REQUEST FOR PROPOSAL (RFP) FOR ... - The RFP Database [PDF]



Tender No. 062008

Banking with personal touch

REQUEST FOR PROPOSAL (RFP) FOR Consultancy for ISO27001 Certification

Bank of Maharashtra
Central Office
Information Technology Department
1501, Lokmangal, Shivajinagar
Pune- 411 005
Phone : 25536051 / 25532731- Extn-291/350
Fax : 25521568
Email : [email protected]
Website: www.bankofmaharashtra.in

Cost of Tender Document: Rs.5000/-

BOM- RFP- ISO 27001 Certification


Contents

PART I       Invitation for tender offers
PART II      Instructions to Bidders
PART III     Terms and Conditions
ANNEXURE 1   Format of tender offer cover letter
ANNEXURE 2   Bidders Information
ANNEXURE 3   Proforma for Bank Guarantee
ANNEXURE 4   Scope of work
ANNEXURE 5   Commercial Bid
ANNEXURE 6   Format for CV
ANNEXURE 7   Check list of documents to be submitted


1. Invitation for Tender offers

Introduction

Bank of Maharashtra, established in 1935, was nationalized in the year 1969. The Bank is a force to reckon with, having more than 900 branches in the State of Maharashtra itself, the largest network of branches of any Public Sector Bank in this state. The Bank has a four-tier organizational structure comprising Branches, Regional Offices, Circle Offices and Central Office, with a network of more than 1376 branches spread across the country. The Bank has specialized branches catering to the needs of Industries, Corporate clients, Exporters & Importers, Small Scale Industries and Agriculturists.

As a part of modernization of banking services of the Bank in tune with the emerging technologies and with a view to provide integrated products and services to the customers, the Bank has embarked upon a series of technology initiatives including implementation of Core Banking Solution ('CBS'). Various IT initiatives taken by the bank so far are:

• Implementation of Core Banking Solution covering more than 700 branches spread across the country. The bank has established a tier 3 data centre at Pune with a disaster recovery site at Hyderabad (co-hosted at Hi tech Park city in TCS premises).

• Commissioned the Bank's Wide Area Network 'MAHANET', which connects more than 700 branches, all Regional Offices, Circle Offices and Central Office.

• Is a member of Indian Financial Network (INFINET) set up by Institute for Development & Research in Banking Technology (IDRBT) for the purpose of interbank and intra-bank communication and settlements.

• Has deployed a mail messaging solution using IBM Lotus Domino server at Data Centre with DR site at Hyderabad.

• Development of various in-house application software for departments of Central Office, Regional Office, Service Branch, etc. using FoxPro, VB-SQL, etc.

• Setup and installation of 345 ATMs across the country with Visa affiliation for the card.

• Setting up of the state of the art IT Training Institute at Pune for imparting training in all IT related areas and products.

• Introduction of Internet banking, Mobile banking and Telebanking.

• The bank has computerized all the Rural and semi urban branches using Nelito BIBAS software (bilingual branch automation software).

• The bank has prepared Information Security Policies and Procedures for implementation across the organization.

In view of these major strides in the field of I.T., it has now been decided to go for ISO 27001 certification. Hence Bank of Maharashtra invites sealed tender offers (Technical bid and Commercial bid) from eligible, reputed firms for Consultancy for ISO 27001:2005 certification for Central Office IT Department, Data Centre, Disaster Recovery site and CBS Project Management Office as specified in the Scope of Work.


A complete set of tender documents may be purchased by eligible bidder upon payment of a non-refundable fee of Rs.5000/- (Rs. Five Thousand only) by demand draft / banker's cheque in favour of Bank of Maharashtra and payable at Pune.

Bid Collection and Submission

Tender Reference number: 062008
Price of Tender Copy: Rs.5000/-
Earnest Money Deposit (EMD): Rs.1 lakh
Date of commencement of sale of tender document: 24/09/2008
Last Date of sale of tender document: 23/10/2008
Queries to be mailed by: 01/10/2008
Pre-Bid meeting with Bidders: 13/10/2008 at 11.00 hrs
Last Date and Time for receipts of tender offers: 23/10/2008 up to 15:00 hrs
Time and Date of Opening of technical bids: 23/10/2008 at 16:00 hrs
Place of Opening tender offers: Bank of Maharashtra, Information Technology Department, Central office, 1501, Lokmangal, Shivaji Nagar, Pune-411 005.
Address for Communication: As above
Contact Telephone Numbers: Phone no: 020-25536051, 020-25520708; Fax no: 020-25521568

Tender offers will be opened in the presence of the bidder representatives who choose to attend the opening of tender on the above-specified date, time and place. Technical Specifications, Terms and Conditions and various formats and pro forma for submitting the tender offer are described in the tender document.

General Manager IT, BPR & MIS


2. Instructions to bidders

2.1. Two Bid System Tender

Two Copies of the Technical Bid (Each in Separate Envelopes) & One Copy of the Commercial Bid must be submitted at the same time, giving full particulars in separate sealed envelopes at the Bank's address given below, on or before the schedule given above. All envelopes should be securely sealed and stamped. The sealed envelope containing Commercial bid must be submitted separately to the Bank. The softcopy of the technical Bid should also be provided in a CD along with the technical bid. The hard copy of the bid document shall be treated as correct and final, in case of any errors in soft copy.

Earnest Money Deposit must accompany all tender offers as specified in this tender document. EMD amount/Bank Guarantee in lieu of the same should not be mixed with Technical/Commercial bid. It should be in separate cover to be handed over to the department.

Bank's address
Dy. General Manager
IT, BPR & MIS
Bank of Maharashtra
"Lokmangal", 1501, Shivajinagar
Pune - 411005

All the envelopes must be super-scribed with the following information:

• Type of Offer (Technical or Commercial)
• Tender Reference Number
• Due Date
• Name of Bidder
• Name of the Authorised Person

All Schedules, Formats and Annexures should be stamped and signed by an authorized official of the bidder’s company. The bidder will also submit copy of the RFP duly stamped and signed on each page by the authorized official of the bidder’s company.

ENVELOPE-I (Technical bid): The Technical bid should be complete in all respects and contain all information asked for, except prices. The TECHNICAL BID should include all items asked for in Annexure-2. The Technical bid should not contain any price information. The TECHNICAL BID should be complete to indicate that all products and services asked for are quoted and should give all required information. A copy of original Commercial offer with prices duly masked should be submitted along with the Technical Bid.


ENVELOPE-II (Commercial bid): The Commercial bid should give all relevant price information and should not contradict the TECHNICAL BID in any manner. The prices quoted in the commercial bid should be without any conditions. The bidder should submit an undertaking that there are no deviations to the specifications mentioned in the RFP either with the technical or commercial bids submitted.

These three envelopes containing the Technical bids (Two copies in Separate envelopes) and Commercial bid should be separately submitted. Please note that if any envelope is found to contain both technical and commercial bid, then that offer will be rejected outright. The three envelopes will have to be handed over to any of the following persons, who will provide an acknowledgement for receipt of the envelopes.

1. Mr Tushar Talegaonkar, Senior Manager-IT
2. Mr Sanjeeb Nayak, Senior Manager-IT

Bank's Address
Bank of Maharashtra, IT Department
"Lokmangal", 1501, Shivajinagar
Pune - 411005

2.2. Annexure to the Tender

This tender comprises the following schedules / Annexures:

Annexure 1: Format of Covering Letter
Annexure 2: Bidder's Information
Annexure 3: Proforma of Bank Guarantee for Earnest Money
Annexure 4: Scope of Work
Annexure 5: Commercial Bid
Annexure 6: Format of CV for the Professionals to be involved in the consultancy for design, implementation and certification ISO 27001:2005.
Annexure 7: Check List of documents to be submitted.

2.3. Eligibility Criteria

The bidders who fulfil the eligibility criteria mentioned in "Qualification Criteria" of the tender will only be eligible for further process i.e. technical evaluation.

2.4. Terms and Conditions

Terms and conditions for bidders who participate in the tender are specified in the section called "Terms and Conditions". These terms and conditions will be binding on all the bidders. These terms and conditions will also form a part of the purchase order, to be issued to the successful bidder(s) on the outcome of the tender process.

2.5. Non-transferable Tender

This tender document is not transferable. Only the bidder who has purchased this tender form is entitled to quote.


2.6. Soft Copy of Tender document

The soft copy of the tender document will be made available on the bank's website. However Bank of Maharashtra shall not be held responsible in any way for any errors/omissions/mistakes in the downloaded copy. The bidder is advised to check the contents of the downloaded copy for correctness against the printed copy of the tender document. The printed copy of the tender document shall be treated as correct and final, in case of any errors in soft copy. The bidders who are submitting the bid by downloading from the Bank's website will have to pay the non-refundable fee of Rs.5000/- by way of a demand draft / bankers' cheque in favour of Bank of Maharashtra payable at Pune while submitting the bid.

2.7. Offer validity Period

The offer should hold good for a period of 180 days from the date of the opening of Commercial bid.

2.8. Address for Communication

Offers should be addressed to the following office at the address given below:

Deputy General Manager
IT, BPR & MIS
Bank of Maharashtra
Central Office, "Lokmangal"
1501, Shivaji Nagar
Pune - 411005
Emails: [email protected], [email protected], [email protected] [email protected]

2.9. Pre-Bid Meeting

For the purpose of clarification of doubts of the bidders on issues related to this RFP, Bank of Maharashtra intends to hold a Pre-Bid Meeting on the date and time as indicated in the RFP. The queries of ALL the bidders should reach in writing or by e-mail on or before 01/10/2008 on the address as mentioned above. It may be noted that no queries received from any bidder after the Pre-Bid Conference shall be entertained. The clarifications given in the Pre-Bid meeting will be available on the Bank's Website. Only the authorized representatives of the bidders who have purchased the RFP will be allowed to attend the Pre-Bid meeting.

2.10. Opening of Offers by Bank of Maharashtra

Tender offers received within the prescribed closing date and time will be opened in the presence of bidders' representatives who choose to attend the opening of the tender on the specified date and time as mentioned earlier in the tender document. The bidder's representatives present shall sign a register of attendance and minutes and they should be authorized by their respective companies to do so. A copy of the authorization letter should be brought for the Bank to verify.


2.11. Scrutiny of Offers

Scrutiny of Bids will be in three stages as under:

• Eligibility Criteria: Bank of Maharashtra will first scrutinize the eligibility of the prospective bidders as per "Eligibility criteria" mentioned in the RFP based on the documents submitted. The offers of only those bidders who fulfil the above eligibility criteria will be taken up for further scrutiny i.e. technical evaluation.

• Technical evaluation: Bank of Maharashtra will scrutinize the technical offers. Bank of Maharashtra will determine whether the technical details along with documents have been furnished as per RFP and whether items are quoted as per the schedules / Annexures. The bidders who qualify in technical evaluation will only be short-listed for commercial evaluation. The technical evaluation will be done on the basis of the information provided in the "Bidder's Information" format along with supporting documents. The bidder will have to give a presentation on the following points as a part of the technical evaluation.

1. Process approach for ISO 27001:2005 design & Implementation.
2. Risk Assessment process approach and methodology
3. ISMS development activities details.
4. Pre-audit assessment process plan and execution.
5. Certification audit stage plans.
6. Surveillance audit plans.
7. Statement of Applicability: approach and completion
8. Deliverables
9. Project timeline and completion plan
10. Consultancy Team details such as qualifications, experience etc.
11. Case study of any ISO 27001:2005 certification carried out in the past.

A team of Bank officials along with the Bank's consultant will evaluate the bidder on the above mentioned points. Each of the above mentioned points will carry a weightage of 10 points. The bidder will have to procure a minimum 75 points to qualify technically. The points given by the evaluation team are final and the Bank will not entertain any queries on the points given to a particular bidder or its competitors.

• Commercial evaluation: Bank of Maharashtra will open and scrutinize the commercial offers of the technically qualified bidders only. The Commercial bids will have to be submitted in the format as per Annexure-5. Commercial bids should not have any alteration or overwriting. The bank may reject or load the financial implication of any alteration, if found in the commercial bid submitted by the respective bidder. The calculation arrived at by the Bank will be final and will be binding on the bidders. If any cost item in the commercial bid is found to be blank and not filled with any amount, then it shall be considered as zero and the same will be offered to the Bank free of any charges.


2.12. Clarification of Offers

To assist in the scrutiny, evaluation and comparison of offers, Bank of Maharashtra may, at its discretion, ask some or all bidders for clarification of their offer. The request for such clarifications and the response will necessarily be in writing.

2.13. No Commitment to Accept Lowest or Any Tender

Bank of Maharashtra shall be under no obligation to accept the lowest or any other offer received in response to this tender notice and shall be entitled to reject any or all offers including those received late or incomplete offers, without assigning any reason whatsoever. Bank of Maharashtra reserves the right to make any changes in the terms and conditions of the RFP. Bank of Maharashtra will not be obliged to meet and have discussions with any bidder, and or to listen to any representations.

2.14. Submission of Technical Details

It is mandatory to provide the technical details in the exact format of Bidder's Information as per Annexure-2. The offer may not be evaluated by Bank of Maharashtra in case of non-adherence to the format or non-submission / partial submission of technical details as per the format given in the tender. Bank of Maharashtra will not allow/permit changes in the technical specifications once it is submitted. The relevant information, printed brochure, technical specification sheets etc. should be submitted along with the offer. Failure to submit this information along with the offer could result in disqualification. (Please refer to the suggested checklist given in this document.)

2.15. Format for Technical bid

The Technical bid must be made in an organized, structured and neat manner. Brochures/leaflets etc. should not be submitted in loose form. This can be divided into three parts: the first part should contain the documents supporting the eligibility of the vendor to participate in the tendering process as per the eligibility criteria mentioned in the RFP, the second part should contain the technical details of the proposed project and the third part should contain the technical brochures etc.


The suggested format for submission of Technical bid is as follows:

1. Index
2. Covering letter. This should be as per Annexure-1.
3. Details of the bidder, as per Annexure-2.
4. Compliance of eligibility criteria along with support documents in following format.

Sr No | Short Description of Eligibility Criteria | Submitted Yes/No | Write figures wherever required
1 | Certificate of Incorporation/ Partnership deed | |
2 | Balance Sheets 2005-06, 2006-07, 2007-08 (If the Balance sheet is provisional the CFO of the company should certify the same under company's seal) | |
3 | Profit figure 2005-06, 2006-07, 2007-08 | | Profit: (Rs in lacs)
4 | Details of minimum six experts/Certified Resources with minimum one each from a) CCNA/CCNP b) CISSP/CISA c) BS 7799 / ISO 27001:2005 Lead Auditor. Bio Data in the enclosed format along with the copies of certificate. | |
5 | Team Leader must be ISO 27001:2005 Lead Auditor having experience of conducting ISO 27001:2005 audit | |
6 | Necessary certificates having executed orders of value of minimum Rs.25 lacs during last three financial year for ISO27001 Certification audit of Data Center out of which one should be for a commercial bank or financial institution (This certification from the client in addition to the copies of purchase orders enclosed) | |
7 | Whether involved directly or indirectly in implementation or audit of security and network infrastructure of Bank Of Maharashtra | |
8 | Self-declaration for being Not blacklisted | |

The eligibility criteria will be verified based on above compliance table duly filled by the bidder along with the supporting documents.


5. The bidder should give an undertaking that the bidder complies with / accepts all terms and conditions stipulated in the RFP without any deviations.
6. Implementation methodology
7. Details of Risk assessment and audit tools.
8. Design, implementation and certification methodology document.
9. Deliverables
10. Project time plan for implementation and ISO 27001:2005 certification.
11. Valid Bank Draft / Bank Guarantee in lieu of EMD (To be submitted in a separate envelope along with the First Copy of Technical Bid.)
12. Bidder's Financial Details (audited balance sheets, annual reports etc.) and other supporting documents, as asked in the tender document
13. Copy of the Commercial Bid duly masking the price column.
14. Details of certification authority.

2.16. Masked Commercial

The bidder should submit a copy of the actual price bid being submitted to the bank by masking the actual prices. This is mandatory. The bid may be disqualified if it is not submitted.

2.17. Format for Commercial bid

The Commercial bid must not contradict the Technical bid in any way. The suggested format for submission of Commercial bid is as follows:

a. Index
b. Covering letter
c. Commercial Version of commercial bid document as per Annexure-5
d. A statement that the bidder agrees with Payment terms given in the tender.

2.18. Costs & Currency

The offer must be made in Indian Rupees only, and price quoted must include all taxes and levies.

2.19. Fixed Price

The Commercial bid shall be on a fixed price basis, inclusive of all taxes and levies at site as mentioned above. No price variation relating to increases in customs duty, excise tax, Service tax, dollar price variation etc. will be permitted.

2.20. No Negotiation

It is absolutely essential for the bidders to quote the lowest price at the time of making the offer in their own interest, as Bank of Maharashtra will not enter into any price negotiations.

2.21. Short-listing of Bidders

Bank of Maharashtra will create a short-list of technically qualifying bidders and the Commercial bids of only these bidders will be opened.


2.22. Right to Alter location and/or Scope

Bank of Maharashtra reserves the right to alter the proposed locations / scope. Bank of Maharashtra also reserves the right to remove one or more locations from the list of locations specified in tender. In case a location is removed, then the amount quoted for that location and other expenses should be reduced proportionately.

2.23. Qualification Criteria

Eligibility of the Bidder

a) The Bidder should be a PSU / PSE / a limited company / a registered partnership firm having existence in India. The necessary certificates, for example, Certificate of Incorporation in case of a Limited company, Registration Certificate along with the latest partnership deed in case of partnership firm, should be submitted with the offer.

b) The Bidder should be in existence for five years as on 31.03.2008. (In case of mergers/ acquisitions/ restructuring or name change, the date of establishment of earlier/ original Partnership Firm/ Limited Company can be taken into account.)

c) The Bidder Company / firm should have made profits in the last three financial years i.e. 2005-2006, 2006-2007 and 2007-2008. A copy of last three financial years' relevant audited balance sheets and profit and loss statements should be submitted with the offer.

d) The bidder should have executed orders for ISO 27001 Certification, Audit of Data Center totalling to Rs.25.00 Lakhs during last three financial years out of which one should be for a commercial bank or financial institution. Necessary certificates to that effect from the clients should be enclosed.

e) The Bidder should have minimum of six experts and certified resources with at least one from each of the following:
• CCNA/CCNP
• CISA / CISSP
• BS 7799 LA / ISO 27001 LA

f) Team Leader must be ISO 27001:2005 Lead Auditor having experience of conducting at least one ISO 27001:2005 audit.

g) The bidder should not be involved directly or indirectly in implementation or audit of security and network infrastructure of Bank Of Maharashtra.

h) The Bidder should not have been blacklisted by any Government department / PSU / PSE or banks. Self-declaration to that effect should be submitted along with the technical bid.

2.24 Earnest Money Deposit

Bidders are required to give a Demand Draft drawn in favour of Bank of Maharashtra and payable at Pune (valid for 180 days from the due date of the tender) for Rs.1 lac (Rupees One lac only) as Earnest Money Deposit (EMD) along with their offer. Offers made without E.M.D. will be rejected. Bank of Maharashtra will not pay any interest on the E.M.D. The Bank may accept Bank Guarantee in lieu of EMD for an equivalent amount issued by any Public Sector Bank other than Bank of Maharashtra or by any scheduled commercial bank acceptable to Bank of Maharashtra. In case of Bank Guarantee from other than Public sector banks, prior permission of Bank of Maharashtra is essential. The BG should be valid for 6 months from the date of submission of the offer. The format of BG is enclosed.


3. Terms and Conditions

3.1 Project Timeline

The bidder has to adhere to the following time lines.

Stages | Particular | Period
Stage 1 | Completion of locational review and current state study after placing of order. | Within four weeks from the date of purchase order.
Stage 2 | Submission of ISMS Implementation Plan / procedure and methodology as per scope of work. | Within two weeks after completion of stage 1.
Stage 3 | Completion of Document audit | Within three weeks after the completion of stage 2.
Stage 4 | Gap analysis and implementation after stage 1 audit. | Within 12 weeks from the date of completion of stage 3.
Stage 5 | Final certification (stage 2) audit | Within 3 weeks from the date of completion of stage 4.

3.2 Timeframe

The basic objective is to enable the Bank to obtain certification within a period of six months from the date of purchase order. Accordingly, the consultant would carry out a comprehensive study of the extant systems & procedures, documentation etc. in the set-up identified for certification and should harmonize them with BS / ISO standards, culminating in the Certification. Thereafter, a post-certification surveillance audit is to be carried out once a year for a period of three years, for maintenance of certification. The total Project should be completed within six months of placing of order.

3.3 Payment Terms

10%: After successful completion of stage 1
30%: After successful completion of stage 3
20%: After successful completion of stage 4
40%: After getting Final certification.

The above payment terms are applicable for the stages up to surveillance audit. The payment for surveillance audit will be released on yearly basis after completion of the audit.

3.4 The final selected bidder will have to sign a contract with the Bank. The contract will be based on the terms and conditions mentioned in the RFP.

3.5 Delays in Design, Implementation and Certification ISO 27001:2005 and Performance Guarantee

The final short listed firm should submit a performance guarantee valid for three years from the date of signing the contract. The value of the guarantee will be 10% of the amount of Purchase order. The Consultant must strictly adhere to the project time line schedule, as specified in the Contract executed between the bank and the vendor pursuant hereto, for performance of the obligations arising out of the contract, and any delay will enable the Bank to resort to any or all of the following at sole discretion of the bank.

(a) Claiming Liquidated Damages
(b) Termination of the agreement fully or partly

In addition to the termination of the agreement, Bank of Maharashtra reserves the right to appropriate the damages by invoking the performance guarantee.

3.6 Liquidated Damages

The liquidated damages will be an estimate of the loss or damage that the bank may have suffered due to delay in performance of the obligations (under the terms and conditions of the contract) by the vendor, and the consultancy company / firm shall be liable to pay the Bank as liquidated damages at the rate of 1% of the total contract value for delay of every week or part thereof (for final certification). Without any prejudice to the Bank's other rights under the law, the Bank shall recover the liquidated damages, if any, accruing to the Bank, as above, from any amount payable to the vendors either as per the Contract executed between the Bank and the vendor pursuant hereto or under any other Agreement/Contract the Bank may have executed/shall be executing with the vendor.

3.7 Indemnity

The vendor shall, at their own expense, defend and indemnify the Bank against any claims due to loss of data / damage to data arising as a consequence of any negligence during implementation and certification process.

3.8 Publicity

Any publicity by the bidder in which the name of Bank of Maharashtra is to be used should be done only with the explicit written permission of Bank of Maharashtra.

3.9 Force Majeure

The Consultant shall not be liable for forfeiture of its performance security, liquidated damages or termination for default, if any, to the extent that its delay in performance or other failure to perform its obligations under the contract is the result of an event of Force Majeure. For purposes of this Clause, "Force Majeure" means an event explicitly beyond the control of the Consultant and not involving the Consultant's fault or negligence and not foreseeable. Such events may include Acts of God or of public enemy, acts of Government of India in their sovereign capacity and acts of war.

If a Force Majeure situation arises, the Consultant shall promptly notify the Bank in writing of such conditions and the cause thereof within fifteen calendar days. Unless otherwise directed by the Bank in writing, the Consultant shall continue to perform his obligations under the Contract as far as is reasonably practical, and shall seek all reasonable alternative means for performance not prevented by the Force Majeure event. In such a case the time for performance shall be extended by a period(s) not less than duration of such delay. If the duration of delay continues beyond a period of three months, the Bank and the consultant shall hold consultations in an endeavor to find a solution to the problem.


Notwithstanding the above, the decision of the Bank shall be final and binding on the Bidder consultant.

3.10 Resolution of Disputes

Bank of Maharashtra and the bidder shall make every effort to resolve amicably, by direct informal negotiation, any disagreement or dispute arising between them under or in connection with the contract. If after thirty days from the commencement of such informal negotiations, Bank of Maharashtra and the Bidder are unable to resolve amicably a contract dispute, either party may require that the dispute be referred for resolution by formal arbitration.

All questions, disputes or differences arising under and out of, or in connection with the contract, shall be referred to two Arbitrators: one Arbitrator to be nominated by Bank of Maharashtra and the other to be nominated by the Bidder. In the case of the said Arbitrators not agreeing, then the matter will be referred to an umpire to be appointed by the Arbitrators in writing before proceeding with the reference. The award of the Arbitrators, and in the event of their not agreeing, the award of the Umpire appointed by them shall be final and binding on the parties. THE ARBITRATION AND RECONCILIATION ACT 1996 shall apply to the arbitration proceedings and the venue & jurisdiction of the arbitration shall be at Pune.

3.11 Privacy and Security Safeguards

The successful Bidder shall not publish or disclose in any manner, without the Bank's prior written consent, the details of any security safeguards designed, developed, or implemented by the successful Bidder under this contract or existing at any Bank location. The successful Bidder shall develop procedures and implementation plans to ensure that IT resources leaving the control of the assigned user (such as being reassigned, removed for repair, replaced, or upgraded) are cleared of all Bank data and sensitive application software.

The successful Bidder shall also ensure that all subcontractors who are involved in providing such security safeguards or part of it shall not publish or disclose in any manner, without the Bank's prior written consent, the details of any security safeguards designed, developed, or implemented by the successful Bidder under this contract or existing at any Bank location.

3.12 Confidentiality

This document contains information confidential and proprietary to BANK OF MAHARASHTRA. Additionally, the Bidder consultant will be exposed by virtue of the contracted activities to internal business information of BANK OF MAHARASHTRA, affiliates, and/or business partners. Disclosure of receipt of any part of the aforementioned information to parties not directly involved in providing the services requested could result in the disqualification of the Bidder consultant, premature termination of the contract, or legal action against the Bidder consultant for breach of trust. The information provided / which will be provided is solely for the purpose of undertaking the consultancy services effectively.

No news release, public announcement, or any other reference to this RFP or any program there under shall be made without written consent of BANK OF MAHARASHTRA. Reproduction of this RFP, by photographic, electronic, or other means is strictly prohibited.

ANNEXURE 1: FORMAT OF TENDER OFFER COVER LETTER

Date: ____________________________________2008


Tender Reference No. 062008

To:

Having examined the tender documents including all annexures, the receipt of which is hereby duly acknowledged, we, the undersigned, offer to provide consultancy to perform design and implementation of ISO 27001 certification for Data Center, Disaster recovery site and critical locations as mentioned in scope of work in conformity with the said tender documents in accordance with the Commercial bid and made part of this tender.

We understand that the RFP provides generic specifications about all the items and it has not been prepared by keeping in view any specific bidder.

If our tender offer is accepted, we will obtain the guarantee of a bank for a sum equal to 10% of the Contract Price for the due performance of the Contract.

We agree to abide by this tender offer till 180 days from the date of tender opening and our offer shall remain binding upon us and may be accepted by the Bank any time before the expiration of that period.

Until a formal contract is prepared and executed, this tender offer, together with the Bank’s written acceptance thereof and the Bank’s notification of award, shall constitute a binding contract between us.

We understand that the Bank is not bound to accept the lowest or any offer the Bank may receive.

Dated this __________________day of __________2008

Signature: __________________________________

(In the Capacity of :) ________________________________ duly authorized to sign the tender offer for and on behalf of


ANNEXURE 2: BIDDER’S INFORMATION

| Particulars | Details to be furnished for the Particulars | Enclosures to be submitted |
|---|---|---|
| Name of the IS Audit Company | | |
| Address of Registered Office | | |
| Address of Communication at Pune | | |
| Date of inception of IS Audit services | | |
| Presence and locations of Offices in India | | |
| Details of Services provided by the Company | | Please attach a separate sheet, if required |
| Number of CISA qualified personnel | | Please enclose list of names, with their Bio Data |
| Number of CCNA qualified personnel | | Please enclose list of names, with their Bio Data |
| Number of CISSP qualified personnel | | Please enclose list of names, with their Bio Data |
| Number of BS 7799/ISO 27001 lead auditors | | Please enclose list of names, with their Bio Data |
| Number of Network Security Audit assignments completed for Banking and Financial Sector in India | | Details of the credentials. |
| Number of Clients for whom ISO 27001/BS7799 Certification obtained by the IS Consultant Co. | | Please enclose list of names and Letters from such organizations supporting the same. |
| Experience in conducting IS audit and IT Security audit for Banks and/or Financial sector | | Details of credentials (giving scope of work for each assignment) with letters from the respective organizations supporting the same |
| Whether the IS Audit company is having dedicated ethical hacking lab | | If Yes, furnish address of the lab and profile of the dedicated security professionals involved in ethical hacking |
| Experience of working on similar projects in Public Sector Undertakings and government Departments | | Furnish credentials with details of work done. |
| Number of persons who are proposed to be associated for executing the assignment with name of the Team Leader | | Resume of the persons in the format enclosed as CV format to this document |
| Whether the IS Audit Company has formulated Information System Security Policy (ISSP) and Disaster Recovery Plan (DRP) for any Banking or Financial institution | | Names of the institutions with reference and details of type of environment covered by ISSP and DRP |

We confirm that all the details mentioned as required above and the documents/enclosures submitted in support of the same are true and correct and if the Bank observes any misrepresentation of facts on any matter at any stage of evaluation, the Bank has right of rejecting the Bid. We have understood the scope of work and undertake to execute the assignment as per the requirement of RFP.

Dated this ....... day of ............................ 2008

_________________________________ (Signature)

________________________________ (In the capacity of)

Duly authorized to sign Proposal for and on behalf of _________________________


ANNEXURE 3: PROFORMA FOR THE BANK GUARANTEE FOR EARNEST MONEY DEPOSIT (EMD)

Guarantee for Payment of Earnest Money/Security Deposit

Bank Guarantee no.:
Date
Period of Bank Guarantee: Valid up to
Amount of Bank Guarantee: Rs.

To,
Bank of Maharashtra, IT Department, 1501, Lokmangal, Shivajinagar, Pune 411005.

THIS DEED OF GUARANTEE made at …….. this ………..day of ………….. between Bank of ……………………… a banking company having its office at hereinafter referred to as ‘the Bank’ of the One Part and Bank of Maharashtra a New Bank constituted under the Banking Companies (Acquisition & Transfer of Undertakings) Act, 1970 having its Head Office at ‘Lokmangal’, 1501 Shivajinagar, Pune 411 005, hereinafter called the Beneficiary, of the other Part.

a) Whereas the Beneficiary had invited tenders for Consultancy for ISO 27001 certification vide tender No 062008 dated 24/10/2008.

b) One of the terms of the tender is that bidders are required to give a Demand Draft drawn in favour of beneficiary and payable at Pune, (valid for 180 days from the due date of the tender) for Rs 1 lac (Rs. One lac only) as Earnest Money Deposit (EMD) along with their offer. The Beneficiary may accept Bank Guarantee in lieu of EMD for an equivalent amount issued by any Public Sector Bank, valid for 6 months from the date of issue.

c) M/s …………………... hereinafter referred to as ‘the said Contractors’ have given their offer for ISO 27001 certification of Data Center, Disaster recovery site, Project Management Office and Central Office- IT deptt to the Beneficiary and the said Contractors are required to deposit the said amount of earnest money (or security deposit) or to furnish bank guarantee.

d) At the request of the said M/s.…………………. the Bank has agreed to furnish guarantee for payment of the said amount of earnest money (or security deposit) in the manner hereinafter appearing:

NOW THIS DEED WITNESSETH that pursuant to the said tender and in consideration of the premises the Bank doth hereby guarantee to and covenant with the Beneficiary that the Bank shall, whenever called upon by the Beneficiary in writing and without demur and notwithstanding any objection raised by the said Contractor/s, pay to the Beneficiary the said amount of Rs.1 lakh (Rupees One lakh only) payable by the said Contractor/s under the said Contract.

AND IT IS AGREED and declared by the bank that the liability of the Bank to pay the said amount whenever called upon by the Beneficiary shall be irrevocable and absolute and the Bank will not be entitled to dispute or inquire into whether the Beneficiary has become entitled to forfeit the said amount as earnest money (or as security deposit) under the terms of the said contract or not and entitled to claim the same or not or whether the said contractors have committed any breach of the said contract or not or whether the Beneficiary is entitled to recover any damages from the said contractors for breach of terms thereof or not. Any such demand made by the Beneficiary shall be binding and conclusive as regards amount due and payable by the Contractor to the Beneficiary. And the Bank undertakes to pay unconditionally on written demand without demur and the claim of beneficiary shall be conclusive and binding as to the amount specified therein.

AND it is further agreed and declared by the Bank that any waiver of any breach of any term of the said contract or any act of forbearance on the part of the Beneficiary or any time given by the Beneficiary to the contractors for carrying out and completing the work under the said contract or any modifications made in the terms and conditions of the said contract or any other act or omission on the part of the Beneficiary which could have in law the effect of discharging a surety, will not discharge the Bank.

AND it is agreed and declared that this guarantee will remain in force until the time fixed in the said contract for completion of the said work or until the expiration of any extended time for such completion and shall be valid for a period of six months from the date hereof i.e. the guarantee shall be valid up to ……

AND it is agreed and declared that this Guarantee will be irrevocable and enforceable even if the contractor’s company goes into liquidation or there is any change in the constitution of the said Company or management of the said Company and shall enure to the benefit of its successors and assigns and shall be binding on the successors and assigns of the Bank.

Notwithstanding anything contained herein:

c) The liability of the Bank under this Bank Guarantee shall not exceed Rs.________ ________. (Rupees _______________).

d) This Bank Guarantee shall be valid up to _____________________.

e) Bank is liable to pay guaranteed amount or part thereof under this Bank Guarantee only and only if beneficiary serves upon us a written claim or demand on or before ______________ (date of expiry of the Guarantee).

IN WITNESS WHEREOF the Bank has put its seal the day and year first hereinabove written.

Signed, sealed and delivered by Mr………… For and on behalf of the Guarantor to do so and to affix the seal of the Bank, in the presence of ……….


ANNEXURE-4: SCOPE OF WORK

The Consultant/Vendor shall establish, implement, operate, monitor, review, maintain and improve documented Information System Management System (ISMS) for ISO 27001:2005 certification for the following locations.

Central Office IT Department (Pune): The nodal department which plans, monitors and executes all IT projects of the bank.

Project Management Office (Pune): It is the Bank’s Project Management and control office from where the entire CBS project is implemented, managed and controlled.

Data Centre (Pune): The Bank has a level III Data Center where the entire infrastructure for core banking solutions has been installed, supporting 700 core banking branches spread all over India. The Data Centre also hosts the NOC for management of all branches / offices of the Bank.

Disaster Recovery Centre (Hyderabad): The Bank’s DR Centre is co-hosted with Tata Consultancy Services Ltd (TCS Ltd) in Hyderabad where we take care of Business continuity management.

Brief about the Applications, Infrastructure & Network required to be covered under the proposed assignment:

I. Applications covered would include:

• Core Banking Solution (BANCS24 Core comprising of Deposits, Retail and Corporate Loans, Remittances, General Ledger Accounting, etc.)
• Trade Finance Solution (EximBills, e-Treasury) covering Forex management, Treasury operations for both domestic/ international.
• Government Business Module (with on-line remittance and information transmitting facilities for Tax collection, EDI, CBEC, modules for Pension, PPF, RBI Relief bonds, tax collection)
• Retail Loan Origination System (e-Credit)
• Internet and Tele Banking Solution (e-banksworks)
• Mobile / SMS banking solution
• Enterprise Management System (CA Unicenter)
• Help Desk module of CA Unicenter
• Interfaces developed for functionality like ATM, RTGS, SFMS, SWIFT, ECS /EFT, EDI (Interface with Customs), OLTAS, Treasury and ALM, Credit Monitoring System (CREAM), Credit Risk Rating System, Intranet, HR system.

II. Brief about the Core Banking Solution Platform

Core Banking Solution is supplied by Tata Consultancy Services Ltd. It covers Deposits, Advances, Remittances, and Trade Finance, Accounting modules, Internet, SMS banking modules, Tele Banking module, Government Business Module. Enterprise Management System is CA Unicenter. Core Banking Solution, Application and Database are ported on IBM AIX 5.3 Operating System and IBM P5 series. The Database used is Oracle 9i. The Data Centre is set up at Pune. The Disaster Recovery Servers are co-located at TCS, Hyderabad.

III. Brief about the Network Architecture

The Bank’s Network is a dedicated point-to-point leased line network as primary links with ISDN links as backup for all the branches covered under the Core Banking Solution Project.


a. Level I – Core: The core of the network consists of a DC and DRC linked together. DC and DRC have links to the HO, PMO, Network Aggregation Points (NAP’s) and the external networks.

b. Level II – Distribution: The distribution network forms part of the Bank’s wide area network connecting the NAP’s to DC and DRC using dedicated links. There is a network component redundancy at NAP.

c. Level III – Access: In the access network, all the branches are connected to the nearest designated NAP.

The consultant/vendor is also expected to co-ordinate the surveillance audit after getting the certification. The quote for this job has to be given in the commercial bid. For arriving at TCO the cost of surveillance audit for year one and year two will be considered.

The following activities and processes have to be identified by the Consultant Company / Firm according to the standard ISO 27001:2005 in the above mentioned Locations.

• Establish ISMS policy, objectives, processes and systems and procedures relevant to managing risk and improving information security to deliver results in accordance with the organization’s overall policies and objectives.
• Implement and operate the ISMS policy, controls, processes and systems and procedures.
• Assess and where applicable, measure process performance against ISMS policy, objectives and practical experience and prepare the relevant report for review.
• Prepare the internal ISMS audit team from the bank and impart necessary trainings for conducting the internal ISMS audit.
• Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information to achieve continual improvement of the ISMS.
• Define the scope and boundaries of the ISMS in terms of its location, assets and technology.
• Define the risk assessment approach of the Locations.
• Develop criteria for accepting risks and identify the acceptable levels of risk.
• Identify the impacts that losses of confidentiality, integrity and availability may have on the assets and locations.
• Analyze and evaluate the risks.
• Identify and evaluate options for the treatment of risks.
• Select control objectives and controls for the treatment of risks.
• Prepare a Statement of Applicability.
• Prepare a statement of exclusion of any control objectives and controls in SOA with the justification for their exclusion.
• Review of controls and control objectives already implemented and recommending for addition/ modification required in the existing controls implemented.
• Co-ordinate with bank in completing documentation, procedures required by ISO 27001.
• Co-ordinate with bank and Certification bodies during Pre Audit and certification audit.
• Assist Bank during surveillance audits.
• Any other guidance and help which may be required by the bank for ISO 27001:2005 certification.
• The consultant has to submit weekly progress report during the project.

The bank will give full cooperation for timely access to resources, facilities, documents and coordination with various external agencies such as software vendors, network providers etc. so that the work can be performed in a smooth manner by the consultant. The bank expects that the consultant will perform work in a mutually respectful and professional manner.

All of the following 11 domains must be covered under the ISMS:

• Security policy
• Organization of Information security
• Asset management
• Human Resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Compliance


ANNEXURE 5: COMMERCIAL BID

The Commercial Bid should contain the Total project cost, on a fixed cost basis excluding service taxes. Bank of Maharashtra will not provide any reimbursement for travelling, lodging/boarding, local conveyance or any other related expenses.

The format for the commercial bid is given below:

| SL No | Deliverables (broad) | Amount in Rs. (Inclusive of all Taxes) ** |
|---|---|---|
| 1. A | Data Centre | |
| B | Disaster Recovery Site | |
| C | CBS Project Management Office | |
| D | Central Office-IT Deptt | |
| E | Any other expenses please specify | |
| | Total (A+B+C+D+E) | |
| 2 A | Post Certification Surveillance audit for 1st year | |
| B | Post Certification Surveillance audit for 2nd year | |
| | Total (A + B) | |
| | Total (1 + 2) | |

(Mention total amounts in figure and words also.)

(** Fixed sum inclusive of all taxes, duties, travelling, lodging, boarding expenses and any other out of pocket expenses but excluding Service tax)

Note: The Bank reserves the right to avail the services of the consultant firm for more surveillance audit work, up to a period of three years, as per the Bank’s requirement after the completion of two surveillance audit, at the same price.

For Post-certification surveillance / maintenance for three years: Payment will be released on yearly basis for subsequent post-certification surveillance audit for maintenance of Certification.

IS Consultant selected for the assignment will have to abide by the above payment terms. Bank reserves the right to reject the Bids/responses to the RFP seeking deviation from the above payment terms.


ANNEXURE 6: FORMAT OF CURRICULUM VITAE (CV)

(Separate sheets for each person)

Position:
Name of Firm:
Name of Personnel:
Profession:
Date of Birth:
Years with Firm:
Nationality:
Membership of Professional Societies:

Detailed Tasks Assigned: (past 5 years) (Giving an outline of person's experience and training most pertinent to task on assignment. Describe degree of responsibility held by the person on relevant previous assignments and give dates and locations)

Employment Record: (Starting with present position, list in reverse order)

Qualifications: Technical and Academic with year of passing


ANNEXURE 7: CHECKLIST OF DOCUMENTS TO BE SUBMITTED

• Eligibility Criteria
• Technical Bid
• Commercial Bid
• Security Deposit / EMD BG
• Masked Commercial Bid
• Format of CV for the professionals to be involved in the entire ISO 27001 certification process.
