to tackle the residual risks emerging from the identified vulnerabilities. The website and web application should be audited as per industry standards and also as per the OWASP (Open Web Application Security Project) model. The auditor is expected to submit the final audit report after the remedies/recommendations are implemented. The final report will certify the particular website/web application "Certified for Security". All website security audit reports should contain the details mentioned under Audit Report in Section 2.2.

The scope of the proposed audit tasks is given below. The audit firm/company will be required to prepare the checklists/reports.

    2.1.1 Task 1: Web Security Audit/ Assessment

Check the website and web applications for the various web attacks. The checks/attacks/vulnerabilities should cover the following, or any other type of attack to which the website/web application is vulnerable:

• Vulnerabilities to SQL Injections

• CRLF injections

• Directory Traversal

• Authentication hacking/attacks

• Password strength on authentication pages

• Scan JavaScript for security vulnerabilities

• File inclusion attacks

• Exploitable hacking vulnerabilities

• Web server information security

• Cross site scripting

• PHP remote scripts vulnerability

• HTTP Injection

• Phishing a website

• Buffer Overflows, invalid inputs, insecure storage etc.

• Any other attacks to which the website and web applications are vulnerable

• The Top 10 Web application vulnerabilities, which are given below, should also be checked for on the given websites:

A1 - Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

A2 - Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 - Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

A6 - Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

A7 - Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 - Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9 - Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 - Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
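The A1 and A2 items above describe the mechanism in words. The following is an added example, not part of the RFP and not code from any audited department, showing in Python the vulnerable pattern beside the hardened form that a Task 2 re-audit would expect to find in its place: string-built SQL against a bound parameter, and raw HTML output against HTML-encoded output. The in-memory sqlite table, the user names and the test inputs are constructed for illustration.

```python
"""Vulnerable-versus-hardened handlers for OWASP 2007 A2 (injection) and
A1 (XSS). Added example; the table, names and inputs are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table standing in for a department's site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "editor"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """A2 pattern: the user's input is spliced into the SQL text, so the
    interpreter executes whatever the input contains."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Fix: bind the value as a parameter. It is compared against the
    column as data and can never become part of the command."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def render_vulnerable(name: str) -> str:
    """A1 pattern: user-supplied data is echoed into HTML without
    validation or encoding."""
    return f"<p>Welcome, {name}</p>"


def render_hardened(name: str) -> str:
    """Fix: encode for the HTML context before the browser sees it."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run both forms against constructed hostile inputs and report what an
    auditor would record: how many rows leaked and whether markup survived."""
    conn = make_db()
    sqli = "x' OR '1'='1"                 # constructed injection string
    xss = "<script>alert(1)</script>"     # constructed script payload
    return {
        "vuln_rows": len(lookup_vulnerable(conn, sqli)),   # whole table
        "safe_rows": len(lookup_hardened(conn, sqli)),     # no such user
        "vuln_html_has_tag": "<script>" in render_vulnerable(xss),
        "safe_html_has_tag": "<script>" in render_hardened(xss),
    }


if __name__ == "__main__":
    print(demo())
```

The two "fixes" are the checks an auditor looks for when verifying a Task 1 finding has been closed: every query that carries user input uses bound parameters, and every echo of user input is encoded for the context it lands in.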

    2.1.2 Task 2: Re-Audit based on the Recommendations Report from Task 1

    The vendor will be responsible to provide a detailed recommendations report for the

    vulnerabilities observed from Task 1.

2.1.3 Task 3: Re-Re-Audit, if required, based on the Recommendations Report from Task 2

If vulnerabilities are observed from the re-audit, the vendor has to provide a detailed recommendations report on the vulnerabilities observed or found in the re-audit (Task 2). The Department of Information Technology, Government of N.C.T. of Delhi expects that all vulnerabilities will be removed at the Task 3 stage. The Audit firm/company has to submit a summary compliance report at the end of each task, and the final report should certify that the website/web application (naming the website and/or web applications) is "Certified for Security".


    2.2 Deliverables and Audit Reports

(a) The successful bidder will be required to submit the following documents after the audit for each website, as mentioned below, and the audit firm must also submit suggestions/recommendations and other detailed steps for enhancing the website security:

(i) A detailed report will be submitted with the security status and the discovered vulnerabilities, weaknesses and mis-configurations, with associated risk levels and recommended actions for risk mitigation.

(ii) Summary and detailed reports on security risk, vulnerabilities and audit, with the necessary countermeasures and recommended corrective actions as recommended above, need to be submitted in duplicate to the Department of Information Technology, Government of N.C.T. of Delhi. The same copy should also be submitted to the concerned department.

(iii) All deliverables shall be in the English language and in A4 size format.

(iv) The vendor will be required to submit the deliverables as per the agreed implementation plan.

• The deliverables (like Summary compliance report, Check list, Audit Report, Executive Summary and Final compliance report after all observations) for each task are to be submitted by the Auditors for this assignment as mentioned in Task 1, Task 2 and Task 3.

(b) Timeframe of the deliverables

    • The selected successful bidder will be required to start the project within 15 days

    from the date of placing the order for the audit.

    • The entire audit must be completed within 180 days from the placing of order.

    • All the draft reports of the agreed deliverables should be submitted by the

    firm/company within 15 days of the commencement of the audit.

    • The successful bidder should submit the final reports of the deliverables within 20

    days of the commencement of the audit or within 30 days of receiving feedback

    from the concerned department on draft reports.

    • The audit, as mentioned above, has to be completed in time. It is expected

    that, if required, the successful bidder may deploy multiple teams to complete

    the audit projects within given time frame.

(c) Audit Report

    The Website security audit report is a key audit output and must contain the

    following:


    1. Identification of auditee (Address & contact information)

    2. Dates and Location(s) of audit

    3. Terms of reference (as agreed between the auditee and auditor), including the

    standard for Audit, if any

    4. Audit plan

    5. Explicit reference to key auditee organisation documents (by date or version)

    including policy and procedure documents

    6. Additional mandatory or voluntary standards or regulations applicable to the

    auditee

    7. Standards followed

8. Summary of audit findings, including identification tests, tools used and results of tests performed (like vulnerability assessment, application security assessment, password cracking, etc.):

a. Tools used

b. List of vulnerabilities identified

c. Description of each vulnerability

d. Risk rating or severity of each vulnerability

e. Test cases used for assessing the vulnerabilities

f. Illustration of the test cases to prove the vulnerability

g. Applicable screen dumps

9. Analysis of vulnerabilities and issues of concern

10. Recommendations for action

11. Personnel involved in the audit, including identification of any trainees

The auditor may further provide any other required information as per the approach adopted by them and which they feel is relevant to the audit process.

12. The successful bidder must also follow the guidelines of the National Informatics Centre (NIC) for website security audit and submit the audit report as per the format mentioned in the guidelines. These guidelines are available at Annexure-14.

    2.3 Expectations Of Auditee Organization From The Auditor

    Following are the expectations of auditee from the auditor:

    1. Verification of possible vulnerable services will be done only with explicit

    written permission from the auditee.


    2. The auditee will refrain from security testing of obviously highly insecure

    and unstable systems, locations, and processes until the security has been

    put in place.

    3. With or without a Non-Disclosure Agreement Contract, the security

    auditor will be ethically bound to confidentiality, non-disclosure of

    customer information, and security testing results.

    4. Auditor should have clarity in explaining the limits and dangers of the

    security test.

    5. In the case of remote testing, the origin of the testers by telephone

    numbers and/or IP addresses will be made known.

    6. Seeking specific permissions for tests involving survivability failures,

    denial of service, process testing, or social engineering will be taken.

    7. The scope should be clearly defined contractually before verifying

    vulnerable services.

    8. The scope should clearly explain the limits of the security test.

    9. The test plan should include both calendar time and man-hours.

    10. The test plan should include hours of testing.

    11. The security auditors are required to know their tools, where the tools

    came from, how the tools work, and have them tested in a restricted test

    area before using the tools on the customer organization.

    12. The exploitation of Denial of Service tests is done only with explicit

    permission.

    13. High risk vulnerabilities such as discovered breaches, vulnerabilities with

    known, high exploitation rates, vulnerabilities which are exploitable for

    full, unmonitored or untraceable access, or which may convey immediate

    risk, discovered during testing are to be reported immediately to the

    Department of Information Technology, Government of N.C.T. of Delhi

    with a practical solution as soon as they are found.

    14. The Auditor is required to notify the auditee whenever the auditor changes

    the auditing plan, changes the source test venue, has high risk findings,

    previous to running new, high risk or high traffic tests, and if any testing

    problems have occurred. Additionally, the Department of Information

    Technology, Government of N.C.T. of Delhi is to be notified with

    progress updates at reasonable intervals.


    15. Reports should state clearly all states of security found and not only failed

    security measures.

    16. Reports will use only qualitative metrics for gauging risks based on

    industry-accepted methods. These metrics are based on a mathematical

    formula and not on feelings of the auditor.

    17. The Auditor is required to notify the Department of Information

    Technology, Government of N.C.T. of Delhi when the report is being sent

    as to expect its arrival and to confirm receipt of delivery.

    18. All communication channels for delivery of report are end to end

    confidential.
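Item 16 above asks for risk ratings derived from a formula rather than the auditor's judgement, and sections 1.24 and 2.2 (c) item 8(d) ask for a risk rating per finding and a summary compliance report per task that ends in the "Certified for Security" decision. The following is an added example of how such a report can be computed; it is not the RFP's own method nor any named standard's scale. The 1 to 5 likelihood and impact scales, the score bands, the placeholder site name and the findings are all assumptions constructed for illustration.

```python
"""Formula-based risk rating and per-task summary compliance report.
Added example; the scales, bands and findings are assumptions."""
from dataclasses import dataclass

# Assumed ordinal scales: likelihood 1..5, impact 1..5, score = product (1..25).
# Bands are (minimum score, label), checked from highest to lowest.
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]


@dataclass
class Finding:
    site: str
    title: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    fixed: bool = False   # set once the re-audit (Task 2 / Task 3) confirms closure

    @property
    def score(self) -> int:
        """Numeric risk = likelihood * impact; reject values off the scale."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        """Qualitative band derived only from the score, never assigned by hand."""
        for floor, label in BANDS:
            if self.score >= floor:
                return label
        return "Low"


def summary_compliance(site: str, findings: list) -> dict:
    """Per-site summary for one task: counts per band, open items ordered by
    score, and the certification decision. The RFP certifies a site only once
    no vulnerability remains, so any open finding blocks certification."""
    mine = [f for f in findings if f.site == site]
    open_items = sorted((f for f in mine if not f.fixed),
                        key=lambda f: f.score, reverse=True)
    counts = {label: 0 for _, label in BANDS}
    for f in mine:
        counts[f.rating] += 1
    return {
        "site": site,
        "counts": counts,
        "open": [(f.title, f.rating, f.score) for f in open_items],
        "certified_for_security": not open_items,
    }


def sample_findings() -> list:
    """Constructed findings against a placeholder site name (not a real audit)."""
    return [
        Finding("example-dept", "SQL injection in search form", 5, 5, fixed=True),
        Finding("example-dept", "Reflected XSS on login page", 4, 3, fixed=True),
        Finding("example-dept", "Server version disclosed in banner", 3, 1),
    ]


if __name__ == "__main__":
    print(summary_compliance("example-dept", sample_findings()))
```

Because the band comes from the score alone, two auditors rating the same likelihood and impact produce the same label, which is the reproducibility item 16 is after; the open-item list is what the follow-up under section 1.24 tracks from one task to the next.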


2.4 List of Websites: Following is the list of websites for which the bidder will be required to do the security audit.

List of Government, Autonomous and Local Bodies Departments: 76

Government Departments: 53

S.No. Website URL - Department Name

1 http://www.ar.delhigovt.nic.in - Administrative Reforms
2 http://www.artandculture.dehigovt.nic.in - Art, Culture and Language
3 http://www.audit.delhigovt.nic.in - Audit
4 http://tiharprisons.nic.in - Central Jail
5 http://www.chitfund.delhigovt.nic.in - Chit Fund
6 http://www.forest.delhigovt.nic.in - Conservator of Forest
7 http://www.dce.ac.in/ - Delhi College of Engineering
8 http://www.dfsdelhigovt.nic.in - Delhi Fire Services
9 http://www.delhiassembly.nic.in - Delhi Legislative Assembly
10 http://www.sec.delhigovt.nic.in - Delhi State Election Commission
11 http://www.dsssb.delhigovt.nic.in - Delhi Subordinate Services Selection Board
12 http://www.dccentral.delhigovt.nic.in - Deputy Commissioner (Central)
13 http://www.dceast.delhigovt.nic.in - Deputy Commissioner (East)
14 http://dcnewdelhi.delhigovt.nic.in - Deputy Commissioner (New Delhi)
15 http://www.dcnortheast.delhigovt.nic.in - Deputy Commissioner (North East)
16 http://www.dcnorthwest.delhigovt.nic.in - Deputy Commissioner (North West)
17 http://www.dcnorth.delhigovt.nic.in - Deputy Commissioner (North)
18 http://www.dcsouthwest.delhigovt.nic.in - Deputy Commissioner (South West)
19 http://www.dcsouth.delhigovt.nic.in - Deputy Commissioner (South)
20 http://www.dcwest.delhigovt.nic.in - Deputy Commissioner (West)
21 http://development.delhigovt.nic.in/ - Development
22 http://agriculturalmarketing.delhigovt.nic.in/ - Directorate of Agricultural Marketing
23 http://www.des.delhigovt.nic.in - Directorate of Economics and Statistics
24 http://www.health.delhigovt.nic.in - Directorate of Health Services (DHS)
25 http://www.districts.delhigovt.nic.in - District Administration
26 http://www.ceodelhi.nic.in - Election (Chief Electoral Office)
27 http://www.environment.delhigovt.nic.in - Environment
28 http://www.excise.delhigovt.nic.in - Excise
29 http://www.gbpant.org - G. B. Pant Hospital
30 http://www.higheredn.delhigovt.nic.in - Higher Education
31 http://www.delhihomeguards.nic.in - Home Guard & Civil Defence
32 http://www.industries.delhigovt.nic.in - Industries
33 http://www.publicity.delhigovt.nic.in - Information and Publicity
34 http://www.ifc.delhigovt.nic.in - Irrigation and Flood Control (I&FC)
35 http://www.land.delhigovt.nic.in - Land and Building
36 http://www.law.delhigovt.nic.in - Law and Justice and Legislative Affairs
37 http://www.mamc.ac.in/ - Maulana Azad Medical College
38 http://www.delhiplanning.nic.in - Planning
39 http://www.pfa.delhigovt.nic.in - Prevention of Food Adulteration (PFA)
40 http://www.coa.delhigovt.nic.in - Principal Accounts Office
41 http://www.pgc.delhigovt.nic.in - Public Grievances Commission
42 http://www.pwd.delhigovt.nic.in - Public Works Department (PWD)
43 http://www.rcs.delhigovt.nic.in - Registrar Cooperative Society
44 http://services.delhigovt.nic.in - Services
45 http://www.socialwelfare.delhigovt.nic.in - Social Welfare / Rehabilitation Services
46 http://www.delhigovt.nic.in/dept/Tourism/default.htm - Tourism
47 http://www.tte.delhigovt.nic.in - Training & Technical Education
48 http://www.transport.delhigovt.nic.in - Transport
49 http://www.utcs.delhigovt.nic.in - Union Territory Civil Services (UTCS)
50 http://delhigovt.nic.in/dept/ud/index.asp and http://www.delhigovt.nic.in/dept/UD/welcome.htm - Urban Development
51 http://www.delhigovt.nic.in/dept/vigilance/welcome.htm - Vigilance
52 http://www.weights.delhigovt.nic.in - Weights & Measures
53 http://www.scstwelfare.delhigovt.nic.in - Welfare of SC/ST

Local Bodies: 01

S.No. Website URL - Department Name

1 http://www.ndmc.gov.in - New Delhi Municipal Corporation (NDMC)

Autonomous Departments: 22

S.No. Website URL - Department Name

1 http://www.delhihomeoboard.com - Board of Homeopathic System of Medicine
2 http://www.delagrimarket.org - Delhi Agriculture Mkt. Board
3 http://www.dcw.delhigovt.nic.in - Delhi Commission for Women
4 www.dchfcdelhi.com - Delhi co-op. Housing Societies Finance Co. Ltd.
5 http://www.dfcdelhi.nic.in - Delhi Financial Corporation (DFC)
6 http://www.delhijalboard.nic.in - Delhi Jal Board (DJB)
7 http://www.dkvib.delhigovt.nic.in - Delhi Khadi Village Industries Board (DKVIB)
8 http://www.dlwb.delhigovt.nic.in - Delhi Labour Welfare Board
9 http://www.dmc.delhigovt.nic.in/ - Delhi Minority Commission
10 http://www.pharmacy.delhigovt.nic.in - Delhi Pharmacy Council
11 http://www.dscsc.delhigovt.nic.in - Delhi State Civil Supplies Corporation Limited (DSCSC)
12 http://www.delhitrafficpolice.nic.in - Delhi Traffic Police
13 http://dtc.nic.in - Delhi Transport Corporation (DTC)
14 http://www.delhicourts.nic.in - District & Session Judge Office
15 http://www.ipu.ac.in - Guru Gobind Singh Indraprastha University
16 http://www.ihbas.delhigovt.nic.in - IHBAS
17 http://www.ipgcl-ppcl.com - Indraprastha Power Generation Co. Ltd
18 http://ilbs.delhigovt.nic.in - Institute of Liver and Biliary Sciences
19 http://www.delhidemo.nic.in/lokayukta/home.asp - Lokayukta
20 http://www.mgiirepd.org.in - Mahatma Gandhi Institute of Integrated Rural Energy Planning and Development
21 http://www.nsit.ac.in - Netaji Subhash Institute of Tech.
22 http://www.cbsdu.net - Shaheed Sukhdev College of Business Studies


    3.1 Annexure-1: Notice of Intent to Bid

    Letter Dated Date/Month/Year

    The Secretary, Information Technology

    Government of NCT of Delhi

    Dear Sir,

    RE: Notice of Intent to Submit the Proposal

    This is to notify you that our firm/company intends to submit a proposal in response to RFP No……………………. Primary and Secondary contacts for our firm/company are:

    Primary Contact                Secondary Contact

    Name :

    Title :

    Company Name :

    Address :

    Phone :

    Fax :

    E-mail :

    Sincerely,

    [BIDDER’S NAME]

    Title

    Signature

    Date


    3.2 Annexure-2: Proposal covering letter

    Letter Dated Date/Month/Year

    The Secretary, Information Technology

    Government of NCT of Delhi

    Dear Sir,

    Re: website and web application security audit for the Delhi Government departments, Corporations and Local bodies.

    In response to the RFP for “website and web application security audit for the Delhi Government Departments, Corporations and Local bodies” issued by the Secretary, Information Technology, the Government of NCT of Delhi, we herewith submit our proposal. The following documents have been included as part of the proposal:

    S.No Enclosed documents
    1 Pre-qualification bid (sealed and marked)
    2 Technical bid (sealed and marked)
    3 Commercial bid (sealed and marked)
    4 EMD amount in the form of DD as mentioned in section 1.3.1 of this RFP.
    5 Additional information if any

    1. Having examined the tender Documents and Appendices thereto and Addenda Numbers …………. thereto, we, the undersigned, offer to provide the said services, in conformity with the said Contract, Terms of Reference and Appendices thereto and Addenda, for the sum indicated as per the attached Financial Proposal.

    2. We acknowledge having received the following Addenda to the bid documents:

    Addendum No. Date


    3. We undertake, if our proposal is accepted, to provide the services comprised in the contract within 15 days of the receipt of notification of award from the Information Technology Department, Government of NCT of Delhi.

    4. If our proposal is accepted, we will obtain, within 15 days of receipt of notification of award, the guarantee of a scheduled commercial bank to be jointly and severally bound with us in the form of a Performance Guarantee.

    5. We agree to execute the work in the form set out in the tender Documents, with such alterations or additions thereto as may be necessary to adapt such agreement to the circumstances of this tender and notice of award, within 105 days after notification of your intention to accept this proposal.

    6. Unless and until a formal agreement is prepared and executed, this proposal together with your written acceptance thereof shall constitute a binding contract between us and shall be deemed for all purposes to be the contract agreement.

    7. We understand that you are not bound to accept the lowest or any bid you may receive, nor to give any reason for the rejection of any bid, and that you will not defray any expenses incurred by us in bidding.

    8. We would like to clearly state that we qualify for this work as our company meets all the pre-qualification criteria indicated in your tender document. The details are as under.

    Dated this …………………………. day of

    …………………………………...……….

    Signature …………………………………………………………………………………

    In the capacity of ……………………………………………………………..………….

    Duly authorised to sign bids for and on behalf of

    ……………………………………………………………………………………………

    (IN BLOCK CAPITALS)

    Address:

    Witness:


    Address:

    Occupation:

    Sincerely yours

    (Signature) (In the capacity of)

    Duly authorized to sign the Tender Response for and on behalf of :

    (Name and address of Company) Seal/Stamp of bidder

    Witness Signature :

    Witness Name :

    Witness Address :

    CERTIFICATE AS TO AUTHORIZED SIGNATORIES

    I certify that I am Secretary of the …………………., and that ……………………………………………. who signed the above Bid is authorized to bind the corporation by authority of its governing body.

    (Secretary)

    Date

    (Seal here)


    3.3 Annexure-3: Pre-qualification bid covering letter

    Letter Dated Date/Month/Year

    The Secretary, e-Governance

    Government of NCT of Delhi

    Dear Sir,

    Re: Submission of Pre-Qualification Bid for website and web application security audit for the Delhi Government departments, Corporations and Local bodies.

    Having examined the tender document, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to conduct the website and web application security audit for the Delhi Government Departments, Corporations and Local bodies as required and outlined in the RFP for Government of NCT of Delhi.

    The details sought by the Government to evaluate the bidder’s technical skill base and financial capacity for website and web application security audit for the Delhi Government departments, Corporations and Local bodies are provided in the pre-qualification bid. As required, the list of details specified in the table below is given in the formats specified in the RFP:

    S.No Enclosed details Pg.No

    1 General information about the Bidder/Consortium

    2 Information about the company

    3 Financial details as per audited balance sheet

    The details specified in the formats are substantiated with support documents as required.

    Sincerely yours


    (Signature) (In the capacity of)

    Duly authorized to sign the Tender Response for and on behalf of :

    (Name and Address of Company) Seal/Stamp of bidder

    Witness Signature : Witness Name :

    Witness Address :

    CERTIFICATE AS TO AUTHORISED SIGNATORIES

    I certify that I am Secretary of the ……………….., and that ………………………….. who signed the above Bid is authorized to bind the corporation by authority of its governing body.

    (Secretary)

    Date

    (Seal here)


    3.4 Annexure-4: Pre-qualification Formats

    I General Information

    S.No Particulars Details to be Furnished

    A Details of the Prime Bidder (Company)

    Name

    Address

    Telephone/Mobile Fax

    E-mail Website

    Details of Authorized person

    Name

    Address

    Telephone/Mobile Email

    II Information about the Company

    i) Does the firm/company have a company registered under the Indian Companies Act, 1956, the Partnership Act, 1932 and the Registration of Societies Act?
    Give Page no. where proof is given

    ii) Has the firm/company been in operation for a period of at least 3 years as of 31.3.2007?
    Give Page no. where proof is given.

    iii) Has the firm/company provided attested copies of the following valid documents?
    a. Provident Fund No.
    b. PAN No.
    c. Service Tax Registration No.
    d. Income Tax Registration No.
    Give Page no. where proof is given

    iv) Does the Firm/Company have Empanelment as an IT Security Auditor by CERT-In (valid up to 31st March 2008)?
    Give Page no. where proof is given

    v) Does the Firm/Company have SEI CMM Level 5 Certification?
    Give Page no. where proof is given


    vi) Does the Firm/Company have a branch in the National Capital Region?
    Give Page no. where proof is given

    vii) Does the Firm/Company have experience of conducting similar Website Audits as proposed by the Department of Information Technology, Government of N.C.T. of Delhi, with a minimum of 3 audit projects in organizations like banks, financial institutions, insurance companies or Government departments during the last 3 years?
    Give Page no. where proof is given

    viii) Does the Firm/Company have at least one Commercial Security Audit Tool?
    Give Page no. where proof is given

    III Financial Details as per Audited Balance Sheet

    i) Does the firm/company have an average turnover of 25,00,000/- (Twenty-five Lakhs) during the last 3 financial years in Information Technology related Projects as revealed by audited accounts? (Proof of this needs to be attached)

    Year Turnover in Rs.
    2004-05
    2005-06
    2006-07
    Total Turnover (the last three years in Information Technology related operations):

    Give Page no. where proof is given

    IV) Manpower for deploying to this project

    i) Do you have a Project Manager (to be deployed on the project, if awarded) who has a fulltime B.Tech/B.E in Computer Engineering/Information Technology and at least ten years experience in the Information Technology field, out of which he/she should have at least 5 years experience in handling Information Security Audit? The project manager to be deployed on this project must be a CISA certified person.
    Give Page no. where proof is given.


    ii) Do you have 5 personnel (to be deployed on the project, if awarded) who have a fulltime B.Tech/B.E in Computer Engineering/Information Technology and at least 5 years experience in the Information Technology field, out of which he/she should have at least two years experience in handling Information Security Audit? Preference will be given to CISA/CISSP certified persons.
    Give Page no. where proof is given.

    Please provide details of the personnel intended to be deployed to this project in the format given at Annexure 10 & Annexure 13 of this RFP.

    3.5 Annexure-5 Technical Bid

    Letter Dated Date/Month/Year

    The Secretary, Information Technology

    Government of Delhi

    Dear Sir,

    Sub: Technical bid proposal for website and web application security audit for the Delhi Government departments, Corporations and Local bodies.

    Having examined the tender document, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to conduct the website and web application security audit for the Delhi Government departments, Corporations and Local bodies as required and outlined in the RFP for Government of N.C.T of Delhi.

    To meet such requirements and provide such services as are set out in the tender document, we attach hereto the tender technical response as required by the tender document, which constitutes our proposal. Our abilities to conduct the website and web application security audit for the Delhi Government departments, Corporations and Local bodies as required by the Government are explained in the technical response. The response sought by the Government is given within the formats prescribed by the Government. Kindly refer to the enclosures for details on the formats enclosed. Additionally, we have included the following supplementary information to support our proposal:


    i. Supplementary information title one

    ii. Supplementary information title two

    If our proposal is accepted, we will obtain a performance bank guarantee in the format given in the tender document, issued by a Scheduled Commercial Bank in India acceptable to the Government of Delhi, for a sum of 10% of the value of the contract for due performance of the contract.

    We agree to unconditional acceptance of all the terms and conditions set out in the tender document, and also agree to abide by this tender response for a period of SIX (plus ONE) MONTHS from the date fixed for tender opening; it shall remain binding upon us with full force and virtue until, within this period, a formal contract is prepared and executed. This tender response, together with your written acceptance thereof in your notification of award, shall constitute a binding contract between us and the Government of NCT of Delhi.

    We have read and understood the criteria spelt out for evaluating the technical bids as mentioned in this RFP. If the committee invites us to make a presentation on a date, time and location determined by Secretary (Information Technology), we will be glad to be there and present the solution proposed by us and the key points of our proposal.

    During technical bid evaluation, if you find some parts of the proposal ambiguous or uncertain, you may seek oral clarifications. The clarifications shall be addressed to the primary contact person Dr. V. Ranga Rao, who is reachable at the following address:

    Address and telephone information:
    Department of Information Technology,
    Government of NCT of Delhi,
    Level – 9, B - Wing, Delhi Secretariat,
    I.P. Estate, New Delhi-110 002.
    Phone: 011-23392074 Email: [email protected]

    We confirm that the information contained in this proposal or any part thereof, including its exhibits, schedules, and other documents and instruments delivered or to be delivered to the Government of N.C.T of Delhi, is true, accurate, and complete. This proposal includes all information necessary to ensure that the statements therein do not in whole or in part mislead the Government of N.C.T of Delhi as to any material fact.


    We agree that you are not bound to accept the lowest or any tender response you may receive. We also agree that you reserve the right, in the absolute sense, to reject all or any of the products/services specified in the tender response without assigning any reason whatsoever.

    It is hereby confirmed that I/We are entitled to act on behalf of our corporation/company/firm/organization and empowered to sign this document as well as such other documents as may be required in this connection.

    Dated this Day of 2007

    (Signature) (In the capacity of )

    Duly authorized to sign the Tender Response for and on behalf of :

    (Name and Address of Company) Seal/Stamp of bidder

    Witness Signature :

    Witness Name :

    Witness Address :


    CERTIFICATE AS TO AUTHORISED SIGNATORIES

    I certify that I am Secretary of the ……………………..., and that ……………………… who signed the above Bid is authorized to bind the corporation by authority of its governing body.

    (Secretary) Date

    (Seal here)


    3.6 Annexure 6 Technical Bid Format:

    TECHNICAL EVALUATION FORMAT

    1) Describe Experience in working with Government Departments and Public Sector for similar Projects. (As per Annexure 8)

    2) Describe Quality Management Standards/Certifications

    3) Describe Experience in conducting similar website and web application Security Audit. (As per Annexure 8)

    4) Describe Level of understanding of the Project

    5) Provide Vendor’s Proposed Technical solution: Type of Security assessment tools that will be used for identifying Security Vulnerabilities (Licensed/Free) and Technologies.

    6) Describe Project implementation Methodology giving approach of vendor along with rollout plan, Project Management and Reporting.

    7) Describe Level of skills and experience

    8) List Number of CISA / CISSP and other personnel to be deployed on this project.
    a) No of CISAs :-
    b) No of CISSPs:-
    c) Others:-

    9) Number of Personnel in various categories proposed to be deployed on this project. Provide complete details like their Job / Experience / qualifications profile of the Project Manager and other key Personnel to be involved in the project (As per Annexure 10 and Annexure 13), including relevance of Experience of the Individual to the Website & Web Application Security.

    10) Sample Reports, Fulfilment of Audit Requirements as per this RFP Scope of Work - The extent to which the Bidder’s proposed solution fulfils the Department of Information Technology’s stated requirements as set out in this tender. An assessment of the Bidder’s ability to deliver the indicated service in accordance with the specifications set out in this tender.

    3.7 Annexure 7: FINANCIAL PROPOSAL FORMAT

    Cost Summary Sheet:

    Sr.No Carrying out Security Audit Cost in Rupees
    1 Task 1: Web Security Audit/Assessment. Rs.
    2 Task 2: Re-Audit – Audit of websites and applications based on Task 1. Rs.
    3 Task 3: Re-re-Audit – Further iteration of Re-Audit (if required) based on Task 2. Rs.
    4 Sub total Cost of Sr.No 1, Sr.No 2 & Sr.No 3: Rs.
    5 *Cost on account of Taxes:
      5a) VAT (If applicable) Rs.
      5b) Service Tax (If applicable) Rs.
      5c) Any other Taxes (If applicable) Rs.
    6 Sub total Cost of 5(a), 5(b) and 5(c) Rs.
    7 **Grand Total Cost: (Sr. No 4 and Sr. No 6) Rs.

    Note:

    • *Please show the calculation of taxes along with the applicable rate of taxes.

    • **Grand total cost of the project arrived at by the above formula will be considered for financial bid evaluation.

    • Definition and Scope of each element above is detailed in Section 2 Scope of Work.

    Company’s Official Seal

    Signature: ___________________________ Date: _______________

    Full Name of Signatory: ___________________________

    Duly authorized to sign bids for and on behalf of: _____________________________


    3.8 Annexure 8: PROJECT EXPERIENCE

    COMPANY'S SPECIFIC EXPERIENCE DURING LAST THREE YEARS IN THE FIELD OF IT SECURITY:

    The following information should be provided in the format indicated for each reference project for which your company, either individually as a corporate entity or as one of the major companies within a consortium, has carried out such and/or similar work in the field of Information Technology Security Audit.

    Project Name:
    Country:
    Project Location within Country:
    Professional Staff Provided by your Company/Associates (No. of Staff):
    Name of Client, Public/Private Sector:
    Contact Person, Contact Details, Address:
    No. of Man-months:
    Start Date (month/year):
    Completion Date (month/year):
    Approx. Value of Services:
    Name of Associated company(s), if any:
    No. of Man-months of professional staff provided by associated company(s):
    Name of Senior Staff (Project Director/Coordinator, Team Leader) involved and functions performed:
    Detailed Narrative Description of Project, nature of work, and services provided by your company:


    3.9 Annexure 9 – UNDERTAKING FORMAT

    1. It is certified that the information furnished herein and as per the documents submitted is true and correct and nothing has been concealed or tampered with. We have gone through all the conditions of the tender and are liable to any punitive action for furnishing false information / documents.

    2. The technical solution offered fully meets your requirements and has no deviations or variations from the scope of work defined in this RFP. The entire work shall be performed as per the Department of Information Technology, Government of N.C.T. of Delhi, specifications and documents.

    Dated this _____ day of ____________________ 2007

    Signature

    (Company Seal)

    __________________

    In the capacity of

    Duly authorized to sign Applications for and on behalf of:


    3.10 Annexure 10: FORMAT OF CURRICULUM VITAE

    • Name of Company:

    • Name of Staff:

    • Job Designation:

    • Role in this project

    • Total years of experience:

    • Years with Company:

    • Nationality:

    • Membership in Professional Societies:

    • Key Qualifications:

    (Give an outline of staff member’s experience and training most pertinent to tasks on

    assignment. Describe degree of responsibility held by staff member on relevant

    previous assignments and giv