Punjab National Bank, Inspection & Audit Division, HO, Delhi
Punjab National Bank
REQUEST FOR PROPOSAL
FOR
EMPANELMENT OF IS AUDITOR FOR
SECURITY CUM FUNCTIONAL AUDIT OF APPLICATION SOFTWARE
Inspection & Audit Division
Corporate Office, Plot-4, Sector-10, Dwarka
New Delhi - 110075
RFP for security cum functional audit of application software Confidential
CONTENTS
1 INTRODUCTION
1.1 Background
1.2 Purpose
1.3 Project Scope
1.4 Invitation
1.5 Time Schedule of Various bid related events
1.6 Confidentiality
1.7 Non Disclosure Clause
1.8 RFP Terminology
1.9 Disclaimer
2 BIDDING PROCESS
2.1 Bidding
2.2 Minimum Eligibility Criteria for Bidder(s)
2.3 Scope of Bid
2.4 Amendments/Supplements to Bidding Documents
2.5 Rights of PNB
2.6 Governing Law and Disputes
3 INSTRUCTIONS TO BIDDER
3.1 The Bidding Documents
3.1.1 Cost of Bidding
3.1.2 Content of Bidding Document
3.1.3 Clarification on RFP
3.1.4 Language of bids
3.2 Preparation of Bids
3.2.1 Document Constituting the Bid
3.2.2 Document Establishing Bidder's Qualification
3.2.3 Documents establishing Solution Conformity to Bidding Documents
3.2.4 Bid Security
3.2.5 Period of Validity of Bids
3.2.6 Format and Signing of Bid
3.2.7 Sealing, Marking and Submission of Bids
3.2.8 Deadline for Submission of Bids
3.2.9 Late Bids
3.2.10 Modification and Withdrawal of Bids
3.2.11 Acceptance or rejection of bid
3.2.12 Notification of award
3.3 Bid Opening and Evaluation of Bids
3.3.1 Assumptions and Agreements
3.3.2 Opening and evaluation of Technical Bids by the Bank
3.3.3 Clarification of Bids
3.3.4 Evaluation Criteria for empanelment
3.3.5 Contacting the Bank
3.3.6 Signing of Contract
3.3.7 Performance Guarantee
3.3.8 Notification of Empanelment
3.4 Award of Contract
3.4.1 Post qualification
3.4.2 Award Criteria on post empanelment
3.4.3 Dead Line / Critical Dates
3.4.4 Right to accept any Bid and to reject any or All Bids
3.4.5 Notification of Award of Contract
4 Broad Terms and Conditions
4.1 Standards
4.2 Arbitration
4.3 Notices
4.4 Use of Contract Documents and Information
4.5 Patent and Copyrights
4.6 Deliverables
4.7 Payment Terms
4.8 Taxes and Duties
4.9 Delay in the Performance
4.10 Penalty
4.11 Force Majeure
4.12 Correspondences
4.13 Successful bidder's Obligations
4.14 Contract Amendments
4.15 Extension of Bank Guarantees
4.16 Adherence to Standards
4.17 Subcontracting
Annexure A Detailed Scope of Audit
Annexure B Performance Guarantee Form
Annexure C Technical BID FORM
Annexure D Score Sheet
Annexure E Undertaking 1
Annexure F Undertaking 2
Annexure G Compliance Statement
Annexure H Technical Compliance Sheet
Annexure I Security cum functional audit of application software assignment
Annexure J Confidentiality Cum Non Disclosure Agreement
Annexure K Professional's details
Annexure L Check list for the Documents to be submitted
Chapter - 1: Introduction
1.1. Background
Punjab National Bank (PNB) has taken many IT initiatives. The Bank has computerized
100% of its branches and has implemented a Centralized Banking Solution with its Data
Centre at New Delhi and Disaster Recovery Site at Mumbai.
The Bank has already implemented a Data Warehouse project to provide better access to
information, to foster better and more informed decision-making, and to provide
statutory reporting and MIS for the Bank.
The Bank has several applications, developed in-house or procured through outsourcing,
for its internal requirements. Some of these applications are accessed through the
Enterprise Wide Network by different Branch Offices and are also available through the
Internet and through dial-up connection. Approximately 50-60 software applications are
developed in-house or procured every year, for which a Security cum Functional Audit is
required.
The Bank also offers alternative delivery channel services such as Internet Banking, ATM,
Mobile Banking, Mobile Apps, Tab Banking and POS to its customers. An ATM Switch has
been installed at the Data Centre in New Delhi, with a DR setup in Mumbai. The Internet
Banking infrastructure is also located at and integrated with the Enterprise Wide
Network in a secured manner.
The operating systems used in the different applications include various flavors of Unix
(Solaris, IBM AIX, HP-UX, SCO etc.), Windows NT, Windows 2008/2012 Enterprise Servers,
Tandem Guardian, Novell Netware, DOS etc. Applications that use messaging include
SWIFT, SFMS (RBI Infinet), Cash Management Services, Electronic Funds Transfer and
other RBI projects. The Mail Server is on MS Exchange Server 2010. The databases include
Oracle, MS SQL, DB2, Access, Sybase etc.
To secure the application software, databases, data and information, and to ensure the
availability of resources, including the network, to authorized users without any
disruption or degradation, the Bank plans to utilize the services of Information Security
(IS) auditors.
The bank houses various security devices positioned across various locations to protect
its infrastructure from internet threats.
1.2. Purpose
For empanelment of IS Auditor for Security cum functional Audit of application software
for providing independent reasonable assurance to the management on:
1. Audit of application software, or of any enhancement to an existing Application/IT
Platform, before rollout in the live environment, which serves the following purposes:
I. Ensure better quality of software development.
II. Reduce the chances of a security breach in the software.
III. Improve secure coding practices for future software development.
IV. Robust IT security.
V. Mitigation of risks where there are significant control weaknesses.
VI. Efficient utilization of IT resources.
VII. Ensure compliance with the IT Security Policy and procedures defined by the
Bank.
1.3. Project Scope
Detailed scope is at Annexure A. The overall approach of the Security cum Functional
Audit of application software shall be constructive and contributory. The evaluation
shall be comprehensive and clear, and the Security cum Functional Audit shall help
rectify any lacunae through concise directions.
1.4. Invitation
This RFP seeks Bidder(s) who are committed to the Information Security business and
have the capability and experience in conducting Security cum functional audit of
application software. Auditor wherever mentioned in RFP means the bidder/ company
/firm who can conduct the security cum functional audit of application software.
Evaluation criteria, evaluation of the responses to the RFP and subsequent selection of
the successful bidder(s) will be entirely at PNB's sole discretion. The Bank's decision
shall be final and binding and no correspondence about the decision shall be entertained.
1.5. Time Schedule of Various bid related events
1. Date of commencement of availability of Bidding Documents for Sale: 12.03.2018
2. Last date & time for submission of queries (by e-mail): 18.03.2018, 05.00 PM
3. Last date and time for receipt of Bidding Documents: 02.04.2018, 02.00 PM
4. Date and Time of Bid Opening (change, if any, will be communicated to bidders who
have purchased the RFP): 02.04.2018, 03.00 PM
5. Cost of RFP: Rs. 5000/- (non-refundable), to be deposited in A/C 1522002100021143,
PNB IAD, IFSC PUNB0976200, Branch PNB Head Office (9762200), Sector-10, Dwarka,
New Delhi
6. Earnest Money Deposit Amount: Rs. 50000/- (Rupees Fifty Thousand only), to be
deposited in A/C 1522002100021143, PNB IAD, IFSC PUNB0976200, Branch PNB Head
Office (9762200), Sector-10, Dwarka, New Delhi
7. Place of opening of Bids: Punjab National Bank, IT Audit Cell, Inspection & Audit
Division, Head Office, 2nd Floor, East Wing, Corporate Office, Plot-4, Sector 10,
Dwarka, New Delhi 110075
Note:
(i) Bids will be opened in the presence of those bidders who choose to attend, as above.
(ii) The schedule is subject to change. Notice in writing of any change will be
published and communicated, wherever feasible, through the Bank's corporate website
www.pnbindia.in. PNB reserves the right to cancel the RFP at any time without
incurring any financial obligation to any Bidder or potential Bidder.
(iii) Any query regarding the RFP may be sent to iadisaudit@pnb.co.in and
pankajgupta@pnb.co.in, addressed to The Chief Manager, IT Audit Cell,
Inspection & Audit Division, Head Office, 2nd Floor, East Wing, Corporate Office,
Plot 4, Sector-10, Dwarka, Rajendra Place, New Delhi 110075, before the last
date & time for submission of queries by e-mail.
1.6 Confidentiality
The RFP document is confidential and is not to be reproduced, transmitted, or made
available or disclosed in any form or manner by the Recipient to any other person.
Punjab National Bank may amend or revise the RFP document or any part of it. The
Recipient accepts that they will receive any such revised or amended document subject
to the same terms and conditions as this original and subject also to confidentiality.
The Recipient will not disclose or discuss the contents of the RFP document with any
officer, employee, consultant, director, agent, or other person associated or affiliated in
any way with Punjab National Bank or any of its customers, Auditors, or agents without
the prior written consent of the Bank. The empanelled bidder shall execute a
Confidentiality & Non Disclosure agreement with the Bank as per Annexure 'J'.
1.7 Non Disclosure Clause
i) The bidder (and his employees) shall not, unless the bank gives permission in
writing, disclose any part or whole of this RFP document, of the proposal and/or
contract, or any specification, plan, drawing, pattern, sample or information
furnished by the bank, in connection therewith to any person other than a
person employed by the bidder in the pursuance of the proposal and/or
contract. Disclosure to any such employed person shall be made in confidence
and shall be to the extent only so far as may be necessary for purposes of such
performance. The bidder will ensure that the employees engaged by the bidder
will maintain strict confidentiality.
ii) The bidder, his employees and agents shall not without prior written consent
from the bank make any use of any document or information given by the Bank,
except for purposes of performing the contract award.
iii) In case of breach, the bank shall take such legal action as it may deem fit.
1.8 RFP TERMINOLOGY
Definitions
Throughout this RFP, unless inconsistent with the subject matter or context, the
following terms will have the meaning as under:
i. Agreement:
Any written contract to be entered into between Punjab National Bank and the
Bidder(s) qualifying for empanelment with respect to providing for any
deliverables or services contemplated by this RFP. Any Agreement shall be
deemed to incorporate, as schedules, this RFP and all supplements issued by
the Bank, the bid of the Successful Bidder(s) and any negotiated modifications
thereto.
ii. Bidder/Vendor/Auditor:
A firm/company submitting a bid in response to this RFP. For this specific RFP for
empanelment of IS auditors, the definition of "Bidder" shall include only bidder(s) who
directly possess the capabilities to conduct such assignments.
iii. Bank:
Reference to "the Bank", "Bank", "PNB" and "Punjab National Bank" shall be
determined in context and may mean without limitation "Punjab National Bank", a
Nationalized Bank in India.
iv. Proposal/Bid:
The Bidder's written reply or submissions in response to this RFP.
v. RFP:
The Request for Proposal document in its entirety, inclusive of any supplement
that may be issued by the Bank.
vi. ITB:
Instructions to Bidders as Contained in Chapter 3.
vii. Successful bidder:
Empanelled IS Auditor to whom job has been awarded.
1.9 Disclaimer
Subject to any law to the contrary, and to the maximum extent permitted by law, PNB
and its officers, employees, contractors, agents, and advisers disclaim all liability from
any loss or damage (whether foreseeable or not) suffered by any person acting on or
refraining from acting because of any information including forecasts, statements,
estimates, or projections contained in this RFP document or conduct ancillary to it
whether or not the loss or damage arises in connection with any negligence, omission,
default, lack of care or misrepresentation on the part of PNB or any of its officers,
employees, contractors, agents, or advisers.
Chapter 2: Bidding Process
2.1. Bidding
A Bidder who decides to bid will have to deposit a non-refundable bidding fee of
Rs. 5000/- (Rupees Five Thousand only). The fee is to be deposited in A/C
1522002100021143, PNB IAD, IFSC PUNB0976200, Branch PNB Head Office
(9762200), Sector-10, Dwarka, New Delhi.
Bidders shall submit their Bid in sealed envelope containing:-
(i) Technical Compliance Sheet: It contains the details proving that the bidder meets the
minimum eligibility criteria, with documentary evidence to support the same.
(ii) Score Sheet: It contains the details, with documentary evidence, on which the bidder
is scored against the different parameters.
Note: - Bid will not contain any pricing or commercial information at all.
Technical compliance sheet will be opened for evaluation. Those bidders who meet the
minimum eligibility criteria, as per the requirements and the terms and conditions of this
document, shall be shortlisted for further processing. Scoring will be done by the
technical committee for the shortlisted bidders.
2.2. Minimum Eligibility Criteria for Bidder(s)
To become eligible to respond to this RFP the vendor should fulfill the following
minimum eligibility criteria:-
a) Bidder must be a legal entity in India and must be financially solvent.
b) Should not be a vendor of software and hardware components to the Bank.
c) Should be a Company/Firm/Organization/independent subsidiary with an
average annual turnover of Rs. 1 (One) crore or more for the last three financial
years and should have been in profit during all three financial years (i.e. 2014-
2015, 2015-2016, 2016-2017).
d) Should have at least 3 years' experience in the field of providing Security cum
Functional Audit of application software, and the company should have carried out
similar work in Government organizations/PSUs/Banks. The company
should provide adequate documentary evidence in support of having provided
similar services.
For consideration of above experience in Security cum functional Audit of
application software, the activities similar to given below will be considered:-
I. Application Control Review.
II. System Processing Logic.
III. Review of parameters and other areas.
IV. Interface with other applications
V. Data Integrity of the report generated from the system
VI. Assessment of Role based security for application under scope.
VII. Adequacy of Audit trail and logs.
VIII. Vulnerability assessment and penetration test [VAPT] of server/security
equipment/network equipment/ Applications through intranet.
IX. Verification of compliance of system and procedures as per Organization's
IT Security Policy/ guidelines.
X. Business Impact Analysis.
XI. Migration Audit
XII. Any other Computer/Mobile/IT Application.
e) Should not have been blacklisted by any nationalized Bank/RBI/IBA/ PSUs or
any other Government agency from offering such audit services/solutions to
them. Bidder must give an Undertaking to this effect.
f) Firm must have a minimum of 5 qualified professionals, on the permanent rolls of the
organization, holding a degree from Govt. recognized reputable Universities/Institutions
(BE/B.Tech/ME/M.Tech/MCA/C.A. (ICAI)) and a certification such as CISA/CISSP/CEH/
Sun Certified Security Administrator (SCSECA)/OCE (Oracle Certified Expert - Security
Administrator)/Cisco CCIE Security, along with a minimum of 2 years' post-qualification
experience in security cum functional audit of application software, including at least
one software audit of a PSU/Bank.
g) Firm must be empanelled with CERT-In, Govt. of India, as a Security Auditor, with a
certificate of empanelment for the block 2016-2019.
Bidder must submit a detailed statement of facts and profile of company including
year of commencement of business, Internet site details and name and title of the
authorized signatory for their Bid and their contact numbers and e-mail address.
Bidder should provide the documents in support of their eligibility in terms of above
minimum eligibility criteria.
2.3. Scope of Bid
The scope of the bid shall be to empanel Information System Auditor to conduct security
cum functional audit of application software as per detailed scope given in Annexure A.
2.4. Amendments/Supplements to Bidding Documents
At any time prior to the deadline for submission of bids, the bank may, for any reason,
modify the Bidding Document by amendments at the sole discretion of the bank. All
amendments will be in writing and shall be communicated and published on bank's
website and will be binding on all prospective bidders. Further for any communication
bidders must provide name of the contact person, mailing address, telephone number
and FAX numbers on the covering letter sent along with the bids/ request for bidding
document.
In order to provide, prospective bidders, reasonable time to take the amendment into
account in preparing their bid, the bank may, at its discretion, extend the deadline for
submission of bids.
2.5. Rights of PNB
PNB reserves the right to:-
Modify any terms, conditions and specifications of the RFP.
Negotiate with Bidders.
Accept any Bid in whole or in part.
Split orders in favor of more than one Bidder.
Release order, part order or more than one order.
Finalize the bill of material and repeat orders.
Issue the amendments to the RFP at anytime, prior to the deadline for the
submission of Bids. From the date of issue, amendments to Tender Document
shall be deemed to form an integral part of the Tender Document.
The Bids received and accepted will be evaluated by PNB to ascertain the best in the
interest of PNB. However, PNB does not bind itself to accept any Bid and reserves the
right to reject any or all Bids at any point of time prior to the placing of order without
assigning any reasons whatsoever. PNB reserves the right to re-tender. PNB shall not
incur any liability to the affected Bidder(s) on account of such rejection. PNB shall not be
obliged to inform the affected Bidder(s) of the grounds for PNB's decision of rejection. It
is to be understood clearly by the Bidders that the selection process requires them to
have adequate expertise in the audit domain.
2.6. Governing Law and Disputes
The Bid and the resulting Contract with the successful Bidders shall be governed in
accordance with the Laws of India for the time being in force.
All disputes or differences whatsoever arising between PNB and the Bidders out of the
meaning and operation or effect of this Tender Document or breach thereof, shall be
settled amicably. If, however, the parties, as above, are not able to resolve them
amicably, the same shall be settled by Arbitration in accordance with the Arbitration and
Conciliation Act 1996, and the award made in pursuance thereof shall be binding on the
parties.
Any appeal will be subject to the exclusive jurisdiction of the courts at Delhi (India). In
such instances, the Successful bidder shall continue to work under the Contract during
the arbitration proceedings unless otherwise directed in writing by PNB or unless the
matter is such that the work cannot possibly be continued until the decision of the
Arbitrator or of the umpire, as the case may be, is obtained.
The venue of the arbitration shall be Delhi, India.
Chapter 3: Instructions to Bidders (ITB)
3.1. The Bidding Documents
3.1.1. Cost of Bidding
The cost of bidding and submission of tender documents in response to this RFP is
entirely the responsibility of bidders, regardless of the conduct or outcome of the
tendering process. PNB will not be liable for any costs incurred by the Bidder in replying
to this RFP. It is also clarified that no binding relationship will exist between any of the
Respondents and the Bank until execution of a contractual agreement.
3.1.2. Content of Bidding Document
The bidding document provides an overview of the requirements, bidding procedures and
contract terms. It includes the Introduction, eligibility criteria, Instructions to Bidders,
and Broad terms and conditions of Contract and Bid. The bidder must conduct its own
investigation and analysis regarding any information contained in the RFP document and
the meaning and impact of that information.
The Bidder is expected to examine all instructions, statements, forms, terms and
specifications in the bidding documents. Failure to furnish all information required by the
bidding documents or submission of a bid not responsive to the bidding documents in
every respect will be at the Bidder's risk and may result in rejection of the bid. While the
Bank has made considerable effort to ensure that accurate information is contained in
this RFP, the information contained in this RFP is supplied solely as a guideline for
Bidders. Furthermore, during the RFP process, the Bank has disclosed or will disclose
in the RFP and supplement as applicable, available information relevant to the Work to
the extent, detail, and accuracy allowed by prevailing circumstances. Subject to the
provision in the previous sentence, the Bank has used or will use its best judgment and
assessment to fairly and reasonably represent the nature and scope of the Work in order
for Bidders to submit viable Proposals. However, the Bank shall not be deemed to give
any guarantees or warranties of accuracy of any of the information in this RFP or any
supplement, nor of its being comprehensive or exhaustive. Nothing in this RFP or any
supplement is intended to relieve Bidders from forming their own opinions and
conclusions in respect of the matters addressed in this RFP or any supplement, as
applicable.
3.1.3. Clarification on RFP
The Bidder shall carefully examine and understand the specifications / conditions of RFP
and seek written clarifications, if required, to ensure that they have understood all
specifications / conditions of RFP. Written requests for clarification may be submitted to
PNB before last date specified for queries (through email) in this regard.
Thereafter, no more clarification other than that asked by the last date specified for this
purpose shall be entertained. No oral consultation either shall be entertained thereafter.
The Bid should not carry any sections like clarifications, 'as orally told', 'to be
discussed', interpretations and assumptions. With the submission of the Bid, the Bidder
acknowledges that he/she has carefully studied and understood the RFP in totality.
Any questions concerning this RFP must be submitted through email at
iadisaudit@pnb.co.in, pankajgupta@pnb.co.in on or before the last date of submission
of queries to:
Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Plot-4, Sector-10, Dwarka,
New Delhi 110075
No requests for clarification will be accepted over the telephone.
3.1.4 Language of Bid
The bid prepared by the Bidder, as well as all correspondence and documents relating to
the bid exchanged between the Bidder and the Bank shall be written in English language
only.
3.2 Preparation of Bids
3.2.1 Document Constituting the Bid
The bid prepared by the Bidder shall comprise the following components:
a) Technical Compliance Sheet:-
Details establishing the qualification of the bidder as per Minimum eligibility criteria
(see Chapter-2) for the Bidders. Annexure-H
b) Point wise compliance of the terms and conditions enumerated in Tender
Document. Any technical/commercial deviation with the Tender Document should
be clearly stated with the reasons thereof.
c) Documentary evidence established in accordance with ITB Section 3.2.2 that the
Bidder is qualified to perform the contract if its bid is accepted and that the bidder
has financial, technical capability necessary to perform the contract and meets the
criteria outlined in the Qualification Requirement and fulfills all the conditions of the
Contract.
d) Bid security furnished in accordance with ITB Section 3.2.4.
e) An undertaking from the bidder (As per Annexure C) that the bidder is complying
with all the conditions of the Contract and Technical Specifications of the Bidding
Document as no deviation will be acceptable to the Bank.
f) Score Sheet (Annexure-D)
g) Compliance statement as per the Annexure-G.
This will be evaluated by the technical committee as per the procedure elaborated in ITB
Section 3.3.2(v).
3.2.2 Document Establishing Bidder's Qualification.
Pursuant to ITB section 3.2.1, the Bidder shall furnish, as part of its Bid, documents
establishing the Bidder's qualification to perform the Contract if the bid is accepted.
The documentary evidence of Bidder's qualification to perform the Contract if the bid is
accepted should establish to the Bank's full satisfaction that the bidder has the financial,
technical and performance capability necessary to perform the Contract and meets the
criteria outlined in the Minimum Eligibility Criteria specified in this RFP. Bids that do
not fully comply with the minimum eligibility criteria will be rejected. Technical scoring
will be done only for bidders who fulfill the minimum eligibility criteria and have been
shortlisted.
3.2.3 Documents establishing Solution Conformity to Bidding Documents
All the documents must accompany the response to this RFP as per Annexure L.
Willful misrepresentation of the facts will lead to the cancellation of the contract without
prejudice to any other action that the Bank may take.
All the submissions, including any accompanying documents, will become the property of
Punjab National Bank. The bidders shall be deemed to have licensed, and granted all
rights to, Punjab National Bank to reproduce the whole or any portion thereof for the
purpose of evaluation, to disclose the contents of the submission to other bidders, and
to disclose and/or use the contents of the submission as the basis for the RFP process.
3.2.4 Bid Security
(i) Pursuant to ITB Section 3.2.2, the Bidder shall furnish, as part of its bid, a bid
security of INR 50000/-(Rupees Fifty Thousand only).
(ii) The bid security is required to protect the Bank against the risk of the Bidder's
misconduct, which would result in forfeiture of the bid security.
(iii) The bid security shall be in Indian Rupees and shall be in the form of a Draft
/Banker's cheque, in favor of Punjab National Bank, Inspection & Audit Division,
payable at Delhi.
(iv) Any bid, not secured in accordance with above will be rejected by the Bank as
non-responsive.
(v) Unsuccessful bidder's bid security will be discharged/returned as promptly as
possible but not later than 30 days after the expiry of the period of bid validity
prescribed by the Bank. Bank will not be liable for any delay beyond 30 days as
aforesaid, and no claim for delayed interest will be allowed.
(vi) Bid security of bidders who have qualified for empanelment will be discharged
upon the Bidder signing the Contract, and furnishing the Performance
Guarantee.
(vii) The bid security may be forfeited, if a Bidder
a) Withdraws its bid during the period of bid validity specified by the Bidder on
the Bid Form; or does not accept the correction of errors or attempts to
influence the Bank in its decisions on bid evaluation or bid comparison
b) In case of a successful Bidder, if the Bidder fails:
To sign the Contract in accordance with Section 3.3.6; or
To furnish Performance Guarantee in accordance with Section 3.3.7.
3.2.5 Period of Validity of Bids
The bids shall be valid for a period of 180 days from the closing date for submission
of the bid. A bid valid for a shorter period shall be rejected as non-responsive.
In exceptional circumstances, the Bank may solicit the Bidder's consent to an extension
of the period of validity. The request and the response thereto shall be made in writing
(or by fax). The bid security validity period shall also be suitably extended. A Bidder may
refuse the request without forfeiting its bid security. A Bidder granting the request of
extension will not be required nor permitted to modify its bid.
3.2.6 Format and Signing of Bid
(i) The Bidder shall prepare Bid in accordance with ITB Section 3.2.1.
(ii) The bid shall be typed or written in indelible ink, numbered and shall be signed by
the Bidder or a person or persons duly authorized to bind the Bidder to the
Contract. The authorization shall be indicated by a written power-of-attorney or a
board resolution accompanying the bid. The person or persons signing the bid
shall sign & seal all pages of the bid;
(iii) Any interlineations, erasures or overwriting shall be valid only if the person or
persons signing the bid sign them.
(iv) Bid should be typed and submitted on A4 size paper and bound securely.
Bidders responding to this RFP must comply with the following format
requirements:
(a) COVER LETTER/BIDDER CERTIFICATIONS:
Certificates and other supporting document may be attached with covering letter while
submitting the proposal.
Proposals submitted in response to this RFP must be signed by the person working in
the bidder's organization who is responsible for the decision or by a person who has
been authorized in writing to act as agent for the person responsible for the decision.
Each bid shall stipulate that it is predicated upon the terms and conditions of this RFP
and any supplement or revision thereof. By submitting a signed proposal, the bidder's
signatories certify that in connection with this assignment:
The bidder's organization or an agent of the bidder's organization has submitted
the bid without consultation, communication or agreement with any other
respondent or with any competitor for the purpose of restricting competition.
No attempt has been made or will be made by the bidder's organization or by any
agent of the bidder's organization to induce any other person or firm to submit or
not to submit a bid for the purpose of restricting competition.
(b) REFERENCE DATA SHEET:
For the services offered, Bidder must furnish a list of minimum of two (2) references that
will be capable of verifying information supplied by the Bidders in proposal. Bidders
should submit additional Reference Data Sheet forms if they have more than two (2)
references.
The Bank reserves the right to contact and/or visit any party listed as a reference, which
has previously utilized or is presently utilizing service(s) identical or similar to those
being proposed by the bidder. The Bank may also utilize other sources of information
about the product(s) and/or service(s) proposed by the Bidder where these sources are
publicly available and are equally available for all competing bidders. The Bidder should
not be present during site visits.
(c) FINANCIAL STABILITY DOCUMENTATION:
Bidders responding to this RFP must be able to substantiate their financial stability.
Audited Financial statements along with additional supporting documentation must be
submitted with the bid.
(d) RESPONSE TO GENERAL, TECHNICAL, PERFORMANCE AND SUPPORT
REQUIREMENTS:
Provide a point-by-point response to each and every requirement specified in this RFP.
Responses must indicate that either bidder's bid "does comply" with specifications or
that it "does not comply." A succinct explanation of how each requirement can be met or
cannot be met must be included.
(e) ADDITIONAL INFORMATION:
Include additional information, which will be essential to an understanding of the
proposal. This might include diagrams, excerpts from manuals, or other explanatory
documentation, which would clarify and/or substantiate the bid. Any material included
here should be specifically referenced elsewhere in the bid.
(f) GLOSSARY:
Provide a glossary of all abbreviations, acronyms, and technical terms used to describe
the services or products proposed. This glossary should be provided even if these terms
are described or defined at their first use in the bid response.
3.2.7 SEALING, MARKING AND SUBMISSION OF BIDS
Bidders should provide their `Minimum Eligibility Criteria' and `Score Sheet' in one
original and two additional copies, labeled as "Original" or "Copy" as appropriate.
Each of these shall then be sealed in a separate envelope labeled "Original Tender" or
"Copy Tender" as appropriate. All the sealed envelopes containing Technical responses
shall then be sealed in one envelope marked "Bid for Empanelment of IS Auditor For
Security Cum Functional Audit Of Application Software" in the top left hand corner.
Bids which are not sealed as indicated above are liable to be rejected. PNB will not be
liable for Postal/Courier delay, non-receipt/non-delivery of documents, loss of
documents in transit, etc., if any, in the Bidder receiving the RFP and/or in submitting
the Bid before the scheduled time.
All pages of the Bid including Brochures are to be numbered as Page --- (current page)
of --- (total pages). The numbering shall be done for the whole Bid and not section-wise.
The envelopes shall be dated with the current date in the top right hand corner and
addressed to as below:
The Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Sector-10, Dwarka
New Delhi 110075
If the envelope is not sealed and marked, the Bank will assume no responsibility for the
bid's misplacement or premature opening.
Telex, Email or fax bids will be rejected.
3.2.8 Deadline for Submission of Bids
Bid must be received by the Bank at the address specified under Section 3.2.7 on or
before the last date of receipt of the Bid. In the event of the specified date for the
submission of Bids being declared a holiday for the Bank, the Bids will be received up to
the appointed time on the next working day.
The Bank may, at its discretion, extend this deadline for submission of bids by amending
the bid documents in accordance with section 2.5, in which case all rights and
obligations of the Bank and Bidders previously subject to the deadline will thereafter be
subject to the deadline as extended.
3.2.9 Late Bids
Any bid received by the Bank after the deadline fixed for submission of the bids will not
be considered. PNB will not be liable for any delayed receipt due to Postal/Courier delay.
Bidder shall ensure timely dispatch so that the same reaches the Bank before deadline.
3.2.10 Modification and Withdrawal of Bids
i) The Bidder may modify or withdraw its bid after the bid's submission, provided
that written notice of the modification or withdrawal is received by the Bank
prior to the deadline prescribed for submission of bids.
ii) The Bidder's modification or withdrawal notice should be sealed and marked
accordingly.
iii) No bid can be modified subsequent to the deadline for submission of bids.
iv) No bid can be withdrawn during the interval period between the deadline for
submission of bids and the expiration of period of bid validity. The act of
withdrawal of a bid during this interval will result in the forfeiture of the
Bidder's bid security. In other words, no withdrawal of the Bid is allowed after
the deadline fixed for Submission of the Bid.
3.2.11 Acceptance or rejection of bid
Incomplete Bid(s), conditional Bid(s), Bid(s) not conforming to the terms and
conditions, Bid without EMD are liable for rejection by PNB.
The Bank reserves the right not to accept any bid, or to accept or reject a particular bid
at its sole discretion without assigning any reason whatsoever.
3.2.12 Notification
Any relevant information regarding the bid will be published on bank's web site
www.pnbindia.in & www.pnbinida.biz only.
3.3 Bid Opening and Evaluation of Bids
3.3.1. Assumptions and Agreements
PNB, at its discretion, may make modifications to the selection criteria and the
weightage pattern, which will be notified to the bidders.
PNB reserves the right to accept or reject any proposal without assigning any reason
whatsoever.
3.3.2. Opening and evaluation of Technical Bids by the Bank
I. The Bank will open the bid in the Inspection and Audit Division, Punjab National
Bank, 2nd Floor, East Wing, Plot-4, Sector 10, Dwarka, New Delhi. Bidders'
representatives who choose to attend at the date/time and venue specified in section
1.5 shall have to sign a register evidencing their attendance. In case no
representatives attend the bid opening, the bids shall be opened in their absence. In
the event of the specified date of Bid opening being declared a holiday for the Bank
or bids cannot be opened due to any unavoidable circumstances, the Bids shall be
opened at the time and location on the next working day or any other day as decided
by the Bank.
II. The bidder's names, bid modifications or withdrawals and the presence or absence
of requisite bid security and such other details as the Bank at its discretion may
consider appropriate will be announced at the time of bid opening.
III. Bids that are not opened and read out at bid opening shall not be considered for
further evaluation, irrespective of the circumstances.
IV. The Bank will prepare minutes of the bid opening.
V. The Minimum eligibility criteria and score sheet would be evaluated by the Technical
Committee. Score sheet would be evaluated as per the following criteria/weightage:
SNo 1
Details: No. of qualified auditors in the firm as defined in 2.2 (f) on the permanent roll of
the organization. (Maximum Marks - 30)
Scale of Measurement (Marks):
(i) 15 or more qualified auditors: 30 Marks
(ii) More than or equal to 10 but less than 15: 20 Marks
(iii) More than or equal to 5 but less than 10: 15 Marks
SNo 2
Details: No. of completed Security cum Functional Audits of Application software in
Government organizations/PSUs/Banks during the last 5 years. (Maximum Marks - 50)
Scale of Measurement (Marks):
1. Total no. of application software audits in PSU/Govt./Bank in the last 5 years
(Maximum Marks - 40)
(i) More than 25 software audits: 40 Marks
(ii) More than or equal to 15 but less than 25: 30 Marks
(iii) More than or equal to 10 but less than 15: 20 Marks
2. Audit of Application software in Banks (Maximum Marks - 10)
(i) Audit of Core Banking Solution (CBS) project of the Bank in any bank having more
than 200 offices: 10 Marks
(ii) Audit of financial software other than above (like ATM, IBS, Treasury) of any bank
having more than 200 offices: 7 Marks
(iii) Other than above: 5 Marks
SNo 3
Details: Total no. of PSU/Bank customers for the purpose of security cum functional
audit of application software during the last 5 years. (Maximum Marks - 20)
Scale of Measurement (Marks): No. of PSU/Bank customers dealt with in the last 5 years
(i) More than or equal to 5 customers: 20 Marks
(ii) More than or equal to 2 but less than 5 customers: 15 Marks
(iii) 1 customer: 10 Marks
Bidders have to submit the details as above with documentary proof. Scoring for
shortlisted bidders will be done on the parameters given above. Bidders scoring more
than or equal to 60% marks will qualify for empanelment for security cum functional audit
of application software. In case fewer than 5 firms qualify with a score of 60% or above,
the bank may at its discretion include the next top scoring firms so that the total number
of selected firms is at least 5 (Five). However, the Bank reserves the right to lower the
qualifying marks in case the stipulated number of bidders does not qualify.
In case more than one firm has secured the same score and selection for empanelment of
the top 5 firms requires inclusion of one or more firm(s) at that score, then all the firms
at that score will be selected for empanelment.
VI. If a bid is not responsive or does not fulfil all the conditions of the Contract or does
not meet the Technical Specifications and Qualification Requirements, it will be rejected
by the bank outright and may not subsequently be made responsive by the Bidder by
correction of the non-conformity.
VII. Proposals will be reviewed to assess compliance with the requirements set out in this
RFP. Proposals that do not fully comply with the minimum requirements will be rejected
without further consideration.
3.3.3. Clarification of Bids
During evaluation of bids, the Bank may, at its discretion, ask the Bidder for a
clarification of its bid. The request for clarification and the response shall be in writing.
3.3.4. Evaluation Criteria for Empanelment:-
i) Preliminary scrutiny of all the bids received will be done and bids not meeting
the minimum eligibility criteria would be rejected.
ii) Scoring would be done only for shortlisted bidders who qualify the minimum
eligibility criteria.
iii) Shortlisted bidders will qualify for empanelment as IS Auditors on the basis of
scores procured by the bidders and as per process defined in section 3.3.2(v).
iv) Technical evaluation committee would recommend the name of bidders who
qualify for empanelment after evaluating the score sheet.
v) In the process of scrutiny of the proposals, Bank may seek additional inputs
and clarifications as may be needed and also may request the service
providers to make a presentation.
3.3.5. Contacting the Bank
No Bidder shall contact the Bank or its employees on any matter relating to its bid, from
the time of the bid opening to the time the empanelment is completed. If the bidder
wishes to bring additional information to the notice of the Bank, it should do so in writing.
Any effort by a Bidder to influence the Bank in its decisions on bid evaluation or bid
comparison may result in rejection of the Bidder's bid and forfeiture of their Bid Security.
3.3.6 Signing of Contract
At the same time as the Bank notifies the successful bidders that they have been
qualified for empanelment; the Bank will send the bidders the Contract Form
incorporating all agreements between the parties as enumerated in RFP.
Within 7 days of receipt of the Contract Form, the successful bidder shall sign and date
the Contract and return it to the Bank. The Bidder will agree to all the terms and
conditions as mentioned in this RFP.
3.3.7 Performance Guarantee
Within 7 days of the receipt of notification for qualifying for empanelment from the Bank,
the successful Bidder shall furnish the Performance Guarantee from a scheduled
commercial public sector bank, payable on demand for an amount of Rs. 100000/-(One
Lakh Only) for the due performance and fulfillment of the contract by the empanelled
bidder, in accordance with the conditions of Contract, in the Performance Guarantee
Form provided in the bidding documents or in another form acceptable to the Bank.
The Performance Guarantee may be discharged by the PNB upon being satisfied that
there has been due performance of the obligations by the Successful bidder under the
contract during the empanelment period. The Performance Guarantee shall be valid till
the end of the empanelment Period.
Failure of the successful bidder to comply with the requirement shall constitute sufficient
grounds for the annulment of the empanelment and forfeiture of the bid security.
3.3.8 Notification of Empanelment:
The process of empanelment would complete only after signing of Contract,
Confidentiality cum Non Disclosure Agreement and furnishing of Performance
Guarantee by the bidders who have qualified for empanelment.
The Bank will notify the successful bidders in writing by registered letter / courier/ email
or by fax that they have been empanelled, as IS Auditor for Security Cum Functional
Audit of Application Software for a period of 2 years.
Upon the successful Bidders' furnishing of Performance Guarantee as specified in
Section 3.3.7 thereof, the Bank will promptly discharge the bid security.
3.4 Award of Contract
3.4.1. Post qualification
The Bank will determine to its satisfaction whether the empanelled IS Auditor is qualified
to perform the contract satisfactorily. The determination will take into account the
Bidder's financial, technical and performance capabilities. It will be based upon an
examination of the documentary evidence of the Bidder's qualifications, expertise,
capability submitted by the bidder as well as such other information as the Bank deems
necessary and appropriate.
The empanelment does not entitle the empanelled IS Auditor to any assignment during
the contract period; assignment of work will be solely subject to the requirement and
discretion of the bank.
Empanelment would be initially for the period of 2 years subject to review of
performance on yearly basis.
3.4.2 Award Criteria on Post Empanelment
All the empanelled IS auditors would be asked to submit their commercial bid for
security cum functional audit of application software as per requirement of the bank.
For this purpose requisite applicable documents will be provided to them for each
software separately from the list given below:-
1. System documentation (Details of Systems/OS/RDBMS/development
platform /Web Server etc.)
2. User Requirement Specifications frozen for customization
3. Change request Documentation (for packages undergoing enhancement)
4. User Manual & Other instructions
5. Details of Acceptance Tests conducted along with details
6. Pilot testing reports in case of packages released for implementation
7. Problems reported during the pilot testing and their resolution details
8. Release / implementation instructions
(The above list is not exhaustive.)
An e-mail asking the empanelled auditors to submit their commercials within a specified
date will be sent by the bank as and when a requirement for audit of application
software(s) arises. It will be binding on all the empanelled auditors to participate in the
bidding process whenever initiated by the Bank. The Bank may also consider online
bidding whenever required, and all bidders shall be required to participate in the online
bidding process as stipulated by the bank. On failing to participate in the bidding process
on any 3 consecutive occasions during the empanelment period, the bank may cancel the
empanelment of the respective bidder as well as forfeit the amount of the performance
bank guarantee.
Empanelled auditors would submit their commercials for the job separately for each
software within the specified date in a sealed envelope through courier/registered post or
online, whichever mode is decided by the bank. The commercial bids so received will be
opened by the Bank at the intimated date & time in the presence of the representatives
of the bidders who wish to attend; otherwise the same would be opened in their
absence. The job of audit of application software will be awarded to the empanelled
auditor whose commercial bid is lowest for that particular software.
On assignment of the job, the empanelled auditor will submit the audit plan along with full
credentials of the Audit team within 3 days as per the annexure-`A'(3.1). The job of Audit
must be commenced within 7 days of assignment.
The bank retains the right to finally negotiate the commercials with the lowest bidder to
arrive at reasonable remuneration before awarding the job. It may be noted that the
Bank will not entertain any price negotiation with any other bidder, unless the successful
bidder declines to accept the offer, in which event the Bank may make the award to the
next lowest bidder or call for new bids.
3.4.3 Dead Line / Critical Dates
The empanelled auditor to whom job would be awarded shall complete/perform all
activities before last date. If audit activity awarded by the bank is not carried-out by the
L1 bidder as per the timeline then bidder shall be liable of strict action including
cancellation of audit assignment and de-empanelment of the bidder firm.
Bank may also terminate the contract after giving a notice of 30 days at its sole
discretion without assigning any reason.
(For last date please refer Annexure- `A' Time lines clause 3.1.)
3.4.4 Right to accept any Bid and to reject any or All Commercial Bids
(a) The Bank reserves the right to accept or reject any or all Bids without
assigning any reasons. Bids may be accepted or rejected in total or in any
part or items thereof. Any Bid not containing sufficient information, in view of
the Bank, so as to enable a thorough analysis may be rejected.
(b) The Bank reserves the right to verify the validity of bid information, and to
reject any bid where the contents appear to be incorrect, inaccurate or
inappropriate in the Bank's estimation.
(c) The Bank shall have the right to determine in its own best judgment, the
Bidders who will qualify for the short list, if any, and thereafter, the final
successful bidder shall undertake the work.
(d) Bids not conforming to the requirements of the Bank may not be considered.
However, the Bank reserves the right, at any time, to waive any of the
requirements of the RFP, if, in the sole discretion of the Bank, the best
interests of the Bank would be served by such change.
(e) If, in the opinion of the Bank, any Bidder has clearly misinterpreted the Work
and /or underestimated the hours and / or value of the Work to be performed
as reflected in the bid content and quoted price(s)/rate(s), then the Bank may
reject the bid as unbalanced (i.e. not representative of the Work Scope).
(f) Further, the bank shall have the right to cancel the Bid process at any time
prior to execution of the contract, without thereby incurring any liability to the
affected Bidder or bidders. Reasons for cancellation, as determined by the
Bank in its sole discretion, include, but are not limited to, the following:
(i) Services contemplated are no longer required;
(ii) Requirements and terms of reference (scope of work) of the RFP were
not adequately or clearly defined due to unforeseen circumstances and
/or factors and /or new developments;
(iii) The RFP did not allow for consideration of all significant elements of the
Bank for the work (e.g. new/additional matters have arisen);
(iv) Proposed price is unacceptable for the Work;
(v) The Project is not in the best interest of the Bank; and
(vi) Any other reason.
3.4.5 Notification of Award of Contract
Prior to the expiration of the period of bid validity, the Bank will notify the successful
bidder in writing by registered letter / courier/ email or by fax, to be confirmed in writing
by registered letter, that its bid has been accepted.
The notification of empanelment will constitute the formation of the Contract and
agreement shall be executed with all the empanelled bidders separately.
Chapter 4: Broad Terms and Conditions
This chapter describes the general terms and conditions of the Contract. However, the
terms and conditions are not conclusive and PNB reserves the right to add, delete,
modify or alter all or any of these terms and conditions in any manner, as deemed
necessary by PNB.
If any irregularity is detected anytime in respect of the above, PNB will have the right to
take appropriate action against the Bidder, as deemed fit by PNB.
Successful bidder wherever mentioned under this chapter shall mean the
empanelled IS Auditor to whom job has been awarded.
4.1. Standards
The services rendered under the contract shall be in conformity with industry standards/
best practices.
4.2. Arbitration
All disputes and differences of any kind, whatsoever, between the parties i.e.
empanelled IS Auditor and PNB, arising out of or in relation to the construction,
meaning, operation or effect of the Contract, shall be settled amicably. If, however, the
parties are not able to resolve any dispute or differences amicably, the same shall be
settled by arbitration in accordance with the provisions of Arbitration and Conciliation
Act, 1996 and the award made in pursuance thereof shall be binding on the parties.
The Successful bidder shall continue to work under the Contract during the arbitration
proceedings unless otherwise directed in writing by PNB or unless the matter is such
that the work cannot possibly be continued until the decision of the Arbitrator or of the
umpire, as the case may be, is obtained.
Save as those, which are otherwise explicitly provided in the contract, no payment due
or payable by PNB, to the successful bidder shall be withheld on account of the ongoing
arbitration proceedings, if any, unless it is the subject matter or one of the subject
matters thereof.
The venue of the arbitration shall be Delhi, India & arbitration will be in English.
4.3. Notices
Notice or other communications given or required to be given under the Contract shall
be in writing and shall be hand-delivered with acknowledgement thereof, or transmitted
by pre-paid registered post or by recognized courier, or by facsimile, provided that where
such notice is sent by facsimile, a confirmation copy shall be sent by pre-paid registered
post or by recognized courier within five days of the transmission by facsimile, to the
address of the receiving party by the other in writing, provided such change of address
has been notified at least ten days prior to the date on which such notice has been given
under the terms of the contract.
Any notice or other communications shall be deemed to have validly given on date of
delivery if hand-delivered; if sent by registered post or by recognized courier, then on the
expiration of seven days from the date of posting; and if transmitted by facsimile, then on
the next business date after the date of transmission.
4.4. Use of Contract Documents and Information
The empanelled IS Auditor shall not, without PNB's prior written consent, disclose the
Contract or any provision thereof, or any specification or information furnished by or on
behalf of PNB in connection therewith, to any person other than a person employed by
the empanelled IS Auditor in the performance of the Contract. Disclosure to any such
employed person shall be made in confidence against Non-disclosure agreements
completed prior to disclosure and disclosure shall extend only so far, as may be
necessary for the purposes of such performance. Any document, other than the Contract
itself, shall remain the property of PNB and all copies thereof shall be returned to PNB
on termination of the Contract.
4.5. Patent and Copyrights
The empanelled IS Auditor shall, at its own cost and expenses, defend and indemnify
and keep indemnified PNB against all third-party claims including those of the
infringement of Intellectual Property Rights, including patent, trademark, copyright, trade
secret or industrial design rights, arising from use of the Products or services or any part
thereof in India.
If PNB is required to pay compensation to a third party resulting from such infringement,
the empanelled IS Auditor shall be fully responsible therefore, including all expenses and
cost and legal fees. PNB will give notice to the empanelled IS Auditor of any such claim
and shall provide reasonable assistance to the empanelled IS Auditor in disposing of the
claim.
The empanelled IS Auditor shall also be liable to indemnify PNB, at its own cost and
expenses, against all losses/damages, which PNB may suffer on account of violation by
the empanelled IS Auditor of any or all national/international trade laws, norms,
standards, procedures etc.
The empanelled IS Auditor shall be liable to indemnify PNB, at its own cost and
expense, in respect of any losses sustained or suffered by any third party, on account of
breach of any stipulation of this agreement by the Empanelled IS Auditor or any
negligent or fraudulent act or omission by Empanelled IS Auditor in course of fulfilling its
obligations under the RFP.
4.6. Deliverables
Schedule of audit and reports required are covered in scope of audit. (Annexure-`A')
4.7. Payment Terms
The successful bidder will be entitled to claim 80% payment on submission of final report
of security cum functional audit of application software and 20% on completion of
compliance audit of the observations.
In case of factors not attributed to auditor for delay in completion of compliance audit, 20%
payment will also be released to the IS auditor after 30 days of submission of final report.
4.8 Taxes and Duties
Price will be quoted excluding all taxes. All applicable Taxes and Duties should be
indicated in the Commercial Bid separately and will be payable on actual basis on
providing the proof of the payment.
4.9 Delays in the Performance
The Successful bidder must strictly adhere to the audit schedule, as specified in the
contract in the performance of the obligations and any delay in this regard will enable
PNB to resort to any or both of the following:
(a) Claiming Liquidated Damages
(b) Termination of the agreement fully or partly and claim liquidated damages.
(c) Imposing penalty.
4.10 Penalty
Delayed start of audit, delayed completion of audit and delayed submission of report as
per the agreed terms defined in the scope of audit will attract a penalty of 1% per day of
delay on the total amount payable for the audit of the software (maximum up to 15% of
the fees). If the report is not submitted within 15 days after completion of the audit, the
bank may cancel the order.
PNB will have the rights to recover the liquidated damages, if any, from any amount
payable to the Successful bidder.
4.11 Force Majeure
The Successful bidder or PNB shall not be responsible for delays or non-performance of
any or all contractual obligations, caused by war, revolution, insurrection, civil
commotion, riots, mobilizations, strikes, blockade, acts of God, Plague or other
epidemics, fire, flood, obstructions of navigation by ice of Port of dispatch, acts of
government or public enemy or any other event beyond the control of either party, which
directly, materially and adversely affect the performance of any or all such contractual
obligations.
Provided either party shall within ten (10) days from the occurrence of such a cause
notify the other in writing of such causes. Unless otherwise directed by the Bank in
writing, the Successful bidder shall continue to perform his obligations under the contract
as far as possible, and shall seek all means for performance of all other obligations, not
prevented by the Force Majeure event.
4.12 Correspondences
PNB and the empanelled IS Auditors shall nominate a Project Manager each
immediately on empanelment, who shall be the single point of contact for the projects to
be assigned for IS Audit. However, for escalation purpose, details of other persons shall
also be given. The project manager nominated by the Bidder should have prior
experience in implementing similar systems in the past and should be a qualified
professional.
4.13 Successful bidder's Obligations
The following form illustrative obligations of the Successful bidder. These are not exhaustive.
The Successful bidder will abide by the job safety, customs and immigration measures
prevalent and laws in force in India, and will indemnify PNB against all demands or
responsibilities arising from accidents or loss of life, the cause of which is the Successful
bidder's negligence. The Successful bidder will pay all indemnities arising from such
incidents and will not hold PNB responsible or obligated.
The Successful bidder is responsible for, and obligated to conduct all contracted activities
with due care and diligence, in accordance with the Contract and using state-of-the-art
methods and economic principles, and exercising all reasonable means to achieve the
performance specified in the Contract.
The Successful bidder is obliged to work closely with PNB's staff, act within its own authority,
and abide by directives issued by PNB that are consistent with the terms of the Contract.
The Successful bidder is responsible for managing the activities of its personnel, and will
hold itself responsible for any misdemeanors.
The Successful bidder shall be solely responsible for the performance of the contract to the
satisfaction of PNB.
No right to employment in the bank shall accrue or arise by virtue of empanelment of the
successful bidder. Neither the successful bidder nor its employees, agents or representatives
shall hold out or represent themselves as agents of the bank. None of the employees,
representatives or agents of the successful bidder shall be entitled to claim permanent absorption or any other
claim or benefit against the bank/employment. The personnel employed by the successful
bidder shall not have any claim whatsoever against the bank.
4.14 Contract Amendments
Any change made in any clause of the contract which shall modify the purview of the
contract within the validity and currency of the contract shall be deemed as an Amendment.
Such an amendment can and will be made and be deemed legal only when the parties to the
contract provide their written consent about the amendment, subsequent to which the
amendment is duly signed by the parties and shall be construed as a part of the contract.
The details of the procedure for amendment shall be as specified in the contract.
4.15 Extension of Bank Guarantees
The Bidder shall be responsible for extending the validity date and claim period of all
bank guarantees as and when they fall due. PNB shall invoke the guarantee before expiry of its
validity if the work is not completed and the guarantee has not been extended accordingly.
4.16 Adherence to Standards & Right of Audit/Visit
The selected Bidder must adhere to the laws of the land and to the rules, regulations and guidelines
prescribed by the various regulatory, statutory and Government authorities.
The Bank and regulatory bodies such as RBI reserve the right, themselves or through a
consultant, to conduct audits (including ongoing audits) of, or to visit, the office locations of the selected Bidders.
The cost of such an audit/consultant shall be borne by the Bank.
4.17 Subcontracting
No Subcontracting of the work will be permissible to the empanelled bidders.
Annexure A
1 SCOPE
Scope of the Security cum Functional Audit of application software, i.e. programs/web scripts/applications
etc. coded in any computer programming language, during the contract period will include:-
- Functionality implemented vis-à-vis the Bank's requirements.
- Input, processing and output controls across the various schemes across the Bank.
- Controls for performing/changing the parameter setup of functionality across applications.
- Throughput validation.
- Automated batch processing, scheduled tasks, critical calculations etc.
- IT General Controls review.
- In case of a web-based application, validation against the OWASP Top 10 vulnerabilities.
- Regular updating of job cards with new version releases.
- Checks against network attacks.
- Code review, wherever possible.
- Application security & controls review.
- Database security & integrity review.
- Review of interface controls with other applications.
- Review of network & communication controls in relation to the application package.
- Test of robustness of the system by running a specific number of transactions on it.
- Evaluation of efficiency & effectiveness of the package vis-à-vis business processes and
  requirements: whether the objectives of the application are likely to be fulfilled by its implementation.
- Assessment of the risk component in the package.
- Compliance testing of the changes made in the software to mitigate the discrepancies pointed
  out in the audit report.
- Availability of the necessary audit logs, and their accuracy and effectiveness.
- Integration with delivery channels, including data and transaction integrity for the same.
- Suggestions for mitigating the risks.
- If outsourced, the escrow arrangement with the application vendors.
The above scope is illustrative and subject to change as per the requirement of the Bank,
and may vary on a case to case basis.
1.2 VULNERABILITY/THREAT ASSESSMENT & PENETRATION TESTING
(INTERNAL/EXTERNAL)
Testing must not disrupt the Bank's services; destructive test cases must not be selected.
The techniques and tools used must have been thoroughly tested beforehand.
The exercise will be carried out from the location where the servers are placed. It will
also be carried out from a selected branch outlet for a selected sample of critical
applications/servers.
Appropriate, up-to-date tools should be used for each phase of the test.
a) Vulnerability assessment of all newly developed application software servers.
b) Placement/deployment of security equipment and network equipment for securing the
database, application and web servers of the various applications.
c) Penetration testing of applications through the internal network (Intranet).
NOTE: Penetration testing should include network and application layer
testing as well as the controls & processes around the networks &
applications, and should be conducted from inside the network (internal testing).
1.3 OPERATING SYSTEM (OS)
i. Set-up and maintenance of operating system parameters.
ii. All the security features available in the OS are enabled/taken advantage of
as far as possible.
iii. Vulnerabilities in the OS are being taken care of. Compensatory controls for
known vulnerabilities are in place.
iv. Security configuration of devices with respect to the OEM's latest released patches
and software versions.
v. Changes in system software are controlled in line with the organization's
change management procedures. A proper, authenticated record is maintained of
installation, upgradation, re-installation and maintenance.
vi. Sensitive system software utilities are used in a controlled manner, and their use is
monitored and logged.
vii. Root and other sensitive passwords are used in a controlled manner. Their use is
logged and monitored.
viii. Performance, scalability and availability.
1.4 DATABASE MANAGEMENT SYSTEM AND DATA SECURITY
a) Use of Data Repository System (DRS), Data Definition Language (DDL) and
Data Manipulation Language (DML).
b) Storage of a duplicate copy of the Data Definitions and DRS at an off-site location.
c) Monitoring of the log of changes to the Data Definitions.
d) Data Dictionary and Data Directory System.
e) Procedures to ensure that all data are classified in terms of sensitivity by a
formal and explicit decision of the data owner, and that the necessary safeguards
for its confidentiality, integrity and authenticity are taken as per the IT Security
Policy.
f) Logical access controls which ensure that access to data is restricted to
authorized users and denied to unauthorized users.
g) Confidentiality and privacy requirements are met.
h) Authorization, authentication and access control are in place.
i) Segregation of duties is ensured for accessing data.
j) Purging policy and procedures for data files.
k) How database integrity is ensured in case tables are not properly updated by
the application software for various reasons, e.g. a break in the link or a bug in
the software. In case direct updation/modification of the database is done by
opening the tables in the live environment, evaluate the controls over it.
l) Protection of sensitive information during transmission and transport.
m) Separation of duties.
n) Rotation of duties.
o) Patches and new versions are applied as and when released by the vendor/
Research and Development team. If not done, comment upon the vulnerabilities
and the availability of services of the existing version in use. Evaluate the
procedure for correct application of the same and its confirmation by the
user/Research and Development team.
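Item k) asks the auditor to evaluate how database integrity survives a partial update. The following is an added illustration, not part of the RFP and not the Bank's or any vendor's code: a constructed two-account ledger in SQLite (Python's standard sqlite3 module), a transfer posted as independent auto-committed statements beside the same transfer posted inside a single transaction, a simulated link break after the debit leg, and the reconciliation queries an auditor would run afterwards (total of balances against the opening total, and journal entries that must net to zero per transaction reference). The account numbers, amounts and transaction references are made up.

```python
import sqlite3

# Constructed sample ledger (not Bank data): two accounts with opening balances.
INITIAL_BALANCES = {"ACC001": 10_000, "ACC002": 5_000}
INITIAL_TOTAL = sum(INITIAL_BALANCES.values())


class LinkBroken(Exception):
    """Simulates the application losing its database link mid-transfer."""


def new_ledger():
    # isolation_level=None puts the connection in autocommit mode: every
    # statement is durable on its own unless a transaction is opened explicitly.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.execute(
        "CREATE TABLE journal (id INTEGER PRIMARY KEY, acct TEXT NOT NULL, "
        "delta INTEGER NOT NULL, ref TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", INITIAL_BALANCES.items())
    return conn


def _post_transfer(conn, src, dst, amount, ref, fail_midway):
    # The two-legged posting every transfer makes; the caller decides whether
    # it runs inside one transaction or as independent statements.
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE acct = ?", (amount, src))
    conn.execute("INSERT INTO journal (acct, delta, ref) VALUES (?, ?, ?)", (src, -amount, ref))
    if fail_midway:
        raise LinkBroken("link to database lost after the debit leg")
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE acct = ?", (amount, dst))
    conn.execute("INSERT INTO journal (acct, delta, ref) VALUES (?, ?, ?)", (dst, amount, ref))


def transfer_unsafe(conn, src, dst, amount, ref, fail_midway=False):
    # Anti-pattern: each statement commits on its own. A break after the debit
    # leaves money taken from src and never credited to dst.
    _post_transfer(conn, src, dst, amount, ref, fail_midway)


def transfer_atomic(conn, src, dst, amount, ref, fail_midway=False):
    # Correct pattern: both legs inside one transaction; any failure rolls back
    # everything, so the ledger never shows a half-posted transfer.
    conn.execute("BEGIN IMMEDIATE")
    try:
        _post_transfer(conn, src, dst, amount, ref, fail_midway)
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise


def total_balance(conn):
    return conn.execute("SELECT COALESCE(SUM(balance), 0) FROM accounts").fetchone()[0]


def half_posted_refs(conn):
    # Transaction references whose journal legs do not net to zero (or are not
    # exactly two): the concrete records an auditor would list as exceptions.
    rows = conn.execute(
        "SELECT ref FROM journal GROUP BY ref HAVING SUM(delta) <> 0 OR COUNT(*) <> 2 ORDER BY ref"
    )
    return [r[0] for r in rows]


def reconcile(conn):
    # Integrity check: balances must still sum to the opening total and the
    # journal must net to zero overall.
    journal_net = conn.execute("SELECT COALESCE(SUM(delta), 0) FROM journal").fetchone()[0]
    total = total_balance(conn)
    return {
        "total_balance": total,
        "journal_net": journal_net,
        "balanced": total == INITIAL_TOTAL and journal_net == 0,
    }


if __name__ == "__main__":
    for transfer in (transfer_unsafe, transfer_atomic):
        conn = new_ledger()
        try:
            transfer(conn, "ACC001", "ACC002", 1_000, "TXN0001", fail_midway=True)
        except LinkBroken:
            pass
        print(transfer.__name__, reconcile(conn), half_posted_refs(conn))
```

The same two queries (sum of balances against a control figure, and per-reference journal nets) are what an auditor can run against a live or test database regardless of which pattern the application uses; a non-empty exception list after a known outage is direct evidence for item k).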
1.5 OUTSOURCING
a) Service levels are defined and managed.
b) A Non-Disclosure Agreement (NDA) is in place.
c) The responsibility and liability of vendors have been defined.
d) Service Level Agreements (SLAs) cover key performance indicators, with a penalty
clause, which formalize the performance criteria against which the quantity and
quality of service are measured.
e) Monitoring of vendors' activities as per the SLAs.
f) Imposing penalties wherever there are deviations.
g) Formal agreements are entered into which take care of all the risks
associated with outsourcing.
1.6 Migration Audit
a) Review of the data migration strategy/methodology followed by the Bank, and of
the data mapping performed by the Bank.
b) Review of the data migration tools/scripts configured/developed by the Bank.
c) Review of the data validation performed by the Bank.
d) Review of the logs of the data migration activity and of the errors identified in
the accuracy, integrity, conformity and completeness of the data reconciled and
uploaded into the target system, and whether they have been rectified by the
Bank.
e) Review of appropriate data integrity checks such as batch totals, check digit
totals, number of records and other value parameters.
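As an added example of the checks in item e), and not part of the RFP or any tool the Bank prescribes, the Python below reconciles a constructed legacy extract against a constructed target extract using a record count, a batch total of balances, a hash total of account numbers and a per-record check digit, and reports every discrepancy. It assumes account numbers carry a Luhn (mod-10) check digit, which the RFP does not specify; the names, account numbers and balances are made up, with two defects deliberately planted in the target (a corrupted account number and a truncated balance).

```python
import csv
import io
from decimal import Decimal

# Constructed extracts (not Bank data). Account numbers carry a Luhn (mod-10)
# check digit, an assumption made here because the RFP does not specify the
# Bank's account-number scheme.
SOURCE_EXTRACT = """acct,name,balance
1234567897,RAM KUMAR,1500.25
9876543217,SITA DEVI,250.00
5550001118,AMIT SHAH,99.99
"""

# Target extract with two planted migration defects: the third account number
# has a corrupted last digit, and its balance was truncated during conversion.
TARGET_EXTRACT = """acct,name,balance
1234567897,RAM KUMAR,1500.25
9876543217,SITA DEVI,250.0
5550001117,AMIT SHAH,99.90
"""


def luhn_valid(acct: str) -> bool:
    """Field-level check digit validation (Luhn / mod 10)."""
    if not acct.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(acct)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_extract(text: str) -> dict:
    """Return {acct: (name, balance)}; Decimal avoids float rounding noise."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["acct"]: (r["name"], Decimal(r["balance"])) for r in rows}


def control_totals(records: dict) -> dict:
    # Classic batch controls: record count, batch (amount) total, and a hash
    # total, i.e. the arithmetic sum of a non-amount field (account numbers).
    return {
        "count": len(records),
        "batch_total": sum((bal for _, bal in records.values()), Decimal("0")),
        "hash_total": sum(int(a) for a in records if a.isdigit()),
    }


def reconcile(source_text: str, target_text: str) -> list:
    """Compare source and target extracts; return 'TAG: detail' findings."""
    src, tgt = parse_extract(source_text), parse_extract(target_text)
    findings = []

    # 1. Batch-level controls: counts and totals must agree exactly.
    s_tot, t_tot = control_totals(src), control_totals(tgt)
    for key, tag in (("count", "COUNT"), ("batch_total", "BATCH_TOTAL"), ("hash_total", "HASH_TOTAL")):
        if s_tot[key] != t_tot[key]:
            findings.append(f"{tag}: source={s_tot[key]} target={t_tot[key]}")

    # 2. Field-level control: every migrated account number must carry a valid check digit.
    for acct in tgt:
        if not luhn_valid(acct):
            findings.append(f"CHECK_DIGIT: {acct} fails mod-10 check in target")

    # 3. Record-level reconciliation: dropped, unexpected and altered records.
    for acct in sorted(src.keys() - tgt.keys()):
        findings.append(f"MISSING: {acct} present in source, absent in target")
    for acct in sorted(tgt.keys() - src.keys()):
        findings.append(f"UNEXPECTED: {acct} present in target, absent in source")
    for acct in sorted(src.keys() & tgt.keys()):
        if src[acct] != tgt[acct]:
            findings.append(f"VALUE: {acct} source={src[acct]} target={tgt[acct]}")
    return findings


if __name__ == "__main__":
    for line in reconcile(SOURCE_EXTRACT, TARGET_EXTRACT):
        print(line)
```

Note that the batch total alone would not have located the defect and the record count alone would not have noticed it; the hash total and check digit together pinpoint the corrupted account number, which is why the three controls are used in combination.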
1.7 Other Audit
a) Special Audit such as for RA Audit or any regulatory guidelines etc.
b) Any other Audit as and when required.
2 Schedule of Audit:
Successful bidder will have to visit the respective location and no remote access will be
given. Audit location shall be primarily 5, Sansad Marg, New Delhi however in case of
any change same shall be informed accordingly.
Audit to be completed as per schedule mentioned under point no. 3.1 of the scope.
3 DELIVERABLES:
3.1 Time Lines
1. On acceptance of the commercials for the audit of an application software, the
successful bidder will provide the schedule of audit within 2 working days, with full
credentials of the audit team (qualification & experience as defined in the RFP) who will
conduct the audit of the software. The audit should commence not later
than 3 days from the award of the application audit work.
2. Completion of each software audit as per the scope within 7 working days from
the date of commencement of the audit.
3. Draft report for discussion with the owners within 2 working days after
completion of the audit.
4. Discussion of the issues with the owner within 2 working days of submission of the draft
report.
5. Digitally signed final report within 2 working days after discussions with the
owners.
6. If a recommendation for risk mitigation/removal cannot be implemented as
suggested, alternate solutions will be provided over phone/email or by personal
visit to the respective location if required. Response over phone/email should come
within 4 hours of receipt of the request, and a personal visit should be made within 4
days.
7. Compliance testing of the changes made in the software to mitigate the
discrepancies pointed out in the audit report should be completed within 2 days
from submission of the compliance report by the auditee. The compliance testing
report should be submitted by email/hard copy not later than 3 days after
compliance testing.
8. Resources with the experience defined in clause 2.2(f) will be deployed in sufficient
strength, keeping in view the scope of audit and the time schedule.
9. No inexperienced/less qualified resource should be deployed for the audit. The resume
of each auditor will be provided to the Bank beforehand, and the auditor will be deputed to the assignment
only after the Bank's consent.
10. The single point of contact person should not be changed frequently.
3.2 REPORTS:
Wherever possible, each observation in the report should be supported by the snapshot/evidence/document
from which it was made, wherever required by the Bank.
The report shall be submitted as digitally signed soft copies as well as signed hard copies.
The audit report format should at the minimum include:-
a) Broad domain categorization of the activity (Port/SQL injection/Services/Logical
access control etc.)
b) Risk category: High, Medium, Low
c) Risk / Implication
d) Step-wise recommendation for risk mitigation/removal as per the Bank's existing
environment setup. If not resolved, alternate solutions will be
provided over phone/email or by personal visit to the department if required. Response
over phone/email should come within 4 hours of receipt of the request.
e) Provision for updating the owner's compliance comments.
f) Explicit reference to the key policy and procedure documents of the Bank against each
identified risk/observation.
g) Additional mandatory or voluntary standards or regulations applicable to the
banking industry as best practices should be reported under "Improvements
/suggestions".
h) Summary of audit findings, including identification of the tests, the tools used and the results of
the tests performed (like vulnerability assessment, application security assessment):
a. Tools used
b. List of vulnerabilities identified
c. Description of each vulnerability
d. Test cases used for assessing the vulnerabilities, and
analysis of vulnerabilities and issues of concern
i) Personnel involved in the audit, including identification of any trainees.
The auditor may further provide any other information as per the approach
adopted by them which they feel is relevant to the audit process.
The report will be given in editable and non-editable soft copy, so that the editable copy can
be used by the User Department in updating compliance.
The report will also be given in signed hard copy.
A presentation on the findings of the audit will be given to Management by the person
who conducted the audit, accompanied by a senior consultant, after completion of each
software audit, within a week of giving the final report, whenever requested by
the Bank.
3.3 Training:
The successful bidders (those awarded the maximum work orders during the
period) shall provide 1 day of training on a half-yearly basis at the Bank's premises at
New Delhi without charging any cost. The training shall be provided to the Bank's in-house
software developers/internal auditors on secure coding practices and secure
application development.
Annexure B
Performance Guarantee Form
Date:
The Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Sector-10, Dwarka
New Delhi 110075
Dear Sir,
PERFORMANCE BANK GUARANTEE SECURITY CUM FUNCTIONAL AUDIT OF
APPLICATION SOFTWARE OF THE PUNJAB NATIONAL BANK AS PER SCOPE IN
RFP.
WHEREAS
M/s. (name of Auditor), a company/firm registered under the Companies Act, 1956 (as
applicable), having its registered and corporate office at (address of the Auditor)
(hereinafter referred to as "our constituent", which expression, unless excluded or
repugnant to the context or meaning thereof, includes its successors and assigns),
entered into an Agreement dated ......... (hereinafter referred to as "the said Agreement")
with you (Punjab National Bank) for Security cum functional audit of application software
as detailed in the said Agreement.
We are aware of the fact that in terms of sub-para (...), Section (...), Chapter (...) of the
said Agreement, our constituent is required to furnish a Bank Guarantee for an amount
Rs 100000/-(Rs. One Lakh only) as per the said Agreement, as security against
breach/default of the said Agreement by our Constituent.
In consideration of the fact that our constituent is our valued customer and the fact that
he has entered into the said Agreement with you, we, (name and address of the bank),
have agreed to issue this Performance Bank Guarantee.
Therefore, we (name and address of the bank) hereby unconditionally and irrevocably
Guarantee you as under:
I. We (Name of the Bank), do hereby undertake to pay the amounts due and
payable under this guarantee without any demur, merely on a demand from
Punjab National Bank that the amount claimed is due by way of loss or damage
caused to or would be caused to or suffered by Punjab National Bank by reason
of breach by our constituent, of any of the terms or conditions contained in the
said agreement.
II. Notwithstanding anything to the contrary, as contained in the said Agreement,
We agree that your decision as to whether our constituent has made any such
default/s/ breach/es, as afore-said and the amount or amounts to which you are
entitled by reasons thereof, subject to the terms and conditions of the said
Agreement, will be binding on us and we shall not be entitled to ask you to
establish your claim or claims under this Performance Bank Guarantee, but will
pay the same forthwith on your demand without any protest or demur.
III. This Performance Bank Guarantee shall continue and hold good till the
completion of 30 months from the date of agreement i.e. (date), subject to the
terms and conditions in the said Agreement.
IV. We bind ourselves to pay the above said amount at any point of time
commencing from the date of the said Agreement until the completion of the
contract.
V. We further agree that the termination of the said Agreement, for reasons solely
attributable to our constituent, virtually empowers you to demand for the payment
of the above said amount under this guarantee and we have an obligation to
honour the same without demur.
VI. In order to give full effect to the guarantee contained herein, we (name and
address of the bank), agree that you shall be entitled to act as if we were your
principal debtors in respect of your claims against our constituent. We hereby
expressly waive all our rights of suretyship and other rights, if any, which are in
any way inconsistent with any of the provisions of this Performance Bank
Guarantee.
VII. We confirm that this Performance Bank Guarantee will cover your claim/s against
our constituent made in accordance with this Guarantee from time to time, arising
out of or in relation to the said Agreement and in respect of which your claim is
lodged with us on or before the date of expiry of this Performance Guarantee,
irrespective of your entitlement to other claims, rights and relief, as provided in
the said Agreement.
VIII. Any notice by way of demand or otherwise hereunder may be sent by special
courier, telex, fax, registered post or other electronic media to our address, as
aforesaid and if sent by post, it shall be deemed to have been given to us after
the expiry of 48 hours when the same has been posted.
IX. If it is necessary to extend this guarantee on account of any reason whatsoever,
we undertake to extend the period of this guarantee on the request of our
constituent under intimation to you (Punjab National Bank).
X. This Performance Bank Guarantee shall not be affected by any change in the
constitution of our constituent nor shall it be affected by any change in our
constitution or by any amalgamation or absorption thereof or therewith or
reconstruction or winding up, but will enure to your benefit and be available to
and be enforceable by you.
XI. Notwithstanding anything contained hereinabove, our liability under this
Performance Guarantee is restricted to Rs.100000/-(Rs. One Lakh only) and
shall continue to exist, subject to the terms and conditions contained herein,
unless a written claim is lodged on us on or before the afore-said date of expiry of
this guarantee.
XII. We hereby confirm that we have the power/s to issue this Guarantee in your
favour and the undersigned is/are the recipient of authority by express delegation
of power/s and has/have full power/s to execute this guarantee under the Power
of Attorney issued by the bank in his/their favour.
XIII. We further agree that the exercise of any of your rights against our constituent to
enforce or forbear to enforce or any other indulgence of facility, extended to our
constituent to carry out the contractual obligations as per the said Agreement,
would not release our liability under this guarantee and that your right against us
shall remain in full force and effect, notwithstanding any arrangement that may be
entered into between you and our constituent, during the entire currency of this
guarantee.
Notwithstanding anything contained herein:
a. Our liability under this Performance Bank Guarantee shall not exceed Rs.
100000/- (Rs. One Lakh only);
b. This Performance Bank Guarantee shall be valid only up to .............. ; and
c. We are liable to pay the guaranteed amount or part thereof under this
Performance Bank Guarantee only and only if we receive a written claim or demand on
or before ........... .
This Performance Bank Guarantee must be returned to the bank upon expiry of the
claim period as under (c) above. If the Performance Bank Guarantee is not received by
the bank within the above-mentioned period, subject to the terms and conditions
contained herein, it shall be deemed to be automatically cancelled.
Dated......................this...............day.............20...
Yours faithfully,
For and on behalf of the ..............Bank,
(Signature)
Designation
(Address of the Bank)
Note:
a) This guarantee will attract stamp duty as a security bond.
b) A duly certified copy of the requisite authority conferred on the official/s to execute
the guarantee on behalf of the bank should be annexed to this guarantee for verification
and retention thereof as documentary evidence in the matter.
Annexure C
TECHNICAL BID FORM
Date:
The Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Sector-10, Dwarka
New Delhi 110075
Reg: Security cum functional audit of application software(s) of the Punjab
National Bank as per scope in RFP.
Dear Sir,
Having examined the RFP Documents, the receipt of which is hereby duly
acknowledged, we, the undersigned, offer to conduct the security cum functional audit of
application software in conformity with the said RFP Documents and hereby undertake
that we accept all the conditions of the contract as per the Bidding Document and will
audit the application software as per the Scope of audit (Annexure-`A'). We further
undertake that we fulfil the Minimum eligibility criteria stated in Chapter 2 clause 2.2 and
for this purpose we enclose the details. In addition to this, the particulars of our
organization such as legal status, principal place of business, details of experience and
past performance, service support details, capability statement and the required bid
security in the form of a bank draft are furnished with this bid form.
We further undertake, if our bid is accepted, to execute the audit assignment in
accordance with the requirements and the delivery schedule as mentioned in the
Schedule of Requirements.
If our bid is accepted, we will obtain the guarantee of a bank in the form prescribed by
you for a sum equivalent to Rs. 100000/- for the due performance of the Contract.
We agree to abide by this bid for the Bid validity period specified in section 3.2.5 of the
ITB and it shall remain binding upon us and may be accepted at any time before the
expiration of that period. Until a formal contract is prepared and executed, this bid,
together with your written acceptance thereof and your notification of award shall
constitute a binding Contract between us.
We undertake that, in competing for (and, if the award is made to us, in executing) the
above contract, we will strictly observe the laws against fraud and corruption in force in
India, namely the "Prevention of Corruption Act". We understand that you are not bound to
accept the lowest or any bid you may receive.
Dated this ........... Day of ............... 20.....
(Signature and the capacity of the person duly authorized to sign Bid for and on behalf
of)
Annexure D
Score Sheet
S.No / Criteria / Details

1. Criteria: No. of qualified auditors in the firm, as defined in 2.2(f), on the permanent roll
   of the organization. (Maximum Marks - 30)
   Details: Bio-data of the qualified auditors to be deployed for the audit is to be given as per
   Annexure K.

2. Criteria: No. of completed Security cum Functional Audits of application software in
   Government organizations/PSUs/Banks during the last 5 years. (Maximum Marks - 50)
   Details: Details of Security cum functional audits of application software conducted in
   Government organizations/PSUs/Banks during the last 5 years, with details as given in
   Annexure-I.
   Details of Security cum functional audits of application software in Banks, with
   bifurcation as given below, in Annexure-I:
   (i) Audit of the Core Banking Solution (CBS) project of any bank having more than 200
       offices.
   (ii) Audit of financial software other than the above (like ATM, IBS, Treasury) of any
        bank having more than 200 offices.
   (iii) Other than the above.

3. Criteria: Total no. of PSU/Bank customers for security cum functional audit of
   application software during the last 5 years. (Maximum Marks - 20)
   Details: No. & name of PSUs/Banks for which security cum functional audit of application
   software was done in the last 5 years (attach work orders in support of the audit work).
Annexure E
Undertaking- 1
To,
Date
The Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Sector-10, Dwarka
New Delhi 110075
Dear Sir,
Reg: Security cum functional audit of application software(s) of the Punjab
National Bank as per scope in RFP.
We understand that
a) You are not bound to accept the lowest or any bid received by you, and you may
reject all or any bid.
b) If we qualify for the empanelment, we undertake to enter into and execute at our
cost, when called upon by the bank to do so, a contract in the prescribed form.
Unless and until a formal contract is prepared and executed, this bid together
with your written acceptance thereof shall constitute a binding contract between
us.
c) After empanelment if our commercials are accepted, we are responsible for the
due performance of the contract.
d) You may accept or entrust the entire work to one vendor or divide the work to
more than one vendor without assigning any reason or giving any explanation
whatsoever.
(Vendor means the bidder who is decided and declared so after examination of
commercial bids submitted by empanelled IS Auditor.)
Dated at____________this _______________day of __________20.
(Signature and the capacity of the person duly authorized to sign Bid for and on behalf
of)
Annexure F
Undertaking 2
To, Date
The Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Sector-10, Dwarka
New Delhi 110075
Dear Sir,
Reg: Security cum functional audit of application software(s) of the Punjab
National Bank as per scope in RFP.
a) We hereby confirm that all the requirements as enumerated in RFP as per
requirement of the Bank have been included in the bid. Further, we hereby
undertake and agree to abide by all the terms and conditions stipulated by the
Bank in this RFP. We understand that any deviation may result in disqualification
of bids.
b) We undertake that adequate number of qualified auditors will be deployed for
audit process to complete the audit within stipulated time as per clause 3.1 of
annexure A.
c) We undertake that reporting formats should at the minimum include all the
requirements as per clause 3.2 of annexure A.
d) We undertake that we will have legal right to use any third party software if
required for audit and under such licenses, in terms set out under any relevant
license or sub-license agreement. We will indemnify the Bank for any and all
costs that may arise out of the use of software, in which it is alleged that any
rights of the owners of such software have been infringed.
e) We shall provide Risk Movement for various activities as desired.
f) We have not been blacklisted by any nationalized Bank/ RBI/IBA or any other
Government agency. No legal action is pending against us for any cause in any
legal jurisdiction.
(In case of any deviation from the above, the Bidder must provide details of such action(s).)
1)
2)
3)
4)
(Signature and the capacity of the person duly authorized to sign Bid for and on behalf
of)
Annexure-G
COMPLIANCE STATEMENT
DECLARATION
We hereby undertake and agree to abide by all the terms & conditions and Scope of
audit stipulated by the Bank in the RFP including all annexure, addendum and
corrigendum.
Signature and Seal of Bidder Date:-
Annexure - H
Technical Compliance Sheet
S.No / Criteria / Details

a. Criteria: Bidder must prove that it is a current legal entity in India and must warrant
   that it is financially solvent.
   Details: Bidder's Firm/Company Name:
            Registered Head Office:
            Offices at other locations: 1. ________ 2. ________
            Brief Profile:
            Year of commencement of Business:
            Website:
            Authorized person:
            Designation:
            Phone No:
            Email Address:

b. Criteria: Must not be a vendor for Software and Hardware components of the Bank.
   Details: Provided the following hardware and software to the Bank:

c. Criteria: Must be a Company/Firm/Organization/independent subsidiary with an average
   annual turnover of Rs. 1 (One) Crore or more during the last three financial years, and
   should be in profit during all three financial years.
   Details: Turnover and profit during the last 3 years (in Indian Rupees):
            Year        2014-15    2015-16    2016-17
            Turnover
            Profit
            Attach copies of the audited balance sheets of the above periods.

d. Criteria: Must have at least 3 years' experience in the field of providing Security cum
   functionality audit of application software, and the company should provide adequate
   documentary evidence in support of providing similar services.
   Details: Conducted the following Security cum functional Audits of application software in
   the last three years: Organizations (fill details in Annexure I).

e. Criteria: Must not have been blacklisted by any nationalized Bank/RBI/IBA or any other
   Government agency.
   Details: Signed Undertaking in Annexure F.

f. Criteria: Firm must have a minimum of 5 qualified professionals with a degree
   (BE/B.Tech/ME/M.Tech/MCA/C.A. (ICAI)) from Govt. recognized reputable
   Universities/Institutions and certifications such as CISA/CISSP/CEH/Sun Certified
   Security Administrator (SCSECA)/OCE (Oracle Certified Expert - Security
   Administrator)/Cisco CCIE-Security, along with 2 or more years' post-qualification
   experience of security cum functional audit of application software, with at least one
   software audit of PSUs/Banks, and on the permanent roll of the organization.
   Details: Number of such professionals on the permanent roll of the bidding company, with
   certifications:
            CISA:
            CISSP:
            CEH:
            SCSECA/OCE:
            CCIE-Security:
            Others (specify):

g. Criteria: Must be empanelled with CERT-In, Govt. of India, for Security audit, with a
   certificate of empanelment for the Block 2016-2019.
   Details: Attach self-attested copy of the certificate of empanelment.

i. Criteria: Must be able to provide deliverables as per clause 3 of Annexure A of the RFP.
   Details: Undertaking by the bidder.
Place:
Date: Seal & Signature of Bidder
ANNEXURE I
Security cum functional audit of application software assignment:
Organization (Website, address) | Scope of Audit (attach copy of order/contract) | Date/Period when conducted | Details of software
Place:
Date: Seal & Signature of Bidder
Annexure J
CONFIDENTIALITY - CUM - NON DISCLOSURE AGREEMENT
[Margin note: If it is not a company, the constitution and address are to be stated appropriately.]
This Confidentiality-cum-Non-Disclosure Agreement is entered into at ________ on this ____ day
of ________ 2016, between (Insert Name of the Service Provider), a company within the meaning
of the Companies Act, 1956, having its Registered Office at ________ (hereinafter called
`Service Provider') and Punjab National Bank, a Body Corporate constituted under the Banking
Companies (Acquisition & Transfer of Undertakings) Act, 1970, having its Head Office at Plot-4,
Sector-10, Dwarka, New Delhi 110 075 and, inter alia, its Information & Technology Division at
5 Sansad Marg, New Delhi 110 001 (hereinafter referred to as `PNB').
The Service Provider and PNB would be having discussions and
negotiations concerning the establishment of and during continuance of a
business relationship between them as per Agreement dated (hereinafter
referred to as `Agreement'). In the course of such discussions and negotiations,
it is anticipated that either party may disclose or deliver to the other party certain
of its trade secrets or confidential or proprietary information for the purpose of
enabling the other party to evaluate the feasibility of such a business relationship.
The parties have entered into this Agreement, in order to assure the
confidentiality of such trade secrets and confidential and proprietary information
in accordance with the terms of this Agreement. As used in this Agreement, the
party disclosing Proprietary Information (as defined below) is referred to as the
`Disclosing Party' and will include its affiliates and subsidiaries, the party
receiving such Proprietary Information is referred to as the `Recipient', and will
include its affiliates and subsidiaries.
Now this Agreement witnessed:-
1. Proprietary Information: As used in this Agreement, the term `Proprietary
Information' shall mean all trade secrets or confidential or Proprietary Information
designated as such in writing by the Disclosing Party, whether by letter or by the
use of an appropriate prominently placed Proprietary stamp or legend, prior to or at
the time such trade secret or confidential or Proprietary Information is disclosed
by the Disclosing Party to the Recipient. Notwithstanding the foregoing,
information which is orally or visually disclosed to the recipient by the
Disclosing Party or is disclosed in writing unaccompanied by a covering letter,
proprietary stamp or legend, shall constitute proprietary information if the
disclosing party, within 10 (ten) days after such disclosure, delivers to the
Recipient a written document or documents describing such Proprietary
Information and referencing the place and date of such oral, visual or written
disclosure and the names of the employees or officers of the Recipient to whom
such disclosure was made.
2. Confidentiality:
a) Each party shall keep secret and treat in strictest confidence all
confidential information it has received about the other party or its
customers and will not use the confidential information otherwise than for the
purpose of performing its obligations under this Agreement in accordance
with its terms and so far as may be required for the proper exercise of the
Parties' respective rights under this Agreement.
b) The term `confidential information' shall include all written or oral
information (including information received from third parties that the
`Disclosing Party' is obligated to treat as confidential) that is (i) clearly
identified in writing at the time of disclosure as confidential and in case of oral
or visual disclosure, or (ii) that a reasonable person at the time of disclosure
reasonably would assume, under the circumstances, to be confidential.
Confidential information shall also include, without limitation, software programs,
technical data, methodologies, know-how, processes, designs, new products,
developmental work, marketing requirements, marketing plans, customer
names, prospective customer names, customer information and business
information of the `Disclosing Party'.
3. Non-Disclosure of Proprietary Information: For the period during the Agreement
or its renewal, the Recipient will:
(a) Use such Proprietary Information only for the purpose for which it was
disclosed and without prior written authorization of the Disclosing Party shall
not use or exploit such Proprietary Information for its own benefit or the benefit
of others.
(b) Protect the Proprietary Information against disclosure to third parties in the
same manner and with the reasonable degree of care, with which it protects its
confidential information of similar importance: and
(c) Limit disclosure of Proprietary Information received under this Agreement to
persons within its organization and to those 3rd party contractors performing
tasks that would otherwise customarily or routinely be performed by its
employees, who have a need to know such Proprietary Information in the course of
performance of their duties and who are bound to protect the confidentiality of such
Proprietary Information.
4. Limit on Obligations: The obligations of the Recipient specified in clause 3 above
shall not apply and the Recipient shall have no further obligations, with respect to
any Proprietary Information to the extent that such Proprietary Information:
is generally known to the public at the time of disclosure or becomes generally
known without any wrongful act on the part of the Recipient,
a) is in the Recipient's possession at the time of disclosure otherwise than as
a result of the Recipient's breach of a legal obligation;
b) Becomes known to the Recipient through disclosure by any other source,
other than the Disclosing Party, having the legal right to disclose such
Proprietary Information.
c) Is independently developed by the Recipient without reference to or reliance
upon the Proprietary Information; or
d) Is required to be disclosed by the Recipient to comply with applicable laws or
governmental regulation, provided that the recipient provides prior written notice
of such disclosure to the Disclosing Party and takes reasonable and lawful
actions to avoid and/or minimize the extent of such disclosure.
5. Return of Documents: The Recipient shall, upon the request of the Disclosing
Party, in writing, return to the Disclosing Party all drawings, documents and other
tangible manifestations of Proprietary Information received by the Recipient
pursuant to this Agreement (and all copies and reproductions thereof) within a
reasonable period. Each party agrees that in the event it is not inclined to proceed
further with the engagement, business discussions and negotiations, or in the event
of termination of this Agreement, the Recipient party will promptly return to the other
party or with the consent of the other party, destroy the Proprietary Information of the
other party.
6. Communications: Written communications requesting or transferring Proprietary
Information under this Agreement shall be addressed only to the respective
designees as follows (or to such designees as the parties hereto may from time to
time designate in writing)
For the Service Provider: M/s __________________________________ Attn: _________________________________
For PNB: Attn: ________________________________
7. Term: The obligation pursuant to Clause 2 and 3 (Confidentiality and Non-
Disclosure of Proprietary Information) will survive for ----- years following the
term of the Agreement dated .
Nothing herein contained shall be construed as a grant by implication,
estoppel, or otherwise or a license by either party to the other to make, have
made, use or sell any product using Proprietary Information or as a license
under any patent, patent application, utility model, copyright or any other
industrial or intellectual property right covering same.
8. Damages:
The provisions of this Agreement are necessary for the protection of the business
goodwill of the parties and are considered by the parties to be reasonable for such
purposes. Both the parties agree that any breach of this Agreement will cause
substantial and irreparable damages to the other party and, therefore, in the event
of such breach, in addition to other remedies, which may be available, the party
violating the terms of Agreement shall be liable for the entire loss and damages on
account of such disclosure.
Each party agrees to indemnify the other against loss suffered due to breach of
contract and undertakes to make good the financial loss caused directly or
indirectly by claims brought about by its customers or by third parties.
9. Miscellaneous:
a) This Agreement may not be modified, changed or discharged, in whole or in
part, except by a further Agreement in writing signed by both the parties.
b) This Agreement will be binding upon and inure to the benefit of the parties
hereto and it also includes their respective successors and assigns
c) The Agreement shall be construed and interpreted in accordance with the laws
prevailing in India.
In witness whereof, the parties hereto have agreed, accepted and acknowledged
and signed these presents, on the day, month and year mentioned herein above.
For M/s
Authorized Signatory
Shri
Designation
For Punjab National Bank
Authorized Signatory
Shri
Designation _____________
ANNEXURE-`K'
Professional's Details:-
SNo.
Name
Designation
Educational Qualification
Certifications
Total Experience
Since when in the bidder organization
Conducted Security cum functional audit of application software for
organization(s) with brief scope and when conducted
Role, which may be given by the bidder in the assignment
Employee profile (Domain Specific & others e.g. Banking, Ethical Hacking,
Sun Solaris security, Oracle DB Security, Network Security etc.)
Whether member is part of the team proposed to be deployed for PNB
Project (Yes/No)
Important Note: CVs of minimum 5 qualified professionals as per Para 2.2 (F) are to
be furnished on a separate sheet including their Credential in the specialized
qualification and their previous employment record.
Attach copy of certificate for proof of qualification & certification of qualified
professional as per para 2.2(F).
Place:
Date: Seal & Signature of Bidder
ANNEXURE L
Check list for the Documents to be submitted
Document | Particular | YES/NO | Page No. (From / To)
Company Details | Brief Profile
Audited Balance Sheets | Copy of balance sheets for 2016-2017, 2015-16 and 2014-15
Authorization Letter for Signatory | Power of Attorney for authorized signatory, duly attested by notary public/Board resolution.
Annexure C | Technical BID FORM
Annexure D | Score Sheet
Annexure E | Undertaking 1
Annexure F | Undertaking 2
Annexure G | Compliance Statement
Annexure H | Technical Compliance Sheet
Annexure I | Security cum functional audit of application software assignment (copy of purchase order/completion)
Annexure J | Confidentiality cum Non-disclosure agreement.
Annexure K | Professional Details with copy of certificates.