									                     Central Bank of India

                       Tender Document

      Tender Reference Number: CO:DIT:PUR:2009-10:77

                      Request for Proposal


          Security Audit of Internet Banking Application


                      Bank Official website

Cost of the Tender Document: Rs. 2,000/- (Rs. Two Thousand Only)
Central bank of India                                                                                                 Page 2 of 17

Request for Proposal for Security Audit of Internet Banking application and Bank’s Official Website

                                                   TABLE OF CONTENTS

1. Invitation for tender offers
2. Scope of the Job
3. Eligibility Criteria of Vendors
4. Terms and Conditions
5. Technical Bid – RFP for Security Audit of Internet Banking Application
6. Acceptance Letter to be given by the Vendor
7. Commercial Bid

1. Invitation for tender offers

M/s __________________________________
Central Bank of India invites sealed tender offers (technical offer and commercial offer) from
eligible vendors for carrying out a Security Audit of the Internet Banking Application & Bank Official
Website along with associated hardware & network infrastructure and equipment supporting
A copy of the tender document may be obtained from Dept of IT, 1st Floor, Plot No. 26, Sector –
11, CBD Belapur, Navi Mumbai on all working days in person. The details are given below:

  Tender Reference                              CO:DIT:PUR:2009-10:77
  Cost of Document                              Rs.2000/-
  Earnest Money Deposit                         Rs.25000/-
  Date of commencement of sale of tender
  document (RFP)
  Date of Pre-bid meeting                       11-02-2010 at 15.00 Hrs.
                                                Central Bank of India, DIT, 1st floor, Sec.11, Plot
                                                No.26, Opp.Belapur Rly. Stn., CBD Belapur, Navi
                                                Mumbai 400 614.
  Last Date and Time for receipts of tender     23-02-2010 at 15.00 Hrs.
  Technical Bid Opening date                    23-02-2010 at 15.30 Hrs.
  Address of Communication                      Central Bank of India, DIT, 1st floor, Sec.11, Plot
                                                No.26, Opp.Belapur Rly. Stn., CBD Belapur, Navi
                                                Mumbai 400 614.
  Contact Telephone Numbers                     022-67123669/67123684
  Email Id:

It is essential that all clarifications / queries be submitted to Central Bank of India at least three
days before the date of the Pre-bid meeting. Only vendors who purchase the Tender Document
before the pre-bid meeting will be eligible to participate in the pre-bid meeting. Otherwise,
vendors may send a mail and the clarifications will be mailed back.
Earnest Money Deposit must accompany all tender offers (Technical Bid) as specified in this
tender document.

Tender offers will normally be opened one hour after the closing time, in the presence of the
tenderer’s representatives who choose to attend the opening of tender.

Asst.General Manager-IT

1. Background

Central Bank of India (CBI) is one of the leading public sector Banks with a large network of
approx 3550 branches spread across the country. The Bank has also established its Wide Area
Network at 1500 locations all over India covering administrative and branch offices and is
planning to enlarge it during the current year.

Now the bank has initiated implementation of a host of customer centric delivery channel
solutions like Internet Banking, Tele Banking, SMS Alerts and Mobile Banking etc.

The bank, as a part of implementation of Internet Banking Application, intends to carry out
Security Audit of Internet Banking System & Bank Official Website (along with associated
hardware & network infrastructure and equipment supporting them) through outside vendors
and thus invites Proposals from CERT-IN empanelled Auditors, Audit Companies/Agencies for
primarily undertaking inter-alia the following activities for the Bank in respect of Internet
Banking Solution.

2. Scope of the Job

The scope of the job is to carry out Security Audit of Bank’s Internet Banking System and
Bank’s Official Website along with associated hardware & network infrastructure and
equipment supporting them. Therefore, scope will also include DR Servers. The security audit
is to be done for one year resting at quarterly intervals, which includes the following:

    - To Assess Flaws in Web hosting Software i.e. Security of web server.
    - To Assess Flaws in the Design of the Applications.
    - Attempting to guess passwords using password-cracking tools.
    - Search for back door traps in the software.
    - Attempting to overload the systems using Distributed Denial of Services (DDoS) and
      Denial of Services (DoS) attacks.
    - Checking if commonly known holes in the software exist.
    - Attempting penetration through perceivable network equipment/addressing and other
    - Check Vulnerabilities like IP Spoofing, Buffer Overflows, session hijacks, account
      spoofing, Frame Spoofing, Caching of web pages, Cross site scripting, Cookie handling
    - Sniffing.
    - 128-bit SSL Certificate & PKI has to be verified.
    - Whether solution architecture provides 24 X 7 availability to customer is confirmed. If
      all servers are configured to synchronize time with Central NTP server.
    - To check whether date and time stamp are appearing correctly on all reports.
    - To check whether servers are updated with latest security patches. Remote server
      Management Software used, WebLogic server is up to date, IOS version in Router is
      vulnerable one.
    - Confirm Rule base in Firewall is configured properly.
    - To ascertain IDS is configured for intrusion detection, suspicious activity on host are
      monitored and reported to server, firewall and IDS logs are generated and scrutinized. IP
      routing is disabled.
    - For changing system parameters whether Maker-Checker concept is followed.
    - Logical Access Controls Techniques viz. Passwords, Smart Cards or Other Biometric
    - Proxy Server is used between Internet and proxy systems.
    - Vulnerabilities of unnecessary utilities residing on Application server.
    - Computer Access, messages are logged and security violations reported and acted upon.
    - Effectiveness of Tools being used for monitoring systems and network against intrusions
      and attacks.
    - Proper infrastructure and schedule for back up is fixed, testing of back-up data done to
      ensure readability.
    - Legal issues.
    - Electronic Record is authenticated by Asymmetric Cryptosystem and hash function.
    - Secrecy and confidentiality of Customer information preserved.
    - If any cases of unauthorized transfer through hacking, denial of service due to
      Technological failure is brought to the notice.
    - Regulatory and Supervisory non-compliance issues.
    - Any other items relevant in the case of security.
    - Internet Banking Application should comply with Bank’s approved security Policy.
    - All the guidelines issued by RBI and CERT-IN from time to time relating to Internet
      Banking Application and Bank’s Official Website/Web hosting Software should be
      adhered to.
    - Security auditing should be done as per the Industry Standards and also as per the
      OWASP (Open Web Application Security Project) model. With respect to ethical
      hacking, testing needs to be done by the auditor as black box testing only. No user Name
      and password shall be provided for testing. The VAPT audit needs to be carried out
      based on the domain name rather than based on number of IP addresses for the domain.
   The Top 10 Web application vulnerabilities, which are given below, should also be checked
   from the given websites:
 Cross Site Scripting (XSS)       XSS flaws occur whenever an application takes user supplied data
                                  and sends it to a web browser without first validating or encoding
                                  that content. XSS allows attackers to execute script in the victim's
                                  browser which can hijack user sessions, deface web sites, possibly
                                  introduce worms, etc.

 Injection Flaws                  Injection flaws, particularly SQL injection, are common in web
                                  applications. Injection occurs when user-supplied data is sent to an
                                  interpreter as part of a command or query. The attacker's hostile
                                  data tricks the interpreter into executing unintended commands or
                                  changing data.
 Malicious File Execution         Code vulnerable to remote file inclusion (RFI) allows attackers to
                                  include hostile code and data, resulting in devastating attacks, such
                                  as total server compromise. Malicious file execution attacks affect
                                  PHP, XML and any framework, which accepts filenames or files
                                  from users.
 Insecure Direct Object           A direct object reference occurs when a developer exposes a
 Reference                        reference to an internal implementation object, such as a file,
                                  directory, database record, or key, as a URL or form parameter.
                                  Attackers can manipulate those references to access other objects
                                  without authorization.

 Cross Site Request Forgery       A CSRF attack forces a logged-on victim’s browser to send a
 (CSRF)                           preauthenticated request to a vulnerable web application, which
                                  then forces the victim’s browser to perform a hostile action to the
                                  benefit of the attacker. CSRF can be as powerful as the web
                                  application that it attacks.

 Information Leakage and          Applications can unintentionally leak information about their
 Improper Error Handling          configuration, internal workings, or violate privacy through a
                                  variety of application problems. Attackers use this weakness to
                                  steal sensitive data, or conduct more serious attacks.

 Broken Authentication and        Account credentials and session tokens are often not properly
 Session Management               protected. Attackers compromise passwords, keys, or
                                  authentication tokens to assume other users' identities.

 Insecure Cryptographic           Web applications rarely use cryptographic functions properly to
 Storage                          protect data and credentials. Attackers use weakly protected data to
                                  conduct identity theft and other crimes, such as credit card fraud.

 Insecure Communications          Applications frequently fail to encrypt network traffic when it is
                                  necessary to protect sensitive communications.

 Failure to Restrict URL          Frequently, an application only protects sensitive functionality by
 Access                           preventing the display of links or URLs to unauthorized users.
                                  Attackers can use this weakness to access and perform
                                  unauthorized operations by accessing those URLs directly.

3. Eligibility Criteria of Vendors: (All documentary proof to be attached)
    3.1 Only reputed IT auditing companies/agencies who have experience in executing similar
        projects in at least 2 PSUs and have been in existence for the last 5 yrs. need apply.
        Reference of major clients should be given.

    3.2 The vendor must be panel member of the security auditors of the Indian Computer
        Emergency Response Team (CERT-in) under the department of Information
        Technology, Government of India.

    3.3 Must be based within Mumbai jurisdiction.

    3.4 Empanelment with Controller of Certifying Authorities, Government of India under
        Information Technology Act.

    3.5 Empanelment with Reserve Bank of India for auditing of Network and IT Systems.

    3.6 Company should have net profit during last two financial years.

    3.7 Vendor should not be a consultant in Central Bank of India for IT related applications to
        be audited in this RFP.

    3.8 The vendor should depute a team with members being CISA Certified and having the
        defined scope experience of at least 2 years.

4. Terms and Conditions
Central Bank of India invites the Vendor’s attention to the following terms and conditions which
underlie this RFP and which provide a statement of understanding between the interested

4.1 Two Bid System
Separate Sealed Envelopes Containing Technical Proposal (Technical Bid) and Commercial
Proposals (Commercial Bid) should be clearly superscribed as “Technical Bid–RFP for Security
Audit of Internet Banking Application and Bank’s Official Website” and “Commercial Bid -
RFP for Security Audit of Internet Banking Application and Bank’s Official Website”
respectively and should be addressed to and submitted at: -
Chief Manager,
Central Bank of India,
1st Floor, Plot No. 26, Sector – 11
CBD Belapur, Navi Mumbai – 400 614

4.2 Date of Submission
The proposal should be prepared in English and should reach the Bank on or before date and
time mentioned above. The proposals received later than the above targeted date and time will
not be accepted. The e-mail address and phone/fax numbers of the vendor should also be
indicated on the sealed cover. The details in both the Bids should be exactly as stipulated and
otherwise the offer is liable to be rejected.

4.3 Liabilities of Bank
This RFP is not an offer by Bank, but an invitation for Vendor responses. No contractual
obligation on behalf of Bank whatsoever shall arise from the RFP process unless and until a
formal contract is signed and executed by duly authorized officials of Bank and the Vendor(s).

4.4 Proposal Process Management

Bank reserves the right to accept or reject any and all proposals, to revise the RFP, to request
one or more re-submissions or clarifications from one or more Vendors, or to cancel the process
in part or whole. No Vendor is obligated to respond to or to continue to respond to the RFP.
Additionally, Bank reserves the right to alter the requirements, in part or whole, during the RFP
process, and without re-issuing the RFP. Each party shall be entirely responsible for its own
costs and expenses that are incurred while participating in the RFP and subsequent presentations
and contract negotiation processes.

4.5 Date of Bid Expiration
Proposals must be valid for a minimum of 180 days from the proposal date. Responses must
clearly state the validity of the bid and its explicit expiration date.

4.6 Bidder Indication of Authorization to Bid

Responses submitted by a Vendor to this RFP (including response to functional and technical
requirements) represent a firm offer to contract on the terms and conditions described in the
Vendor’s response. The proposal must be signed by an official authorised to commit the bidder
to the terms and conditions of the proposal. Vendor must clearly identify the full title and
authorization of the designated official and provide a statement of bid commitment with the
accompanying signature of the official and submit the copy of power of attorney / authority
letter authorizing the signatory to sign the bid.

4.7 RFP Ownership

The RFP and all supporting documentation/templates are the sole property of Central Bank of
India and should NOT be redistributed, either in full or in part thereof, without the prior written
consent of Bank. Violation of this would be a breach of trust and may, inter-alia cause the
Vendor to be irrevocably disqualified. The aforementioned material must be returned to Bank
when submitting the Vendor proposal, or upon request. In case the Vendor is not interested in
responding to the RFP, the RFP documents and any appendices must be returned to Bank

4.8 Proposal Ownership

The proposal and all supporting documentation submitted by the Vendor shall become the
property of Central Bank of India unless the Vendor specifically requests, in writing, that the
proposal and documentation be returned or destroyed.

4.9 Bid Pricing Information

By submitting a signed bid, the Vendor certifies that:
The Vendor has arrived at the prices in its bid without agreement with any other bidder of this
RFP for the purpose of restricting competition. The prices in the bid have not been disclosed and
will not be disclosed to any other bidder of this RFP. No attempt by the Vendor to induce any
other bidder to submit or not to submit a bid for restricting competition has occurred.

4.10 Bidder Status

Each Vendor must indicate whether or not they have any actual or potential conflict of interest
related to contracting services with Central Bank of India.

4.11 Confidentiality

This document contains information confidential and proprietary to Central Bank of India.
Additionally, the Vendor will be exposed by virtue of the contracted activities to internal
business information of Bank, affiliates, and/or business partners. Disclosure of receipt of any
part of the aforementioned information to parties not directly involved in providing the services
requested could result in the disqualification of the Vendor, pre-mature termination of the
contract, or legal action against the Vendor for breach of trust.
No news release, public announcement, or any other reference to this RFP or any program
thereunder shall be made without written consent from Bank. Reproduction of this RFP, without prior
written consent of Bank, by photographic, electronic, or other means is strictly prohibited.

4.12 Bid Security

The Vendor is required to submit an interest free deposit which is refundable, in form of a
Demand Draft or Pay Order in favor of “CENTRAL BANK OF INDIA – EMD FOR
TENDER NO ... ”, as part of the proposal, for an amount as mentioned above issued by any
Bank acceptable to us.

The Demand Draft / Pay Order will not be returned, if the vendor withdraws his proposal during
the period of the proposal validity; or if the vendor, having been notified of the acceptance of its
proposal by the purchaser during the period of validity of the proposal fails or refuses to execute
the contract in accordance with the RFP.

4.13 Disclaimer

The Bank and/or its officers, employees disown all liabilities or claims arising out of any loss or
damage, whether foreseeable or not, suffered by any person acting on or refraining from acting
because of any information including statements, information, forecasts, estimates or projections
contained in this document or conduct ancillary to it whether or not the loss or damage arises in
connection with any omission, negligence, default, lack of care or misrepresentation on the part
of Bank and/or any of its officers, employees.

The short-listed vendor should execute (a) a Service Level Agreement, which would include all
the services and terms and conditions of the services to be extended as detailed herein and as
may be prescribed by the Bank and (b) Non-disclosure Agreement.

4.14 Right to Reject
Central Bank of India reserves the right to:

- Reject any or all proposals received in response to the RFP without assigning any reasons
  thereof.
- Waive or modify any formalities, irregularities, or inconsistencies in proposal format delivery.
- Discuss any specific aspect/s of the proposal with any consultant and negotiate with more than
  one consultant at a time.
- Accept/reject any counter proposal or addendum submitted by the consultant.
- Extend time for submission of all proposals.
- Select the next most responsive vendor in the event that negotiations with the L1 vendor fail
  to result in an agreement within a specified time frame.
- Share the information/clarifications provided in response to RFP by any vendor, to any other
  vendor(s)/others.

4.15 Other General Conditions:

All responses received after the due date/time would be considered late and would not be

All responses should be in English Language. All responses by the vendors to this RFP
document shall be binding on such vendors for a period of 180 days after the opening of the
technical bids.

All responses including commercial and technical bids would be deemed to be irrevocable
offers/proposals from the vendors and may if accepted by the bank form part of the final contract
between the bank and the selected vendor.

Any technical or commercial bid, submitted cannot be withdrawn/modified after the last date for
submission of the bids unless specifically permitted by the bank.

The vendor is requested to quote in Indian Rupees (INR). Bids in currencies other than INR
would not be considered.

The Bank reserves the absolute right to reject the offer if it is not in accordance with its requirements
and no further correspondence, whatsoever, will be entertained by the Bank in the matter.

The prices quoted by the vendor shall include all costs such as taxes, levies, cess, excise duty,
insurance etc. that need to be incurred. The price payable to the vendor shall be inclusive of
carrying out any modifications changes/upgrades to the software or equipment that is required to
be used in order to carry out the specified assignments.

In case of any variation (upward or downward) in Government levies, taxes, cess, excise etc. up
to the date of invoice, the benefit or burden of the same shall be passed on or adjusted to the
bank. If the vendor makes any conditional or vague offers, without conforming to these
guidelines, the bank will treat the prices quoted as in conformity with these guidelines and
proceed accordingly. Local entry taxes or octroi whichever is applicable, if any, will be paid by
the bank on production of relative payment receipts/documents. Necessary documentary
evidence should be produced for having paid the customs/excise duty, sales tax, if applicable,
and or other applicable levies.

If any Tax authorities of any state, including Local authorities like Corporation, Municipality,
Mandal Panchayat, etc. or any Central Government authority or Statutory or autonomous or such
other authority imposes any tax, penalty or levy or any cess/charge other than entry tax or octroi
and if the bank has to pay the same for any of the items or supplies made hereunder by the
vendor, for any reason including the delay or failure or inability of the vendor to make payment
for the same, the bank has to be reimbursed such amounts paid, on being intimated to the vendor
along with the documentary evidence. If the vendor does not reimburse the amount within a
fortnight, the bank reserves the right to adjust the amount out of the payments due to the vendor
from the Bank.

The project will be deemed complete only when the vendor with the satisfaction of the bank
completes all the assignments contracted by the bank and all deliverables are provided.

Any additional or different terms and conditions proposed by the vendor would be rejected
unless expressly assented to in writing by the bank.

All terms and conditions, payments schedules, time frame for completion of assignments as per
this tender will remain unchanged unless explicitly communicated by the Bank in writing to the
vendor. The bank shall not be responsible for any judgments made by the vendor with respect to
any aspect of the assignment.

4.16 Payment Terms

The Vendor must accept the payment terms proposed by the Bank. The financial bid submitted
by the vendor must be in conformity with the payment terms proposed by the bank. Any
deviation from the proposed payment terms would not be accepted.

The bank shall have the right to withhold any payment due to the vendor, in case of delays or
defaults on the part of the vendor. Such withholding of payment shall not amount to a default on
the part of the bank.

The payment terms need to be read in conjunction with the price bid:

Fees shall be payable only after submission of the quarterly final report and acceptance of
the same by the IT Committee.

4.17 Project Completion Time

Detailed and realistic Project Plan, Management and Implementation schedule should be
provided. Approximate time for customization and implementation of the pilot branches system
will be 6 WEEKS from the date of the assignment.

4.18 Penalty Clause

The vendor must strictly adhere to the schedules for completing the assignments. Failure to meet
these delivery dates, unless it is due to reasons entirely attributable to the bank, may constitute a
material breach of the vendor's performance. In the event that the Bank is forced to cancel an
awarded contract (relative to this RFP) due to the vendor's inability to meet the established
delivery dates, the bank may take suitable penal actions as deemed fit.

4.19 Force Majeure

The vendor shall not be liable for forfeiture of its performance security, liquidated damages or
termination for default, if any to the extent that its delay in performance or other failure to
perform its obligations under the contract is the result of an event of Force Majeure.

For purposes of this Clause, “Force Majeure” means an event explicitly beyond the control of
the vendor and not involving the vendor’s fault or negligence and not foreseeable. Such events
may include, Acts of God or of public enemy, acts of Government of India in their sovereign
capacity and acts of war.

If a Force Majeure situation arises, the vendor shall promptly notify the Bank in writing of such
conditions and the cause thereof within fifteen calendar days. Unless otherwise directed by the
Bank in writing, the vendor shall continue to perform his obligations under the Contract as far as
is reasonably practical, and shall seek all reasonable alternative means for performance not
prevented by the Force Majeure event.

In such a case the time for performance shall be extended by a period (s) not less than duration
of such delay. If the duration of delay continues beyond a period of three months, the Bank and
the vendor shall hold performance in an endeavor to find a solution to the problem.

Notwithstanding the above, the decision of the Bank shall be final and binding on the Vendor.

4.20 Acceptance of Terms and Conditions:

The vendors participating in the tender process should give an Acceptance Certificate for all the
points mentioned through 2.1 to 2.22. Otherwise their offers are liable to be rejected.

4.21 Performance Guarantee

The successful bidder shall furnish the performance security representing 10% of the total value of
the contract within 15 days of the receipt of notification of award as per the Performance Guarantee
Proforma provided by Bank. Performance security should remain valid for a period of 60 days
beyond the date of completion of all contracts.

4.22 Responsibilities of the auditor
The Auditor shall ensure that:

1. The auditing is carried out strictly in accordance with the terms and conditions stipulated in the
    audit assignment contract as well as general expectations of the auditee from an auditor.
2. All applicable codes of conduct and auditing standards are adhered to with due professional care.

3. Will use audit tools that are licensed and not the trial versions. Auditor should disclose the details
   of any automated tool used for accomplishing the audit process. The auditor must have the
   valid license of the said automated tool(s).

4. Plan of action of audit & compliance audit and deliverables for each should be specified for every
    quarter along with any reconciled plan of action for future.

4.23 Quality of Audit

The selected vendor will ensure that the audit assignments are carried out in accordance with
applicable guidelines and standards as mentioned in this document and terms and conditions
specified by the CERT-IN, Department of Information Technology, Min. of Information
Technology, Government of India.

4.24 Clarifications and amendments of RFP Document

RFP Clarifications

During Technical Evaluation of the proposals Bank may, at its discretion, ask bidders for
clarifications on their proposal. The bidders are required to respond within the prescribed time

Amendments in RFP

At any time prior to the deadline for submission of proposals, the Bank may, for any reason, modify
the RFP. The prospective bidders having received the RFP shall be notified of the amendments through
the website and/or newspapers, and such amendments shall be binding on them.

4.25 Names of Companies where Penetration testing has been conducted.

Proposal Formats:



    No.     Particulars                                                             To be furnished by
                                                                                    the Vendor
    1       Name and address of the Vendor

    2       Year of establishment and constitution
    3       Telephone no., Fax no. and E-mail-id
    4       Name and designation of the personnel authorized to take
            decisions on behalf of the Vendor and can make commitments
            to the Bank
    5       The details of the Head with professional qualifications and
    6       Description of area of activity
            a) Service profile
            b) Domestic & International exposure
            c) Alliance and joint ventures
            d) Client profile
    7       Whether the IT auditing process conforms to ISO9001 (2000),
            BS7799, and ISO17799 standards and furnish details of
    8       Profile of key personnel involved in auditing (domain specific
            and others) with their CVs (Information in respect of skill
            and     expertise    specifying   technical    and     banking
            knowledge/solutions should be mentioned)
            IT auditing
            Planning & Design
            Systems development
            Service/support for similar project assignment by the
            Track record
    9       Details of experience/knowledge in the area of Project Design
            and management, Resource Planning, Role and Responsibility
            definition, co-ordination across multiple teams, Risk analysis
            and mitigation
            Area description
            Client organization name & location
            Number of employees, branches, installations, systems
            applications, Cost involved, Time taken, Largest job etc.
    10      Total revenues (not of the group)
            During the financial year 2007-08
            During the financial year 2008-09

    11      Net profit (not of the group)
            During the financial year 2007-08
            During the financial year 2008-09
    12      Details of the major IT auditing completed in Banks
            institutions, during the last two years:

            Name of the Bank/Institution

            Location of Head Office

            No. of branches/sites under coverage

            Specific area of involvement

            Present Status of the Project

    13      Present projects on hand:

            Name of the Bank/Institution

            Location of Head Office

            No. of branches/sites under coverage

            Specific area of involvement

            Present Status of the Project

6. Acceptance Letter to be given by the Vendor


Central Bank of India,
Central Office,

Dear Sir,

REG: Acceptance of the Terms and Conditions and Confirmation of the Offer.

The details submitted in the format above are true and correct to the best of our knowledge and
if it is proved otherwise at any stage of execution of the contract, Central bank of India has the
right to summarily reject the proposal and disqualify us from the process.

We hereby acknowledge and confirm having accepted that the Bank can at its absolute discretion
apply whatever criteria it deems appropriate, not just limited to those criteria set out in the RFP
and related PROC documents, in shortlisting of vendors for providing software solution.

We also acknowledge the information that this response of our Company for the Bank’s RFP
process is valid for a period of 180 Days, for the selection purpose, from the date of expiry of
the last date for submission for response to RFP and related enclosures.

We also confirm that we have noted the contents of the RFP including various documents
forming part of it and have ensured that there is no deviation in submitting our offer in response
to the tender. The Bank will have the option to disqualify us in case of any such deviations.

We also confirm that we will abide by the Terms & Conditions mentioned in Chapter – 2 through
Points 2.1 to 2.22 and Scope of Consultancy mentioned in Chapter – 3 as given in the Tender
Document in full and without any deviation.


Date:                                                  Seal & Signature of the Vendor


 (To be submitted as per this format only)

  This bill of material must be attached in Technical Offer as well as commercial offer. The
  format will be identical for both technical and commercial versions, except that the technical
  version will not contain any price information. Technical offers without the bill of material
  are liable for rejection.
  The vendor can also mention any other component(s) that are required for their solution.
  The vendor must take care in filling price information in the commercial version, to ensure
  that there are no typographical or arithmetic errors. All fields must be filled up correctly.
  Consolidated, all-inclusive fee for the total project of IT auditing as specified in the Request
  for Proposal should be mentioned.


   S.       Description                                                               Fees in Rs.
   1.       The total fees for the IT auditing project to be paid                     To be filled in
                                                                                      commercial bid only
            - The consolidated fees offered against each of the
              specified components in the commercial proposal are an
              all-inclusive amount and no other charges, whatsoever, are
              payable by the Bank for whatsoever reason.
            - The fees quoted should include all taxes, duties,
              levies, service tax or any other hidden costs.
            - The Bank would not make any payments in respect of
              other charges/reimbursement of expenses like traveling,
              boarding & lodging, conveyance, etc., for visits to the
              Bank’s office/branches during the tenure of IT auditing.
              All discussions, meetings and presentations with the
              Bank will be carried out at CBS Department for the
              purpose of IT auditing relating to this RFP.
            - Bank will deduct the tax at source, if any, as per the
              prevailing laws.

   2.       Any other cost please enumerate                                           To be filled in
                                                                                      commercial bid

            Total Cost of Ownership (TCO) (1 + 2)                                     To be filled in
                                                                                      commercial bid
                                        ~~ End of document ~~
