KIOCL Limited
(Formerly Kudremukh Iron Ore Company Limited)
(A Government of India Enterprise)
Registered Office: KUDREMUKH II Block, Koramangala, BANGALORE-560 034
Tel : (080)-25531461-70
Fax : (080)-25630984 / 25532153
Website : www.kioclltd.com
e-mail : bpurchase@kudreore.com
AN ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007 COMPANY
NOTICE INVITING TENDER
(TWO BID SYSTEM)
KIOCL/MTLS/e-PROCUREMENT/2011-12 /C DATE : 26.10.2011
Due Date for submission of Quotation :
18.11.2011 at 2.00 PM
To
Respected Service Provider
Dear Sirs,
Sub:- Selection and Appointment of Service Provider for conducting
Online Price Bidding cum Reverse Auction by providing
e-Procurement services.
KIOCL Limited is a Central public sector unit in the manufacture of Iron oxide pellets
and pig iron. KIOCL, in pursuit of business excellence, has decided to introduce
e-procurement service in its material procurement system.
Sealed tender is invited in sealed covers (two bid system) for appointing
suitable service provider for conducting Online price bidding cum Reverse Auction i.e.,
for providing e-Auction systems and services through a customized and secured
public electronics platform as detailed in the Bid Document, on behalf of KIOCL
Limited, Bangalore.
1. SCOPE OF WORK : KIOCL intends to initiate the following
1.1 To implement e-procurement solution for the purchase process of
selected items {raw materials, equipments, spares, consumables, etc.,}
1.2 KIOCL is seeking to appoint a service provider for conducting online
price bidding cum reverse auction in the purchase process on behalf of
their units.
1.3 Locations of Services Required :
The services are required at KIOCL Ltd., Bangalore and Mangalore.
1.4 Duration of Contract: One year from the date of award of
Contract.
2. EARNEST MONEY DEPOSIT :
The bidders shall furnish an interest free Earnest Money Deposit (EMD) of
Rs. 20,000/- (Rupees Twenty thousand only) in the form of Bank Demand Draft
(DD) in favour of "KIOCL Limited", payable at Bangalore, along with their Techno-
Commercial Tenders. The DD shall be from any Indian Nationalised Bank or from
Scheduled Bank.
Please note that those Bids not accompanied with EMD will be summarily
rejected. Quotation even if received by due date and time but without EMD, shall
be rejected.
The EMD will be returned to bidders after finalisation of the tender and the same will
not carry any interest till it is returned. However, in the case of successful bidder, the
EMD will be returned after receipt of security deposit towards performance
guarantee.
Note : Those bidders who have already submitted EMD of Rs. 20,000/- against our
earlier Tender No. KIOCL/MTLS/e-PROCUREMENT/2011-12 dated 25.03.2011 or
KIOCL/MTLS/e-PROCUREMENT/2011-12/B dated 12.09.2011, where EMD amount is
not refunded by KIOCL, need not submit fresh EMD. However, bidders are required
to indicate in their freshly submitted tender that their earlier furnished EMD amount is
to be considered against the fresh tender.
3. SUBMISSION OF TENDER DOCUMENTS (TWO BID SYSTEM) :
The tenders complete in all respects conforming to the Scope of Job / Work
Involved, Tender Terms & Conditions should reach us latest by 18.11.2011
at 14.00 HRS (IST) in sealed covers as under :
(A) Cover.1 – Techno-Commercial Bid
Technical bids with commercial terms along with Earnest Money
Deposit and a copy of Price bid blanking the price portion repeat
blanking the price portion in a sealed cover super scribed with our
Tender number & Due Date and time of Opening and captioned “Techno-
Commercial Bid”
Cover-1 should contain
a. Techno-Commercial Bid : Detailed technical and commercial aspects of
the offer, including necessary brochures, catalogues, etc., for the
e-Procurement services provided.
b. Earnest Money Deposit as per clause no. 2 above.
c. Documents supporting pre-qualifying criteria. (ref: Annexure- II)
d. Profile of the Organisation of the tenderer.
e. Copy of Price bid blanking the price portion (without showing the
Quoted price).
(B) Cover. 2 – Price Bid
Price bid duly filled in the format as at Annexure–IV & signed
shall alone be enclosed in a separate sealed cover duly super scribed with our
Tender Number & Due Date and time of Opening and captioned
“PRICE BID”
(C) Cover.3 – Common Outer Cover :
Cover at (1) & (2) above shall be kept in a common sealed outer
cover duly super scribed with our Tender number & Due Date and time of
Opening and captioned "e-Procurement Services"
Please note that quotation received by fax / e-mail / in open condition will
not be accepted. Further, if quotation is not received in two parts in separate
covers and finally put in a single cover as above, the offer will be rejected.
Tender that is received after the schedule time and date of submission will
be rejected.
4. PARTICIPATION IN TENDER OPENING
a) Techno-Commercial Bid (except Price bid) will be opened on 18.11.2011 at
15.00 Hrs (IST) in the presence of your representative if you so desire.
b) If your offer is technically and commercially acceptable, you will be informed
of the date and time of opening of price bid. If you desire, you may depute your
representative with authorization letter with specimen signature duly attested
for witnessing the price bid opening.
5. CONFIDENTIALITY:
You shall keep all the information shared with you as confidential and shall not
disclose the same under any circumstances to any one, without obtaining
written consent from KIOCL.
6. The following enclosures are attached herewith
Annexure – I : Scope of Work of Service Provider
Annexure--II : Eligibility Criteria (To qualify for the award of Bid)
Annexure--III :
Part 1 of 4 : Instructions to Bidders (Service Providers) with
Commercial terms and conditions of contract.
Part 2 of 4 : Basic information of the bidder
Part 3 of 4 : Technical parameters
Part 4 of 4 : Central Vigilance Commission Guidelines
Annexure-IV : Price Bid format
Annexure-V : Qualification information
Thanking you,
Yours faithfully,
for KIOCL LIMITED,
Sd/-
(S. G. SHET)
Sr.Manager (Purchase)
Mobile No. 09741899457
Fax : (080) 25630984 / 25532153
e-mail : bpurchase@kudreore.com
ANNEXURE – I
SCOPE OF WORK OF SERVICE PROVIDER
1. The Service provider is expected to provide end to end service for conducting
online price bidding cum Reverse Auction. The Service Provider is expected to
provide the facility of online price bidding and reverse auction to the vendors
of the KIOCL on a totally outsourced & secured model. The KIOCL will only
provide the particulars of the qualified vendors participating in the Auction and
other necessary inputs connected with the price necessary for conducting the
auction.
2. The Online price bidding and Reverse Auction process provided shall be fully
compliant with IT Acts & CVC guidelines. The online price bidding cum reverse
auction should be able to provide Auto bid facility and extension time for the
process. All the other functions of the online price bidding and reverse auction
ie., The Business rules; Training to the vendors; Online price bidding, Reverse
Auction itself are to be conducted by the Service Provider.
3. After the Auction the Service Provider has to provide the details of the Online
price bidding cum Reverse Auction to the KIOCL. It is very important that
the Service Provider follows standards of the highest integrity and
any action which is detrimental to the interests of the KIOCL or
against CVC/other guidelines will entail cancellation of the order in
addition to taking any other action which the KIOCL deems fit at that
point of time.
4. The Service Provider should ensure masking of the bidding Company names
and the KIOCL should be able to view the transaction online during the bidding
process. The bidding should be conducted securely using PKI. The Online price
bidding and Reverse Auction should be permitted by using Digital Signature
and the vendor should support Digital signature issued by reputed / authorized
institutions / organisations.
5. The vendor providing online auction should ensure that no un-authorised
person has access to data and information that is considered confidential and
that any compromise should be brought to the knowledge of the KIOCL
6. Online submission of price bids and reverse auction
The online price bids submitted should be signed electronically with a Class II
or Class III - Digital Signature Certificate to establish the identity of the Bidder
submitting the Bid online.
Note : In all cases based on Tender Committee recommendation, qualified
bidders are only called for participation in online price bidding cum reverse
auction process.
a. Decide Auction strategy. Jointly identify auction format, closing time
rules, bidding rules, business rule & information release requirements
that KIOCL would like to build in the auction. This has to be closed
preferably 48 hours before the auction event and document to be
signed by you and KIOCL.
b. Train all qualified bidders on how to place price bids as well as how to
use other features of the auction tool.
c. Train KIOCL team to view auction comfortably by conducting a mock
auction if required.
d. Obtain Process-cum-Technical Compliance Statements duly signed by
suppliers. Document deviations from REP, if any. After receipt of the
Agreement Form, Log in ID and Password shall be allotted to the
qualified bidders.
e. Host the actual auction on the Internet. The auction proceedings will be
accessible only to parties whose offers are techno-commercially
acceptable and approved by KIOCL.
f. Subsequent to the online price bidding cum reverse auction, the bidders
have to submit complete breakup of the price.
g. Generate and submit all reports which would be required by KIOCL for
analyzing the auction, as well as historical data in terms of the bid
history, suppliers login data Bid history, compliance statement, auction
summary and price break-ups etc.
h. Final price comparative statement with bid history will be submitted by
you within 12 hours from the completion of auction event.
Comprehensive report with other data like cost break-up etc., will be
submitted within 2 days after conducting the auction.
7. Jointly work with KIOCL in ensuring that bidders who have shown interest to
participate in the e-bidding.
8. Online Automated Bid evaluation as per KIOCL’s policy if required.
9. Time Schedule :
Successful service provider and KIOCL shall jointly determine the date for bid
schedule and online price bidding cum reverse auction and the timing should
be strictly adhered to as in case of any change, the same has to be intimated
within 48 hours (preferably) to all the concerned.
10. Security Features
The security features incorporated in the application ensures that all
activities are logged and no unauthorized person has access to data.
Digital Signature: The solution includes capturing Digital Signature
Authorized and certified by approved agency nominated by Controller of
Certifying Authorities under Ministry of IT, Govt. of India.
Process Validation: The Solution has been so architected that a user
(KIOCL Officers / Bidders) cannot view the price bid of any Bidder. All
the documents are encrypted.
Un-authorised Access : The entire solution is behind a firewall and
Unauthorized access is not allowed. The login passwords of all the users
are encrypted at the database level. Minimum 128 bit SSL Certificate from
is used for communication between the browser and the web server.
This ensures that all communication between browser and web server is
encrypted and cannot be hacked.
Compliance to IT ACT: The complete e-process is compliant with THE
INFORMATION TECHNOLOGY ACT, 2000 of the Govt. of India.
11. Training & Help Desk
a) Training of both KIOCL Personnel and the bidders on the usage of
Online price bidding and reverse auction system. The training imparted
shall be properly structured to meet the different requirements of KIOCL
and the bidders.
b) The service provider shall assist all bidders to obtain Digital signatures.
c) Capturing of all the transactions during the online price bidding and
reverse auction process and providing this information to KIOCL in the
form of a soft copy.
-oOo-
ANNEXURE - II
ELIGIBILITY CRITERIA
Only the Service Providers who meet all the qualifications mentioned in “Eligibility
Criteria” of the tender are eligible to participate in the tender.
1.1 The intending bidder must possess as prime Service Provider, experience of
having successfully executed similar work for the procurement of goods,
services etc. and possess capability of conducting global e-procurement events
through their own auction portal complying with the provisions related to
security aspects of Information Technology-IT Act 2000 and complying with
the guidelines of CERT-In, Dept. of Information Technology, Government of
India.
Note : Along with Techno-commercial offer, the bidder shall furnish self
certificate/documentary evidence for the above.
1.2 The Bidders shall furnish details of successful usage of their e-commerce
System by a minimum of two Government Departments / Public Sector
Undertakings / Public Sector Banks during the last four financial years. The
bidder shall furnish Work Order Copies or Experience Certificates issued in his
favour. This is a pre-requisite for considering their offer. Please furnish the
following details :
a) Name of the Govt. Departments/Public Sector Undertakings/
Public Sector Banks
b) Contact Details
c) URL
d) Number of Tenders floated
e) Letter of satisfaction and past experience from existing user
1.3 The Bidder must have ISO 27001 Certificate
Note : The bidder is required to provide documentary proof in support of
meeting above criteria (Point No. 1.2 & 1.3) in the techno-commercial bid
of the offer.
1.4 The bid value for at least one of the e-auction events conducted, shall be at
least Rs. 5 (Five) Crores. In this regard self certificate is to be furnished by
the bidder indicating the following details :
a) Auction Number
b) Auction Start date and time
c) Auction Close date and time
d) Total Procurement Value (Rs. in Crores)
1.5 The Bidders shall provide evidence of possessing adequate infra-structural
support in India with respect to design, hardware, software, communication
inclusive of legally bound back-up MOU /Agreement with other agencies in the
respective field of specialization as joint venture partners etc. or its own.
1.6 The auction portal should be owned by the Bidder and it should be located in
Indian Territory for the proposed e-procurement activities of KIOCL.
1.7 The Bidder must have disaster recovery site with sufficient capacity to ensure
continued services in the eventuality of non-function of primary site.
1.8 The bidder must not have been blacklisted or deregistered by any Central /
State Government Department or Public Sector Undertaking.
Note : Along with Techno-commercial offer, the bidder shall furnish self
certificate/documentary evidence for the above (for Point No. 1.4 to 1.8).
-oOo-
ANNEXURE – III
Part 1 of 4
INSTRUCTION TO BIDDERS (SERVICE PROVIDERS) (ITB)
WITH COMMERCIAL TERMS AND CONDITIONS OF CONTRACT
1. BIDDING DOCUMENTS:
The Bidder is expected to examine all instructions, forms, terms and
specifications in the bidding documents. Failure to furnish all information
required by the bidding documents or submission of a bid not substantially
responsive to the bidding documents in every respect will be at the Bidder ’s
risk and shall result in rejection of the bid.
2. AMENDMENTS TO BIDDING DOCUMENTS:
At any time prior to the deadline for submission of bids, the Tendering
Authority, KIOCL Limited may, for any reason, whether on its own initiative or
in response to the clarification requested by a prospective bidder, modify,
change, incorporate or delete certain conditions in the bidding document.
IMPORTANT NOTE: Amendments, if any, that may be
decided at a later date shall be intimated through our
Company Web-site. In this regard, therefore, please visit
our Web-site www.kioclltd.com for complete details from
time to time and prior to submission of offer.
3. HOW TO QUOTE PRICES:
Please indicate your fees for the above services to be rendered to KIOCL in
terms of Lump sum per Event in Indian Rupee basis (i.e., fixed price
should be on event basis, irrespective of the value of Procurement).
The fee quoted should be firm till end of contract period and is not subject to
escalation of any kind whatsoever. KIOCL will deduct TDS as applicable.
Please note that your offered fixed price shall be inclusive of all taxes
except service tax. However, applicable service tax is to be indicated in the
price bid (Annexure-IV).
Note :
a) The procurement value of the event may be of any amount and
the same will be treated as One Event only.
b) In case KIOCL Plant operates continuously to its full capacity, the
number of e-procurement Events in a year will be approx. 86 Nos.
c) Please note that the Fees offered in any other fashion will not be
considered and such offer will be rejected.
4. PAYMENT TERMS :
KIOCL shall make 100% payment towards the service rendered after
successful completion of events duly certified by KIOCL authorities based on
the auction report on monthly payment basis. In case there is no online price
bids received from vendors, no payment will be made to service provider
against such events.
5. PERIOD OF VALIDITY:
Bids shall be valid for placement of order for a period of 60 days from the date
of opening of the techno-commercial bid
6. EVALUATION AND COMPARISON OF BIDS
a) Offers will be evaluated against the stipulated minimum eligibility criteria
and on the basis of technical parameters and features offered in the
techno-commercial bids. KIOCL may call the vendors representatives for
clarifications, presentation if required.
The KIOCL reserves the right to reject Offer in any of the following
circumstances:
i) If Offer is incomplete and/or not accompanied by all stipulated
documents.
ii) If the Offer is not in conformity with the terms and conditions stipulated
in this document. i.e., Offers not complying with the eligibility criteria,
Central Vigilance Commission Guidelines and other techno-commercial
parameters indicated in the tender document will be rejected
summarily.
b) After the techno-commercial bids evaluation, vendors will be short listed
based on acceptance of their techno-commercial bids. The price bids of
such short-listed vendors only qualify for opening the Price bids. The Price
bids will be opened in the presence of their representatives on a specified
date and time to be intimated to the respective vendors.
c) Price Bid Evaluation (L-1) is based on Service charges quoted in terms
of per Event basis in Indian Rupees excluding Service Tax for
conducting online price bidding cum reverse auction.
7. PERFORMANCE GUARANTEE :
Successful bidder shall have to furnish Security Deposit for Rs. 20,000
(Rs. Twenty Thousand only) by way of Bank Guarantee in favour of KIOCL
Limited, within 15 days from the date of Receipt of Work Order. The Bank
Guarantee shall be on Rs.200/- Non-Judicial Stamp paper strictly as per our
format and should be valid for a period of 12 months. Bank Guarantee issued
by any Co-operative Bank will not be accepted. The bank guarantee will be
returned after expiry of the contract period, if the performance of the system
is satisfactory and due fulfillment of all contractual obligations. For Proforma of
Bank Guarantee in lieu of Security Deposit, please visit our website
www.kioclltd.com. Or otherwise
Earnest Money Deposit (EMD) of the successful bidder paid by way of DD shall
be adjusted towards part of Security Deposit.
8. ORDER CANCELLATION
The KIOCL reserves its right to cancel the Work Order in case of the following
conditions:
a) Delay in attending to the work beyond the specified period.
b) Serious discrepancy noticed in the Online price bidding and Reverse
Auction process.
c) Non adherence of CVC and other regulatory guidelines in the e-auction
process
9. Please note that the terms and conditions contained in this annexure including
other annexure of tender enquiry shall prevail over the General Conditions of
Indigenous Supply-KIOCL P/1 wherever applicable. (visit KIOCL’s website page
http://kioclltd.com/general.doc)
Thanking you,
Yours faithfully,
for KIOCL LIMITED,
(S. G. SHET)
Sr.Manager (Purchase)
ANNEXURE – III
PART – 2 of 4
Basic Information about the Service Provider
1. Name of Company :
2. Ownership Details :
3. PAN Number :
4. Bank Account Details :
Name of Bank –
Address -
9-digit MICR code –
Account No. –
Swift Code -
5. Contact Person’s Name :
Phone Number :
Mobile Number :
Fax Number :
Email Id :
Financial Details for the last three years:
Financial year Turnover in Rs. (crores)
2008-09
2009-10
2010-11
Major Clients :
Authorised Signatory :
Date :
Stamp of the firm :
Date: Authorized Signatory
Name of bidder & Seal
ANNEXURE – III
Part – 3 of 4: Technical Parameters
The Service Providers shall submit their compliance on the Technical
Parameters as specified as to whether the offered system complies with
requirements by specifying in terms of Yes or No.
Description : KIOCL requirement : Service Provider’s offer confirm (Yes / No)
A) Scope
Internet based price bidding for procurement of selected items (raw materials,
   equipments, spares, consumables, and all associated services) as specified :
   Acceptance to the scope of work defined in Tender
Payment terms :
   a) Price Quoted on Lump sum per Event basis.
   b) Acceptance of payment terms
Validity of Contract period : One Year from the date of award of contract
Validity of offer : Valid for a period of 60 days for placement of work order
Taxes & duties : Offered fixed price shall be inclusive of all taxes except
   service tax. Deduct TDS as applicable.
Training : To conduct free of cost training for KIOCL’s officers to familiarize
   for operation, administration and online price bidding cum reverse auction
   processes.
Live demonstration : Service Provider agrees that they can give Live
   demonstration of any one site they are maintaining if required.
Eligibility Criteria : List out photocopies of relevant documents / certificates
   as proof in support of various information submitted along with this
   document & self certificates
SECURITY & KIOCL’S REQUIREMENT
The Intellectual Property Right (IPR) of the e-system should be owned by the
   Service Provider
The Service Provider is a CA/Sub CA/RA or should have a technical tie-up with a
   CA, Sub CA, RA who are authorized to issue Digital Certificates. Furnish
   documentary proof in this regard.
Possession of ready software which they can demonstrate and the same can be
   customized and launched within one week from date of award of tender.
   Service Provider must ensure that customization is done to meet procedural
   requirement of purchase guidelines laid down by the company
Service Provider agrees that their existing e-system fulfills the scope of work
   as defined in this tender document
The e-Auction portal proposed is fully secured and Service Provider confirms
   that their e-system complies to Information Technology (IT) Act 2000
Compliance with guidelines provided by CERT.in Dept. of Information Technology,
   Govt. of India. The Website / Auction portal is duly certified by empanelled
   auditors of CERT.in as per the provisions relating to the security aspects
   of IT Act 2000.
Service Provider agrees that their e-system is PKI Enabled.
Ability to handle at least 100 concurrent users with response time of less than
   5 seconds
Service Provider confirms that their system prevents Auto Bidding by the bidders
On-line alert to bidders to ensure data inconsistency during auction
Ability to handle secure transaction & multiple auctions simultaneously
Any additional features not specifically sought above, may be described by Service
Provider and appended at the end of this sheet. Extra Sheet as required may be
attached.
Name
Company
Signature
Official Seal
Date
Date: Authorized Signatory
Name of bidder & Seal
ANNEXURE – III
Part – 4 of 4 :
Central Vigilance Commission Guidelines
The Service Providers shall also submit their compliance on the Central
Vigilance Commission Guidelines as specified as to whether the offered
system complies with requirements by specifying in terms of Yes or No.
Compliance
Sl by bidder
Security Considerations
No. ( please fill
Y/N)
Whether the application is secure from making any temporary
1 distortion in the electronic posting of tender notice, just to
mislead certain vendors?
If yes at 2 above, then whether any automatic systems alert is
2 provided in the form of daily exception report in the application
in this regard?
Whether application ensures that the tender documents issued
3 to I downloaded by bidders are complete in shape as per the
approved tender documents including its corrigendum?
Is there any check available in the application to detect & alert
4
about the missing pages to the tenderer, If any?
Whether application ensures that all the corrigendum issued by
the Competent Authority are being fully communicated in
5 proper fashion to all bidders including those who had already
purchased/ downloaded the bid documents well ahead of the
due date & before uploading the corrigendum?
Whether system is safe from sending discriminatory
6 communication to different bidders about the same e-tendering
process?
Whether e-procurement solution has also been customized to
7
process all types of tenders viz Limited / open / global tenders?
Whether online Public Tender opening events feature are
8
available in the application?
Whether facilities for evaluation I loading of bids, strictly in
9 terms of criteria laid down in bid documents are available in the
application?
Whether sufficient safeguards have been provided in the
10
application to deal with failed attempt blocking?
11 Whether application is safe from submission of fake bids?
Whether encryptions of bids are done at clients end?
12
17
13 Whether safety against tampering and stealing information of
submitted bid, during storage before its opening, is ensured?
Whether application is safe from siphoning off and decrypting
14
the clandestine copy of a bid encrypted with public key of
tender opening officer?
Whether application is safe from mutilation/ sabotage or
otherwise rendering the encrypted bid in the e-tender box
15
during storage, to make it unreadable /invalid in any form,
before opening the bids?
Whether introduction of special characters I executable files etc
16
by users are restricted in the application?
17 Whether validity check of DSC is being done at server end?
Whether system supports the feature that even though if a
published tender is being deleted from the application, system
18 does not allow permanent deletion of the published tender
from the Database?
Whether sufficient security features are provided in the
19 application for authentication procedure of the system
administrator like ID, password digital signature, biometric etc?
Whether audit trails are being captured in the application on
20
media not prone to tampering, such as optical write once?
Whether log shipping feature is available, where a separate
21 dedicated server receives the logs from the application over a
web service in real time?
Whether integrity and non-tampering is ensured in maintaining
22
the server clock synchronization & time stamping?
Whether application generates any exception reports / system
alert etc. to indicate the re-setting of the clock, in case the
23
application for time stamping is killed at the server level and
time is manipulated?
Whether application ensures that the quotes from various
bidders with their name are not being displayed to anyone
24
including to the Organization during carrying out of the e-
reverse auctioning process?
Whether application is fit for usage compiling with the
requirement of tender processing viz. authenticity of tenderer,
25
non-repudiation and secrecy of information till actual opening
of tenders.
Whether any comprehensive third-party audit [as per the
statutory requirement and also as per the requirements of e-
26
tender processing (compliance to IT Act 200) ] was got
conducted before first putting it to public use?
18
27 Deployment of routers, firewalls, IPS/IDS, Remote Access and
Network Segmentation
Network authentication trough deployment of password policy
28 for accessing the network resources. To minimize unauthorized
access to the e-procurement system at system level.
Deployment of logging at OS/network level and monitoring the
29
same.
The security of individual servers & workstations is a critical
factor in the defence of any environment, especially when
30
remote access is allowed. Workstations should have safeguards
in place to resist common attacks.
As the vulnerability of the system are discovered almost
regularly and the system vendors are also releasing the
31
patches. It is expected the host are patched with latest security
updates released by the vendors.
Suitable controls like antivirus,anti-spyware etc. should be
deployed on the host associated with e-procurement
system.Howerver the option for running the services at non-
32
privileged user profile may be looked for. Otherwise suitable OS
which is immune to virus, trojan and malware may be
deployed.
The availability of network service is critically dependent on the
quality of interconnection between the hosts through
33 structured including termination and marking. It is expected
that e-procurement system has implemented structured cabling
and other controls related with network and interconnection.
Depending on the number of expected hits and access the
34 options for clustering of servers and load balancing of the web
application shall be implemented
Suitable management procedure shall be deployed for regular
back-up of application and data. The regularity of data back-up
35
shall be in commensurate with the nature of transaction/
business translated into the e-procurement system
Suitable management control shall be implemented on
availability of updated source code and its deployment. Strict
36
configuration control is recommended to ensure that the latest
software in the production system.
The authentication mechanism of e-procurement application
37 should ensure that the credentials are submitted on the pages
that are server under SSL
The application shall enforce proper access control model to
38 ensure that the perimeter available to the user cannot be used
for launching any attack
The design should ensure that the session tokens are
39 adequately protected from guessing during an authenticated
sessions
19
The design should ensure that the application tokens do not
40
present user error messages to the outside world which can be
used for attacking the application.
The application may accept input at multiple points from
external sources, such as users, client’s applications and data
feeds. It should perform validation checks of the syntactic and
41 semantic validity of the input. It should also check that input
data does not violate limitations of underliying or dependent
components, paricularly string length and character set.
All user-supplied fields should be validated at the server side
42  Logging should be enabled across all applications in the
    environment. Log file data is important for incident and trend
    analysis as well as for auditing purposes.
    The application should log failed and successful authentication
    attempts, changes to application data including user accounts,
    severe application errors, and failed and successful access to
    resources.
    When writing log data, the application should avoid writing
    sensitive data to log files.
43  Sensitive data should be encrypted or hashed in the database
    and file system. The application should differentiate between
    data that is sensitive to disclosure and must be encrypted, data
    that is sensitive only to tampering and for which a keyed hash
    value (HMAC) must be generated, and data that can be irreversibly
    transformed (hashed) without loss of functionality (such as
    passwords). The application should store keys used for
    decryption separately from the encrypted data.
    Examples of widely accepted strong ciphers are 3DES, AES,
    RSA, RC4 and Blowfish. Use 128-bit keys (1024 bits for RSA) at
    a minimum.
44  Sensitive data should be encrypted prior to transmission to
    other components. Verify that intermediate components that
    handle the data in clear text form, prior to transmission or
    subsequent to receipt, do not present an undue threat to the
    data. The application should take advantage of authentication
    features available within the transport security mechanism.
    In particular, an encryption methodology such as SSL must be
    deployed while communicating with the payment gateway over a
    public network.
45  The application should enforce an authorization mechanism that
    provides access to sensitive data and functionality only to
    suitably permitted users or clients.
    Role-based access controls should be enforced at the database
    level as well as at the application interface. This will protect
    the database in the event that the client application is
    exploited.
    Authorization checks should require prior successful
    authentication to have occurred.
    All attempts to obtain access without prior authorization
    should be logged.
    Conduct regular testing of key applications that process
    sensitive data and of the interface available to users from the
    internet. Include both Black Box testing against the application.
    Determine if users can gain access to data from other accounts.
Date: Authorized Signatory
Name of bidder & Seal
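Requirement 43 above separates data that needs a keyed hash (HMAC) from data that can be hashed irreversibly, such as passwords. The following is an added illustration, not part of the tender or of any service provider's code: it tags a bid record with HMAC-SHA-256 and stores a password with salted PBKDF2, using only the Python standard library. The record fields, function names and iteration count are assumptions, and the encryption case is left out because the standard library has no cipher.

```python
import hashlib
import hmac
import json
import os

# Assumption: in production the MAC key is loaded from a key store kept apart
# from the database (requirement 43); here it is generated in memory.
MAC_KEY = os.urandom(32)
PBKDF2_ITERATIONS = 600_000  # assumed work factor, tune to the deployment


def _canonical(bid: dict) -> bytes:
    """Serialize the record deterministically so the tag is reproducible."""
    return json.dumps(bid, sort_keys=True, separators=(",", ":")).encode()


def seal_bid(bid: dict, key: bytes) -> dict:
    """Tamper-sensitive data: attach an HMAC-SHA-256 tag to the record."""
    tag = hmac.new(key, _canonical(bid), hashlib.sha256).hexdigest()
    return {"bid": bid, "tag": tag}


def verify_bid(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare it in constant time."""
    expected = hmac.new(key, _canonical(sealed["bid"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def hash_password(password: str) -> str:
    """Irreversible data: store iterations, per-user salt and derived digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample record; the field names are hypothetical.
SAMPLE_BID = {"event_id": "EV-001", "bidder": "VENDOR-A", "price_rs": 125000}
```

A record whose price is changed in the database after sealing fails `verify_bid`, and so does any record checked with a key other than the one used to seal it.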
ANNEXURE – IV
PRICE BID FORMAT
Sl. No. 1
Description: Service Charge for conducting online price bidding cum
Reverse auction as part of e-procurement activity among
the bidders for procurement of selected items (raw
materials, equipments, spares, consumables etc.,) as per
KIOCL requirement.
The above activity shall cover all the aspects as
mentioned in Tender documents.
Duration of Contract : One Year
Service Charges in terms of Lump Sum per Event basis (Rs.): Please quote
your fixed price on Event basis irrespective of the value of Procurement
Sl. No. 2
Description: Rate of Service Tax in percentage
Service Charges in terms of Lump Sum per Event basis (Rs.): %
Confirmation by Bidder
This is to certify that the Price quoted above will remain firm throughout the period of
the contract and is not subject to escalation of any kind whatsoever.
Date: Authorized Signatory
Name of bidder & Seal
ANNEXURE-V
QUALIFICATION INFORMATION
(The information to be submitted by all the Service Providers)
1. Individual Bidder/ Individual Members of Joint venture (Please specify):
2. Constitution or Legal status of Bidder (attach copy)
Place of Registration : ---------------------------------
Principal place of business : ---------------------------------
Power of Attorney of Signatory to the Bid: (attach)
3. Details of experience of works undertaken in the past:
Use a separate sheet for each contract (attach performance certificates from
customers concerned)
1 Reference Number of contract
2 Name of contract and purchaser
3 Purchaser Address
4 Nature of work and special features if any
5 Value of the total contract
6 Date of award of contract
7 Date of completion with original schedule and slippage, if any
8 Specified requirements if any
4. Details of IT Infrastructure, Communication etc.,
1 Data Centre Details (Please specify against each)
Server
a) No. of Servers
b) Server Specification
c) Processor
d) Operating System
e) Database
f) Application Server
Server TPM/C Rating
No. of Nodes
2 Network backbone
a) Type
b) Speed
3 Internet
a) Connectivity through
b) Band Width
c) ISP
4 Network security / certification
5 Similar specification of disaster recovery site
5. The Bidder must provide minimum of ten(10) professionally qualified persons,
who will be dedicated for the project and the team leader must be having
minimum of three years relevant experience.
6. Permanent Income Tax Account No. (PAN)
7. Valid Service Tax Registration No.
8. Details of Bid Security / Earnest Money
9. Other details :
a) Details of registration / enlistment with Government Organizations/
Public Sector Undertakings and Banks
b) Certificate of registration as per statutory requirement under sales tax,
contract labour laws etc., as may be applicable.
Date: Authorized Signatory
Name of bidder & Seal