
Empanelment Of Is Auditor For Security Cum Functional Audit Of Application Software
April, 02nd 2018
        Punjab National Bank, Inspection & Audit Division, HO, Delhi




                                      Punjab National Bank


                                   REQUEST FOR PROPOSAL

                                  FOR
                     EMPANELMENT OF IS AUDITOR FOR
         SECURITY CUM FUNCTIONAL AUDIT OF APPLICATION SOFTWARE

                                 Inspection & Audit Division
                          Corporate Office, Plot-4, Sector-10, Dwarka
                                     New Delhi - 110075




RFP for security cum functional audit of application software     Confidential
 CONTENTS

 1              INTRODUCTION
 1.1            Background
 1.2            Purpose
 1.3            Project Scope
 1.4            Invitation
 1.5            Time Schedule of Various bid related events
 1.6            Confidentiality
 1.7            Non Disclosure Clause
 1.8            RFP Terminology
 1.9            Disclaimer
 2              BIDDING PROCESS
 2.1            Bidding
 2.2            Minimum Eligibility Criteria for Bidder(s)
 2.3            Scope of Bid
 2.4            Amendments/Supplements to Bidding Documents
 2.5            Rights of PNB
 2.6            Governing Law and Disputes
 3              INSTRUCTIONS TO BIDDER
 3.1            The Bidding Documents
 3.1.1          Cost of Bidding
 3.1.2          Content of Bidding Document
 3.1.3          Clarification on RFP
 3.1.4          Language of bids
 3.2            Preparation of Bids
 3.2.1          Document Constituting the Bid
 3.2.2           Document Establishing Bidder's Qualification
 3.2.3          Documents establishing Solution Conformity to Bidding Documents
 3.2.4          Bid Security
 3.2.5          Period of Validity of Bids
 3.2.6          Format and Signing of Bid
 3.2.7          Sealing, Marking and Submission of Bids
 3.2.8          Deadline for Submission of Bids
 3.2.9          Late Bids
 3.2.10         Modification and Withdrawal of Bids
 3.2.11         Acceptance or rejection of bid
 3.2.12         Notification of award
 3.3            Bid Opening and Evaluation of Bids
 3.3.1          Assumptions and Agreements
 3.3.2          Opening and evaluation of Technical Bids by the Bank
 3.3.3          Clarification of Bids
 3.3.4          Evaluation Criteria for empanelment
 3.3.5          Contacting the Bank
 3.3.6          Signing of Contract
 3.3.7          Performance Guarantee
 3.3.8          Notification of Empanelment




 3.4            Award of Contract
 3.4.1          Post qualification
 3.4.2          Award Criteria on post empanelment
 3.4.3          Dead Line / Critical Dates
 3.4.4          Right to accept any Bid and to reject any or All Bids
 3.4.5          Notification of Award of Contract
 4              Broad Terms and Conditions
 4.1            Standards
 4.2            Arbitration
 4.3            Notices
 4.4            Use of Contract Documents and Information
 4.5            Patent and Copyrights
 4.6            Deliverables
 4.7            Payment Terms
 4.8            Taxes and Duties
 4.9            Delay in the Performance
 4.10           Penalty
 4.11           Force Majeure
 4.12           Correspondences
 4.13           Successful bidder's Obligations
 4.14           Contract Amendments
 4.15           Extension of Bank Guarantees
4.16            Adherence to Standards
4.17            Subcontracting


Annexure        A        Detailed Scope of Audit
Annexure        B        Performance Guarantee Form
Annexure        C        Technical BID FORM
Annexure        D        Score Sheet
Annexure        E        Undertaking 1
Annexure        F        Undertaking 2
Annexure        G        Compliance Statement
Annexure        H        Technical Compliance Sheet
Annexure        I        Security cum functional audit of application software assignment
Annexure        J        Confidentiality Cum Non Disclosure Agreement
Annexure        K        Professional's details
Annexure        L        Check list for the Documents to be submitted




Chapter - 1: Introduction

1.1. Background
Punjab National Bank (PNB) has taken many IT initiatives. Bank has computerized
100% of its branches and has implemented a Centralized Banking Solution with Data
Centre at New Delhi and Disaster Recovery Site at Mumbai.
Bank has already implemented Data Ware House project for providing better access to
information, to foster better and more informed decision-making, besides providing
statutory reporting and MIS for the bank.
In the bank there are several applications which are developed in-house or procured
through outsourcing for internal requirements of the Bank. Some of these applications are
accessed through the Enterprise Wide Network by different Branch Offices and are also
available through the Internet and through Dial-up Connection. Approximately 50-60
software applications are developed in-house or procured in our bank every year, for
which Security cum Functional Audit is required.
We have alternate Delivery channel services like Internet Banking, ATM, Mobile
Banking, Mobile Apps, Tab Banking and POS etc., which are also being offered to the
Bank's customers. An ATM Switch has been installed at New Delhi in the Data Centre, with
a DR setup in Mumbai. Internet Banking Infrastructure is also located and integrated with
the Enterprise Wide Network in a secured manner.
The Operating Systems used in different applications include different flavors of Unix
(like Solaris, AIX, SCO etc.), Windows NT, Windows 2008/2012 enterprise Servers,
Guardian, IBM AIX, HP Unix, Novell Netware, Tandem, DOS etc. Applications which
use messaging include SWIFT, SFMS (RBI Infinet), Cash Management Services,
Electronic Funds Transfer, and other RBI Projects etc. The Mail Server is on MS
Exchange Server 2010. The databases include Oracle, MS SQL, DB2, Access, Sybase
etc.
To Secure the Application software, Data bases, Data, Information etc and to ensure the
availability of resources including the network to authorized users without any disruption
or degradation, the bank plans to utilize the services of Information Security.
The bank houses various security devices positioned across various locations to protect
its infrastructure from internet threats.

1.2. Purpose
For empanelment of IS Auditor for Security cum functional Audit of application software
for providing independent reasonable assurance to the management on:
 1. Audit of application software or any enhancement in any existing Application/IT
Platform before roll out in live environment which serves our following purpose:-

       I.   Ensure better quality of software development.
      II.   Reducing the chances of security breach in the software.
     III.   Improve the secure coding practices for future software development.
      IV.   Robust IT security.
       V.   Mitigation of risks where there are significant control weaknesses.
      VI.   Efficient utilization of IT Resources.
     VII.   Ensuring compliance of IT Security Policy and procedures defined by the
            Bank.

1.3. Project Scope
Detailed scope is at Annexure A. The overall approach of the Security cum functional
Audit of application software shall be constructive/ contributory. The evaluation shall be
comprehensive, clear and Security cum functional Audit shall help rectify the lacunae by
concise directions.

1.4. Invitation
This RFP seeks Bidder(s) who are committed to the Information Security business and
have the capability and experience in conducting Security cum functional audit of
application software. Auditor wherever mentioned in RFP means the bidder/ company
/firm who can conduct the security cum functional audit of application software.
Evaluation criteria, evaluation of the responses to the RFP and subsequent selection of
the successful bidder(s) will be entirely at PNB's sole discretion. Bank's decision shall
be final and binding and no correspondence about the decision shall be entertained.

1.5. Time Schedule of Various bid related events
 1.  Date of commencement of availability of Bidding Documents for Sale:
         12.03.2018
 2.  Last date & time for submission of queries (by e-mail):
         18.03.2018, 05.00 PM
 3.  Last date and time for receipt of Bidding Documents:
         02.04.2018, 02.00 PM
 4.  Date and Time of Bid Opening (Change if any will be communicated to
     bidders who have purchased RFP.):
         02.04.2018, 03.00 PM
 5.  Cost of RFP:
         Rs. 5000/- (non refundable) to be deposited in A/C
         1522002100021143, PNB IAD, IFSC - PUNB0976200, Branch -
         PNB Head Office (9762200), Sector-10, Dwarka, New Delhi
 6.  Earnest Money Deposit Amount:
         Rs. 50000/- (Rs. Fifty Thousand Only) to be deposited in A/C
         1522002100021143, PNB IAD, IFSC - PUNB0976200, Branch -
         PNB Head Office (9762200), Sector-10, Dwarka, New Delhi
 7.  Place of opening of Bids:
         Punjab National Bank, IT Audit Cell, Inspection & Audit
         Division, Head Office, 2nd Floor, East Wing, Corporate
         Office, Plot-4, Sector 10, Dwarka, New Delhi - 110075
Note:
    (i) Bids will be opened in the presence of bidders who choose to attend as above
    (ii) The schedule is subject to change and notice in writing of any changes will be
         published and communicated wherever feasible through bank's corporate web-
         site www.pnbindia.in. The PNB reserves the right to cancel the RFP at any time
         without incurring any financial obligation to any Bidder or potential Bidder.
    (iii) Any query regarding the RFP may be sent to iadisaudit@pnb.co.in and
          pankajgupta@pnb.co.in addressed to The Chief Manager, IT Audit Cell,
          Inspection & Audit Division, Head Office, 2nd Floor, East Wing, Corporate Office,
          Plot 4, Sector-10, Dwarka, Rajendra Place, New Delhi - 110075 before the Last
          date & time for submission of queries by e-mail.

1.6 Confidentiality
The RFP document is confidential and is not to be reproduced, transmitted, or made
available or disclosed in any form or manner by the Recipient to any other person.
Punjab National Bank may amend or revise the RFP document or any part of it. The
Recipient accepts that they will receive any such revised or amended document subject
to the same terms and conditions as this original and subject also to confidentiality.
The Recipient will not disclose or discuss the contents of the RFP document with any
officer, employee, consultant, director, agent, or other person associated or affiliated in
any way with Punjab National Bank or any of its customers, Auditors, or agents without
the prior written consent of the Bank. The empanelled bidder shall execute a
Confidentiality & Non Disclosure agreement with the Bank as per Annexure `J'.

1.7 Non Disclosure Clause
      i)    The bidder (and his employees) shall not, unless the bank gives permission in
            writing, disclose any part or whole of this RFP document, of the proposal and/or
            contract, or any specification, plan, drawing, pattern, sample or information
            furnished by the bank, in connection therewith to any person other than a
            person employed by the bidder in the pursuance of the proposal and/or
            contract. Disclosure to any such employed person shall be made in confidence
            and shall be to the extent only so far as may be necessary for purposes of such
            performance. The bidder will ensure that the employees engaged by the bidder
            will maintain strict confidentiality.
      ii) The bidder, his employees and agents shall not without prior written consent
          from the bank make any use of any document or information given by the Bank,
          except for purposes of performing the contract award.
      iii) In case of breach, the bank shall take such legal action as it may deem fit.
1.8 RFP TERMINOLOGY
Definitions
Throughout this RFP, unless inconsistent with the subject matter or context, the
following terms will have the meaning as under:
    i. Agreement:
           Any written contract to be entered into between Punjab National Bank and the
           Bidder(s) qualifying for empanelment with respect to providing for any
           deliverables or services contemplated by this RFP. Any Agreement shall be
           deemed to incorporate, as schedules, this RFP and all supplements issued by
        the Bank, the bid of the Successful Bidder(s) and any negotiated modifications
        thereto.

    ii. Bidder/Vendor/Auditor:
        A firm/ Company submitting a bid in response to this RFP. "Bidder" definition for
        this specific RFP for empanelment of IS auditors shall include bidder(s) who
        directly possesses capabilities of conducting such assignments.

   iii. Bank:
        Reference to "the Bank", "Bank", "PNB" and "Punjab National Bank" shall be
        determined in context and may mean without limitation "Punjab National Bank", a
        Nationalized Bank in India.
   iv. Proposal/Bid:
        The Bidder's written reply or submissions in response to this RFP.
    v. RFP:
        The Request for Proposal document in its entirety, inclusive of any supplement
        that may be issued by the Bank.
   vi. ITB:
        Instructions to Bidders as Contained in Chapter - 3.
   vii. Successful bidder:
        Empanelled IS Auditor to whom job has been awarded.

1.9 Disclaimer
Subject to any law to the contrary, and to the maximum extent permitted by law, PNB
and its officers, employees, contractors, agents, and advisers disclaim all liability from
any loss or damage (whether foreseeable or not) suffered by any person acting on or
refraining from acting because of any information including forecasts, statements,
estimates, or projections contained in this RFP document or conduct ancillary to it
whether or not the loss or damage arises in connection with any negligence, omission,
default, lack of care or misrepresentation on the part of PNB or any of its officers,
employees, contractors, agents, or advisers.

Chapter - 2: Bidding Process

2.1. Bidding
A Bidder who decides to bid will have to deposit a non-refundable amount of Rs. 5000/-
(Five Thousand only) towards the cost of Bidding Fee. Bid amount to be deposited in A/C
1522002100021143, PNB IAD, IFSC - PUNB0976200, Branch - PNB Head Office
(9762200), Sector-10, Dwarka, New Delhi.
Bidders shall submit their Bid in sealed envelope containing:-
(i) Technical Compliance Sheet: - It contains the details to prove that it meets the
minimum eligibility criteria with documentary evidence to support the same.


(ii) Score sheet: - It contains the details with documentary evidence to score maximum
on different parameters.
Note: - Bid will not contain any pricing or commercial information at all.
Technical compliance sheet will be opened for evaluation. Those bidders who meet the
minimum eligibility criteria, as per the requirements and the terms and conditions of this
document, shall be shortlisted for further processing. Scoring will be done by the
technical committee for the shortlisted bidders.

2.2. Minimum Eligibility Criteria for Bidder(s)
To become eligible to respond to this RFP the vendor should fulfill the following
minimum eligibility criteria:-
       a) Bidder must be a legal entity in India and must be financially solvent.
       b) Should not be a vendor for Software and Hardware components of the Bank.
       c) Should be a Company /Firm /Organization /independent subsidiary with an
          average annual turnover of Rs.1 (One) crore or more for the last three financial
          years and should be in profit during all three financial years (i.e. 2014-2015,
          2015-2016, 2016-2017).
       d) Should have at least 3 years experience in the field of providing Security Cum
          functionality audit of application software and company should have carried out
          similar work in the Government organization /PSUs/ Banks. The company
          should provide the adequate documentary evidence in support of providing
          similar services.
           For consideration of above experience in Security cum functional Audit of
           application software, the activities similar to given below will be considered:-
            I.   Application Control Review.
           II.   System Processing Logic.
          III.   Review of parameters and other areas.
          IV.    Interface with other applications
           V.    Data Integrity of the report generated from the system
          VI.    Assessment of Role based security for application under scope.
         VII.    Adequacy of Audit trail and logs.
         VIII.   Vulnerability assessment and penetration test [VAPT] of server/security
                 equipment/network equipment/ Applications through intranet.
           IX.   Verification of compliance of system and procedures as per Organization's
                 IT Security Policy/ guidelines.
           X.    Business Impact Analysis.
          XI.    Migration Audit
          XII.   Any other Computer/Mobile/IT Application.
       e) Should not have been blacklisted by any nationalized Bank/RBI/IBA/ PSUs or
          any other Government agency from offering such audit services/solutions to
          them. Bidder must give an Undertaking to this effect.

       f) Firm must have minimum 5 qualified professionals with degree from Govt.
          recognized reputable Universities/Institutions as
          BE/B.Tech/ME/M.Tech/MCA/C.A.(ICAI) and certifications as CISA/CISSP/CEH /
          Sun Certified Security Administrator (SCSECA) / OCE (Oracle
          Certified Expert - Security Administrator), Cisco CCIE-security along with
          minimum 2 years post qualification experience in security cum functional audit
          of application software with at least one software audit of PSUs/Banks and on
          permanent roll of the organization.

       g) Firm must be empanelled with CERT-In, Govt of India for Security Auditors with
          a certificate of empanelment for the block 2016-2019.

    Bidder must submit a detailed statement of facts and profile of company including
    year of commencement of business, Internet site details and name and title of the
    authorized signatory for their Bid and their contact numbers and e-mail address.

    Bidder should provide the documents in support of their eligibility in terms of above
    minimum eligibility criteria.

2.3. Scope of Bid
The scope of the bid shall be to empanel Information System Auditor to conduct security
cum functional audit of application software as per detailed scope given in Annexure A.

2.4. Amendments/Supplements to Bidding Documents
At any time prior to the deadline for submission of bids, the bank may, for any reason,
modify the Bidding Document by amendments at the sole discretion of the bank. All
amendments will be in writing and shall be communicated and published on bank's
website and will be binding on all prospective bidders. Further for any communication
bidders must provide name of the contact person, mailing address, telephone number
and FAX numbers on the covering letter sent along with the bids/ request for bidding
document.
In order to provide prospective bidders reasonable time to take the amendment into
account in preparing their bid, the bank may, at its discretion, extend the deadline for
submission of bids.

2.5. Rights of PNB
PNB reserves the right to:-
     - Modify any terms, conditions and specifications of the RFP.
     - Negotiate with Bidders.
     - Accept any Bid in whole or in part.
     - Split orders in favor of more than one Bidder.
     - Release order, part order or more than one order.
     - Finalize the bill of material and repeat orders.
     - Issue the amendments to the RFP at anytime, prior to the deadline for the
       submission of Bids. From the date of issue, amendments to Tender Document
       shall be deemed to form an integral part of the Tender Document.
The Bids received and accepted will be evaluated by PNB to ascertain the best in the
interest of PNB. However, PNB does not bind itself to accept any Bid and reserves the
right to reject any or all Bids at any point of time prior to the placing of order without
assigning any reasons whatsoever. PNB reserves the right to re-tender. PNB shall not
incur any liability to the affected Bidder(s) on account of such rejection. PNB shall not be
obliged to inform the affected Bidder(s) of the grounds for PNB's decision of rejection. It
is to be understood clearly by the Bidders that the selection process requires them to
have adequate expertise in the audit domain.

2.6. Governing Law and Disputes
The Bid and the resulting Contract with the successful Bidders shall be governed in
accordance with the Laws of India for the time being in force.
All disputes or differences whatsoever arising between PNB and the Bidders out of the
meaning and operation or effect of this Tender Document or breach thereof, shall be
settled amicably. If, however, the parties, as above, are not able to resolve them
amicably, the same shall be settled by Arbitration in accordance with the Arbitration and
Conciliation Act 1996, and the award made in pursuance thereof shall be binding on the
parties.
Any appeal will be subject to the exclusive jurisdiction of the courts at Delhi (India). In
such instances, the Successful bidder shall continue to work under the Contract during
the arbitration proceedings unless otherwise directed in writing by PNB or unless the
matter is such that the work cannot possibly be continued until the decision of the
Arbitrator or of the umpire, as the case may be, is obtained.
The venue of the arbitration shall be Delhi, India.

Chapter - 3: Instructions to Bidders (ITB)
3.1. The Bidding Documents
3.1.1. Cost of Bidding
The cost of bidding and submission of tender documents in response to this RFP is
entirely the responsibility of bidders, regardless of the conduct or outcome of the
tendering process. PNB will not be liable for any costs incurred by the Bidder in replying
to this RFP. It is also clarified that no binding relationship will exist between any of the
Respondents and the Bank until execution of a contractual agreement.

3.1.2. Content of Bidding Document
The bidding document provides an overview of the requirements, bidding procedures and
contract terms. It includes Introduction, eligibility criteria, Instruction to Bidders, and
Broad terms and conditions of Contract and Bid. The bidder must conduct its own
investigation and analysis regarding any information contained in the RFP document and
the meaning and impact of that information.

The Bidder is expected to examine all instructions, statements, forms, terms and
specifications in the bidding documents. Failure to furnish all information required by the
bidding documents or submission of a bid not responsive to the bidding documents in
every respect will be at the Bidder's risk and may result in rejection of the bid. While the
Bank has made considerable effort to ensure that accurate information is contained in
this RFP, the information contained in this RFP is supplied solely as a guideline for
Bidders. Furthermore, during the RFP process, the Bank has disclosed or will disclose
in the RFP and supplement as applicable, available information relevant to the Work to
the extent, detail, and accuracy allowed by prevailing circumstances. Subject to the
provision in the previous sentence, the Bank has used or will use its best judgment and
assessment to fairly and reasonably represent the nature and scope of the Work in order
for Bidders to submit viable Proposals. However, the Bank shall not be deemed to give
any guarantees or warranties of accuracy of any of the information in this RFP or any
supplement, nor of its being comprehensive or exhaustive. Nothing in this RFP or any
supplement is intended to relieve Bidders from forming their own opinions and
conclusions in respect of the matters addressed in this RFP or any supplement, as
applicable.

3.1.3. Clarification on RFP
The Bidder shall carefully examine and understand the specifications / conditions of RFP
and seek written clarifications, if required, to ensure that they have understood all
specifications / conditions of RFP. Written requests for clarification may be submitted to
PNB before last date specified for queries (through email) in this regard.
Thereafter, no more clarification other than that asked by the last date specified for this
purpose shall be entertained. No oral consultation either shall be entertained thereafter.
The Bid should not carry any sections like clarifications, 'as orally told', 'to be
discussed', interpretations and assumptions. With the submission of the Bid, the Bidder
acknowledges that he/she has carefully studied and understood the RFP in totality.
Any questions concerning this RFP must be submitted through email at
iadisaudit@pnb.co.in, pankajgupta@pnb.co.in on or before the last date of submission
of queries to:
Chief Manager,
Punjab National Bank,
IT Audit Cell, Inspection & Audit Division,
Head Office, 2nd Floor, East Wing
Corporate Office, Plot-4, Sector-10, Dwarka,
New Delhi - 110075
No requests for clarification will be accepted over telephone.

3.1.4 Language of Bid
The bid prepared by the Bidder, as well as all correspondence and documents relating to
the bid exchanged between the Bidder and the Bank shall be written in English language
only.

3.2 Preparation of Bids

3.2.1 Document Constituting the Bid
The bid prepared by the Bidder shall comprise the following components:
  a) Technical Compliance Sheet:-
      Details establishing the qualification of the bidder as per Minimum eligibility criteria
      (see Chapter-2) for the Bidders. Annexure-H
  b) Point wise compliance of the terms and conditions enumerated in Tender
     Document. Any technical/commercial deviation with the Tender Document should
     be clearly stated with the reasons thereof.
  c) Documentary evidence established in accordance with ITB Section 3.2.2 that the
     Bidder is qualified to perform the contract if its bid is accepted and that the bidder
     has financial, technical capability necessary to perform the contract and meets the
     criteria outlined in the Qualification Requirement and fulfills all the conditions of the
     Contract.

  d) Bid security furnished in accordance with ITB Section 3.2.4.
  e) An undertaking from the bidder (As per Annexure C) that the bidder is complying
     with all the conditions of the Contract and Technical Specifications of the Bidding
     Document as no deviation will be acceptable to the Bank.
  f) Score Sheet (Annexure-D)
  g) Compliance statement as per the Annexure-G.
This will be evaluated by the technical committee as per the procedure elaborated in ITB
Section 3.3.2(v).
3.2.2 Document Establishing Bidder's Qualification.
Pursuant to ITB section 3.2.1, the Bidder shall furnish, as part of its Bid, documents
establishing the Bidder's qualification to perform the Contract if the bid is accepted.
The documentary evidence of Bidder's qualification to perform the Contract if the bid is
accepted should establish to the Bank's full satisfaction that the bidder has the financial,
technical and performance capability necessary to perform the Contract and meets the
criteria outlined in the Minimum eligibility Criteria specified in this RFP. Bids that do not
fully comply with minimum eligibility criteria will be rejected. Technical scoring will be
done only for bidders who fulfill minimum eligibility criteria and have been shortlisted.

3.2.3 Documents establishing Solution Conformity to Bidding Documents
All the documents must accompany the response to this RFP as per Annexure L.
Willful misrepresentation of the facts will lead to the cancellation of the contract without
prejudice to any other action that the Bank may take.
All the submissions, including any accompanying documents, will become property of
Punjab National Bank. The bidders shall be deemed to have license, and grant all rights
to, Punjab National Bank, to reproduce the whole or any portion thereof for the
purpose of evaluation, to disclose the contents of submission to other bidders and to
disclose and/or use the contents of submission as the basis for RFP process.

3.2.4 Bid Security
    (i)      Pursuant to ITB Section 3.2.2, the Bidder shall furnish, as part of its bid, a bid
             security of INR 50000/- (Rupees Fifty Thousand only).
    (ii)     The bid security is required to protect the Bank against the risk of Bidder's
             misconduct, which would result in the forfeiture of the bid security.
    (iii)    The bid security shall be in Indian Rupees and shall be in the form of a Draft
             /Banker's cheque, in favor of Punjab National Bank, Inspection & Audit Division,
             payable at Delhi.
    (iv)     Any bid, not secured in accordance with above will be rejected by the Bank as
             non-responsive.
    (v)      Unsuccessful bidder's bid security will be discharged/returned as promptly as
             possible but not later than 30 days after the expiry of the period of bid validity
             prescribed by the Bank. Bank will not be liable for any delay beyond 30 days as
             aforesaid and no claim for delayed interest will be allowed.
    (vi)    Bid security of bidders who have qualified for empanelment will be discharged
            upon the Bidder signing the Contract, and furnishing the Performance
            Guarantee.
    (vii) The bid security may be forfeited, if a Bidder
            a) Withdraws its bid during the period of bid validity specified by the Bidder on
               the Bid Form; or does not accept the correction of errors or attempts to
               influence the Bank in its decisions on bid evaluation or bid comparison
            b) In case of a successful Bidder, if the Bidder fails:
                  To sign the Contract in accordance with Section 3.3.6; or
                  To furnish Performance Guarantee in accordance with Section 3.3.7.

3.2.5 Period of Validity of Bids
The bids shall be valid for a period of 180 days from the date of closure for submission
of the bid. A bid valid for a shorter period shall be rejected as non-responsive.
In exceptional circumstances, the Bank may solicit the Bidder's consent to an extension
of the period of validity. The request and the response thereto shall be made in writing
(or by fax). The bid security validity period shall also be suitably extended. A Bidder may
refuse the request without forfeiting its bid security. A Bidder granting the request of
extension will not be required nor permitted to modify its bid.






3.2.6 Format and Signing of Bid
    (i) The Bidder shall prepare Bid in accordance with ITB Section 3.2.1.
    (ii) The bid shall be typed or written in indelible ink, numbered and shall be signed by
         the Bidder or a person or persons duly authorized to bind the Bidder to the
         Contract. The authorization shall be indicated by a written power-of-attorney or a
         board resolution accompanying the bid. The person or persons signing the bid
         shall sign & seal all pages of the bid;
    (iii) Any interlineations, erasures or overwriting shall be valid only if the person or
          persons signing the bid sign them.
    (iv) Bid should be typed and submitted on A4 size paper and bound securely.
        Bidders responding to this RFP must comply with the following format
        requirements:

(a) COVER LETTER/BIDDER CERTIFICATIONS:
Certificates and other supporting documents may be attached with the covering letter while
submitting the proposal.
Proposals submitted in response to this RFP must be signed by the person working in
the bidder's organization who is responsible for the decision or by a person who has
been authorized in writing to act as agent for the person responsible for the decision.
Each bid shall stipulate that it is predicated upon the terms and conditions of this RFP
and any supplement or revision thereof. By submitting a signed proposal, the bidder's
signatories certify that in connection with this assignment:
           The bidder's organization or an agent of the bidder's organization has submitted
           the bid without consultation, communication or agreement with any other
           respondent or with any competitor for the purpose of restricting competition.

        No attempt has been made or will be made by the bidder's organization or by any
        agent of the bidder's organization to induce any other person or firm to submit or
        not to submit a bid for the purpose of restricting competition.

(b) REFERENCE DATA SHEET:
For the services offered, Bidder must furnish a list of minimum of two (2) references that
will be capable of verifying information supplied by the Bidders in proposal. Bidders
should submit additional Reference Data Sheet forms if they have more than two (2)
references.
The Bank reserves the right to contact and/or visit any party listed as a reference, which
has previously utilized or is presently utilizing service(s) identical or similar to those
being proposed by the bidder. The Bank may also utilize other sources of information
about the product(s) and/or service(s) proposed by the Bidder where these sources are
publicly available and are equally available for all competing bidders. The Bidder should
not be present during site visits.

(c) FINANCIAL STABILITY DOCUMENTATION:
Bidders responding to this RFP must be able to substantiate their financial stability.
Audited Financial statements along with additional supporting documentation must be
submitted with the bid.

(d) RESPONSE TO GENERAL, TECHNICAL, PERFORMANCE AND SUPPORT
REQUIREMENTS:
Provide a point-by-point response to each and every requirement specified in this RFP.
Responses must indicate that either bidder's bid "does comply" with specifications or
that it "does not comply." A succinct explanation of how each requirement can be met or
cannot be met must be included.
(e) ADDITIONAL INFORMATION:
Include additional information, which will be essential to an understanding of the
proposal. This might include diagrams, excerpts from manuals, or other explanatory
documentation, which would clarify and/or substantiate the bid. Any material included
here should be specifically referenced elsewhere in the bid.

(f) GLOSSARY:
Provide a glossary of all abbreviations, acronyms, and technical terms used to describe
the services or products proposed. This glossary should be provided even if these terms
are described or defined at their first use in the bid response.

3.2.7 SEALING, MARKING AND SUBMISSION OF BIDS
Bidders should provide their 'Minimum Eligibility Criteria' and 'Score Sheet' in one
original and two additional copies and shall be labeled as "Original" or "Copy" as
appropriate. Each of these shall then be sealed in a separate envelope labeled "Original
Tender" or "Copy Tender" as appropriate. All the sealed envelopes containing Technical
responses shall then be sealed in one envelope marked "Bid for Empanelment of IS
Auditor For Security Cum Functional Audit Of Application Software" in the top left hand
corner. The Bids, which are not sealed as indicated above, are liable to be rejected. PNB
will not be liable for Postal/Courier delay, non-receipt/non-delivery of documents, loss of
documents in transit, etc., if any, in the Bidder receiving the RFP and/or in submitting the
Bid before the scheduled time.
All pages of the Bid including Brochures are to be numbered as Page --- (current page)
of --- (total pages). The numbering shall be done for the whole Bid and not section-wise.
The envelopes shall be dated with the current date in the top right hand corner and
addressed to as below:
      The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi - 110075
If the envelope is not sealed and marked, the Bank will assume no responsibility for the
bid's misplacement or premature opening.
Telex, Email or fax bids will be rejected.

3.2.8 Deadline for Submission of Bids
Bid must be received by the Bank at the address specified under Section 3.2.7 on or
before the last date of receipt of the Bid. In the event of the specified date for the
submission of Bids being declared a holiday for the Bank, the Bids will be received up to
the appointed time on the next working day.
The Bank may, at its discretion, extend this deadline for submission of bids by amending
the bid documents in accordance with section 2.5, in which case all rights and
obligations of the Bank and Bidders previously subject to the deadline will thereafter be
subject to the deadline as extended.

3.2.9 Late Bids
Any bid received by the Bank after the deadline fixed for submission of the bids will not
be considered. PNB will not be liable for any delayed receipt due to Postal/Courier delay.
Bidder shall ensure timely dispatch so that the same reaches the Bank before deadline.

3.2.10 Modification and Withdrawal of Bids
        i)   The Bidder may modify or withdraw its bid after the bid's submission, provided
             that written notice of the modification or withdrawal is received by the Bank
             prior to the deadline prescribed for submission of bids.
        ii) The Bidder's modification or withdrawal notice should be sealed and marked
            accordingly.
        iii) No bid can be modified subsequent to the deadline for submission of bids.
        iv) No bid can be withdrawn during the interval period between the deadline for
            submission of bids and the expiration of period of bid validity. The act of
            withdrawal of a bid during this interval will result in the forfeiture of the
            Bidder's bid security. In other words, no withdrawal of the Bid is allowed after
            the Dead Line fixed for Submission of the Bid.

       3.2.11 Acceptance or rejection of bid
       Incomplete Bid(s), conditional Bid(s), Bid(s) not conforming to the terms and
       conditions, Bid without EMD are liable for rejection by PNB.
       The Bank reserves the right not to accept any bid, or to accept or reject a particular bid
       at its sole discretion without assigning any reason whatsoever.

       3.2.12 Notification
       Any relevant information regarding the bid will be published on bank's web site
       www.pnbindia.in & www.pnbinida.biz only.

       3.3 Bid Opening and Evaluation of Bids

       3.3.1. Assumptions and Agreements
       PNB, at its discretion, may make modifications to the selection criteria and the
       weightage pattern, which will be notified to the bidders.
       PNB reserves the right to accept or reject any proposal without assigning any reason
       whatsoever.

       3.3.2. Opening and evaluation of Technical Bids by the Bank
  I.       The Bank will open the bid, in the Inspection and Audit division, Punjab National
           Bank, 2nd Floor, East Wing, Plot-4, Sector 10, Dwarka, New Delhi. Bidders'
           representatives who choose to attend at the date/time and venue specified in section
           1.5. shall have to sign a register evidencing their attendance. In case no
           representatives attend the bid opening, the bids shall be opened in their absence. In
           the event of the specified date of Bid opening being declared a holiday for the Bank
           or bids cannot be opened due to any unavoidable circumstances, the Bids shall be
           opened at the time and location on the next working day or any other day as decided
           by the Bank.
 II.       The bidder's names, bid modifications or withdrawals and the presence or absence
           of requisite bid security and such other details as the Bank at its discretion may
           consider appropriate will be announced at the time of bid opening.
III.       Bids that are not opened and read out at bid opening shall not be considered for
           further evaluation, irrespective of the circumstances.
IV.        The Bank will prepare minutes of the bid opening.
V.         The Minimum eligibility criteria and score sheet would be evaluated by the Technical
           Committee. Score sheet would be evaluated as per the following criteria/weight-



       SNo  Details                          Scale of Measurement (Marks)

       1    No. of qualified auditor in      Maximum Marks -30
            the firm as defined in 2.2.      (i) 15 or more qualified auditor : 30 Marks
            (f) on the permanent roll of     (ii) More than or equal to 10 but less than 15: 20 Marks
            the organization.                (iii) More than or equal to 5 but less than 10: 15 Marks
            Maximum Marks -30

       2    No. of completed Security        Maximum Marks -40
            cum Functional Audit of          1. Total no. of application software audit in PSU/Govt./
            Application software in             Bank in last 5 years
            Government organization          (i) More than 25 software audit - 40 Marks
            /PSUs/ Banks during last 5       (ii) More than or equal to 15 but less than 25 - 30 Marks
            years.                           (iii) More than or equal to 10 but less than 15 - 20 Marks

            (Maximum Marks -50)              Maximum Marks - 10
                                             1. Audit of Application software in Banks
                                             (i) Audit of Core Banking Solution (CBS) project of the
                                                 Bank in any bank having more than 200 offices - 10 Marks
                                             (ii) Audit of financial software other than above (like
                                                  ATM, IBS, Treasury) of any bank having more than
                                                  200 offices - 7 marks
                                             (iii) Other than above - 5 Marks

       3    Total no. of PSU/Banks           No. of PSU/Bank customer dealt in last 5 year.
            customer for the purpose         Maximum Marks - 20
            of security cum functional       (i) More than or equal to 5 Customer - 20 Marks
            audit of application             (ii) More than or equal to 2 but less than 5 Customer - 15 Marks
            software during last 5           (iii) 1 Customers - 10 Marks
            years:

            (Maximum Marks -20)
   Bidders have to submit the details as above with documentary proof. Scoring for
   shortlisted bidders will be done on the parameters given above. Bidders scoring more
   than or equal to 60% marks will qualify for empanelment for security cum functional audit
   of application software. In case there are less than 5 firms who qualify with a score of
   60% or above, the bank may at its discretion include the next top scoring firms so that
   total number of selected firms is at least 5 (Five). However, the Bank reserves the right of
   lowering the qualifying marks in case the stipulated number of bidders does not qualify.
   In case more than one firm has secured the same score and selection for empanelment of
   top 5 firms requires inclusion of one or more firm(s) at that score, then all the firms on
   that score will be selected for empanelment.

VI. If a bid is not responsive or not fulfilling all the conditions of the Contract or not meeting
    Technical Specifications and Qualification Requirement, it will be rejected by the bank
    outright and may not subsequently be made responsive by the Bidder by correction of
    the non-conformity.
VII. Proposal will be reviewed to assess compliance with the requirements set out in this
     RFP. Proposals that do not fully comply with the minimum requirements will be rejected
     without further consideration.




3.3.3. Clarification of Bids
During evaluation of bids, the Bank may, at its discretion, ask the Bidder for a
clarification of its bid. The request for clarification and the response shall be in writing.

3.3.4. Evaluation Criteria for Empanelment:-
        i)   Preliminary scrutiny of all the bids received will be done and bids not meeting
             the minimum eligibility criteria would be rejected.
        ii)  Scoring would be done only for shortlisted bidders who qualify the minimum
             eligibility criteria.
        iii) Shortlisted bidders will qualify for empanelment as IS Auditors on the basis of
             scores procured by the bidders and as per process defined in section 3.3.2(v).
        iv)  Technical evaluation committee would recommend the name of bidders who
             qualify for empanelment after evaluating the score sheet.
        v)   In the process of scrutiny of the proposals, Bank may seek additional inputs
             and clarifications as may be needed and also may request the service
             providers to make a presentation.

3.3.5. Contacting the Bank
No Bidder shall contact the Bank or its employees on any matter relating to its bid, from
the time of the bid opening to the time the empanelment is completed. If the bidder
wishes to bring additional information to the notice of the Bank, it should do so in writing.
Any effort by a Bidder to influence the Bank in its decisions on bid evaluation or bid
comparison may result in rejection of the Bidder's bid and forfeiture of their Bid Security.

3.3.6 Signing of Contract
At the same time as the Bank notifies the successful bidders that they have been
qualified for empanelment, the Bank will send the bidders the Contract Form
incorporating all agreements between the parties as enumerated in RFP.
Within 7 days of receipt of the Contract Form, the successful bidder shall sign and date
the Contract and return it to the Bank. The Bidder will agree to all the terms and
conditions as mentioned in this RFP.

3.3.7 Performance Guarantee
Within 7 days of the receipt of notification for qualifying for empanelment from the Bank,
the successful Bidder shall furnish the Performance Guarantee from a scheduled
commercial public sector bank, payable on demand for an amount of Rs. 100000/- (One
Lakh Only) for the due performance and fulfillment of the contract by the empanelled
bidder, in accordance with the conditions of Contract, in the Performance Guarantee
Form provided in the bidding documents or in another form acceptable to the Bank.
The Performance Guarantee may be discharged by the PNB upon being satisfied that
there has been due performance of the obligations by the Successful bidder under the
contract during the empanelment period. The Performance Guarantee shall be valid till
the end of the empanelment Period.




Failure of the successful bidder to comply with the requirement shall constitute sufficient
grounds for the annulment of the empanelment and forfeiture of the bid security.


3.3.8 Notification of Empanelment:
The process of empanelment would complete only after signing of Contract,
Confidentiality cum Non Disclosure Agreement and furnishing of Performance
Guarantee by the bidders who have qualified for empanelment.
The Bank will notify the successful bidders in writing by registered letter / courier/ email
or by fax that they have been empanelled, as IS Auditor for Security Cum Functional
Audit of Application Software for a period of 2 years.
Upon the successful Bidders' furnishing of Performance Guarantee as specified in
Section 3.3.7 thereof, the Bank will promptly discharge the bid security.

3.4 Award of Contract

3.4.1. Post qualification
The Bank will determine to its satisfaction whether the empanelled IS Auditor is qualified
to perform the contract satisfactorily. The determination will take into account the
Bidder's financial, technical and performance capabilities. It will be based upon an
examination of the documentary evidence of the Bidder's qualifications, expertise,
capability submitted by the bidder as well as such other information as the Bank deems
necessary and appropriate.

The empanelment does not entitle the empanelled IS Auditor to any
assignment during the contract period; assignment will be solely subject to the requirement and
discretion of the bank.
Empanelment would be initially for the period of 2 years subject to review of
performance on a yearly basis.

3.4.2 Award Criteria on Post Empanelment

All the empanelled IS auditors would be asked to submit their commercial bid for
security cum functional audit of application software as per requirement of the bank.
For this purpose requisite applicable documents will be provided to them for each
software separately from the list given below:-
    1.      System documentation (Details of Systems/OS/RDBMS/development
            platform /Web Server etc.)
    2.      User Requirement Specifications frozen for customization
    3.      Change request Documentation (for packages undergoing enhancement)
    4.      User Manual & Other instructions
    5.      Details of Acceptance Tests conducted along with details
    6.      Pilot testing reports in case of packages released for implementation
    7.      Problems reported during the pilot testing and their resolution details
    8.      Release / implementation instructions
         (The above list is not exhaustive)


An e-mail asking the empanelled auditors to submit their commercials within a specified
date will be sent by the bank as and when the requirement of audit of application software(s)
arises. It will be binding on all the empanelled auditors to participate in the bidding
process whenever initiated by the Bank. Bank may also consider online bidding
whenever required and all bidders shall be required to participate in the online bidding
process as stipulated by the bank. On failing to participate in the bidding process for any
3 consecutive occasions during the empanelment period, the bank may cancel the
empanelment of the respective bidder and may also forfeit the amount of the
performance bank guarantee.
Empanelled auditors would submit their commercials for the job separately for each
software within the specified date in a sealed envelope through courier/registered post or
online, whichever mode is decided by the bank. The commercial bids so received will be
opened by the Bank as per the intimated date & time in the presence of the representatives
of the bidders who wish to attend; otherwise the same would be opened in their
absence. The job of audit of application software will be awarded to the empanelled
auditor whose commercial bid is lowest for that particular software.
On assignment of a job, the empanelled auditor will submit the audit plan along with full
credentials of the audit team within 3 days as per Annexure-'A' (3.1). The job of audit
must be commenced within 7 days of assignment.

The bank retains the right to finally negotiate the commercials with the lowest bidder to
arrive at reasonable remuneration before awarding the job. It may be noted that the
Bank will not entertain any price negotiation with any other bidder, till the successful
bidder declines to accept the offer, in which event the Bank may make the award to the
next lowest bidder or call for new bids.

3.4.3 Dead Line / Critical Dates
The empanelled auditor to whom the job is awarded shall complete/perform all
activities before the last date. If the audit activity awarded by the bank is not carried out by the
L1 bidder as per the timeline, the bidder shall be liable to strict action including
cancellation of audit assignment and de-empanelment of the bidder firm.

Bank may also terminate the contract after giving a notice of 30 days at its sole
discretion without assigning any reason.

(For last date please refer Annexure- `A' Time lines clause 3.1.)

3.4.4 Right to accept any Bid and to reject any or All Commercial Bids
        (a) The Bank reserves the right to accept or reject any or all Bids without
            assigning any reasons. Bids may be accepted or rejected in total or in any
            part or items thereof. Any Bid not containing sufficient information, in view of
            the Bank, so as to enable a thorough analysis may be rejected.
        (b) The Bank reserves the right to verify the validity of bid information, and to
            reject any bid where the contents appear to be incorrect, inaccurate or
            inappropriate in the Bank's estimation.
        (c) The Bank shall have the right to determine in its own best judgment, the
            Bidders who will qualify for the short list, if any, and thereafter, the final
            successful bidder shall undertake the work.

        (d) Bids not conforming to the requirements of the Bank may not be considered.
            However, the Bank reserves the right, at any time, to waive any of the
            requirements of the RFP, if, in the sole discretion of the Bank, the best
            interests of the Bank would be served by such change.
        (e) If, in the opinion of the Bank, any Bidder has clearly misinterpreted the Work
            and /or underestimated the hours and / or value of the Work to be performed
            as reflected in the bid content and quoted price(s)/rate(s), then the Bank may
            reject the bid as unbalanced (i.e. not representative of the Work Scope).
        (f) Further, the bank shall have the right to cancel the Bid process at any time
            prior to execution of the contract, without thereby incurring any liability to the
            affected Bidder or bidders. Reasons for cancellation, as determined by the
            Bank in its sole discretion, include, but are not limited to, the following:
            (i) Services contemplated are no longer required;
            (ii) Requirements and terms of reference (scope of work) of the RFP were
                  not adequately or clearly defined due to unforeseen circumstances and
                  /or factors and /or new developments;
            (iii) The RFP did not allow for consideration of all significant elements of the
                  Bank for the work (e.g. new/additional matters have arisen);
            (iv) Proposed price is unacceptable for the Work;
            (v) The Project is not in the best interest of the Bank; and
            (vi) Any other reason.

3.4.5 Notification of Award of Contract
Prior to the expiration of the period of bid validity, the Bank will notify the successful
bidder in writing by registered letter / courier/ email or by fax, to be confirmed in writing
by registered letter, that its bid has been accepted.
The notification of empanelment will constitute the formation of the Contract and
agreement shall be executed with all the empanelled bidders separately.

Chapter - 4: Broad Terms and Conditions
This chapter describes the general terms and conditions of the Contract. However, the
terms and conditions are not conclusive and PNB reserves the right to add, delete,
modify or alter all or any of these terms and conditions in any manner, as deemed
necessary by PNB.
If any irregularity is detected anytime in respect of the above, PNB will have the right to
take appropriate action against the Bidder, as deemed fit by PNB.
Successful bidder wherever mentioned under this chapter shall mean the
empanelled IS Auditor to whom job has been awarded.

4.1. Standards
The services rendered under the contract shall be in conformity with the industry standards/
best practices.

4.2. Arbitration
All disputes and differences of any kind, whatsoever, between the parties i.e.
empanelled IS Auditor and PNB, arising out of or in relation to the construction,
meaning, operation or effect of the Contract, shall be settled amicably. If, however, the
parties are not able to resolve any dispute or differences amicably, the same shall be
settled by arbitration in accordance with the provisions of Arbitration and Conciliation
Act, 1996 and the award made in pursuance thereof shall be binding on the parties.
The Successful bidder shall continue to work under the Contract during the arbitration
proceedings unless otherwise directed in writing by PNB or unless the matter is such
that the work cannot possibly be continued until the decision of the Arbitrator or of the
umpire, as the case may be, is obtained.
Save as those, which are otherwise explicitly provided in the contract, no payment due
or payable by PNB, to the successful bidder shall be withheld on account of the ongoing
arbitration proceedings, if any, unless it is the subject matter or one of the subject
matters thereof.

The venue of the arbitration shall be Delhi, India & arbitration will be in English.

4.3. Notices
Notice or other communications given or required to be given under the Contract shall
be in writing and shall be hand-delivered with acknowledgement thereof, or transmitted
by pre-paid registered post or by recognized courier, or by facsimile, provided that where
such notice is sent by facsimile, a confirmation copy shall be sent by pre-paid registered
post or by recognized courier within five days of the transmission by facsimile, to the
address of the receiving party by the other in writing, provided such change of address
has been notified at least ten days prior to the date on which such notice has been given
under the terms of the contract.
Any notice or other communications shall be deemed to have been validly given on date of
delivery if hand-delivered; if sent by registered post or by recognized courier, then on the
expiration of seven days from the date of posting; and if transmitted by facsimile, then on
the next business date after the date of transmission.

4.4. Use of Contract Documents and Information
The empanelled IS Auditor shall not, without PNB's prior written consent, disclose the
Contract or any provision thereof, or any specification or information furnished by or on
behalf of PNB in connection therewith, to any person other than a person employed by
the empanelled IS Auditor in the performance of the Contract. Disclosure to any such
employed person shall be made in confidence against Non-disclosure agreements
completed prior to disclosure and disclosure shall extend only so far, as may be
necessary for the purposes of such performance. Any document, other than the Contract
itself, shall remain the property of PNB and all copies thereof shall be returned to PNB
on termination of the Contract.

4.5. Patent and Copyrights
The empanelled IS Auditor shall, at its own cost and expenses, defend and indemnify
and keep indemnified PNB against all third-party claims including those of the
infringement of Intellectual Property Rights, including patent, trademark, copyright, trade
secret or industrial design rights, arising from use of the Products or services or any part
thereof in India.



If PNB is required to pay compensation to a third party resulting from such infringement,
the empanelled IS Auditor shall be fully responsible therefore, including all expenses and
cost and legal fees. PNB will give notice to the empanelled IS Auditor of any such claim
and shall provide reasonable assistance to the empanelled IS Auditor in disposing of the
claim.
The empanelled IS Auditor shall also be liable to indemnify PNB, at its own cost and
expenses, against all losses/damages, which PNB may suffer on account of violation by
the empanelled IS Auditor of any or all national/international trade laws, norms,
standards, procedures etc.
The empanelled IS Auditor shall be liable to indemnify PNB, at its own cost and
expense, in respect of any losses sustained or suffered by any third party, on account of
breach of any stipulation of this agreement by the Empanelled IS Auditor or any
negligent or fraudulent act or omission by Empanelled IS Auditor in course of fulfilling its
obligations under the RFP.

4.6. Deliverables
Schedule of audit and reports required are covered in scope of audit (Annexure-'A').

4.7. Payment Terms

The successful bidder will be entitled to claim 80% payment on submission of final report
of security cum functional audit of application software and 20% on completion of
compliance audit of the observations.

Where the delay in completion of the compliance audit is due to factors not attributable to the
auditor, the 20% payment will also be released to the IS auditor after 30 days of submission of
the final report.

4.8 Taxes and Duties
Price will be quoted excluding all taxes. All applicable Taxes and Duties should be
indicated in the Commercial Bid separately and will be payable on actual basis on
providing the proof of the payment.

4.9 Delays in the Performance
The Successful bidder must strictly adhere to the audit schedule, as specified in the
contract in the performance of the obligations and any delay in this regard will enable
PNB to resort to any or both of the following:
      (a) Claiming Liquidated Damages
      (b) Termination of the agreement fully or partly and claim liquidated damages.
      (c) Imposing penalty.

4.10 Penalty
Delayed start of audit, delayed completion of audit and delayed submission of report as
per agreed terms defined in scope of audit will attract a penalty of 1% per day of delay on the
total amount payable for the audit of the software (maximum up to 15% of the fees). If the
report is not submitted within 15 days after completion of audit, the bank may cancel the
order.



PNB will have the rights to recover the liquidated damages, if any, from any amount
payable to the Successful bidder.

4.11 Force Majeure
The Successful bidder or PNB shall not be responsible for delays or non-performance of
any or all contractual obligations, caused by war, revolution, insurrection, civil
commotion, riots, mobilizations, strikes, blockade, acts of God, Plague or other
epidemics, fire, flood, obstructions of navigation by ice of Port of dispatch, acts of
government or public enemy or any other event beyond the control of either party, which
directly, materially and adversely affect the performance of any or all such contractual
obligations.
Provided either party shall within ten (10) days from the occurrence of such a cause
notify the other in writing of such causes. Unless otherwise directed by the Bank in
writing, the Successful bidder shall continue to perform his obligations under the contract
as far as possible, and shall seek all means for performance of all other obligations, not
prevented by the Force Majeure event.

4.12 Correspondences
PNB and the empanelled IS Auditors shall nominate a Project Manager each
immediately on empanelment, who shall be the single point of contact for the projects to
be assigned for IS Audit. However, for escalation purpose, details of other persons shall
also be given. The project manager nominated by the Bidder should have prior
experience in implementing similar systems in the past and should be a qualified
professional.

4.13 Successful bidder's Obligations
The following form illustrative obligations of the Successful bidder. These are not exhaustive.
The Successful bidder will abide by the job safety, customs and immigration measures
prevalent and laws in force in India, and will indemnify PNB against all demands or
responsibilities arising from accidents or loss of life, the cause of which is the Successful
bidder's negligence. The Successful bidder will pay all indemnities arising from such
incidents and will not hold PNB responsible or obligated.
The Successful bidder is responsible for, and obligated to conduct all contracted activities
with due care and diligence, in accordance with the Contract and using state-of-the-art
methods and economic principles, and exercising all reasonable means to achieve the
performance specified in the Contract.
The Successful bidder is obliged to work closely with PNB's staff, act within its own authority,
and abide by directives issued by PNB that are consistent with the terms of the Contract.
The Successful bidder is responsible for managing the activities of its personnel, and will
hold itself responsible for any misdemeanors.
The Successful bidder shall be solely responsible for the performance of the contract to the
satisfaction of PNB.
No right to employment in bank shall accrue or arise by virtue of empanelment of the
successful bidder. Neither the successful bidder nor its employees, agents or representatives
shall hold out or represent as agents of bank. None of the employees, representatives or
agents of successful bidder shall be entitled to claim permanent absorption or any other
claim or benefit against the bank/employment. The personnel employed by the successful
bidder shall not have any claim whatsoever against the bank.

4.14 Contract Amendments
Any change made in any clause of the contract which shall modify the purview of the
contract within the validity and currency of the contract shall be deemed as an Amendment.
Such an amendment can and will be made and be deemed legal only when the parties to the
contract provide their written consent about the amendment, subsequent to which the
amendment is duly signed by the parties and shall be construed as a part of the contract.
The details of the procedure for amendment shall be as specified in the contract.

4.15 Extension of Bank Guarantees
The Bidder shall be responsible for extending the validity date and claim period of all the
bank guarantees as and when it is due. PNB shall invoke the guarantee before expiry of
validity if work is not completed and the guarantee is not extended, accordingly.

4.16 Adherence to Standards & Right of Audit/Visit
The selected Bidder must adhere to laws of land and rules, regulations and guidelines
prescribed by various regulatory, statutory and Government authorities.

The Bank and Regulatory bodies such as RBI reserve the right, themselves or through a
consultant, to conduct audit/ongoing audit or visit the office locations of the selected Bidders.
The cost of the audit/Consultant shall be borne by the Bank.

4.17 Subcontracting
No Subcontracting of the work will be permissible to the empanelled bidders.




                                                                              Annexure - A

    1     SCOPE

    Scope of Security cum Functional Audit of the application software i.e. Programs/
    Webscripts/Applications etc coded in any computer programming language, during
    the contract period will include:-

          - Functionality implemented vis-à-vis the Bank's requirements.
          - Input, processing and output controls across various schemes across the bank
          - Controls for performing/changing parameter setup of functionality across
            applications.
          - Through-put validation
          - Automated batch processing, scheduled tasks, critical calculations etc.
          - IT General Control Review
          - In case of web based application, the validation against top 10 OWASP
            vulnerabilities.
          - Regular updation of job cards with new version releases.
          - Checks against network attacks
          - Code Review, wherever possible
          - Application Security & Controls Review
          - Database Security & Integrity Review
          - Review of Interface Controls with other applications
          - Review of Network & Communication Controls with relation to the application
            package
          - Test of robustness of the system by running a specific number of transactions on
            it
          - Evaluation of Efficiency & Effectiveness of the package vis-à-vis business
            processes and requirements. Whether the objectives of the application are likely
            to be fulfilled by implementation.
          - Assessment of the risk component in the package
          - Compliance testing of the changes in software made for mitigation of the
            discrepancies pointed out in the audit report
          - Availability of necessary audit logs and its accuracy and effectiveness.
          - Integration with Delivery Channels including data and transaction integrity for the
            same.
          - Suggestions for mitigating the risks.
          - If outsourced, escrow arrangement with application vendors.

The above scope is illustrative and subject to change as per the requirement of the Bank
and may vary on case to case basis.

    1.2 VULNERABILITY/THREAT ASSESSMENT & PENETRATION TESTING
        (INTERNAL/EXTERNAL)

    Testing should not disrupt our services. Destructive test cases should not be
    selected. The techniques and tools used should have been thoroughly tested.



    Exercise will be carried out from the place where servers are placed. The same will
    also be carried out from a selected branch outlet for selected sample critical
    application/ servers.

   Appropriate updated tools should be used for each phase of test.

    a) Vulnerability assessment of all newly developed application software servers.
    b) Placement/ Deployment of security equipments, network equipments for securing
       database, application, web servers of various applications.
    c) In Penetration testing on applications through internal network (Intranet).

           NOTE: Penetration testing should include network and application layer
           testing as well as controls & processes around the networks &
           applications, and should be conducted from inside the network (internal testing).

1.3 OPERATING SYSTEM (OS)

       i.     Set up and maintenance of operating system parameters.
      ii.     All the Security features available in the OS are enabled/taken advantage of
              as far as possible.
     iii.     Vulnerabilities in OS are being taken care of. Compensatory controls for
              known vulnerabilities are in place.
     iv.      Security configuration of devices with respect to OEM latest released patches
              and software versions.
      v.      Changes in system software are controlled in line with the organization's
              change management procedures. Proper record is maintained and
              authenticated regarding installation, its up-gradation, re-installation and
              maintenance.
     vi.      Use of sensitive system software utilities is in controlled manner and it is
              monitored and logged.
     vii.     Root and sensitive passwords are used in controlled manner. Their use is
              logged and monitored.
    viii.     Performance, scalability and availability.

1.4 DATABASE MANAGEMENT SYSTEM AND DATA SECURITY

              a) Use of Data Repository System (DRS), Data Definition Language (DDL),
                 Data Manipulation Language (DML).
              b) Storage of duplicate copy of Data Definition and DRS at off-site.
              c) Monitoring of log of changes to the Data Definitions.
              d) Data Dictionary and Data Directory System
              e) Procedures to ensure that all data are classified in terms of sensitivity by a
                 formal and explicit decision by the data owner and necessary safeguards
                 for its confidentiality, integrity and authenticity are taken as per IT Security
                 Policy.
              f) Logical access controls which ensure that access to data is restricted to
                 authorized users
              g) Confidentiality and privacy requirements are met.
              h) Authorization, authentication and access control are in place
              i) Segregation of duties is ensured for accessing data.
            j) Purging policy-procedures of Data Files.
            k) How the database integrity is ensured in case tables are not properly
               updated by application software due to various reasons, i.e. break in link,
               bug in software, etc. In case direct updation/modification of the database is
               done by opening the tables in the live environment, evaluate the controls.
            l) Protection of Sensitive Information during Transmission and Transport.
            m) Separation of duties.
            n) Rotation of duties.
            o) Patches and new versions are updated as and when released by vendor/
               Research and Development team. If not done then comment upon
               vulnerabilities and availability of services of existing version being used.
               Evaluate procedure for correct updation of the same and confirmation by
               user/ Research and Development team.

1.5 OUTSOURCING
         a) Service levels are defined and managed.
         b) Non-Disclosure Agreement (NDA) is in place.
         c) Responsibility and liability of vendors have been defined.
         d) Service Level Agreements (SLAs) cover key performance indicators
             which formalize the performance criteria with penalty clause against which
             the quantity and quality of service is measured.
         e) Monitoring of vendors' activities as per SLAs.
         f) Imposing penalties wherever there are deviations.
         g) Formal agreements are entered which take care of all the risks
             associated with outsourcing.

1.6 Migration Audit

          a) Review of Data Migration strategy/methodology followed by the
             Bank. Review of data mapping performed by the Bank.
          b) Review of Data Migration tools/scripts configured/developed by Bank.
          c) Review of data validation performed by the Bank.
          d) Review of logs of data migration activity and the identified errors in
             accuracy, integrity, conformity and completeness of data reconciled and
             uploaded into Target System and whether they have been rectified by
             Bank.
          e) Review of appropriate data integrity checks like batch totals, check digit
             totals, number of records & other value parameters.

1.7 Other Audit
         a) Special Audit such as for RA Audit or any regulatory guidelines etc.
         b) Any other Audit as and when required.

2       Schedule of Audit:

Successful bidder will have to visit the respective location and no remote access will be
given. Audit location shall be primarily 5, Sansad Marg, New Delhi; however, in case of
any change, the same shall be informed accordingly.

Audit to be completed as per schedule mentioned under point no. 3.1 of the scope.

3     DELIVERABLES:


      3.1 Time Lines

      1. On acceptance of the commercials for audit of application software, the
          successful bidder will provide schedule of audit, within 2 working days with full
          credentials of Audit team (qualification & experience as defined in RFP) who will
          be conducting the audit of the software. Audit should be commenced not later
          than 3 days from the award of the application audit work.
      2. Completion of each software audit as per the scope within 7 working days from
          the date of commencement of audit.
      3. Giving draft report for discussions with owners within 2 working days after
          completion of audit.
      4. Discussion of the issues with owner after 2 working days of submission of draft
          report.
      5. Give digitally signed final report within 2 working days after discussions with
          owners.
      6. If recommendation for risk mitigation/ removal could not be implemented as
          suggested, alternate solutions will be provided over phone/ email or personal
          visits to respective location if required. Response over phone/ email should come
          within 4 hours of receipt of request and personal visit should be made within 4
          days.
      7. Compliance testing of the changes in software made for mitigation of the
          discrepancies pointed out in the audit report should be completed within 2 days
          from the submission of compliance report by the auditee. Compliance testing
          report should be submitted through email/Hard copy not later than 3 days after
          compliance testing.
      8. Resources strength with experience as defined in 2.2(f) will be deployed keeping
          in view the scope of audit and time schedule.
      9. No inexperienced / less qualified resource should be deployed for audit. Resume
          of auditor will be provided to Bank beforehand and the auditor will be deputed to
          assignment only after Bank's consent.
      10. Single point of contact person should not be changed frequently.

3.2      REPORTS:

Wherever possible, and wherever required by the Bank, the report should be provided with
snapshots / evidence / details of the documents from which each observation was made.

Report shall be submitted in digitally signed soft copies as well as signed hard copies.

Audit Report format should at the minimum include:-

      a) Broad domain categorization of activity (Port/SQL injection/ Services/Logical
         access control etc.)
      b) Risk category - High, Medium, Low
      c) Risk / Implication
      d) Recommendation for risk mitigation/ removal as per bank's existing
         environmental setup - step wise. If not resolved, alternate solutions will be
         provided over phone/ email or personal visits to department if required. Response
         over phone/ email should come within 4 hours of receipt of request.
      e) Provision for updating owner's compliance comments.
      f) Explicit reference to key policy and procedure documents of the Bank against
          identified risk/observation.
      g) Additional mandatory or voluntary standards or regulations applicable to the
          banking industry as best practices should be reported under "Improvement
          /suggestions"
      h) Summary of audit findings including identification tests, tools used and results of
          tests performed (like vulnerability assessment, application security assessment)
                   a. Tools used
                   b. List of vulnerabilities identified.
                   c. Description of vulnerability
                   d. Test cases used for assessing the vulnerabilities and
                      analysis of vulnerabilities and issues of concern
      i) Personnel involved in the audit, including identification of any trainees

The auditor may further provide any other required information as per the approach
adopted by them and which they feel is relevant to the audit process.

             - Report will be given in editable and non editable softcopy so that editable can
               be used in updating compliances by User Department
             - Report will be given in signed hard copy also.
             - Presentation on findings of audit will be given to Management by the person
               who audited accompanied by senior consultant after completion of each
               software audit within a week time of giving final report whenever requested by
               the bank.

3.3      Training:

The successful bidders (who will be awarded with maximum work orders during the
period) shall have to provide 1 day training on half yearly basis at Bank's premises at
New Delhi without charging any cost. The training shall be provided to Bank's in-house
software developers/internal auditors regarding secure code practices and secured
application development.





                                                                                 Annexure - B
Performance Guarantee Form
                                                                                  Date:

The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi - 110075

Dear Sir,

PERFORMANCE BANK GUARANTEE - SECURITY CUM FUNCTIONAL AUDIT OF
APPLICATION SOFTWARE OF THE PUNJAB NATIONAL BANK AS PER SCOPE IN
RFP.

WHEREAS

M/s. (name of Auditor), a company/Firm registered under the Companies Act, 1956, (as
applicable) having its registered and corporate office at (address of the Auditor)
(hereinafter referred to as "our constituent", which expression, unless excluded or
repugnant to the context or meaning thereof, includes its successors and assigns),
entered into an Agreement dated......... (hereinafter referred to as "the said Agreement")
with you (Punjab National Bank) for Security cum functional audit of application software
as detailed in the said Agreement.

We are aware of the fact that in terms of sub-para (...), Section (...), Chapter (...) of the
said Agreement, our constituent is required to furnish a Bank Guarantee for an amount of
Rs. 100000/- (Rs. One Lakh only) as per the said Agreement, as security against
breach/default of the said Agreement by our Constituent.

In consideration of the fact that our constituent is our valued customer and the fact that
he has entered into the said Agreement with you, we, (name and address of the bank),
have agreed to issue this Performance Bank Guarantee.

Therefore, we (name and address of the bank) hereby unconditionally and irrevocably
guarantee you as under:

  I.     We (Name of the Bank), do hereby undertake to pay the amounts due and
        payable under this guarantee without any demur, merely on a demand from
        Punjab National Bank that the amount claimed is due by way of loss or damage
        caused to or would be caused to or suffered by Punjab National Bank by reason
        of breach by our constituent, of any of the terms or conditions contained in the
        said agreement.
 II.    Notwithstanding anything to the contrary, as contained in the said Agreement,
        We agree that your decision as to whether our constituent has made any such
        default/s/ breach/es, as afore-said and the amount or amounts to which you are
        entitled by reasons thereof, subject to the terms and conditions of the said
        Agreement, will be binding on us and we shall not be entitled to ask you to
        establish your claim or claims under this Performance Bank Guarantee, but will
        pay the same forthwith on your demand without any protest or demur.

 III.   This Performance Bank Guarantee shall continue and hold good till the
        completion of 30 months from the date of agreement i.e. (date), subject to the
        terms and conditions in the said Agreement.

 IV.    We bind ourselves to pay the above said amount at any point of time
        commencing from the date of the said Agreement until the completion of the
        contract.

  V.    We further agree that the termination of the said Agreement, for reasons solely
        attributable to our constituent, virtually empowers you to demand for the payment
        of the above said amount under this guarantee and we have an obligation to
        honour the same without demur.

 VI.    In order to give full effect to the guarantee contained herein, we (name and
        address of the bank), agree that you shall be entitled to act as if we were your
        principal debtors in respect of your claims against our constituent. We hereby
        expressly waive all our rights of suretyship and other rights, if any, which are in
        any way inconsistent with any of the provisions of this Performance Bank
        Guarantee.

VII.    We confirm that this Performance Bank Guarantee will cover your claim/s against
        our constituent made in accordance with this Guarantee from time to time, arising
        out of or in relation to the said Agreement and in respect of which your claim is
        lodged with us on or before the date of expiry of this Performance Guarantee,
        irrespective of your entitlement to other claims, rights and relief, as provided in
        the said Agreement.

VIII.   Any notice by way of demand or otherwise hereunder may be sent by special
        courier, telex, fax, registered post or other electronic media to our address, as
        aforesaid and if sent by post, it shall be deemed to have been given to us after
        the expiry of 48 hours when the same has been posted.

 IX.    If it is necessary to extend this guarantee on account of any reason whatsoever,
        we undertake to extend the period of this guarantee on the request of our
        constituent under intimation to you (Punjab National Bank).

  X.    This Performance Bank Guarantee shall not be affected by any change in the
        constitution of our constituent nor shall it be affected by any change in our
        constitution or by any amalgamation or absorption thereof or therewith or
        reconstruction or winding up, but will ensure the benefit to you and be available to
        and be enforceable by you.

 XI.    Notwithstanding anything contained hereinabove, our liability under this
        Performance Guarantee is restricted to Rs.100000/-(Rs. One Lakh only) and
        shall continue to exist, subject to the terms and conditions contained herein,
        unless a written claim is lodged on us on or before the afore-said date of expiry of
        this guarantee.

XII.    We hereby confirm that we have the power/s to issue this Guarantee in your
        favour and the undersigned is/are the recipient of authority by express delegation
        of power/s and has/have full power/s to execute this guarantee under the Power
        of Attorney issued by the bank in his/their favour.

XIII.   We further agree that the exercise of any of your rights against our constituent to
        enforce or forbear to enforce or any other indulgence of facility, extended to our
        constituent to carry out the contractual obligations as per the said Agreement,
        would not release our liability under this guarantee and that your right against us
        shall remain in full force and effect, notwithstanding any arrangement that may be
        entered into between you and our constituent, during the entire currency of this
        guarantee.

Notwithstanding anything contained herein:

a.     Our liability under this Performance Bank Guarantee shall not exceed
Rs. 100000/- (Rs. One Lakh only);
b.     This Performance Bank Guarantee shall be valid only up to ..............( and
c.     We are liable to pay the guaranteed amount or part thereof under this
Performance Bank Guarantee only and only if we receive a written claim or demand on
or before ...........( .

 This Performance Bank Guarantee must be returned to the bank upon expiry of the
claim period as under (c) above. If the Performance Bank Guarantee is not received by
the bank within the above-mentioned period, subject to the terms and conditions
contained herein, it shall be deemed to be automatically cancelled.

Dated......................this...............day.............20...

Yours faithfully,

For and on behalf of the ..............Bank,

(Signature)
Designation
(Address of the Bank)

Note:

a) This guarantee will attract stamp duty as a security bond.
b) A duly certified copy of the requisite authority conferred on the official/s to execute
the guarantee on behalf of the bank should be annexed to this guarantee for verification
and retention thereof as documentary evidence in the matter.





Annexure - C

                                      TECHNICAL BID FORM
                                                                          Date:
The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi - 110075

Dear Sir,
Reg: Security cum functional audit of application software(s) of the Punjab
National Bank as per scope in RFP.

Dear Sir,
Having examined the RFP Documents, the receipt of which is hereby duly
acknowledged, we, the undersigned, offer to conduct security cum functional audit of
application software in conformity with the said RFP Documents and hereby undertake
that we accept all the conditions of the contract as per the Bidding Document and will
audit the application software as per the Scope of audit (Annexure-`A'). We further
undertake that we fulfill the Minimum eligibility criteria stated in Chapter 2 clause 2.2 and
for this purpose we enclose the details. In addition to this, the particulars of our
organization such as legal status, principal place of business, details of experience and
past performance, service support details, capability statement and the required bid
security in shape of bank draft are furnished with this bid form.
We further undertake, if our bid is accepted, to execute the audit assignment in
accordance with the requirements and the delivery schedule as mentioned in the
Schedule of Requirements.
If our bid is accepted, we will obtain the guarantee of a bank in the form prescribed by
you for a sum equivalent to Rs. 100000/- for the due performance of the Contract.
We agree to abide by this bid for the Bid validity period specified in section 3.2.5 of the
ITB and it shall remain binding upon us and may be accepted at any time before the
expiration of that period.
Until a formal contract is prepared and executed, this bid, together with your written
acceptance thereof and your notification of award shall constitute a binding Contract
between us.
We undertake that, in competing for (and, if the award is made to us, in executing) the
above contract, we will strictly observe the laws against fraud and corruption in force in
India namely "Prevention of Corruption Act".
We understand that you are not bound to accept the lowest or any bid you may receive.

Dated this ........... Day of ............... 20.....

(Signature and the capacity of the person duly authorized to sign Bid for and on behalf of)

Annexure - D

                                          Score Sheet

SNo 1
      Criteria: No. of qualified auditor in the firm as defined in 2.2.(f) on the
                permanent roll of the organization.
                Maximum Marks -30
      Details:  Bio data of the qualified auditors to be deployed for audit is to be
                given as per Annexure K.

SNo 2
      Criteria: No. of completed Security cum Functional Audit of Application software
                in Government organization /PSUs/ Banks during last 5 years.
                (Maximum Marks -50)
      Details:  Details of Security cum functional audit of application software
                conducted in Government organization /PSUs/ Banks during last 5 years
                with details as given in Annexure-I.
                Details of Security cum functional audit of application software in
                Banks with bifurcation as given below in Annexure-I.
                (i)   Audit of Core Banking Solution (CBS) project of the Bank in any
                      bank having more than 200 offices.
                (ii)  Audit of financial software other than above (like ATM, IBS,
                      Treasury) of any bank having more than 200 offices.
                (iii) Other than above.

SNo 3
      Criteria: Total no. of PSU/Banks customer for the purpose of security cum
                functional audit of application software during last 5 years.
                (Maximum Marks -20)
      Details:  No. & name of PSU/Bank for the security cum functional audit of
                application software in last 5 year. (Attach work order in support of
                audit work).

Annexure - E

                                         Undertaking- 1
To,                                                                       Date
The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi - 110075

Dear Sir,
Reg: Security cum functional audit of application software(s) of the Punjab
National Bank as per scope in RFP.

We understand that
a) You are not bound to accept the lowest or any bid received by you, and you may
   reject all or any bid.
b) If we qualify for the empanelment, we undertake to enter into and execute at our
   cost, when called upon by the bank to do so, a contract in the prescribed form.
   Unless and until a formal contract is prepared and executed, this bid together with
   your written acceptance thereof shall constitute a binding contract between us.
c) After empanelment if our commercials are accepted, we are responsible for the due
   performance of the contract.
d) You may accept or entrust the entire work to one vendor or divide the work to more
   than one vendor without assigning any reason or giving any explanation whatsoever.
   (Vendor means the bidder who is decided and declared so after examination of
   commercial bids submitted by empanelled IS Auditor.)

Dated at____________this _______________day of __________20.

(Signature and the capacity of the person duly authorized to sign Bid for and on behalf of)

Annexure - F

                                         Undertaking 2
To,                                                                       Date
The Chief Manager,
      Punjab National Bank,
      IT Audit Cell, Inspection & Audit Division,
      Head Office, 2nd Floor, East Wing
      Corporate Office, Sector-10, Dwarka
      New Delhi - 110075

Dear Sir,
Reg: Security cum functional audit of application software(s) of the Punjab
National Bank as per scope in RFP.

a) We hereby confirm that all the requirements as enumerated in RFP as per
   requirement of the Bank have been included in the bid. Further, we hereby
   undertake and agree to abide by all the terms and conditions stipulated by the Bank
   in this RFP. We understand that any deviation may result in disqualification of bids.
b) We undertake that adequate number of qualified auditors will be deployed for audit
   process to complete the audit within stipulated time as per clause 3.1 of annexure A.
c) We undertake that reporting formats should at the minimum include all the
   requirements as per clause 3.2 of annexure A.
d) We undertake that we will have legal right to use any third party software if required
   for audit and under such licenses, in terms set out under any relevant license or
   sub-license agreement. We will indemnify the Bank for any and all costs that may
   arise out of the use of software, in which it is alleged that any rights of the owners
   of such software have been infringed.
e) We shall provide Risk Movement for various activities as desired.
f) We have not been blacklisted by any nationalized Bank/ RBI/IBA or any other
   Government agency. No legal action is pending against us for any cause in any
   legal jurisdiction.
   (Deviation to the above if any, the Bidder must provide details of such action (s).)
   1)
   2)
   3)
   4)

(Signature and the capacity of the person duly authorized to sign Bid for and on behalf of)

Annexure-G

                              COMPLIANCE STATEMENT

                                  DECLARATION

We hereby undertake and agree to abide by all the terms & conditions and Scope of
audit stipulated by the Bank in the RFP including all annexure, addendum and
corrigendum.

Signature and Seal of Bidder
Date:-

Annexure - H

                              Technical Compliance Sheet

S.No a
      Criteria: Bidder must prove that it is a current legal entity in India and must
                warrant that it is financially solvent.
      Details:  Bidder's Firm/Company Name:
                Registered Head office:
                Offices at other locations:
                   1
                   2
                Brief Profile:
                Year of commencement of Business
                Website:
                Authorized person:
                Designation:
                Phone No
                Email Address

S.No b
      Criteria: Must not be a vendor for Software and Hardware components of the Bank.
      Details:  Provided following hardware and software to the Bank:

S.No c
      Criteria: Must be a Company /Firm /Organization /independent subsidiary with an
                average annual turnover of Rs.1 (One) Crore or more during the last
                three financial years and should be in profit during all three
                financial years.
      Details:  Turnover and profit during last 3 years: (In Indian Rupee)
                             2014-15      2015-16      2016-17
                Turnover
                Profit
      Attach copy of audited balance sheets of above periods.

S.No d
      Criteria: Must have at least 3 years experience in the field of providing
                Security Cum functionality audit of application software and The
                company should provide the adequate documentary evidence in support
                of providing similar services.
      Details:  Conducted following Security cum functional Audit of application
                software in last three years:
                Organizations
                Fill details in Annexure I

S.No e
      Criteria: Must not have been blacklisted by any nationalized Bank/ RBI/IBA or
                any other Government agency.
      Details:  Signed Undertaking in annexure F

S.No f
      Criteria: Firm must have minimum 5 qualified professionals with degree from
                Govt. recognized reputable Universities/Institutions as
                BE/B.Tech/ME/M.Tech/MCA/C.A.(ICAI) and certifications as CISA/
                CISSP/CEH / Sun Certified Security Administrator (SCSECA) / OCE
                (Oracle Certified Expert - Security Administrator), Cisco
                CCIE-security along with 2 or more years post qualification
                experience of security cum functional audit of application software
                with at least one software audit of PSUs/Banks and on permanent roll
                of the organization.
      Details:  Number of such Professionals on the permanent roll of the bidding
                company with certifications
                   CISA
                   CISSP
                   CEH
                   SCSECA/OCE
                   CCIE-Security
                   Others(Specify)

S.No g
      Criteria: Must be empanelled with Cert-in, Govt of India for Security audit with
                a certificate of empanelment for the Block 2016-2019
      Details:  Attach self attested copy of certificate of empanelment.

S.No i
      Criteria: Must be able to provide deliverables as per clause 3 of Annexure A of
                RFP.
      Details:  Undertaking by the bidder.

Place:
Date:                                                  Seal & Signature of Bidder

ANNEXURE I

Security cum functional audit of application software assignment:

Columns to be filled in for each assignment:
      Organization (Website: / address:)
      Scope of Audit (Attach copy of order / contract)
      Date/ Period when conducted
      Details of software

Place:
Date:                                                  Seal & Signature of Bidder

Annexure J

              CONFIDENTIALITY - CUM - NON DISCLOSURE AGREEMENT

(If it is not a company, Constitution and address be stated appropria)

This Confidentiality-cum-Nondisclosure Agreement is entered into at ________ on this
________ day of ________ 2016, between (Insert Name of the Service Provider) a
company within the meaning of Companies Act, 1956, having its Registered Office at
________ (herein after called `Service Provider') and Punjab National Bank, a Body
Corporate constituted under the Banking Companies (Acquisition & Transfer of
Undertakings) Act, 1970 having its Head Office at ,Plot-4, Sector-10, Dwarka, New
Delhi - 110 075 and inter-alia, its Information & Technology Division at 5 Sansad
Marg, New Delhi - 110 001 (herein after referred to as `PNB').

The Service Provider and PNB would be having discussions and negotiations concerning
the establishment of and during continuance of a business relationship between them
as per Agreement dated ________ (hereinafter referred to as `Agreement'). In the
course of such discussions and negotiations, it is anticipated that either party may
disclose or deliver to the other party certain of its trade secrets or confidential or
proprietary information for the purpose of enabling the other party to evaluate the
feasibility of such a business relationship.
The parties have entered into this Agreement, in order to assure the confidentiality of
such trade secrets and confidential and proprietary information in accordance with the
terms of this Agreement. As used in this Agreement, the party disclosing Proprietary
Information (as defined below) is referred to as the `Disclosing Party' and will include
its affiliates and subsidiaries, the party receiving such Proprietary Information is
referred to as the `Recipient', and will include its affiliates and subsidiaries.

Now this Agreement witnessed:-

1. Proprietary Information: As used in this Agreement, the term `Proprietary
   Information' shall mean all trade secrets or confidential or Proprietary Information
   designated as such in writing by the Disclosing Party, whether by letter or by the
   use of an appropriate prominently placed Proprietary stamp or legend, prior to or at
   the time such trade secret or confidential or Proprietary Information is disclosed by
   the Disclosing Party to the Recipient. Notwithstanding the foregoing, information
   which is orally or visually disclosed to the recipient by the Disclosing Party or is
   disclosed in writing unaccompanied by a covering letter, proprietary stamp or
   legend, shall constitute proprietary information if the disclosing party, within 10
   (ten) days after such disclosure, delivers to the Recipient a written document or
   documents describing such Proprietary Information and referencing the place and
   date of such oral, visual or written disclosure and the names of the employees or
   officers of the Recipient to whom such disclosure was made.

2. Confidentiality:
   a) Each party shall keep secret and treat in strictest confidence all confidential
      information it has received about the other party or its customers and will not
      use the confidential information otherwise than for the purpose of performing its
      obligations under this Agreement in accordance with its terms and so far as may
      be required for the proper exercise of the Parties' respective rights under this
      Agreement.
   b) The term `confidential information' shall include all written or oral information
      (including information received from third parties that the `Disclosing Party' is
      obligated to treat as confidential) that is (i) clearly identified in writing at the
      time of disclosure as confidential and in case of oral or visual disclosure, or
      (ii) that a reasonable person at the time of disclosure reasonably would assume,
      under the circumstances, to be confidential. Confidential information shall also
      include, without limitation, software programs, technical data, methodologies,
      know-how, processes, designs, new products, developmental work, marketing
      requirements, marketing plans, customer names, prospective customer names,
      customer information and business information of the `Disclosing Party'.

3. Non-Disclosure of Proprietary Information: For the period during the Agreement or
   its renewal, the Recipient will:
   (a) Use such Proprietary Information only for the purpose for which it was disclosed
       and without prior written authorization of the Disclosing Party shall not use or
       exploit such Proprietary Information for its own benefit or the benefit of others.
   (b) Protect the Proprietary Information against disclosure to third parties in the
       same manner and with the reasonable degree of care, with which it protects its
       confidential information of similar importance: and
   (c) Limit disclosure of Proprietary Information received under this Agreement to
       persons within its organization and to those 3rd party contractors performing
       tasks that would otherwise customarily or routinely be performed by its
       employees, who have a need to know such Proprietary Information in the course
       of performance of their duties and who are bound to protect the confidentiality
       of such Proprietary Information.

4. Limit on Obligations: The obligations of the Recipient specified in clause 3 above
   shall not apply and the Recipient shall have no further obligations, with respect to
   any Proprietary Information to the extent that such Proprietary Information:
   is generally known to the public at the time of disclosure or becomes generally
   known without any wrongful act on the part of the Recipient,
   a) is in the Recipient's possession at the time of disclosure otherwise than as a
      result of the Recipient's breach of a legal obligation;
   b) Becomes known to the Recipient through disclosure by any other source, other
      than the Disclosing Party, having the legal right to disclose such Proprietary
      Information.
   c) Is independently developed by the Recipient without reference to or reliance
      upon the Proprietary Information; or
   d) Is required to be disclosed by the Recipient to comply with applicable laws or
      governmental regulation, provided that the recipient provides prior written notice
      of such disclosure to the Disclosing Party and takes reasonable and lawful
      actions to avoid and/or minimize the extent of such disclosure.

5. Return of Documents: The Recipient shall, upon the request of the Disclosing Party,
   in writing, return to the Disclosing Party all drawings, documents and other tangible
   manifestations of Proprietary Information received by the Recipient pursuant to this
   Agreement (and all copies and reproductions thereof) within a reasonable period.
   Each party agrees that in the event it is not inclined to proceed further with the
   engagement, business discussions and negotiations, or in the event of termination
   of this Agreement, the Recipient party will promptly return to the other party or with
   the consent of the other party, destroy the Proprietary Information of the other party.

6. Communications: Written communications requesting or transferring Proprietary
   Information under this Agreement shall be addressed only to the respective
   designees as follows (or to such designees as the parties hereto may from time to
   time designate in writing)

   M/s ______________________________      (PNB)
   Attn: ____________________________      Attn: ____________________________

7. Term: The obligation pursuant to Clause 2 and 3 (Confidentiality and Non-Disclosure
   of Proprietary Information) will survive for ----- years following the term of the
   Agreement dated ________.
   Nothing herein contained shall be construed as a grant by implication, estoppels, or
   otherwise or a license by either party to the other to make, have made, use or sell
   any product using Proprietary Information or as a license under any patent, patent
   application, utility model, copyright or any other industrial or intellectual property
   right covering same.

8. Damages: The provisions of this Agreement are necessary for the protection of the
   business goodwill of the parties and are considered by the parties to be reasonable
   for such purposes. Both the parties agree that any breach of this Agreement will
   cause substantial and irreparable damages to the other party and, therefore, in the
   event of such breach, in addition to other remedies, which may be available, the
   party violating the terms of Agreement shall be liable for the entire loss and
   damages on account of such disclosure.
   Each party agrees to indemnify the other against loss suffered due to breach of
   contract and undertakes to make good the financial loss caused directly or
   indirectly by claims brought about by its customers or by third parties.

9. Miscellaneous:
   a) This Agreement may not be modified, changed or discharged, in whole or in
      part, except by a further Agreement in writing signed by both the parties.
   b) This Agreement will be binding upon and ensure to the benefit of the parties
      hereto and it also includes their respective successors and assigns
   c) The Agreement shall be construed and interpreted in accordance with the laws
      prevailing in India.

In witness whereof, the parties hereto have agreed, accepted and acknowledged and
signed these presents, on the day, month and year mentioned herein above.

For M/s
Authorized Signatory
Shri
Designation

For Punjab National Bank
Authorized Signatory
Shri
Designation _____________

ANNEXURE-`K'

Professional's Details:-

Columns to be filled in for each professional:
      SNo.
      Name
      Designation
      Educational Qualification
      Certifications
      Total Experience
      Since when in the bidder organization
      Conducted Security cum functional audit of application software for
         organization(s) with brief scope and when conducted
      Role, which may be given by the bidder in the assignment
      Employee profile (Domain Specific & others e.g. Banking, Ethical Hacking,
         Sun Solaris security, Oracle DB Security, Network Security etc.)
      Whether member is part of the team proposed to be deployed for PNB Project
         (Yes/No)

Important Note: CVs of minimum 5 qualified professional as per Para 2.2 (F) are to be
furnished on a separate sheet including their Credential in the specialized
qualification and their previous employment record.
Attach copy of certificate for proof of qualification & certification of qualified
professional as per para 2.2(F).

Place:
Date:                                                  Seal & Signature of Bidder

ANNEXURE L

                   Check list for the Documents to be submitted

(Against each document, indicate YES/NO and Page No. From / To.)

Document                   Particular
Company Details            Brief Profile
Audited Balance Sheets     Copy of balance sheets for 2016-2017, 2015-16 and 2014-15
Authorization Letter       Power of Attorney for authorized signatory, duly attested
for Signatory              by notary public/Board resolution.
Annexure C                 Technical BID FORM
Annexure D                 Score Sheet
Annexure E                 Undertaking 1
Annexure F                 Undertaking 2
Annexure G                 Compliance Statement
Annexure H                 Technical Compliance Sheet
Annexure I                 Security cum functional audit of application software
                           assignment (copy of purchase order/completion)
Annexure J                 Confidentiality cum Non-disclosure agreement.
Annexure K                 Professional Details with copy of certificates.