

Tender through E- Procurement For

Online scanning services for BPCL websites

Document Title: Tender Specifications for Online scanning services for BPCL websites
Document Type: RFP
Bid Type: Two part bid (Technical & commercial)
CRFQ No: 1000230862
Date of RFQ: 22.05.2015
Pre-Bid meeting: 27.05.2015 (15:00 hrs IST)
Last Date for Submission of Bid: 01.06.2015 (15:00 hrs IST)

RFQ issued by: Bharat Petroleum Corporation Limited, Information Systems Department, Bharat Bhavan II, 2nd Floor, 4 & 6 Currimbhoy Road, Ballard Estate, Mumbai 400 001.


Subject: Invitation of Tender for online scanning services for BPCL websites

Dear Sir / Madam,

1. You are invited to submit your offer in a two-part bid for the subject job as per the technical specifications and on the terms & conditions contained in this tender document.

2. Please visit the website https://bpcleproc.in for participating in the tender and submitting your bid online.

3. Bidders are required to submit their bids in two parts consisting of the following, through this e-tender:

i) Techno-Commercial Bid: This should contain all technical details, literature, leaflets, etc., and confirmation of the commercial terms and conditions of the tender.

ii) Price bids: This should contain Prices/Taxes against the Bill of materials.

4. On opening bids in the system on the tender due date and time, the technical bids will be opened first.

5. Commercial bids of only those bidders who qualify on the techno-commercial criteria will be opened and evaluated further.

6. It is necessary, for all the bidders to submit an EMD of Rs. 1 lac by DD drawn in favour of ‘Bharat Petroleum Corpn. Ltd.’ on any scheduled Bank payable at Mumbai, in physical form in our office at the following address before due date and time failing which bids will not be considered:

Mr. Milind Mangalgiri, IS Department, 2nd floor, Bharat Bhavan II, 4 & 6 Currimbhoy Road, Ballard Estate, Mumbai – 400001.

EMD of the unsuccessful bidders shall be returned after finalization of the L-1 bidder.

7. You should submit your Techno-commercial & price bid through online mode to the BPCL e-tendering site. However, the instrument, i.e. EMD in the form of Demand Draft, is to be submitted in physical form on or before the due date and time of this tender. No claims on account of postal delay or any other reason shall be entertained.

8. BPCL does not take any responsibility for any delay in submission of online bid due to connectivity problem or non-availability of site and/or non receipt of instrument i.e. DD due to postal delay. DD and NDA to be submitted in physical form.

9. Incomplete tenders shall be liable for rejection without seeking any further clarification. We also reserve the right to reject any or all tenders without assigning any reasons whatsoever.

Yours faithfully,
For Bharat Petroleum Corporation Ltd.
Milind Mangalgiri
Sr. Manager IS (Procurement & Contracts)


Contents

General Instructions to Tenderers for E-Tendering
1. INTRODUCTION
2. EVALUATION METHODOLOGY
2.1. TECHNICAL EVALUATION CRITERIA
2.2. COMMERCIAL BID EVALUATION
3. SCOPE OF WORK (SOW)
4. TERMS OF DELIVERY
5. SLA
6. PENALTY
7. TERMINATION OF THE CONTRACT (EXIT CLAUSE)
8. OTHER
9. PAYMENT TERMS
10. UN-PRICED BID
11. Commercial Terms & Conditions
ANNEXURE – I (TECHNICAL COMPLIANCE)
NDA Format & Third Party and outsourcing services policy


General Instructions to Tenderers for E-Tendering

1. Interested parties may download the tender from BPCL website (http://www.bharatpetroleum.in) or the CPP portal (http://eprocure.gov.in) or from the e-tendering website (https://bpcleproc.in) and participate in the tender as per the instructions given therein, on or before the due date of the tender. The tender available on the BPCL website and the CPP portal can be downloaded for reading purpose only. For participation in the tender, please fill up the tender online on the e-tender system available on https://bpcleproc.in

2. For registration on the e-tender site https://bpcleproc.in, you can be guided by the "Instructions to Vendors" available under the download section of the homepage of the website. As the first step, the bidder shall have to click the "Register" link and fill in the requisite information in the "Bidder Registration Form". Kindly remember your e-mail id (which will also act as the login ID) and the password entered therein. Once you complete this process correctly, you shall get a system generated mail. Log in to the portal using your credentials. When you log in for the first time, the system will ask you to add your Digital Signature. Once you have added the Digital Signature, please inform us by mail to the vendor administrator [email protected] with a copy to [email protected] for approval. Once approved, bidders can log in to the system as and when required.

3. As a pre-requisite for participation in the tender, vendors are required to obtain a valid Digital Certificate of Class IIB and above (having both signing and encryption certificates) as per the Indian IT Act from the licensed Certifying Authorities operating under the Root Certifying Authority of India (RCIA), Controller of Certifying Authorities (CCA). The cost of obtaining the digital certificate shall be borne by the vendor.

In case any vendor so desires, he may contact our e-procurement service provider M/s. E-Procurement Technologies Ltd., Ahmadabad (Contact no. Tel: +91 79 4001 6816 | 6848 | 6844 | 6868 & Tel: +91 22 65354113 | 65595111) for obtaining the digital signature certificate

4. Corrigendum/amendment, if any, shall be notified on the site https://bpcleproc.in. In case any corrigendum/amendment is issued after the submission of the bid, then such vendors, who have submitted their bids, shall be intimated about the corrigendum/amendment by a system-generated email. It shall be assumed that the information contained therein has been taken into account by the vendor. They have the choice of making changes in their bid before the due date and time.

5. Price bid of only those vendors shall be opened whose Techno-Commercial bid is found to be acceptable to us. The schedule for opening the price bid shall be advised separately.

6. Tenderer is required to complete the following process online on or before the due date/time of closing of the tender:
- Technical bid
- Price bid

7. Directions for submitting online offers, electronically, against e-procurement tenders directly through internet:

(i) Vendors are advised to log on to the website (https://bpcleproc.in) and arrange to register themselves at the earliest, if not done earlier.


(ii) The system time (IST) that will be displayed on e-Procurement web page shall be the time considered for determining the expiry of due date and time of the tender and no other time shall be taken into cognizance.

(iii) Vendors are advised in their own interest to ensure that their bids are submitted in the e-Procurement system well before the closing date and time of bid. If the vendor intends to change/revise the bid already submitted, they shall have to withdraw their bid already submitted, change / revise the bid and submit once again. In case the vendor is not able to complete the submission of the changed/revised bid within the due date & time, the system would consider that no bid has been received from the vendor against the tender and consequently the vendor will be out of contention. Vendors may change / revise their bid any number of times till the due date and time of the submission deadline. However, no bid can be modified after the deadline for submission of bids.

(iv) Once the entire process of submission of online bid is complete, they will get an auto mail from the system stating you have successfully submitted your bid in the following tender with tender details.

(v) Bids / Offers shall not be permitted in the e-procurement system after the due date / time of tender. Hence, no bid can be submitted after the due date and time of submission has elapsed.

(vi) No manual bids/offers along with electronic bids/offers shall be permitted.

8. For tenders whose estimated procurement value is more than Rs. 10 lakhs, vendors can see the rates quoted by all the participating bidders once the price bids are opened. For this purpose, vendors shall have to log in to the portal under their user ID and password, click on the "dash board" link against that tender and choose the "Results" tab.

9. No responsibility will be taken by BPCL and/or the e-procurement service provider for any delay due to connectivity and availability of website. They shall not have any liability to vendors for any interruption or delay in access to the site irrespective of the cause. It is advisable that vendors who are not well conversant with e-tendering procedures start filling up the tenders much before the due date /time so that there is sufficient time available with him/her to acquaint with all the steps and seek help if they so require. Even for those who are conversant with this type of e-tendering, it is suggested to complete all the activities ahead of time. It should be noted that the individual bid becomes viewable only after the opening of the bid on/after the due date and time. Please be reassured that your bid will be viewable only to you and nobody else till the due date/ time of the tender opening. The non-availability of viewing before due date and time is true for the e-tendering service provider as well as BPCL officials.

10. BPCL and/or the e-procurement service provider shall not be responsible for any direct or indirect loss or damages and or consequential damages, arising out of the bidding process including but not limited to systems problems, inability to use the system, loss of electronic information etc.

In case of any clarification pertaining to e-procurement process, the vendor may contact the following agencies / personnel:

1. For system related issues: M/s. E-Procurement Technologies Ltd at contact no. Tel: +91 22 65354113 | 65595111 & Tel: +91 79 4001 6816 | 6848 | 6844 | 6868, followed with an e-mail to id [email protected].

2. For tender related queries:

a. Mr. Anil Satpute of BPCL at contact no. 022-22714237 followed with an email to ID [email protected]


b. Mr. Milind Mangalgiri of BPCL at contact no. 022-22713754 /22714214 followed with an email to ID [email protected]

The responsible person of the tender is Mr. Milind Mangalgiri of BPCL at contact no. 022-22713754 / 22714214.

1. INTRODUCTION

BPCL has taken many IT initiatives. To support the business, many websites have been created by the respective Business Units to promote various brands & services. Security measures are enforced for these websites at various levels (Application Security, Network Security, Database Security, OS Security, Access Controls, Physical Security, etc.) to maintain website security. To further strengthen the security infrastructure, BPCL requires a web based solution that performs daily vulnerability assessment, application audit and malware monitoring and protects these websites from data breaches and defacement through a Web Application Firewall (WAF), in a service model. The contract would be valid for 3 years. The tender is non-transferable.

2. EVALUATION METHODOLOGY

2.1. TECHNICAL EVALUATION CRITERIA

2.1.1 Technical bids will be accepted only if they are in the prescribed format in the e-tender, with complete information as per the ANNEXURE and with necessary documents or documentary proof in support of compliance with the technical specifications.

2.1.2 During Technical evaluation, BPCL may ask the bidders for a technical presentation on the proposed architecture to BPCL team at Mumbai.

2.1.3 Only Technically Qualified bids would be evaluated further.

2.2. COMMERCIAL BID EVALUATION

2.2.1 Price bids of Technically Qualified bidders will be evaluated on unit rate and quantity for the period of three years, including applicable taxes. Contract will be awarded on overall lowest (L1) quote basis.

3. SCOPE OF WORK (SOW)

3.1. Successful bidder should provide daily website Security Assessment (system vulnerability, application vulnerability & malware monitoring) reports for the websites as requested in this tender and subsequent POs.

3.2. Successful bidder should have the ability to verify the fixing of the reported vulnerability.

3.3. Successful bidder should ensure that the reports of the scanning provided do not have any false positives.

3.4. Successful bidder should ensure that any newly discovered or publicly disclosed vulnerability is included in the scan policies within 36 hours of its announcement.

3.5. Successful bidder should provide weekly scan results to BPCL for all websites configured for daily vulnerability scanning, bypassing the WAF, if any.

3.6. Successful bidder should schedule the scan as per the requirement of BPCL.


3.7. As per the proposed subscription model, all the Internet traffic meant for web facing applications shall be routed first to the WAF on the cloud for scanning and genuine traffic will be forwarded to the web servers.

3.8. Proposed WAF shall ensure automatic protection without administrative intervention.

3.9. Successful bidder shall provide the WAF services in High availability mode.

3.10. No hardware and software to be installed at BPCL premises to provide Daily Vulnerability Scanning & Web Application Firewall.

3.11. Successful bidder shall provide all these security solutions in a security as a service (SaaS) model.

3.12. Successful bidder shall include websites under WAF as per the request of BPCL.

3.13. Successful bidder shall report immediately on any change in the homepage of a monitored website.

3.14. Successful bidder shall work with the website hosting service provider to diagnose the issue during non-availability of website services hosted under WAF. WAF vendor shall be the single point of contact during any website service unavailability.

3.15. WAF should be capable to handle minimum 5000 concurrent connections and minimum 20 Mbps throughput.

3.16. For any bandwidth utilization beyond 20 Mbps payment shall be made on actuals on pro rata basis (in multiple of 1 Mbps).

3.17. Successful bidder shall submit the quarterly WAF service uptime report for each website. However, the uptime report would be subjected to scrutiny by BPCL. In case of conflict, uptime report produced by BPCL would be treated as final.

3.18. Technical write-up of the proposed WAF solution for BPCL (provide full technical write-up on the solution offered to BPCL, including):
3.18.1. Technical Brochure of the products
3.18.2. Software licenses required and to be supplied by the vendor
3.18.3. Detailed architecture of the proposed solution

3.19. Successful bidder should submit risk analysis in executing this project, if any, & proposed mitigation plan.
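The routing model in 3.7 only protects a site if its origin server refuses traffic that did not come through the WAF; an attacker who learns the origin address otherwise bypasses the WAF entirely, and the weekly bypass scan in 3.5 means at least one non-WAF source (the scanner) is expected to reach the origin. The Python below is an added example, not code from the tender or from any bidder's product: it audits an origin access log for requests whose source is neither the WAF's egress ranges nor the scanner, and shows why X-Forwarded-For may only be trusted when the request really arrived from the WAF. The egress ranges, scanner address, log format and log lines are all constructed for the example.

```python
"""Audit an origin web server's access log for requests that bypassed the cloud WAF.

Added example for SOW 3.7 / 3.5; not code from the tender. All addresses,
the log format and the sample lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical published egress ranges of the cloud WAF (assumption).
WAF_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]
# Hypothetical address of the vendor's scanner that runs the weekly WAF-bypass scan.
SCANNER_IPS = {ipaddress.ip_address("198.51.100.7")}

# Assumed nginx log_format: "combined" plus "$http_x_forwarded_for" as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


@dataclass
class Finding:
    remote: str    # TCP peer address seen by the origin
    client: str    # client address we are willing to attribute the request to
    request: str
    verdict: str   # "waf", "scanner" or "bypass"


def classify_remote(remote):
    """Who connected to the origin: the WAF, the bypass scanner, or someone else."""
    ip = ipaddress.ip_address(remote)
    if ip in SCANNER_IPS:
        return "scanner"
    if any(ip in net for net in WAF_EGRESS):   # v4/v6 mismatch is simply False
        return "waf"
    return "bypass"


def effective_client_ip(remote, xff):
    """Trust X-Forwarded-For only when the WAF itself delivered the request.

    The WAF is assumed to append the address it saw, so the rightmost entry is
    the only one it vouches for; anything further left was supplied by the client.
    A direct (bypass) connection can forge the header freely, so it is ignored.
    """
    if classify_remote(remote) != "waf" or xff in ("", "-"):
        return remote
    return xff.split(",")[-1].strip()


def audit_log(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsable line: skip rather than guess
        verdict = classify_remote(m["remote"])
        client = effective_client_ip(m["remote"], m["xff"])
        findings.append(Finding(m["remote"], client, m["req"], verdict))
    return findings


def summarize(lines):
    counts = {"waf": 0, "scanner": 0, "bypass": 0}
    for f in audit_log(lines):
        counts[f.verdict] += 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2015:15:00:01 +0530] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "192.0.2.10"',
    '203.0.113.44 - - [01/Jun/2015:15:00:02 +0530] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "10.0.0.5, 192.0.2.11"',
    '198.51.100.7 - - [01/Jun/2015:15:00:03 +0530] "GET /admin HTTP/1.1" 403 180 "-" "Scanner/1.0" "-"',
    '192.0.2.99 - - [01/Jun/2015:15:00:04 +0530] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "curl/7.40" "203.0.113.10"',
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.verdict:8} remote={f.remote:14} client={f.client:14} {f.request}")
    print(summarize(SAMPLE_LOG))
```

The fourth sample line is the case that matters for 3.7: a direct connection to the origin that carries a forged X-Forwarded-For naming a WAF address. It is classified as a bypass from its TCP peer address, and the forged header is not used for attribution. In production the same allowlist belongs in the origin's firewall or web server configuration, so that such requests are refused rather than merely logged; the scanner exception should be limited to the scan window.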

4. TERMS OF DELIVERY

4.1. The successful bidder shall activate the online scanning & WAF services as per SOW within 15 days from the date of issue of PO.

4.2. The given quantities are indicative and can be changed based on the requirement of BPCL. Around 10 websites will be put under Vulnerability scanner during a period of three years.

4.3. To start with 6 websites would be placed under daily vulnerability scanner. BPCL shall include other websites for daily vulnerability scanning on request basis with same term & condition as mentioned in this tender.

4.4. Successful bidder shall add other website under daily vulnerability scanner or WAF, within 7 days from the date of receipt of request from BPCL.

4.5. Delay in project delivery (due to reason pertaining to the vendor) shall attract penalty calculated @0.1% of PO value per day of delay (maximum delay of 30 days), beyond which BPCL reserves the right to cancel the tender.

5. SLA

5.1. Uptime for WAF should be 99.9% on Quarterly basis (i.e. 129 minutes permissible downtime per quarter per website).

5.2. Successful bidder should submit daily scanning report and weekly scanning report bypassing WAF, if any, for each website separately.

5.3. Support: 24 X 7 X 365


5.4. Response Time for Online Scanning and WAF is 2 hours from time of logging call with successful bidder.

5.5. Successful Bidder should be single point of contact for both Website Scanning and WAF solution.

5.6. In case of interdisciplinary issues, successful bidder will be responsible until it is proven that the problem/issue lie outside successful bidder’s domain.

5.7. Critical Response time (in case of cyber-attack):

5.7.1 During cyber-attack on the WAF protected websites, successful bidder shall intimate BPCL representative within 15 minutes of the attack.

5.7.2 Successful bidder shall restore the WAF services with required fine-tuning in WAF within 2 hours of the incident.

6. PENALTY

6.1 Uptime: Bidder to ensure that the quarterly uptime for BPCL websites under WAF is at least 99.9%. Unavailability of WAF service (partial or full) shall be treated as downtime. (Website downtime other than WAF issues shall be treated separately).

6.2 Penalty would be calculated at Rs. 1000/- per hour or part thereof for every hour of downtime beyond the permissible downtime, with a maximum of 10% of quarterly contract value. Penalty would be calculated on accumulated downtime for each website separately.

6.3 BPCL will tolerate four missed instances of the daily and weekly scanning reports in a quarter. Beyond that, a penalty of Rs. 100/- per failed instance will be charged, with a maximum of 10% of quarterly contract value.
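Sections 5.1 and 6 define the penalties with a few details that are easy to get wrong when reconciling a quarterly invoice: the allowance is per website, downtime is accumulated across all outages of that website, every started hour beyond the allowance is charged in full, four missed report instances are tolerated before the Rs. 100 rate applies, and each penalty is capped at 10% of the quarterly contract value. The Python below is an added example that applies those rules to constructed outage figures; it is not part of the tender. The tender does not say whether the 10% cap applies per website or across all websites, and the example assumes one cap across all websites per penalty type.

```python
"""Quarterly SLA penalty arithmetic from sections 5.1, 6.2 and 6.3 of the RFP.

Added example, not part of the tender. The contract values and outage minutes
below are constructed. Assumption: each 10% cap applies to the total across all
websites for that penalty type (the tender does not say whether it is per website).
"""
import math

DOWNTIME_RATE_INR = 1000        # per hour or part thereof beyond the allowance (6.2)
MISSED_REPORT_RATE_INR = 100    # per missed scan report beyond the tolerance (6.3)
TOLERATED_MISSED_REPORTS = 4    # per quarter (6.3)
CAP_FRACTION = 0.10             # of quarterly contract value, per penalty type (6.2, 6.3, 7.1)


def permitted_downtime_minutes(days_in_quarter=90):
    """0.1% of the quarter, rounded down; 90 days reproduces the 129 minutes stated in 5.1."""
    return math.floor(days_in_quarter * 24 * 60 * 0.001)


def downtime_penalty_per_site(outages_by_site, days_in_quarter=90):
    """Accumulate outage minutes per website and charge each started hour beyond the allowance."""
    allowance = permitted_downtime_minutes(days_in_quarter)
    penalties = {}
    for site, outage_minutes in outages_by_site.items():
        excess = max(0, sum(outage_minutes) - allowance)
        penalties[site] = DOWNTIME_RATE_INR * math.ceil(excess / 60)   # "or part thereof"
    return penalties


def missed_report_penalty(missed_instances):
    """Daily and weekly report instances missed in the quarter, after the tolerance of four."""
    return MISSED_REPORT_RATE_INR * max(0, missed_instances - TOLERATED_MISSED_REPORTS)


def quarterly_deduction(quarterly_contract_value, outages_by_site, missed_instances):
    """Amount to deduct from the quarterly arrear payment (9.2), with each penalty capped."""
    cap = CAP_FRACTION * quarterly_contract_value
    downtime = min(sum(downtime_penalty_per_site(outages_by_site).values()), cap)
    reports = min(missed_report_penalty(missed_instances), cap)
    return {"downtime": downtime, "missed_reports": reports, "total": downtime + reports}


# Constructed figures for one quarter (hypothetical site names).
SAMPLE_OUTAGES = {
    "www.example-a": [40, 30, 25],   # 95 min in total: within the 129 min allowance
    "www.example-b": [100, 200],     # 300 min: 171 min over, billed as 3 started hours
    "www.example-c": [130],          # 1 min over: still one full hour charged
}

if __name__ == "__main__":
    print(downtime_penalty_per_site(SAMPLE_OUTAGES))
    print(quarterly_deduction(1_000_000, SAMPLE_OUTAGES, missed_instances=7))
    print(quarterly_deduction(20_000, SAMPLE_OUTAGES, missed_instances=7))   # the cap bites here
```

Note that 3.17 makes BPCL's own uptime record final in case of conflict, so the outage minutes fed into this calculation should come from BPCL's monitoring, not from the vendor's quarterly report.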

7. TERMINATION OF THE CONTRACT (EXIT CLAUSE)

7.1 Bidders must take note that the max limits of penalties are upper tolerances (i.e. 10% of quarterly contract value (excluding taxes)). BPCL reserves the right to terminate the contract in parts or full at any point of time depending on the scenario for breach of SLAs even before reaching the max limit of penalties.

7.2 BPCL reserves the right to terminate the contract, if successful bidder failed to detect the cyber-attack due to misconfiguration of WAF.

8. OTHER

8.1. The contract would be valid for a period of three years from the date of release of contract.

8.2. The quoted rates shall be valid for acceptance for the period of 90 days from the date of opening of the technical bid.

8.3. The price quoted in the price bid should cover all charges as mentioned in the deliverables.

8.4. All prices quoted should be in Indian Rupees (INR).

9. PAYMENT TERMS

9.1 Payment shall be made on the actual usage of services.

9.2 Quarterly arrear payment at the end of the quarter after due deduction of penal payment, if any.

9.3 PO will be issued on call off basis during the contract period on ‘Year on year’ basis.

9.4 For any bandwidth utilization beyond 20 Mbps payment shall be made on actuals on pro rata basis (in multiple of 1 Mbps) on agreed per Mbps bandwidth cost.


10. UN-PRICED BID

Columns: It. No; Description; Qty (Web sites); UOM (Per Year); Unit Rate (INR); Ser Tax %; Ser Amt; Total (INR). The Unit Rate, Ser Tax %, Ser Amt and Total columns are left blank in the un-priced bid.

10   Daily Vulnerability assessment scanning, application audit & Malware monitoring per website, 1st year   Qty: 10   UOM: Per Year
20   Daily Vulnerability assessment scanning, application audit & Malware monitoring per website, 2nd year   Qty: 10   UOM: Per Year
30   Daily Vulnerability assessment scanning, application audit & Malware monitoring per website, 3rd year   Qty: 10   UOM: Per Year
40   WAF with 20 Mbps Throughput with 3 websites, 1st year   Qty: 1   UOM: Per Year
50   WAF with 20 Mbps Throughput with 3 websites, 2nd year   Qty: 1   UOM: Per Year
60   WAF with 20 Mbps Throughput with 3 websites, 3rd year   Qty: 1   UOM: Per Year
70   Cost of additional bandwidth usage in multiples of 1 Mbps, 1st year (as and when basis)   Qty: 50   UOM: Per Year
80   Cost of additional bandwidth usage in multiples of 1 Mbps, 2nd year (as and when basis)   Qty: 50   UOM: Per Year
90   Cost of additional bandwidth usage in multiples of 1 Mbps, 3rd year (as and when basis)   Qty: 50   UOM: Per Year
100  Cost of additional domain configuration and protection on WAF, 1st year   Qty: 1   UOM: Per Year
110  Cost of additional domain configuration and protection on WAF, 2nd year   Qty: 1   UOM: Per Year
120  Cost of additional domain configuration and protection on WAF, 3rd year   Qty: 1   UOM: Per Year

Note: The price quoted in the price bid should cover all deliverables mentioned in the Scope of Work.

11. Commercial Terms & Conditions

11.1. Pricing Type

11.1.1 The quoted rates shall be valid for acceptance for the period of 90 days from the date of opening of commercial bid.

11.1.2 The successful bidder should quote separately for Basic price and VAT / CST / Ser. Tax as applicable in the Price Bid. Rate of VAT / CST and service tax as applicable on the material should be quoted separately in the un-priced bid.

11.1.3 Variation in the rates for Statutory levies/ taxes / duties during the tenure of the contract for supplies within delivery schedule will be allowed only on the submission of documentary evidence from Govt. / Statutory Authorities and its acceptance by BPCL.


11.2. Other Contractual Stipulations

11.2.1 We reserve the right to reject the tender without assigning any reason whatsoever.

11.2.2 Right to Audit: BPCL reserves the right to audit or inspect work performed by the vendor. BPCL may participate directly or through an appointed representative, e.g. a mutually agreeable external auditor, in order to verify that the tasks related to this project have been performed in accordance with the procedures indicated.

11.2.3 NDA Clause: The successful bidder has to sign the 'Non Disclosure Agreement (NDA)' on Rs. 100/- stamp paper (Non Judicial) from their competent authority as a compliance for the 'Non Disclosure Agreement' in line with BPCL's IS Security Policy (soft copy of NDA will be provided to you once the tender is finalized). Purchase orders will not be placed without entering into the above NDA. If NDA has already been submitted, please ignore this clause.

11.2.4 IP (Intellectual Property): Organization retains all rights to its pre-existing intellectual property and any intellectual property it creates in connection with the agreement; and the vendor assigns to organization all rights in any work product developed pursuant to the agreement and acknowledges that all materials created by the vendor pursuant to the agreement shall be deemed to be owned by the organization. If the vendor will not agree to an assignment, then the vendor should, at a minimum, grant organization a perpetual, irrevocable, worldwide, royalty-free license to use the work product developed pursuant to the agreement.

11.2.5 Force Majeure Clause: The parties to this agreement shall not be responsible for any failure of performance or delay in performance of their obligations thereunder if such failure or delay is the result of any Government Directive relevant to this agreement or due to war, hostilities, act of public enemy, riots or civil commotions, strikes, lock out, fire, floods, epidemics or act of God, arrests and restraints of rulers and people, political or administrative acts of recognized or de facto Government, import or export restrictions, compliance with any Government or local authority, or any other cause or causes beyond the control of the parties hereto.

11.2.6 Arbitration clause: Any dispute or differences arising under and out of, or in connection with, the contract shall be referred to the sole arbitration of an arbitrator appointed under the provisions of the Indian Arbitration and Conciliation Act, 1996, and subject to the jurisdiction of courts in Mumbai only.

In case of any dispute in the interpretation of the terms and conditions of the tender, the decision of the Corporation shall be final and binding.

11.2.7 Third Party and Outsourcing Services Policy (BPCL-TPOSP): The successful bidder has to sign the 'Third Party and Outsourcing Services Policy' from their competent authority as a compliance in line with BPCL's IS Security Policy (soft copy of BPCL-TPOSP will be provided to you once the tender is finalized). Purchase orders will not be placed without entering into the above BPCL-TPOSP.

11.2.8 Limitation of liability will be restricted to Total Contract Value.

ALL ABOVE TERMS & CONDITIONS ARE ACCEPTABLE TO US.

SIGNATURE & NAME OF THE PERSON

COMPANY SEAL

ANNEXURE

TECHNICAL COMPLIANCE


Please provide the following information as part of your RFP bid. All information required herein must be provided. Please upload this Technical Compliance sheet along with the evidence during submission of your technical bid.

Columns: S. No; Description; Compliance (YES/NO); Evidence / Remark

1 Bidder should have hosted the Scanner operation and WAF infrastructure in India.

i. Bidder shall submit the address details of the vulnerability scanner and WAF infrastructure hosted in India.

ii. Vendor shall submit an undertaking that the WAF hosting services used by BPCL shall not be moved outside India during the entire contract period.

2 The bidder should be CERT-In empaneled as mentioned in the latest list as on May 2015 published on CERT-In Website (www.cert-in.org.in).

i. Bidder shall submit the latest CERT-In empaneled IT Security Auditing Organisation list highlighting bidders’ name.

3 BPCL’s RFP duly stamped & signed by the authorized signatory in token of acceptance of all terms & conditions mentioned in this document.

4 Technical write-up on the proposed solution for BPCL (provide full technical write-up on the solution offered to BPCL, including):
i. Technical Brochure of the products.
ii. Software licenses required & to be supplied by the vendor.
iii. Detailed Architecture of the proposed Solution.

5 Risk analysis in executing this project, if any, & proposed mitigation plan.

6 We agree to submit Non Disclosure Agreement (NDA) form (Specimen enclosed) duly signed by the Authorized signatory, if we happened to be successful bidder within 15 days from date of Contract/ PO.

7 Third Party and Outsourcing Services Policy (Specimen enclosed) duly signed by the Authorized signatory.

8 List of Deviations, if any; else submit NIL deviation statement.

Vulnerability Scanner

9 Solution should perform daily system vulnerability assessment.

10 Solution should perform daily Application Security Assessment.

11 Solution should perform daily Malware monitoring.

12 Bidder to ensure that the scanning does not impact the BPCL websites in any manner.

13 Solution must be capable of assessing both authenticated as well as non-authenticated website URLs.

14 Vulnerability management dashboard (Web based solution, available on the internet).

15 Detailed reporting along with remediation guidance on the web-based dashboard.

16 Ability to verify the fixing/closure of the reported vulnerabilities in the next scan.

17 Ability to download the vulnerability reports of the websites.

18 Vendor should provide weekly scan results to BPCL for all websites configured for daily vulnerability scanning, bypassing the WAF, if any.


19 Any change in the home page of a monitored website must be reported immediately

WAF

20 The proposed WAF should be hosted in Indian geography only.

21 WAF instance used should be dedicated to BPCL and not shared with any other customer.

22 WAF should be able to handle minimum 5000 concurrent connections and minimum 20 Mbps throughput with scalability of handling 150 Mbps and 15000 concurrent connections. Scalability plan should be specified in the proposal, along with commercials.

23 WAF should be able to decrypt the SSL traffic to analyze the HTTP data

24 WAF should be able to re-encrypt the SSL traffic

25 WAF should support different policies for different web applications

26 WAF should support different policies for different application section (different security zones within the app)

27 WAF should support configurable error response page. The WAF shall support URL rewriting and show customized response pages to the web user when a policy has been violated.

28 WAF should support IP Reputation DB (DB including blacklisted IP Address, IP Address, Anonymous Proxy, Botnets, Windows Exploit etc.) along with Client Source IP address based Security Policy and dynamic source IP blocking.

29 The WAF shall maintain non-repudiation of the HTTPS connection between the web user and the web server and not terminate the connection.

30 The WAF shall automatically provide content protection for all applications covered under it.

31 WAF should detect known attacks at multiple levels, Web server software and application-level attacks.

32 WAF should detect known malicious users who are often responsible for automated and botnet attacks. Malicious users may include malicious IP addresses or anonymous proxy addresses.

33 WAF shall take the feed from the Vulnerability Scanner and update the WAF policy daily to counter the security vulnerability at application layer.

34 The Web application firewall should be able to accurately distinguish between good and bad traffic. Vendor to provide details of how this is achieved.

35 Vendor should maintain WAF logs for at least 3 years and should be able to provide the same as and when requested by BPCL.

36 WAF Solution should be capable of handling IPV4 and IPV6 traffic.

37 It should ensure compliance and advanced protection against industry standards such as OWASP Top 10 requirements.
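As an added illustration (not BPCL's configuration and not any bidder's product), one way requirements 23 to 28, 33 and 35 map onto an nginx reverse proxy with the ModSecurity v3 connector; it assumes a terminating-proxy deployment, and the hostnames, file paths, addresses and rule id are placeholders.

```nginx
# Added example, not part of the tender. Placeholder values throughout.

# Requirement 28: reputation / denylist feed maintained outside nginx
# (one "address value;" line per entry, e.g. "203.0.113.0/24 1;").
# Reloading nginx picks up the updated feed.
geo $blocked_src {
    default 0;
    include /etc/nginx/blocked_sources.conf;
}

upstream origin_portal {
    server 10.0.0.10:443;              # placeholder origin web server
}

server {
    listen 443 ssl;
    server_name portal.example.test;   # placeholder hostname

    # Requirement 23: terminate TLS at the WAF so HTTP can be inspected.
    ssl_certificate     /etc/ssl/waf/portal.crt;
    ssl_certificate_key /etc/ssl/waf/portal.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Requirement 27: customised page returned when a policy is violated
    # (ModSecurity denies with 403 by default, which error_page intercepts).
    error_page 403 /blocked.html;
    location = /blocked.html { root /var/www/waf; internal; }

    # Requirement 28: dynamic source-IP blocking before rule evaluation.
    if ($blocked_src) { return 403; }

    # Requirement 25: one rule file per application; the file is expected to
    # set the engine on and enable the audit log, e.g.
    #   SecRuleEngine On
    #   SecAuditEngine RelevantOnly
    #   SecAuditLog /var/log/modsec/portal_audit.log   (requirement 35: retain)
    modsecurity on;
    modsecurity_rules_file /etc/modsecurity/app-portal.conf;

    # Requirement 33: a virtual patch derived from a scanner finding, applied
    # until the application itself is fixed. Rule id 900001 and the "id"
    # parameter are placeholders; the rule only allows a short numeric value.
    modsecurity_rules '
      SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "id:900001,phase:2,deny,status:403,log,msg:virtual-patch-nonnumeric-id"
    ';

    # Requirement 26: an additional, stricter rule set for a sensitive
    # section of the same application.
    location /admin/ {
        modsecurity_rules_file /etc/modsecurity/app-portal-admin.conf;
        proxy_pass https://origin_portal;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/waf/origin-ca.crt;
        proxy_ssl_server_name on;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location / {
        # Requirement 24: re-encrypt towards the origin and verify its
        # certificate so the inspected hop does not weaken transport security.
        proxy_pass https://origin_portal;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/waf/origin-ca.crt;
        proxy_ssl_server_name on;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```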


FORMAT

NON DISCLOSURE AGREEMENT

This Agreement is made as of the ------------- 2015 between BHARAT PETROLEUM CORPORATION LTD. (BPCL), a Government of India Enterprise, having its registered office and Corporate office at Bharat Bhavan, 4&6, Currimbhoy Road, Ballard Estate, Mumbai -400001, hereinafter referred to as First Part, which expression shall unless repugnant to the subject or the context mean and include its successors, nominees or assigns, and M/s ------------------ -------- --------------------------------------------------------- a company incorporated under the Indian Companies Act, 1956, and having its registered office at ------------------------------------ ------------------------------------------------------ hereinafter called “Second Part”, which expression shall unless repugnant to the subject or the context mean and include its successors, nominees or assigns. Whereas, in order to pursue the business purpose of this particular project as specified in Annexure A (the “Business Purpose”), M/s---------------------------------------------------------------------------------------------- recognizes that there is a need to disclose certain information, as defined in para 1 below, to be used only for the Business Purpose and to protect such confidential information from unauthorized use and disclosure. In consideration of First Part’s disclosure of such information, Second Part agrees as follows:

1. This Agreement will apply to all confidential and proprietary information disclosed by First part to Second part, including information which the disclosing party identifies in writing or otherwise as Confidential before or within thirty days after disclosure to the receiving party (“Confidential Information”).

Confidential Information consists of certain specifications, designs, plans, drawings, software, processes, prototypes and/or technical information, and all copies and derivatives containing such Information, that may be disclosed to the other part by the First Part for and during the Purpose, which the disclosing party considers proprietary or confidential (“Information”). Confidential Information may be in any form or medium, tangible or intangible, and may be communicated/disclosed in writing, orally, or through visual observation or by any other means to the other part (hereinafter referred to as the receiving party) by the First Part (hereinafter referred to as the disclosing party). Information shall be subject to this Agreement, if it is in tangible form, only if clearly marked as proprietary or confidential, as the case may be, when disclosed to the receiving party or, if not in tangible form, its proprietary nature must first be announced, and it must be reduced to writing and furnished to the receiving party within thirty (30) days of the initial disclosure.

2. M/s --------------------------- i.e. Second Part ---------------------------------- hereby agrees that during the Confidentiality Period:

a) The receiving party shall use Information only for the Purpose, shall hold Information in confidence using the same degree of care as it normally exercises to protect its own proprietary information, but not less than reasonable care, taking into account the nature of the Information, and shall grant access to Information only to its employees who have a need to know, but only to the extent necessary to carry out the business purpose of this project as defined in Exhibit A, shall cause its employees to comply with the provisions of this Agreement applicable to the receiving party, shall reproduce Information only to the extent essential to fulfilling the Purpose, and shall prevent disclosure of Information to third parties. The receiving party may, however, disclose the Information to its consultants and contractors with a need to know; provided that by doing so, the receiving party agrees to bind those consultants and contractors to terms at least as restrictive as those stated herein, advise them of their obligations, and indemnify the disclosing party for any breach of those obligations.

b) Upon the disclosing party's request, the receiving party shall either return to the disclosing party all Information or shall certify to the disclosing party that all media containing Information have been destroyed.

3. The foregoing restrictions on each party's use or disclosure of Information shall not apply to Information that the receiving party can demonstrate:

a) Was independently developed by or for the receiving party without reference to the Information, or was received without restrictions; or

b) Has become generally available to the public without breach of confidentiality obligations of the receiving party. The information shall not be deemed to be available to the general public merely because it is embraced by more general information in the prior possession of Recipient or of others, or merely because it is expressed in public literature in general terms not specifically in accordance with the Confidential Information; or

c) Was in the receiving party's possession without restriction, or was known by the receiving party without restriction, at the time of disclosure, and the receiving party declares possession of such confidential information within a day of such disclosure by the disclosing party; or

d) Is disclosed pursuant to a court order or is otherwise required by law to be disclosed, provided that the Recipient has notified the disclosing party immediately upon learning of the possibility of any such court order or legal requirement, has given the disclosing party a reasonable opportunity, and co-operates with the disclosing party, to contest or limit the scope of such required disclosure, including application for a protective order; or

e) Is disclosed with the prior consent of the disclosing party; or

f) The receiving party obtains or has available from a source other than the disclosing party without breach by the receiving party or such source of any obligation of confidentiality or non-use towards the disclosing party.

4. Receiving party agrees not to remove any of the other party’s Confidential Information from the premises of the disclosing party without the disclosing party’s prior written approval, and to exercise extreme care in protecting the confidentiality of any Confidential Information which is removed, only with the disclosing party’s prior written approval, from the disclosing party’s premises. Receiving party agrees to comply with any and all terms and conditions the disclosing party may impose upon any such approved removal, such as conditions that the removed Confidential Information and all copies must be returned by a certain date, and that no copies are to be made off the premises.

5. Upon the disclosing party’s request, the receiving party will promptly return to the disclosing party all tangible items containing or consisting of the disclosing party’s Confidential Information and all copies thereof.

6. Receiving party recognizes and agrees that all of the disclosing party’s Confidential Information is owned solely by the disclosing party (or its licensors) and that the unauthorized disclosure or use of such Confidential Information would cause irreparable harm and significant injury, the degree of which may be difficult to ascertain. Accordingly, receiving party agrees that the disclosing party will have the right to obtain an immediate injunction enjoining any breach of this Agreement, as well as the right to pursue any and all other rights and remedies available at law or in equity for such a breach.

7. As between the parties, all Information shall remain the property of the disclosing party. By disclosing Information or executing this Agreement, the disclosing party does not grant any license, explicitly or implicitly, under any trademark, patent, copyright, mask work protection right, trade secret or any other intellectual property right. The disclosing party disclaims all warranties regarding the information, including all warranties with respect to infringement of intellectual property rights and all warranties as to the accuracy or utility of such information. Execution of this Agreement and the disclosure of Information pursuant to this agreement does not constitute or imply any commitment, promise, or inducement by the disclosing party to make any purchase or sale, or to enter into any additional agreement of any kind.

8. Disclosing party’s failure to enforce any provision, right or remedy under this agreement shall not constitute a waiver of such provision, right or remedy.

This Agreement will be construed, interpreted and applied in accordance with the laws of India.

9. This Agreement and Exhibit A attached hereto constitutes the entire agreement of the parties with respect to the parties' respective obligations in connection with Information disclosed hereunder and supersedes all prior oral and written agreements and discussions with respect thereto. The parties can amend or modify this Agreement only by a writing duly executed by their respective authorized representatives. Neither party shall assign this Agreement without first securing the other party's written consent.

10. This Agreement will remain in effect for three years from the date of the last disclosure of Confidential Information, at which time it will terminate, unless extended by the disclosing party in writing.

11. With regard to the confidential information of M/s disclosed to BPCL, BPCL agrees to comply with all the obligations of the receiving party mentioned in this Agreement.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement by their duly authorized officers or representatives.

M/S -----------------------                BHARAT PETROLEUM CORPORATION LIMITED
Signature: _____________                   Signature: ____________
Printed Name: _________                    Printed Name: ___________
Designation: ________________              Designation: ________________________

Exhibit A

1. Business Purpose: ……………………………………………………………
…………………………………………………………………………………….

2. Confidential Information of M/s ------------------------------------------------

All communication/information submitted to BPCL relating to the proposal of M/s _______________ for the purpose of procurement and subsequent integration with the existing infrastructure of BPCL, marked as confidential.

3. Confidential Information of BPCL:

a) All details relating to architecture and other Network infrastructure details of BPCL etc.
b) All information shared in oral or in written form by BPCL with M/s---------------------------------------------- --------------------------------.
c) Any information desired by M/s ----------------------------- shall be justified for.
d) Information downloaded or taken in physical form shall be returned/destroyed after use and not copied.
e) Draft Technical specifications for the various projects and Tender documents for the same.

BPCL: ___________________                  M/s-------------------------------------------
Signed                                     Signed

Third Party and Outsourcing Services Policy Bharat Petroleum Corporation Ltd

Version 1.0 Page 1 of 8

Bharat Petroleum Corporation Limited

Third Party and Outsourcing Services Policy

(BPCL – TPOSP)


Document Control

S. No. | Type of Information | Document Data
1. Document Title: Third Party and Outsourcing Services Policy (BPCL – TPOSP)
2. Document Code: BPCL/TPOSP
3. Date of Release: <10/JUL/2014>
4. Document Revision No: Version 1.0
5. Document Owner: A K Gidwani, CISO
6. Document Author(s): V Natarajan, Asit K Sethi
7. BPCL Policy Reference:
8. Policy Section Reference:

Document Approvers

S. No. | Approver | Approved Through / Nominee(s) | Nominee(s) Contact
1.
2.
3.

Document Change Approvals

Version No. | Revision Date | Nature of Change | Date Approved


Contents

1.1 Introduction ........ 4
1.2 Responsibility ........ 4
1.3 Policy Statement and Objectives ........ 4
1.4 Risk Assessment Requirements for third party services ........ 5
1.5 Access Control for third party service provider ........ 5
1.6 Security conditions in third party contracts ........ 5
1.7 Security conditions in Outsourcing Contracts ........ 6
1.8 Service level Agreements ........ 6
1.9 Third party service delivery management ........ 7
1.9.1 Service Delivery ........ 7
1.9.2 Monitoring and Reviewing of third party services ........ 7
1.9.3 Managing changes to Third party services ........ 7


1.1 Introduction

The security of BPCL might be put at risk by access from users of third party or outsourcing agencies. A risk assessment should be carried out to determine the specific security requirements in such cases. A formal contract (SLA / NDA) with third parties or outsourcing agencies should also be established stating the necessary security conditions and service levels. All security requirements resulting from the risk assessment should form part of the contract.

1.2 Responsibility

Business Units / Functional Heads are responsible for enforcing the implementation of the BPCL TPOSP within their Business Units/Functions.

It is the responsibility of every third party and their employees who handle, process, manage and/or store information of BPCL to read, understand and adhere to the BPCL TPOSP.

1.3 Policy Statement and Objectives:

Security of BPCL’s information assets used by the third party for providing services to BPCL is of paramount importance, and the Confidentiality, Integrity and Availability of these shall be maintained at all times by the third party concerned through controls commensurate with the classification of the information asset.

The objectives of the BPCL Third Party and Outsourcing Services Policy are to ensure that

a. A risk assessment is carried out to determine the security implications and control requirements where there is a requirement for third party access to critical or sensitive information systems.

b. Vendors, consultants, contractors and customers are subjected to the same access restrictions to which an internal user is subject.

c. A formal contract is established prior to a third party being granted access to BPCL information and data.

d. The risks posed to BPCL by outsourcing all or part of its operations will be addressed in a contract agreed between the parties.

e. A service level agreement, clearly defining service level criteria, will be entered into with third parties and outsourcing agencies, where applicable.

f. An appropriate level of information security and service delivery is implemented and maintained in line with the third party service delivery agreements.

g. The BPCL TPOSP is reviewed at regular intervals and appropriate amendments are made to the policy, as required, ensuring


1.4 Risk Assessment Requirements for third party services

A risk assessment will be carried out to identify any requirements for specific controls in case of any third party access to sensitive or critical information systems of BPCL.

The risk assessment will take into account the type of access required, the value of the information, the controls employed by the third party and the implications of this access for the security of BPCL.

All security requirements identified from the risk assessment will be reflected as security conditions in the third party contract.

1.5 Access Control for third party service provider

BPCL will subject vendors, consultants, contractors and customers to at least the same access restrictions to which an internal user would be subject. Further, third party users will be restricted to the minimum information required to complete the contracted work.

Vendors, consultants, contractors and customers will only be provided access to BPCL information resources after authorization.

All third party users accessing BPCL information and data, from within the premises or from external sites, will be provided with a unique login-id and password, to maintain accountability.

Third party users will not connect to the local area network from their laptops or computers unless authorized.

Third party laptops authorized to connect to BPCL's network will be segregated from BPCL's local area network through the use of VLANs.

Periodic and random reviews will be conducted to ensure that appropriate access restrictions are in place.

Security Breaches - Any employee who identifies a security violation by a third party will immediately report the same to the Information Security Manager and Department Head.

1.6 Security conditions in third party contracts

Arrangements involving third party access will be based on a formal contract. The contract will have all the necessary security conditions and service levels to ensure compliance with the BPCL security policies and procedures. The following terms will be considered for inclusion in the contract:

- Controls to ensure the return or destruction of information and data at the end of, or at an agreed point in time during, the contract.
- Restrictions on copying and disclosing information.
- The respective liabilities of the parties to the agreement.
- Intellectual property rights (IPRs) and copyright assignment and protection of any collaborative work, such as development of software / applications.
- Access control agreements covering permitted access methods, and the control and use of unique identifiers such as user accounts and passwords.
- Scanning of the network and unauthorized login / access attempts to the BPCL network and/or network devices.
- The right to audit contractual responsibilities.
- Involvement of the third party with subcontractors.

The contract will be established before access to BPCL’s information and data is granted.

All third party users will read and sign a non-disclosure agreement before access is granted to the user.

All contractual agreements will be reviewed by the Legal department of BPCL.

In case of Annual Maintenance Contracts (AMC) of computer hardware / UPS / ACs with third parties, preventive maintenance along with its frequency will form part of the contract. The Premises / IT department will ensure that the preventive maintenance is carried out by the third party as agreed in the Annual Maintenance Contract.

The contract will include the agreement with vendors on escrow for software code.

1.7 Security conditions in Outsourcing Contracts

The risks posed by outsourcing the management of all or part of the facilities or information systems, networks and/or desktop environments will be addressed in a contract agreed between the parties. The contract will include the following, at a minimum:

- Physical and logical access controls to limit access to BPCL’s business information.
- Availability of services in the event of disaster.
- Arrangements to ensure that all parties involved in the outsourcing are aware of the security responsibilities and requirements.
- The responsibilities and liabilities in the event of an information security incident such as loss of data.

All Outsourced Service Agreements involving information owned by BPCL will need to be approved.

1.8 Service level Agreements

When building a relationship with a new vendor, the respective department shall define the SLA requirements, which will be embedded in the contract to be signed.

With respect to BPCL’s objectives and requirements, the SLA team will collect, analyze, and draw conclusions about issues that comprise the BPCL Infrastructure / Environment and BPCL’s desired level of system availability and performance, both from an IT perspective and from a functional standpoint.


Systems problem and downtime

The IT personnel will maintain a register of all hardware and software problems. This register will also state the manner in which the problems were resolved.

IT will ensure that a system downtime log is maintained.

1.9 Third party service delivery management

1.9.1 Service Delivery

Third parties shall ensure that the security controls, service definitions and delivery levels included in the service delivery agreements are implemented, operated and maintained by them.

Respective business units shall ensure that the service definitions, service delivery levels and security controls included in the third party service delivery agreements are implemented, operated and maintained by the third parties.

1.9.2 Monitoring and Reviewing of third party services

The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out by the business units. The review shall include:

- Monitoring service performance levels to check adherence to the agreements.
- Reviewing service reports produced by the third party and arranging the regular progress meetings required by the agreements.
- Resolving and managing any identified problems.

1.9.3 Managing changes to Third party services

Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business systems and processes involved and a re-assessment of risks. The changes to be considered include:

- Changes requested by BPCL, such as enhancements to the current services offered, development of any new applications and systems, etc.
- Changes in third party services, such as change of vendors, use of new technologies, etc.

Declaration

I _____________ on behalf of M/s _____________ have read, understood and undertake to adhere to the BPCL TPOSP.


The following members have been appointed from M/s_____________ for the project __________________:

Mr. _________________
Mr. _________________
Mr. _________________
Mr. _________________
Mr. _________________

3rd Party: M/s_________________                BPCL Witness:
Authorized Signatory:
Signature:
Name: Designation: Date:                       Name: Designation: Date:
Company Seal: