
Indian Overseas Bank

Central Office
INSPECTION DEPARTMENT
Information Systems Audit Cell
RFP Ref.No. ISA / 01 /12-13 dated 07.11.2012

REQUEST FOR PROPOSAL TO CONDUCT INFORMATION SYSTEMS AUDIT / REVIEW

I. REQUEST FOR BID

Indian Overseas Bank, a leading Public Sector Bank offering a wide range of financial / banking products and services to its customers, invites sealed offers (technical and commercial bids) separately for each one of the following areas of operation, from eligible Firms/Companies, to conduct Risk Based Information Systems Audit / Information Systems Security Review at Chennai and other places as specified in this document.

1. Audit of Data Centers at Chennai and Disaster Recovery Site at Hyderabad
2. Network Security
3. CBS Operations
4. ATM/Debit Card Operations / ATM Managed Services
5. Internet Banking Operations
6. Mobile Banking Operations
7. RTGS / NEFT Operations
8. Credit Card Operations
9. Treasury Operations
10. Financial Inclusion
11. Payment Gateway
12. AMLOCK Software of AML Cell
13. Cheque Truncation System (CTS)

(Note: Wherever the Services/Activities are outsourced, Outsourcing policy / implementation, SLA Management, etc. will be included)

For assigning the audit/review of each of the above activities, Indian Overseas Bank (hereinafter referred to as the Bank) will follow a two-stage evaluation and selection process. These stages are:

1. Technical Bid Evaluation
2. Commercial Bid Evaluation

Request for Proposal for IS Audit/Review

2012-13

1

II. BACKGROUND

All the major software packages used in the Bank have been developed and implemented in-house by the Information Technology Department of the Bank. Many financial products and services, such as Core Banking, Networked ATMs, Internet Banking, Mobile Banking, RTGS, NEFT and Credit Cards, have been introduced in the Bank. The overall objectives of the proposed audit / review are to ensure the Confidentiality, Integrity and Availability of the Bank’s information and information assets, and also to evaluate the Effectiveness and Efficiency of the various operations in the changed / changing environments. The exercise would also ensure compliance with IT related Acts and the guidelines/instructions of the Reserve Bank of India, the Government and other agencies. The present Audit Assignment is mainly to assess/review the existing Management Control / Information Systems Security Control and practices in the areas of operation mentioned below, which come under the different Departments of our Central Office, Chennai as indicated against each, taking into account the overall objectives mentioned above.

III. SCOPE

The scope of the IS Audit will include the adequacy and effectiveness of internal control systems for the use and protection of the Information and Information Systems as detailed below. Generally the IS Audit / Review shall take into account the following:

• The Auditors are required to verify the compliance status of the previous Audit Reports for which Audits were conducted
• Auditors should follow a Risk Based approach in all areas
• To ensure that Data Integrity across various systems is maintained
• To ensure compliance with the Information Technology (IT) Act 2000, the Information Technology (Amendment) Act 2008 and other Information System related guidelines
• Application in terms of its functionality, controls and change management systems
• Physical Security controls for the relevant servers / production environment
• Logical Security controls, User Management Process, Systems Administration, Access Control Measures
• Operational Security Controls including troubleshooting / help desk
• People in terms of establishing proper Segregation of duties and other administrative controls
• Vulnerability Assessment and Penetration testing wherever applicable
• Adequacy of audit trail, history of access to database, Monitoring Mechanism
• Business Continuity preparedness / Disaster Recovery Preparedness / Backup (for Data, Systems, Personnel etc.)
• Documentation, Manuals, Job Card availability
• The adequacy of existing Guidelines and Procedures in the relevant area
• The adequacy and effectiveness of internal control systems
• Audit the Services of all Service Providers to ensure they adhere to the contracted levels of services set out in the Service Level Agreement (SLA)
• Audit the compliance by the service providers with various regulatory and statutory requirements

Auditors should sign the Do’s and Don’ts letter, the Non Disclosure Agreement (NDA) and the Fidelity & Secrecy as given in the Annexure. Auditors will not have any professional relationship with the Department that they audit. The Audit firm should complete and submit the Audit Report within the time limit stipulated. Any delay on the part of the Auditee may be brought to the knowledge of the IS Audit Department. Delayed submission of reports and unsatisfactory performance will entail forfeiture of the full or part of the Audit Fee. In addition to the above, the scope more specific to each of the areas to be audited and the Department to be audited (Auditee) are detailed below:


Additional Scope specific to the activity and the Auditee

(1) Audit of Data Centers at Chennai and Disaster Recovery Site at Hyderabad

AUDITEE: Transaction Banking Department, Central Office, Chennai

Brief details of area of operation: The Bank has a combination of its own in-house CBS software and outsourced software. The Bank follows a 3-tier architecture - Primary Data Centre, Chennai; Near Primary Data Centre, Chennai; and Disaster Recovery (DR) centre at Hyderabad. All the critical servers are housed in the Data Centres and replicated at the DR centre. The Bank has formulated its own BCP/DR policy. The Data Centres and DR centre contain various Production Servers, Application Servers and Database Servers.

Additional SCOPE:
• Conduct a review of controls surrounding the three data centres of the Bank located in the premises of different Service Providers (the two Data Centres situated at Chennai and the Disaster Recovery site at Hyderabad) and identify any weakness therein. Security review is required to the extent of segregation of duties between different layers of the users and administrators and network security administration functions.
• Adequacy of the existing Procedures like Physical and Environmental Security Procedure, Incident handling procedure, Log Monitoring, Patch management Procedure, Change Management Procedure, Configuration Management Procedure, Vulnerability assessment procedure etc.
• Verification of data updating, fall back systems & procedures, data synchronization
• Review the availability of the Disaster Recovery Mechanism and the preparedness of the DR team etc.
• Review to know whether written down procedures are available
• Whether a sufficient number of employees are trained in the DR Mechanism
• The conformance of the Back Up / Recovery Plan with the prevailing standards, regulatory stipulations and/or government regulations
• The effectiveness of the plan, by reviewing the results from the tests carried out
• The conformance of the recovery site with the security and environment controls
• The ability and readiness of personnel to react and respond quickly in situations of disaster
• Review of the outsourcing arrangement.
• Adequacy of Networking and Redundancy for the same vis-à-vis industry standards.
• Identification of Critical Business for BCP/DR purpose
• Owned and shared resources with supporting function for BCP/DR
• Risk assessment on the basis of Business Impact Analysis (BIA)
• Formulation of Recovery Time Objective (RTO) and identification of Recovery Point Objective (RPO)
• The adequacy of the Practices in force in comparison with industry standards.

(2) Review of Network Security

AUDITEE: Information Technology Department, Central Office, Chennai

Brief details of area of operation: The Bank’s network support is outsourced and the personnel from the company manage the network from our premises. An MPLS-VPN network supports the Bank’s CBS with redundancies built in at device level, media level and service provider level. All the Regional network nodes and the three data centres are provided with dual MPLS VPN Connectivity sourced from two different service providers. All the branches/Offsite ATMs/other offices are connected either by point-to-point leased line connection to the respective regional network node or directly under the primary MPLS-VPN Cloud.

Additional SCOPE:
• Conduct a review of controls surrounding the current network security within the Bank's network, and identify any weakness therein. Security review is required to the extent of segregation of duties between users, network administration and network security administration functions.
• Adequacy of the existing Procedures like Incident handling procedure, Downtime analysis, Log Monitoring, Patch management Procedure, Router-Switch-Firewall-IDS Management Procedure, Anti virus procedure, Vulnerability assessment procedure etc.
• Effectiveness and Efficiency of the Anti-Virus Software Implementation vis-à-vis industry standards.
• Effectiveness and Efficiency of the Network Monitoring Tool Implemented.
• Review of the outsourcing arrangement (SLA) in totality vis-à-vis industry standards.
• E-Mail rules and requirements – Information storage and retrieval
• Penetration testing
• Review of Network vulnerabilities
• Verification of weak/default passwords in Network devices
• Review of security of Data in transmission
• Review of Network performance issues
• Adequacy of capacity of communication facilities and Hardware

(3) Information Systems Security Audit of CBS (Core Banking Solution) Operations

AUDITEE: Transaction Banking Department, Central Office, Chennai

Brief details of area of operation: The Bank has its own in-house software for Core Banking Operations. The programs are customized to the Bank’s requirements.

Bio Metric authentication for all CBS users has been implemented. There are other applications that have been integrated with CBS.

Additional SCOPE:
• Review of controls surrounding the operational environment of the Core Banking Operations and identify any weakness therein.
• Adequacy of the existing Policy and Procedures like Incident handling procedure, Log Monitoring, Access Control Procedure etc.
• Review of the Audit Solution (Access Control Mechanism) developed in house.
• Robustness of CBS Administrative practices and Help-Desk Management & Procedures.
• Business Continuity preparedness / Disaster Recovery Preparedness / Backup (Data, Systems, Personnel etc.)
• Database controls – Physical Access and Protection, Integrity and Accuracy, Administration and House Keeping
• Verification of Interfaces / Links with other systems such as ATM server, Net Banking / Mobile Banking server, RTGS/NEFT etc., and observations with regard to failure of one or more interfaces
• Problems faced by Users and redressal mechanism for such problems
• Management of Help Desk
• Change Management procedures
• Documentation relating to User requirements, specifications
• Version Control

(4) Information Systems Audit of ATM / Debit Card Operations and outsourced ATM Managed Services

AUDITEE: Transaction Banking Department, Central Office, Chennai

Brief details of area of operation: ATM Managed Services is outsourced. The scope involves audit of activities such as installation of new ATMs, replacement of old ATMs, Cash Management and other related activities.

Additional SCOPE:
• Review of Controls in ATM Operations including ATM Card Management, Support to Branches/Users, Incident Response capability
• Review of ATM Switch Operations including Audit of the Outsourced Switch Maintenance vendor
• Review of the outsourcing practices, Implementation and Effectiveness of the Service Level Agreement in protecting the Bank’s interests etc.
• Review of the outsourcing arrangement (SLA) in totality vis-à-vis industry standards.
• Review of compliance by outsourcing agents with regard to SLA terms and conditions.
• Review of Identification, Authentication and Authorization Mechanism
• Reconciliation of ATM transactions within the Bank and across the Banks / Establishments.
• Review of the outsourcing practices including on-site visit and audit of the vendor arrangement for the Bank with regard to data and other security, effectiveness and efficiency of all operations and controls.
• Review of security controls / Management Controls of all other interfacing systems including CBS, if any.
• Review of the effectiveness / efficiency of guidelines and procedures in place at Central Office and branch level with regard to CARD / PIN distribution, as advised per extant guidelines, keeping in view the security and control aspects.
• Verification and analysis of situations such as the customer getting money at the ATM but the transaction not being updated at Switch/CBS, and vice versa, because of connectivity problems

(5) Information Systems Security Audit of Internet Banking Applications

AUDITEE: Transaction Banking Department, Central Office, Chennai

Additional SCOPE:
• Review of Security management, Service Level Agreement, Capacity Monitoring Process, Change management (HW/SW/Content), Penetration testing, Logging and its monitoring, Incident Management, De-Militarized Zone, Firewall/IDS Management, Logon process, Sessions handling, Cookies, Input validations, Web server Authentication Mechanism, Hardening of OS, Robustness of Server Administrative practices.
• Security reviews of all servers used for Internet Banking
• Business Continuity preparedness in case of Web server failure, Internet Link failure and other components failure.
• Review to include Internet Payment Gateway – virtual point-of-sale (POS) terminal on the Internet.
• Verification of encryption algorithms, if any, used to protect the data during communication across networks
• Database and System Administration - Adequacy of controls related to Internet Banking at all levels (e.g., Registration Procedure, Authorization Procedure, Amendment Procedure, Record Maintenance Procedure etc.). Database maintenance procedures.
• Verification of maintenance activities such as User Id creation, PIN generation etc.
• Integrity with regard to transactions – Transaction in movement from Browser to CBS server and back
• Application Control review and application security
• Review of Security Controls / Management Controls of all other interfacing systems including CBS.
• Review of the outsourcing arrangement, if any.
• Any other security concern in Internet Banking of the Bank vis-à-vis Industry Standards.
• The Audit report shall suggest remedial measures for each vulnerability / irregularity found
• Review of the Two-Factor Authentication architecture
• Review of the interface with the external vendor providing the SMS communication facility

(6) Information Systems Audit of Mobile Banking Operations

AUDITEE: Transaction Banking Department, Central Office, Chennai

Additional SCOPE:
• Review of Security management, Service Level Agreement, Capacity Monitoring Process, Change management (HW/SW/Content), Penetration testing, Logging and its monitoring, Incident Management, Firewall/IDS Management, Logon process, Sessions handling, Cookies, Input validations, Web server Authentication Mechanism, Hardening of OS, Robustness of Server Administrative practices.
• Business Continuity preparedness in case of Web server failure, Internet Link failure and other components failure.
• Security of any thick-client application running on the device.
• Authentication of the device.
• User-id / Password authentication of the customer.
• Encryption of the data being transmitted over the air.
• Encryption of the data that will be stored on the device for later / off-line analysis by the customer.
• Review of Security Controls / Management Controls of all other interfacing systems including CBS.
• Review of the outsourcing arrangement (SLA) vis-à-vis industry standards.

(7) Information Systems Audit of RTGS / NEFT

AUDITEE: Transaction Banking Department, Central Office, Chennai

Additional SCOPE:
• Review of Controls in RTGS/NEFT Operational environment, Support to Branches/Users/Departments, Incident Response capability, Robustness of Server Administrative practices.
• Review of Identification, Authentication, Authorization Mechanism
• Review of the outsourcing practices and arrangement.
• Review of Security Controls / Management Controls of all other interfacing systems including CBS.
• Review of the directives of RBI/IDRBT on system maintenance and the compliance of the same


(8) Information Systems Audit of Credit Card Operations

AUDITEE: Credit Card Division, Central Office, Chennai

Additional SCOPE:
• Review of Controls in the entire Credit Card Operations of the Bank including Credit Card Management, Switch Operations, Support to Branches/Users/Others, Incident Response capability
• Review of the outsourcing practices including the on-site visit and audit of the vendor located at Chennai and controls in the extranet connectivity to IOB.
• Review of the outsourcing arrangement regarding Point of Sale
• Review of Identification, Authentication, Authorization Mechanism.
• Visit to a few of the branches (minimum two) in Chennai to review the adequacy of the procedures advised to the branches and the practices followed by the branches with regard to Credit Card Operations.
• Reconciliation of the transactions within the Bank and across the Banks/Establishments.
• Review of Security Controls / Management Controls of all other interfacing systems including CBS, if any.
• Ascertain and verify PCI DSS standards compliance

(9) Information Systems Audit of Treasury Operations

AUDITEE: Treasury Department, Central Office, Chennai

Additional SCOPE:
• Review of Security controls / Management Controls of Information Systems supporting the Treasury operations.
• Maintenance of Data Integrity and Security in terms of the reliability of the same in decision making at the apex level.
• Review of Security Controls / Management Controls of all other interfacing systems including CBS, if any.

(10) Information System Audit of Financial Inclusion Cell

AUDITEE: Financial Inclusion Cell, Central Office, Chennai

Brief details of area of operation: The Bank has engaged a third party vendor as technology service provider for the financial inclusion project. An SLA for providing an End-To-End solution for Financial Inclusion through Business Correspondents has been entered into with the third party vendor.

Additional SCOPE:
• Review of Security controls / Management Controls of Information Systems supporting the Financial Inclusion operations.
• Review and confirm that the outsourced activity is in compliance with RBI instructions as per the RBI circulars dated 03.11.2006 and 22.04.2009 on outsourcing activity, and with our Bank’s policy
• Reconciliation of the transactions between the Bank and the outsourced Vendor
• Maintenance of Data Integrity and Security in terms of the reliability of the same in decision making at the apex level.
• Review of Security Controls / Management Controls of all other interfacing systems including CBS.

(11) Information Systems Audit of Payment Gateway

AUDITEE: Transaction Banking Department, Central Office, Chennai

Additional SCOPE:
• Review of Security controls / Management Controls of Information Systems supporting the Payment Gateway operations.
• Maintenance of Data Integrity and Security in terms of the reliability of the same in the making of business decisions.
• Review of security controls / Management Controls of all other interfacing systems including CBS, if any.
• DR Site Audit of the Vendor

(12) Information System Audit of AML software

AUDITEE: AML Cell, Inspection Department, Central Office, Chennai

Brief details of area of operation: In India, the Prevention of Money Laundering Act 2002 forms the core of the legal framework for combating money laundering. The Act is enforced by FIU-IND. The Bank has purchased the software from a third party vendor.

Additional SCOPE:
• Review of Controls in the software, Support to the User Department, Incident Response capability, Robustness of Server Administrative practices.
• Physical security controls for the relevant servers / production environment
• Logical security controls, User Management Process, Systems Administration, Access Control Measures
• Operational Security controls including troubleshooting / help desk
• Change Management Process
• Proper Segregation of duties and other administrative controls
• Adequacy of audit trail, history, Monitoring Mechanism
• Business Continuity / Disaster Recovery Preparedness / Backup (for Data, Systems, Personnel etc.)
• Documentation, Manuals, Job Card availability
• The adequacy of existing Operational Guidelines and Procedures
• Review of the outsourcing practices and arrangement.
• Review of Security Controls / Management Controls of all other interfacing systems including CBS.
• Review of the compliance level with the Government directives on AML operations

(13) Information Systems Audit of Cheque Truncation System

AUDITEE: City Back Office, Chennai

Brief details of area of operation: The Cheque Truncation System has been outsourced to a third party vendor. CTS is centralized at the City Back Office (CBO), Chennai.

Additional SCOPE: Generally the review / audit shall take into account the following:
• Physical security controls for the relevant servers / production environment
• Logical security controls, User Management Process, Systems Administration, Access Control Measures
• Operational Security controls including troubleshooting / help desk
• Change Management Process
• Proper Segregation of duties and other administrative controls
• Adequacy of audit trail, history, Monitoring Mechanism
• Business Continuity / Disaster Recovery Preparedness / Backup (for Data, Systems, Personnel etc.)
• Documentation, Manuals, Job Card availability
• The adequacy of existing Operational Guidelines and Procedures

IV. TIME-FRAME AND DELIVERABLES:

The selected firm should complete the audit and hand over the final report within one month from the date of acceptance of the assignment / order. Each page of the Report should be signed by the Auditor and should be affixed with the stamp of the firm. Before submitting the final report the firm is expected to discuss the observations / recommendations with the Auditee (Department concerned) and the Inspection Department. The final report should contain the signature of the official from the Department audited (Auditee).


DELIVERABLES: While the firm may prepare the report in its own format, we expect the same to contain the following:
(i) The Report should contain observations on the gaps / shortcomings in the existing practices, with reference to best practices and industry standards.
(ii) The Report should contain the risk associated with non-adherence to best practices in the short / long term and suggestions/recommendations for improvement, if any.
(iii) The Report should identify / classify observations into critical and non-critical.
(iv) An Executive summary should form part of the report.
(v) All the pages of the report should be signed and stamped.

The Bank reserves its right to enlarge the scope of deliverables and to increase the deliverables any time before the work order is given.

V. ELIGIBILITY CRITERIA FOR THE BIDDERS:

A. The firms offering services should not be a proprietary concern or an individual and must be a Partnership Firm or a Corporate Entity like a Limited Company, or a statutory body, or a government department, or a society etc. Documents like a certified copy of the Partnership Deed, Society Registration Certificate, Certificate of Incorporation etc., as applicable, will have to be produced as proof of constitution. Proof of the Bidder’s standing (experience) in this line should also be produced.
B. At least 5 years existence of the firm/company and in the line of IT / IS Audit / Security activity.
C. Turnover of above Rs.50.00 lakhs from IS Audits / IT Security Services.
D. CERT-In Empanelled (CERT-In: Computer Emergency Response Team India, coming under the Department of Information Technology, Government of India).
E. Should have conducted IS Audit / Security review assignments for at least 3 scheduled commercial banks.
F. Should not have conducted the IS Audit of the same activity / application in our Bank during 2011-12.
G. Should have conducted at least one Information Systems Audit Assignment of a scheduled Bank in India pertaining to the particular audit area (like BCP/DRP, CBS, Internet Banking, ATM Switch, ATM Card Management, Network Security, Credit Card Operations, Data Centre etc.) for which the auditor wishes to be considered.


H. The Firm should be employing at least five CISA / CISSP / CISM / CEH qualified personnel on its rolls who should also have adequate knowledge/experience in similar types of assignment in banking / related areas. Details of such persons, with complete details of their qualifications (both general and technical), experience in the relevant area of assignment and domain knowledge, shall be furnished with the technical bid along with documentary evidence. The successful bidder should deploy only such qualified personnel for the assignment to be allotted.
I. The Firm and its personnel should have a proven approach / methodology to information system security/audit assignments and should have experience in handling IS security/audit related assignments in banking and similar financial institutions in the country. Proof of having handled such assignments should be submitted along with the technical bid.
J. The firm should have the capability to perform the entire scope of the assignment without outsourcing the same to any third party or engaging persons other than their own employees for this assignment.
K. Auditors will not have any professional relationship with the Department that they audit.
L. Auditors should adhere to the Do’s and Don’ts conditions that would be stipulated by the Bank (as given in the Annexure).
M. Auditors should sign the Non Disclosure Agreement (NDA) and Fiduciary & Secrecy as given in the Annexure.

The Bidder is expected to examine all instructions, forms, terms and specifications in these documents and should submit relevant documents supporting the above eligibility / qualification criteria. Failure to furnish all information required in the documents, or to submit a bid not substantially responsive to the documents in every respect, will be at the Bidder’s risk and may result in the rejection of the bid. All bids and supporting documentation shall be in English.

FIRMS NOT SATISFYING THE ABOVE ELIGIBILITY CRITERIA NEED NOT BID.

VI. TECHNICAL BID:

The technical details shall consist of the methodology to be adopted for the proposed IS Audit / review, satisfying the scope and requirements detailed in Clause III above (including the additional scope mentioned for each activity), and should be furnished in the format specified in Annexure 2. The Technical Bid should be submitted as a hard copy in a sealed cover. No other format will be accepted.

As mentioned earlier, for each activity a separate Technical Bid is to be submitted as per Annexure 2. The Technical Bid should NOT contain any pricing or commercial information at all. If it does, it will be summarily rejected.

VII. COMMERCIAL BID:

The Commercial Bid should be submitted as a hard copy in a sealed cover. No other format will be accepted. As mentioned earlier, for each activity a separate Commercial Bid is to be submitted as per Annexure 3. The commercial bid shall be valid for a period of three months from the last date for submission of the bid.

VIII. SUBMISSION OF BIDS:

The original technical and commercial bids shall be typed and shall be signed by the Bidder or a person / persons duly authorized to bind the Bidder to the contract. Any inter-lineation, erasures or overwriting shall be valid only if the person or persons signing the bid initial them. Technical and commercial bids are required to be submitted in the formats provided in ANNEXURE 2 and 3 respectively, in separate sealed envelopes superscribed “Technical Bid for Review/Information Systems Audit of …..……………..” and “Commercial Bid for Review/Information Systems Audit of …………….………..” as the case may be, and addressed as under:

The Asst General Manager (VS)
Indian Overseas Bank
Information Systems Audit Cell
Inspection Department
Central Office, 763, Anna Salai, (II Floor – Annexe Building)
Chennai 600002.
Contact Numbers Phone: 044-2851 9546, 2851 9664, 2851 9442
Email: [email protected]

The bids shall be submitted under the cover of a letter as per the format in Annexure 1. Bids as mentioned above should be sent so as to reach the Asst General Manager at the address given above by Registered Post on or before 24.11.2012.


The bid document may also be handed over to the Asst General Manager or Senior Manager, Information Systems Audit Cell, Inspection Department, Central Office, Chennai before the scheduled date and time for receipt of the bids. In the event of the specified date for the submission of bids being declared a holiday for the Bank, the bids will be received up to 5 PM on the next working day. Extension of submission date will be at the sole discretion of the Bank.

IX. EVALUATION OF TECHNICAL BID AND SHORT LISTING

The technical bids of the eligible firm/company/organization would be evaluated based on one or more of the following:

• The bidder’s experience and its relevance for the assignment
• The qualifications/experience of the key staff proposed to be employed for the assignment
• The quality of the methodology proposed
• The business strength of the bidder, like turnover, period of operation in the line etc.

To assess the capability of handling the assignment, if necessary, the bidders may be asked to give a demo of their capability and participate in an interaction with a team of officials of the Bank. If considered necessary, the bidders will also be called, either collectively or individually, for a presentation and discussion on the technical aspects including the methodologies they propose to adopt. After such technical evaluation, a short list of technically qualified bidders will be prepared. Commercial bids of only such short-listed bidders will be opened and evaluated for awarding the contract. The right of acceptance / rejection of any bid or otherwise will rest solely with the Bank.

X. EVALUATION OF COMMERCIAL BID:

The Bank’s evaluation of the Commercial Bids will take into account the following factors: (a) Status of compliance with the terms and conditions mentioned under the technical criteria of this RFP and (b) Submission of commercial bids strictly in the format specified in Annexure 3 of the RFP.

Any change in the format specified or inclusion / addition of any condition in the commercial bid or attaching any addendum / annexure to the commercial bid may result in rejection of the bid.

XI. DETERMINATION OF L1 BIDDER AND AWARDING OF CONTRACT

On completion of the evaluation of the commercial bid and based on any clarification submitted by the bidder in response to the Bank’s query, if any, on the commercial bid, the contract will be awarded to the L1 bidder, i.e. the bidder who has quoted the lowest price. There will normally be no negotiation on the price. As such, bidders, in their own interest, should quote the most competitive prices. The Bank reserves the right to reject the L1 bid if the same is found unreasonable. If for any reason the work order given to the L1 Bidder does not get executed or the L1 bidder backs out, the Bank has the right either to go for fresh bids or to award the work order to the next lowest bidder.

XII. CLARIFICATION:

During evaluation of the bids, the Bank may, at its discretion, ask the Bidder for any clarification on its bid. The request for clarification and the response thereto shall be in writing and no change in the commercials (price, rate etc.) shall be sought, offered, or permitted after submission of the bids.

XIII. CONTACTING THE BANK:

Any effort by a Bidder to influence the Bank in its decisions on bid evaluation, bid comparison, contract award etc., will result in the rejection of the Bidder’s bid.

XIV. BANK’S RIGHT TO ACCEPT AND TO REJECT ANY OR ALL BIDS:

The Bank reserves the right to accept or reject any bid, and to annul the bidding process and reject all the bids at any time prior to award of contract/assignment, without thereby incurring any liability to the affected Bidder or bidders or any obligation to inform the affected Bidder or bidders of the grounds for the Bank’s action.

XV. NOTIFICATION OF AWARD AND SIGNING OF CONTRACT

The notification of award in the form of a work order/assignment letter and acceptance thereof by the bidder will constitute the formation of the contract. Within 7 days (inclusive of holidays) of receipt of the work order, the successful Bidder shall sign, affix official stamp and date on the duplicate copy of the work order/assignment letter and return it to the Bank as a token of having accepted the terms and conditions of the work order/assignment.

XVI. PAYMENT TERMS:

No advance will be paid to the selected bidder before the commencement of work or while the work is in progress. The contracted amount will be paid only after successful completion of the work and after the documents as per clause IV (‘Deliverables’) are received by the Bank in full and the invoice is raised. 50% of the work order value will be paid on handing over the draft copy of the report to the satisfaction of the Bank. The remaining 50% will be paid after the entire assignment is completed and the final report is handed over and accepted by the Bank.

XVII. RE-ASSIGNMENT

The Successful Bidder shall not assign, in whole or in part, its obligations to perform under this Contract to any other entity.

XVIII. USE OF CONTRACT DOCUMENTS AND INFORMATION

The successful Bidder shall not, without the Bank’s prior written consent, disclose any specification, plan, drawing, pattern, sample, or any other information furnished by or on behalf of the Bank in connection therewith, to any person other than a person employed by such bidder in the performance of the contract. Disclosure to any such employed person shall be made in confidence and shall extend only so far as may be necessary for purposes of such performance. The bidder is solely responsible for any leakage of Information or misuse of Information by the persons employed by the bidder.

XIX. TERMINATION FOR DEFAULT

The Bank, without prejudice to any other remedy for breach of contract, by written notice of default sent to the Bidder, may terminate this Contract in whole or in part, if the Bidder fails to deliver any or all of the deliverables specified in the work order, or within any extension granted by the Bank, if any, pursuant to clause IV, or if the Bidder fails to perform any other obligation(s) under the Contract.

XX. TERMINATION FOR INSOLVENCY:

The Bank may at any time terminate the Contract by giving written notice to the Bidder, if the bidder becomes bankrupt or otherwise insolvent. In this event, termination will not prejudice or affect any right of action or remedy which has accrued or will accrue thereafter to the Bank.

XXI. BIDDER’S LIABILITY FOR TERMINATION OF CONTRACT

In the event of the Bank terminating the Contract in whole or in part, pursuant to clause XIX, the Bank may procure, upon such terms and in such manner as it deems appropriate, Goods or Services similar to those undelivered, and the Bidder shall be liable to the Bank for any excess costs for such similar Goods or Services. However, the Bidder shall continue performance of the Contract to the extent not terminated.

XXII. FORCE MAJEURE

Notwithstanding the provisions of clauses XIX, XX and XXI, the Bidder shall not be liable for penalty for termination for default if and to the extent that its delay in performance or other failure to perform its obligations under the Contract is the result of any event of Force Majeure. For purposes of this clause, “Force Majeure” means an event beyond the control of the Bidder and not involving the Bidder’s fault or negligence and not foreseeable. Such events may include, but are not restricted to, wars or revolutions, fires, floods and epidemics. If a Force Majeure situation arises, the Bidder shall promptly notify the Bank in writing of such condition and the cause thereof. Unless otherwise directed by the Bank in writing, the Bidder shall continue to perform its obligations under the Contract as far as is reasonably practical, and shall seek all reasonable alternative means of performance not prevented by the Force Majeure event.

XXIII. OTHER TERMS AND CONDITIONS

This offer document is not transferable. No offer can be modified by the bidder subsequent to the closing date and time for submission of offers. The Bank reserves its right to cancel the work order in case of the bidder’s delay in commencing the work beyond the specified period or delay in completion beyond the stipulated time. In such case, in addition to the cancellation of the work order, the Bank reserves the right to claim damages from the bidder. The Bank will provide the required number of computer systems for the purpose of conducting the System Review. Any external software or testing tool required to be used by the bidder will have to be arranged and installed by the bidder only at their cost and with due permission from the Bank. Details of such software or other external tool to be used have to be furnished along with the technical bid.

INDEMNITY:

The Bidder shall indemnify, protect and save the Bank against all claims, losses, costs, damages, expenses, action suits and other proceedings resulting from infringement of any patent, trademarks, copyrights etc. or such other statutory infringements in respect of the activities of the firm in the course of review. The Bidder shall indemnify the Bank against any loss which the Bank may sustain or incur as a result of the Bidder or any person employed by the bidder causing loss / damage to the systems / network / outputs / operating manuals / third party intellectual property rights during the course of dealing / operating with the Bank. The successful bidder should submit an indemnity to the Bank to the above effect in the format prescribed by the Bank.

PUBLICITY:

Any publicity by the bidder in which the Bank's name is to be used should be done only with the explicit written permission of the Bank.

PROTECTION OF IPR:

The copyright and all other intellectual property rights of whatever nature in the information systems, in the Operating Manuals and in all other specifications and documentation relating to the systems are and shall remain vested with the Bank. The bidder shall undertake to treat as confidential and keep secret all information contained or embodied in the systems and documentation relating to the systems and all information conveyed by the Bank.

NON-DISCLOSURE OF INFORMATION

The bidders shall not, without the Bank's written consent, disclose any specification or information furnished by or on behalf of the Bank to any person other than a person employed by the bidder in the performance of the work assigned to them. The successful bidder shall be required to sign a Non Disclosure Agreement with the Bank in the prescribed format.

********.********

Annexure - 1

Covering letter format on the letterhead of the bidder

(In Letterhead of the bidder firm)

Ref No.

Date:_______2012

To:

Dear Sirs,

Ref: We refer to your RFP No…………..dated…………webcast on ……. and hereby confirm having perused the same and all its annexures. We, the undersigned, offer our services for the Information Systems Audit/Review mentioned in the RFP in conformity with the Bank's requirements and on the terms and conditions stipulated therein. We enclose two sealed envelopes, duly superscribed, one containing the technical and the other the commercial bid for your consideration. We confirm that the price quoted by us in the commercial bid is all-inclusive. We note that the Bank reserves the right to reject any or all the offers at any stage before award of the contract without assigning any reason and without incurring any liability to the bidders therefore.

Signature: ______________________________________ Dated:

(In the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of the firm / company

Annexure - 2

Technical Bid (To be kept in a separate sealed cover duly superscribed as TECHNICAL BID FOR REVIEW / I.S.Audit of ………………)

DETAILS OF THE BIDDER

1. Name of the Company/Firm/Society/Organization
2. Constitution
3. Postal Address
4. Phone No., Mobile, email:
5. Name of the Partners / Directors / Members
6. Details of Information Systems Audit / Review assignments of banks and financial institutions of the country undertaken by the firm (Enclose separate sheets). Of these, the details of the assignments in the relevant area for which the bid is made
7. Name and designation of the Contact Person, with Phone No., Mobile and email id:
8. a. Details of Human Resources available: (enclose separate sheets)
   b. Names and designations of persons available with CISA / CISSP / CISM / CEH and other relevant certifications
   c. Details of experience of such persons in IS Review / IS Audit
   d. Details of experience in banking related applications/domain:
9. Details of the IS Review / Audit methodology proposed to be adopted and details of assessment tools, if any, proposed to be used. (Enclose separate sheet)
10. Capability to perform the assignment without out-sourcing: (Enclose documents, if any)

I / We agree to sign the Non Disclosure Agreement, Fiduciary & Secrecy and the Do’s and Don’ts in the format given in the RFP if we are assigned the job.

Date:

Signature: ______________________________________

(in the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of the firm / company

Annexure - 3

Commercial Bid (To be kept in a separate sealed cover duly superscribed as COMMERCIAL BID FOR REVIEW / I.S.Audit of …………………)

All inclusive price for Review / Information Systems Audit of ……………………. …………..at Indian Overseas Bank, Chennai vide their RFP No………….dated…………. is Rs…………… (in figure) Rupees ………………. . (in words)

The price is inclusive of all service charges, levies, taxes and other charges, if any.

Date:

Signature: ______________________________________

(in the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of the firm / company.
