DENA BANK

Tender Ref: HO/INSP/RFP/1116/2017

Request For Proposal (RFP)

of Continuous Information
System Audit
IS AUDIT CELL HEAD OFFICE

This tender is meant for the exclusive purpose of bidding as per the terms & conditions
and specifications indicated. It shall not be transferred, reproduced or otherwise used
for purposes other than for which it is specifically issued.

I
 TABLE OF CONTENTS

SN SUBJECT PAGE
NUMBER
1. Bid Details IV
2. RFP Terminologies IV
3. Section I: Introduction and Disclaimers ……………. 1
1.1 Invitation ……………. 1
1.2 Purpose ……………. 1
1.3 Information provided ……………. 1
1.4 Disclaimer ……………. 2
1.5 Costs Borne by Respondents ……………. 2
1.6 No Legal Relationship ……………. 2
1.7 Recipient Obligation to Inform Itself ……………. 2
1.8 Evaluation of Offers ……………. 2
1.9 Errors And Omissions ……………. 3
1.10 Acceptance of Terms ……………. 3
1.11 Submission of Bids ……………. 3
1.12 Submission Will be valid if ……………. 3
1.13 Registration of RFP ……………. 3
1.14 Tender Validity Period ……………. 3
1.15 Requests For Information ……………. 3
1.16 Notification ……………. 4
1.17 Disqualification ……………. 4
1.18 Clarifications & Amendments ……………. 4
4. Section II : Background ……………. 5
2.1 About Dena Bank ……………. 5
2.2 IT Set Up ……………. 5
5. Section III: Requirements ……………. 7
3.1 Audit Objectives ……………. 7
3.2 Audit Approaches ……………. 8
3.3 Audit Methodology ……………. 8
3.4 Auditors ……………. 8
3.5 Audit Scope ……………. 8
3.6 Audit Findings & Reports ……………. 9
3.6.1 Detailed Findings / Overall Risk Rating ………. 10
3.6.2 Follow-Up and Compliance ……………. 11
3.6.3 Regulatory Compliance Certificate ……………. 11
3.6.4 Reporting Schedule ……………. 11
3.7 Duration of Audit ……………. 12
3.8 Earnest Money Deposit ……………. 12
3.9 Application Money ……………. 12
3.10 Submission of Bids ……………. 13
3.11 Technical Bid ……………. 14
3.12 Commercial Bid ……………. 14
3.13 Performance bank Guarantee ……………. 15
3.14 Security Requirements ……………. 15
3.15 Vendor‟s Obligation ……………. 15

II
SN SUBJECT PAGE
NUMBER
6. Section IV: general terms & Conditions …………. 16
4.1 Adherence to Terms and Conditions ……………. 16
4.2 Other terms and conditions ……………. 16
4.3 Substitution of Project Team Members …………. 16
4.4 Professionalism ……………. 16
4.5 Adherence to Standards ……………. 17
4.6 - 4.10 ……………. 17
4.11 Terms of Payment ……………. 17
4.12 Liquidated Damages (LD) ……………. 17
4.13 Indemnity ……………. 17
4.14 Authorized Signatory ……………. 18
4.15 Applicable Law and Jurisdiction of court ……. 18
4.16 Cancellation of Contract And Compensation …. 18
4.17 Non Payment of Professional Fees ……………. 18
4.18 Assignment ……………. 19
4.19 Subcontracting ……………. 19
4.20 SP Selection/Evaluation Process ……………. 19
4.21 Empanelment ……………. 19
7 Section V: Supplemental Terms And Conditions …. 20
5.1 Proprietary and Related Rights ……………. 20
5.2 Confidential Information ……………. 21
5.3 Management responsibilities ……………. 21
5.4 Relationship of Parties ……………. 21
5.5 Other Provisions ……………. 22
5.6 Dispute Resolution Procedures ……………. 23
5.7 Force Majeure ……………. 24
8 Section VI: Scope Of Audit ……………. 25
6.1 DCA ……………. 25
6.2 VAPT ……………. 26
6.3 DRS ……………. 27
6.4 NDR ……………. 28
6.5 SRP ……………. 28
6.6 DC-CBS …………… 28
6.7 LTS ……………. 31
6.8 SUA ……………. 31
6.9 DSMA ……………. 31
6.10 SNSD ……………. 32
6.11 NET .….………. 32
6.12 ATM / IT Products …………… 33
6.13 PSW …………… 35
6.14 ISW …………… 35
6.15 OUT …………… 36
6.16 ISA …………… 36
9 Section VII: Details of Requirements …………… 38

III
 1. Bid Details
1 Date of commencement of Bidding 23.10.2017
Process (Posting of Tender Document
on Web Site / Publication of Tender)
2 Last date and time for downloading 01.11.2017
Bidding Documents
3 Last date and time for receipt of written 01.11.2017
queries for clarification from bidders
4 Pre-Bid Meeting for bidders 06.11.2017 at
(If required) 5th Floor, Dena Corporate Centre, C-10, G Block,
BKC, Bandra (East), Mumbai-400051
5 Last Date and Time for Bid Submission 16.11.2017 at 4.00PM
6 Tentative Date and Time of Technical 16.11.2017 at 4.30PM
Bid Opening
7 Place of opening of Bids Mumbai
8 Address for communication ( Bank ) Inspection & Internal Audit Dept.
Dena Bank Building, 4th Floor,17-B Horniman Circle,
Fort, Mumbai – 400 023
9 Cost of RFP Rs.5000/-
10 Earnest Money Deposit Rs.100000/-
11 Tentative Date of Commercial Bid 27.11.2017
Opening
* All dates mentioned above are tentative dates and the bidder acknowledges that it cannot hold the Bank
responsible for breach of any of the dates.
** Bank has the discretion for reverse auction process at any stage, if found necessary

2. RFP Terminologies:
SN Words/Phrases
1 Bidder/ Service Provider
(SP)/ System Integrator
2 Supplier/ Contractor/
Vendor
3 Bank/ Purchaser
4 Proposal/ Bid
5 RFP
6 Solution/ Services/
Work/ System/IT
System
7 Project Cost
Definitions
An eligible entity/firm submitting a Proposal/Bid in response to this
RFP
Selected Bidder/System Integrator under this RFP.
Reference to “the Bank”, “Bank” and “Purchaser” shall be
determined in context and may mean without limitation “Dena
Bank”.
the Bidder‟s written reply or submission in response to this RFP
The request for proposal (this document) in its entirety, inclusive of
any addenda that may be issued by the Bank.
“Solution” or “Services” or “Work” or “System” or “IT System”
means all services, scope of work and deliverables to be provided by
a Bidder as described in the RFP and include services ancillary to the
development of the solution, such as installation, commissioning,
integration with existing systems, provision of technical assistance,
training, certifications, auditing and other obligation of the Supplier
covered under the RFP.
Project cost would be initial cost/ onetime cost/ fees / development
Cost/ installation cost/ commissioning cost/ integration cost with
existing systems/ customization cost/ training cost / technical
assistance.

IV
SECTION – I
INTRODUCTION AND DISCLAIMERS

1.1 INVITATION

DENA BANK invites sealed Technical & Commercial Bid from eligible bidders for IS Audit
assignment. The criteria and the actual process of evaluation of the responses to this RFP and
subsequent selection of the successful bidder will be entirely at Bank‟s discretion. This RFP
seeks proposal from Bidders who have the necessary experience, capability & expertise to
provide service adhering to Bank‟s requirement outlined in this RFP. This RFP is not an offer
by Bank, but an invitation to receive responses from the Bidders. No contractual obligation
whatsoever shall arise from the RFP process unless and until a formal contract is signed and
executed by duly authorized official(s) of Bank with a selected Bidder.

1.2 PURPOSE

The purpose of this RFP is to solicit proposal from qualified bidders for IS Audit assignment
of CBS & allied infrastructure as per the Scope defined in the RFP and as well as to provide
the Bidder(s) with information to assist the formulation of their proposals.
a) Bank desires to have an external examination of the IT Security by a CERT-In empanelled
reputed IS Audit firm to ward off risks in the IT Domain by arranging Systems Audit by a
professional agency and appraise the findings thereof to the Audit Committee of the Board.
b) To comply with RBI guidelines vide Circular letter No. RBI/2010-11/494;
DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated 29.04.2011on IS Audit and to use
automated tools such as automated worksheets, audit accelerators, CAATs (customized to
meet Bank‟s IS Audit requirements)
c) Determining effectiveness of planning and oversight of IT activities.

d) Evaluating adequacy of operating processes and internal controls.

e) Determining adequacy of enterprise-wide compliance efforts, related to IT policies and

internal control procedures.

f) Identifying areas with deficient internal controls, recommend corrective action to address
deficiencies and follow-up, to ensure that the management effectively implements the
required actions.

g) To determine the adequacy of existing internal IS Audits and suggestions if any, for
improvement thereof.

1.3 INFORMATION PROVIDED

The RFP document contains statements derived from information that is believed to be
reliable at the date obtained but does not purport to provide all of the information that may be
necessary or desirable to enable an intending contracting party to determine whether or not to
enter into a contract or arrangement with Bank in relation to the provision of services. Neither
Bank nor any of its employees, agents, contractors, or advisers gives any representation or
warranty, express or implied as to the accuracy or completeness of any information or
statement given or made in this RFP document. Neither Bank nor any of its employees,
agents, contractors, or advisers has carried out or will carry out an independent audit or
verification or due diligence exercise in relation to the contents of any part of the RFP
document.
1
1.4 DISCLAIMER

The information contained in this RFP document or information provided subsequently to

Bidder(s) or applicants whether verbally or in documentary form by or on behalf of Dena
Bank (Bank), is provided to the Bidder(s) on the terms and conditions set out in this RFP
document and all other terms and conditions subject to which such information is provided.
This RFP is neither an agreement nor an offer and is only an invitation by Bank to the
interested parties for submission of bids. This RFP does not claim to contain all the
information each Bidder may require. Each Bidder should conduct its own investigations and
analysis and should check the accuracy, reliability and completeness of the information in
this RFP and where necessary obtain independent advice. Bank makes no representation or
warranty and shall incur no liability under any law, statute, rules or regulations as to the
accuracy, reliability or completeness of this RFP. Bank may in its absolute discretion, but
without being under any obligation to do so, update, amend or supplement the information in
this RFP. No contractual obligation whatsoever shall arise from the RFP process until a
formal contract is signed and executed by duly authorized officers of the Bank with the
selected Bidder.

Subject to any law to the contrary, and to the maximum extent permitted by law, Bank and its
officers, employees, contractors, agents, and advisers disclaim all liability from any loss or
damage (whether foreseeable or not) suffered by any person acting on or refraining from
acting because of any information, including forecasts, statements, estimates, or projections
contained in this RFP document or conduct ancillary to it whether or not the loss or damage
arises in connection with any negligence, omission, default, lack of care or misrepresentation
on the part of Bank or any of its officers, employees, contractors, agents, or advisers.

1.5 COSTS BORNE BY RESPONDENTS

All costs and expenses incurred by Recipients / Respondents in any way associated with the
development, preparation, and submission of responses, including but not limited to
attendance at meetings, discussions, demonstrations, etc. and providing any additional
information required by Bank, will be borne entirely and exclusively by the Recipient /
Respondent.

1.6 NO LEGAL RELATIONSHIP

No binding legal relationship will exist between any of the Recipients / Respondents and
Bank until execution of a contractual agreement.

1.7 RECIPIENT OBLIGATION TO INFORM ITSELF

The Recipient must conduct its own investigation and analysis regarding any information
contained in the RFP document and the meaning and impact of that information.

1.8 EVALUATION OF OFFERS

Each Recipient acknowledges and accepts that Bank may, in its absolute discretion, apply
whatever criteria it deems appropriate in the selection of organizations, not limited to those
selection criteria set out in this RFP document.

The RFP document will not be construed as any contract or arrangement which may result
from the issue of this RFP document or any investigation or review carried out by a
Recipient. The Recipient acknowledges by submitting its response to this RFP document that
it has not relied on any information, representation, or warranty given in this RFP document.

2
1.9. ERRORS AND OMISSIONS
Each Recipient should notify Bank of any error, omission, or discrepancy found in this RFP
document.
1.10 ACCEPTANCE OF TERMS
A Recipient will, by responding to Bank RFP, be deemed to have accepted the terms of this
Introduction and Disclaimer.

1.11 SUBMISSION OF BIDS

One (1) Hard copy duly signed by authorized person and one (1) electronic copy (excluding
commercial bid) in MS-Word / PDF format on CD ROM should to be submitted to “Bank‟s
Evaluation Office” at the following address:

The Deputy General Manager (Inspection)

Dena Bank
Inspection & Internal Audit Dept.
Dena Bank Building, 4th Floor
17-B Horniman Circle
Fort, Mumbai – 400 023
1.12 SUBMISSION WILL BE VALID IF:
 Application Money is paid on or before last date of bid submission as mentioned in the
RFP.
 Copies of the RFP are submitted before the scheduled closing time.
 Bids are submitted in two separate sealed envelopes with separate marking “Technical
Proposal” & “Commercial Proposal”.
 Soft copies of all Annexure must be provided in a CD in sealed cover.
 EMD is paid & receipt is enclosed.
 Note:
1. Faxed copies of any submission are not acceptable and will be rejected by the Bank
2. If the submission does not include all the information required or is incomplete, the
Proposal is liable to be rejected.

Only One Submission Permitted

Only one submission of tender by each SP will be permitted. In case of partnerships /
consortium, only one submission is permitted through the SP.

1.13 REGISTRATION OF RFP

Registration will be effected upon Bank receiving the RFP response in the above manner
(Para 1.12). All submissions, including any Banking documents, will become the property of
Bank. Recipients shall be deemed to license, and grant all rights to, Bank to reproduce the
whole or any portion of their submission for the purpose of evaluation, to disclose the
contents of the submission to other Recipients who have registered a submission and to
disclose and/or use the contents of the submission as the basis for any resulting RFP process,
notwithstanding any copyright or other intellectual property right that may subsist in the
submission or Banking documents.
1.14 TENDER VALIDITY PERIOD
The bids will remain valid for a period of at least six (6) months from the date of opening the
technical bids.
1.15. REQUESTS FOR INFORMATION
Recipients are required to direct all communications related to this RFP through the
3
Nominated Point of Contact person i.e.

Asst. General Manager

(Inspection) Dena Bank H.O.
4th Floor, 17B-
Horniman Circle Fort,
Mumbai – 400023.
022-22665601/22665612/22665614, isauditcell@denabank.co.in
All questions relating to the RFP, technical or otherwise, must be in writing only to the
Nominated Point of Contact.

Bank will not answer any communication initiated by Respondents later than five business
days prior to the due date for bids submission. However, Bank may in its absolute discretion
seek, but under no obligation to seek, additional information or material from any
Respondents after the tender closes and all such information and material provided must be
taken to form part of that Respondent’s response.

Respondents should invariably provide details of their email address (es) as responses to
queries will only be provided to the Respondent via email.
If Bank in its absolute discretion deems that the originator of the question will gain an
advantage by a response to a question, then Bank reserves the right to communicate such
response to all Respondents.

Bank may in its absolute discretion engage in discussion or negotiation with any Respondent
(or simultaneously with more than one Respondent) after the tender closes to improve or
clarify any response.

1.16. NOTIFICATION

Bank will notify the Respondents in writing as soon as practicable about the outcome of the
RFP evaluation process, including whether the Respondent‟s RFP response has been accepted
or rejected. Bank is not obliged to provide any reasons for any such acceptance or rejection.

1.17. DISQUALIFICATION
Any form of canvassing/lobbying/influence/query regarding short listing, status etc will be a
disqualification.

1.18 CLARIFICATIONS & AMENDMENTS

1.18.1 If deemed necessary the Bank may seek clarifications on any aspect from the bidder.
However that would not entitle the bidder to change or cause any change in the substances of
the bid already submitted or the price quoted. The bidder may be asked to give presentation
for the purpose of clarification of the bid.

1.18.2 The Bidder requiring any clarification of the bidding documents should submit written
queries within 10 days of displaying of RFP at website, to the Assistant General Manager
(Inspection & Internal Audit Dept), 4th Floor, Dena Bank Building, 17-B Horniman Circle,
Fort, Mumbai 400023.

1.18.3 At any time prior to the deadline for submission of bids, Bank may modify the bidding
document by amendment.

4
Section – II
BACKGROUND

2.1 ABOUT DENA BANK

Dena Bank was founded on 26th May, 1938 by the family of Shri. Devkaran Nanjee
under the name Devkaran Nanjee Banking Company Ltd.
It became a Public Ltd. Company in December 1939 and later the name was changed to Dena
Bank Ltd.
In July 1969 Dena Bank Ltd. along with 13 other major banks was nationalized and is now
a Public Sector Bank constituted under the Banking Companies (Acquisition & Transfer of
Undertakings) Act, 1970. Under the provisions of the Banking Regulations Act 1949, in
addition to the business of banking, the Bank can undertake other business as specified in
Section 6 of the Banking Regulations Act, 1949.
The present organisational structure of the Bank consists of four tiers viz., Corporate Office
(CO), Field General Manager Offices (FGMO), Zonal Offices (ZO) and Branches. CO,
consisting of various functional departments deals with mainly policy formulation, setting of
targets and monitoring of performance. The Bank has set up 4 FGMOs and 29 Zonal Offices
to exercise immediate supervision and control over the branches under their jurisdiction. The
Bank has a network of 1874 branches spread across the length and breadth of the country
The Bank also has specialized branches catering to the specific needs of Retail customers,
Industrial units, corporate clients, Forex dealers, Exporters and Importers, Small Scale
Industries and Agricultural sector. The Bank has sponsorship in one Regional Rural Banks
(RRB).
Bank has implemented Core Banking Solution - Finacle from Infosys. Presently all the 1874
branches and ROs are connected to the CBS. The Data Centre of the Bank and the CBS
Project Office of the Bank are located at Jogeshwari-West, Mumbai
The Bank has chosen Finacle Software of M/s.Infosys Ltd., as the Core Banking Solution and
the CBS project is implemented and supported by M/s. HP. The DR Site is located at
Bangalore.

Bank’s Mission
Dena Bank will provide its customers – premier financial services of great value, staff -
positive work environment and opportunity for growth and achievement and shareholders –
superior financial returns, community – economic growth.

2.2 IT SET UP

CBS and Other Details

First branch was migrated to CBS on 12th March 2007. All branches have been brought
under the CBS platform covering 1874 centres / 29 Zones (Excluding HO) / 31 States &
Union Territories.
Bank has set up its own network named as “DENANET” using 2344 Leased Lines, 179
ISDN PRI/BRI lines and 820 VSATs connecting all branches and 35 administrative offices as
on 30.06.2017. This network supports Bank‟s inter – connected ATMs seamlessly. Critical
applications like Internet / Mobile Banking and NEFT / Real Time Gross Settlement (RTGS)
transactions and other functions like sending OLTAS data to OLTAS Nodal/Link branches,

5
the corporate e-mail service, MIS data transfer between branches, Zonal Offices & Corporate
Office and remote support to Branches / ZO are enabled by DENANET.

Data Centre & Project Office Jogeshwari (W), Mumbai

DR Site Electronic City, Bangalore

Near DR Site Vikhroli, Mumbai

Location No. of Firewalls Routers Switches NIPS

Servers
Data Centre & HO-BKC 225+26 12+4 9+2 18+10 8+2

DR Site 100 11 7 12 8

Near DR 4 2 2 10 2

A total of 1579 ATMs have been installed all over the country. Out of these ATMs, 1313 are
on site and 226 are off site as on 30.06.2017. With a view to expand the ATM access to our
customers for carrying banking transactions, we have also tied up with the following banks
and ATM networks for mutual sharing of ATMs:
1. Cash tree group of Banks
(Bank of India, United Bank of India, Syndicate Bank, Indian Bank, Union Bank of
India, Bank of Rajasthan, Indian Overseas Bank, Karnataka bank, Yes Bank,
Dhanalakshmi Bank Ltd etc)
2. Cash net group of Banks

(Axis Bank, Citibank, Corporation Bank, Development Credit Bank, Deutsche Bank,
HDFC, IDBI Bank, HSBC, Standard Chartered Bank, ING Vysya Bank, Barclays,
Kotak Mahindra Bank and Dhanalakshmi Bank Ltd)
3. National Financial Switch (NFS) group of Banks

(Allahabad Bank, Andhra Bank, Axis Bank, Bank of Baroda, Bank of India, Bank of
Maharashtra, Canara Bank, Corporation Bank, Central Bank of India, HDFC Bank,
ICICI bank, IDBI, Indian Bank, Indian Overseas Bank, Punjab National Bank, State
Bank of India, Syndicate Bank, UCO Bank, United Bank of India, Union Bank of
India, Vijaya Bank etc)
4. VISA enabled ATM network

6
Section – III
REQUIREMENTS

3.1 AUDIT OBJECTIVES

The Bank wishes to appoint competent Service Provider ( SP) for conducting an IS Audit of
its IT Security architecture and Information System resources and infrastructure with the
major objectives of evaluation of internal system and control for

3.1.1 Assessing the security, availability and efficiency of IT assets of the Bank.
3.1.2 Assessing the confidentiality, integrity and availability of information system
3.1.3 Assessing the integrity of general operating system, Database, Network connectivity,
Network equipment, Telecommunication equipment, any special security
infrastructure such as biometric equipment.
3.1.4 Assessing the integrity of sensitive and critical application systems environment,
including financial and management information.
3.1.5 Assessing the efficiency and effectiveness of Information System.
3.1.6 Guiding/helping the Bank staff in putting in place the correct practices and
conducting of a compliance audit as explained in the Terms of execution of work
3.1.7 Providing training to our IS Audit/security team with specific reference to
understanding scripts to be run on servers, conducting VAPT, analyzing outputs,
preparing reports and to share with them all the formats, check lists, scoring sheets,
scripts etc. that will be used during the process of IS Audit. Bank‟s IS Audit team will
be attached to the IS Audit/security team of the selected vendor, during the course of
audit, for on the job training. The IS Auditor should explain, to the bank‟s team, all
the processes, procedures involved in arriving at audit findings including
interpretation of outputs generated by various audit tools.
3.1.8 The IS auditors will require to concentrate on the following to ensure that the
Information Systems Assets of the organization are safeguarded:
a) Environmental Security
b) Data
c) Uninterrupted Power Supply
d) Electrical Lines
e) Data Cables & Networking Products
f) Fire Protection
g) Insurance of Assets
h) Annual Maintenance Contract
i) Logical Security & Access Control - Operating System Level
j) Logical Security & Access Control – Application System Level
k) Logical Security & Access Control – Network System Level
3.1.9 Assessment of Fraud (risk of fraud – internal and external)
3.1.10 Gap Assessment for complying with RBI guidelines ( Gopalakrishnan Committee )
3.1.11 Comply with RBI guidelines on Cyber Security Framework vide Circular
No.DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated 2nd June,2016
3.1.12 Comply with RBI guidelines on Prepaid Card Audit
3.1.13 Comply with Aadhar Act-2016
3.1.14 Comply with IT Act-2000 and its subsequent amendments.
The SP will be responsible as per the scope and timelines outlined below.

7
3.2. AUDIT APPROACHES

Information Systems Audit will be facilitated through a combination of techniques and tools
in
 Audit project Planning
 Documentation review
 Manual and automated controls testing using IS Audit checklists based on globally
accepted standards and RBI guidelines/ Circulars / IT Act.

Audit reports:
High level summary for the management
Detailed findings along with recommendations
Audit findings to be classified as Low, Medium, High within each specific audits

3.3 AUDIT METHODOLOGY

The IS audit work to include manual procedures, computer assisted procedures and fully
automated procedures wherever applicable. The necessary software tools / applications will
have to be devised by the contractor to carry out IS Concurrent Audit work. Such tools /
applications will be put in use by the contractor after approval by the Bank with / without
changes, if any, suggested by the Bank. The expenditure of development of such tools /
applications will be considered as a part of contract value and no payment will be made by
the Bank separately. The software tools / applications to be deployed by the contractor shall
conform to Bank‟s software development policy, application security policy, user password
management policy of the Bank and are immune to know vulnerabilities such as web
applications not conforming to Open Web Application Security Policy Project (OWASP)
standards.

3.4 AUDITORS:
Audit should be carried out by CERT-In empanelled audit firm by persons having CISA/
CISSP / CISM/ CEH qualifications with at least one IS audit experience of Data Centre
(DC) of any scheduled commercial bank in India.
The Core Audit Team proposed by the SP should be employers on the rolls of the SP. No
part of the engagement shall be outsourced by the selected SP to third party vendor. SP must
warrant that these key auditors to be displayed in this audit have been sufficiently involved
in similar audits in the past. SP should ensure that the audit team is actively involved in the
conduct of the audit. The audit of DCA should be carried out by one team on daily visit to
Data Centre and Project Office throughout the period of contract. The other areas are to be
carried out by other team depending on the frequency of reporting with prior permission
from the Bank‟s IS Audit Head. The leader of the team conducting IS Audit of DCA shall
be the single contact point or co-ordinator for all the activities mentioned in the RFP.

3.5 AUDIT SCOPE:

A description of the envisaged scope is enumerated in brief as under and an indicate detail
in Section - VI. However, the Bank reserves its right to change the scope of the RFP
considering the size and variety of the requirements and the changing business conditions.
The Bank groups the entire proposed audits into 17 Areas as under:

SN Area Details of area for audit

1 DCA Data Centre & Project Office – Continuous IS Audit (daily)
2 VAPT Vulnerability Assessment &Penetration Testing
3 DRS DRS site – Bangalore
8
 4 NDR NDR – Mumbai
5 SRP Short Range IT Plans
6 DC-CBS DC- CBS Operation
7 LTS Long Term IT Strategy
8 SUA Software Utilisation Audit
9 DSMA Data and System Migration Audit*
System , Network and Security Devices Baseline standards and
10 SNSD
configuration Audit
11 NET Network Management
ATM, Internet Banking / Mobile Banking / IT Products/ newly
12 ATM
launched alternate delivery channel systems
13 PSW Acquisition and Implementation of Packaged Software
14 ISW Development of Software in-house and outsourced
15 OUT Audit of Outsourcing Arrangements
16 ISA Audit of Policy and Guidelines
* Bank will decide the systems for which DSMA to be conducted

Based on the contents of the RFP, the selected SP shall be required to independently arrive at
Audit Methodology, based on globally acceptable standards and best practices

The Bank expressly stipulates that the SP‟s selection under this RFP is on the understanding
that this RFP contains only the principal provisions for the entire audit assignment. The SP
shall be required to undertake to perform all such tasks, render requisite services and make
available such resources as may be required for the successful completion of the entire audit
assignment at no additional cost to the Bank.
The SP shall review compliance done by Bank on the Audit observations of the Previous
Audits of all areas. If Bank desires, during the review of compliance SP should involve one
representative of the IS Audit Cell to validate the checklist and guidelines provided by the
SP.

3.6 AUDIT FINDINGS & REPORTS:

Risk analysis along with Risk Matrix with scoring model should be submitted as part of audit
findings. Deliverables under the IS Audit – the SP will deliver detailed reports (an indicative
to cover area wise) as below:
 Verification and submission of compliance to previous audit as per the Bank‟s format
 IS Audit (Technical & Process) Report of all the areas covering the objectives,
efficiency and effectiveness
 Presentation to the Top Management of the findings of the Reports (quarterly)
 Risk Matrix Analysis Report
 Recommendations for Risk Mitigation
 Gap assessment and recommendation for mitigation
 Provide check list with guidelines for the subsequent audit (hard & soft copies)
 Provide re-designed network & security architecture along with technical
specifications of network & security solutions (if any suggested during the review of
IT infrastructure) based on the operational and business requirements of Dena Bank.
These technical specifications can be used by Dena Bank for selecting products /
solutions.
 The report findings should cover all the areas separately mentioned in the scope.
 The report findings should be submitted in PDF and MS Word formats.
 Day to Day observations (area- DCA) should be submitted in Excel format or on-line
system available in the Bank
 Significant findings should be promptly communicated to the appropriate person
9
 prior to the submission of final report.
 All observations should be thoroughly discussed with process owner before
finalization of report. 
The Report should comprise of the following sub-reports:
Executive Summary: - An executive summary should form a part of the report.
Core Findings along with Risk Analysis:
The SP will submit a report bringing out the core findings of the IS Audit exercise in the
existing practices along with Risk Analysis of individual items , with reference to the best
practices & standards. Preparation of Risk Matrix should be based upon Risk Analysis of all
the Information Systems of the Bank, as per the guidelines issued by RBI and Govt. of India,
including following steps:
 Step 1: System Characterization
 Step 2: Threat Identification
 Step 3: Vulnerability Identification
 Step 4: Control Analysis
 Step 5: Likelihood Determination
 Step 6: Impact Analysis
 Step 7: Risk Determination
Major risk factors used in scoring systems include:
Adequacy of internal controls, business criticality, regulatory requirements, amount or value
of transactions processed, if a key customer information is held, customer facing systems,
financial loss potential, number of transactions processed, availability requirements,
experience of management and staff, turnover, technical competence, degree of delegation,
technical and process complexity, stability of application, age of system, training of users,
number of interfaces, availability of documentation, extent of dependence on the IT system,
confidentiality requirements, major changes carried out, previous audit observations and
senior management oversight.
3.6.1. DETAILED FINDINGS / OVERALL RISK RATING:

The detailed findings of the Audit would be brought out in this report which will cover in
details all aspects viz. identification of flaws / gaps /vulnerabilities in the systems (specific to
equipment/resources –indicating name and IP address of the equipment with Office and
Department name), identifications of threat sources, identification of Risk, Identification of
inherent weaknesses, Servers/Resources affected with IP Addresses etc. Report should
classify the observations into Critical /Non Critical category and asses the category of Risk
Implication as EXTREMELY HIGH/VERY HIGH/HIGH/MEDIUM/LOW RISK based on
the impact. The Reports should be substantiated with the help of snap shots/evidences
/documents etc. from where the observations were made. Suitable weightage to each
observation should be given and the SP should arrive at the overall Risk rating, in terms of
Scores.
In Depth Analysis of findings /Corrective Measures & Suggestions along with Risk
Analysis:
The findings of the entire IS Audit Process should be critically analysed and controls should
be suggested as corrective /preventive measures for strengthening / safeguarding the IT assets
of the Bank against existing and future threats in the short /long term . Report should contain
suggestions/recommendations for improvement in the systems wherever required. Also, if the
formal procedures are not in place for any activity, evaluate the process & the associated risks
and give recommendations for improvement as per the best practices.
10
3.6.2 FOLLOW-UP AND COMPLIANCE

The Audit firm will submit quarterly compliance reports, summary compliance
report (furnishing total number of points, complied and pending status as per format
given by the bank) at end of each quarter and a final compliance report after all
observations are complied for the projects separately or one year from the date of
commencement of the Audit.

3.6.3. REGULATORY COMPLIANCE CERTIFICATE:

During the audit regulatory compliance certificate should be provided by the SP and some
indicative list is as under:
I) A certificate as per RBI guidelines of the Payment System Operated under the PSS Act,
2007 (RBI circular No. DPSS.AD.No./ 1206/02.27.005/2009-2010 dated 7th December, 2009
)
II) A certificate as per RBI guidelines for Internet Banking, Mobile Banking and other
delivery channels
III) IS Audit of RA Office certificate (IDRBT)
3.6.4. REPORTING SCHEDULE:

Area Details of area for audit Reporting

DCA Data Centre & Project Office Everyday submission (soft copy) & consolidated
Monthly by 10th of subsequent month
VAPT VAPT Quarterly by 10th of July, October, January &
DRS DR site – Bangalore April Including compliance verification of all
NDR NDR – Mumbai areas. Presentation to Management
SRP Short Range IT Plans (Auditee‟s compliance – Auditor‟s performance
review) and if any revisions proposed in the
Checklist or any deliverable formats should be
incorporated by the SP.
NET Network Management
ATM ATM, Internet Banking /
Mobile Banking / IT Products
Half yearly by 10th of October and April.
PSW Acquisition and
Report-H1 to cover audit period April to
Implementation of Packaged
September and H2 for October to March.
Software
ISW Development of Software in-
house and outsourced
OUT Audit of Outsourcing
Arrangements
ISA Audit of Policy and Guidelines
LTS Long Term IT Strategy
SUA Software Utilisation Audit Yearly by 10th of April with coverage of period
DSMA Data and System Migration April to March and including Compliance
Audit verification of all areas
SNSD System , Network and
Security Devices Baseline
standards and configuration
Audit

11
3.7. DURATION OF AUDIT:

The entire audit should be covered for the audit period is from 01-01-2018 to 31-12-2018
and the Bank may repeat the second audit period from 01-01-2019 to 31-12-2019 with the
same SP. The Bank reserves the right to terminate the assignment, if the assignment is not
proceeding in accordance with the terms of contract or to the satisfaction of the Bank by
giving a notice of one month. The Bank is not liable for any fees or compensation in case
the contract is terminated as above.

3.8. EARNEST MONEY DEPOSIT

Subject to compliance of Response Submission Process as elucidated in Section – I, the

intending bidders should pay along with bids an Earnest Money Deposit an amount of `.
1,00,000/- (Rupees One Lac only).The EMD shall be paid by NEFT/RTGS to the under
mentioned A/c. The receipt of RTGS/NEFT must be attached with the Tender documents.
The EMD will not carry any interest.

Details of A/c
NAME DENA BANK, INSPECTION & INTRL.AUDIT ,MUMBAI
BANK DENA BANK
A/C NO 098911023869
IFSC BKDN0INDFIN
MICR 400018084
BRANCH DENA BANK, CORPORATE BUSINESS BRANCH-II, MUMBAI
A/C TYPE CURRENT A/C

The EMD made by the bidder will be forfeited if:

1 The bidder withdraws his tender before opening of the bids.
2 The bidder withdraws his tender after opening of the bids but before acceptance of
“Letter of appointment” issued by Bank.
3 The selected bidder withdraws his tender before furnishing an unconditional and
irrevocable Performance Bank Guarantee.
4 The bidder violates any of the provisions of the terms and conditions of this tender
specification.
The EMD will be refunded to
- The successful bidder, only after furnishing an unconditional and irrevocable
Performance Bank Guarantee for 15% of the first year total contract value. The
validity of the guarantee would be 15 months from the date acceptance of first
Letter of Appointment (LoA).
- The unsuccessful bidders, only after acceptance of the “LoA” by the selected
bidder.

3.9 APPLICATION MONEY

The intending bidders should pay an Application Money of Rs 5,000/- (Rupees Five
Thousand only). The application money shall be paid by NEFT/RTGS to the under
mentioned A/c. The receipt of RTGS/NEFT must be attached with the Tender documents.
The application money is non-refundable. Application money is to be submitted on or
before Pre-bid meeting.

12
 Details of A/c
NAME DENA BANK, INSPECTION & INTRL.AUDIT ,MUMBAI
BANK DENA BANK
A/C NO 098911023869
IFSC BKDN0INDFIN
MICR 400018084
BRANCH DENA BANK, CORPORATE BUSINESS BRANCH-II, MUMBAI
A/C TYPE CURRENT A/C

3.10. SUBMISSION OF BIDS (Please refer to Section – I, Para 1.11)

3.10.1 The bids shall be in two parts viz. Technical Proposal and Commercial Proposal.
Both Technical and Commercial Bids shall be submitted in separate sealed envelopes
super scribing “TECHNICAL PROPOSAL FOR CONTINUOUS IS AUDIT:
TENDER REFERENCE NO. xxx. on top of the envelope containing the technical bid
and “COMMERCIAL PROPOSAL FOR CONTINUOUS IS AUDIT: TENDER
REFERENCE NO. xxx. on top of the envelope containing commercial bid. These two
separate sealed envelopes should be put together in the sealed master envelope super
scribing “PROPOSAL for CONTINUOUS IS AUDIT: TENDER REFERENCE
NO. xxx
3.10.2 A copy of the Commercial Proposal masking the prices is to be submitted along with
the Technical Proposal.
3.10.3 The EMD as mentioned in clause 3.8 is to be submitted along with the Technical
Proposal.
3.10.4 The Commercial Proposal shall be submitted as per Annexure - B.
3.10.5 The bidder shall submit the Proposals duly filed so that the papers are not loose. The
Bidder shall submit the proposal in suitable file such that the papers do not bulge
out and tear during scrutiny.
3.10.6 All the relevant pages of the proposals (except literatures, datasheets and brochures)
are to be numbered and be signed by authorized signatory on behalf of the Bidder.
The number should be a unique running serial no. across the entire document.
3.10.7 The bidder has to submit a soft copy of the entire proposal in a CD in sealed cover.
It should be noted that in case of any discrepancy in information submitted by the
bidder in hard-copy and soft-copy, the hard-copy will prevail. However, in case of
non-submission of any hard copy document, if the same is found submitted in the
soft-copy, Bank reserves right to accept the same at its discretion.
3.10.8 The Bids shall be addressed and submitted to the Banks Evaluation Office.
3.10.9 The bids (arranged as mentioned above) are to be submitted at the above address,
marked with the tender number, at the above address before the due date & time as
specified. The bid submitted anywhere else is liable to be rejected.
3.10.10 It may be noted that all queries, clarifications, questions etc., relating to this RFP,
technical or otherwise, must be in writing only and should be to the nominated
point of contact.
3.10.11 Bidders should provide their E-mail address in their queries without fail.
3.10.12 The bidder will submit an undertaking specifying that the bidder has obtained all
necessary statutory and obligatory permission to carry out project works, if any.
3.10.13 The proposal should be prepared in English. The e-mail address and phone/fax
numbers of the bidder should also be indicated on the sealed cover.

13
Formats of Bids: The bidders should use the formats prescribed by the Bank in the RFP for
submitting both technical and commercial bids.

3.11 TECHNICAL BID

Eligibility Criterion:

Bid is open to all Bidders who fulfil the following eligibility criteria.

3.11.1 The Bidder should be empanelled with CERT-IN which should be valid up to
31.12.2018 for IT / IS Audit / IS Security Audit.
3.11.2 The Bidder should be registered in India and has its registered office or its
representative office in Mumbai. The IS Audit firm/company should have been in
existence for at least five years as on 31.03.2017.
3.11.3 The SP should have experience in ethical hacking, vulnerability assessment &
penetration testing and dedicated qualified security professionals on-roll for these
assignments.
3.11.4 The SP should have conducted at least one audit of Data Centre (DC) of any
scheduled commercial bank in India.
3.11.5 Should have a pool of minimum 3 professionals with any of the international
accreditation like CISA (Offered by ISACA, USA), CISSP (Certified Information
System Security Professional), CISM
3.11.6 The bidder should not have been involved in implementing any of the IS security
solutions for Dena Bank.
3.11.7 The SP should not have been black listed by any public sector organisation or RBI or
IBA or any other regulator or statutory body.
3.11.8 The bidder should not have been involved in carrying out IS Audit of the Bank for
last two years.
3.11.9 The bidder must have been profitable since past 3 years in succession viz. financial
years ending 31stMarch 2015, 2016 & 2017. The bidder should submit a copy of the
full Balance Sheet, duly certified as copy of the original by its Auditor, for three
years ending 31-03-2015, 31-03-2016 and 31-03-2017 along with qualifying
remarks, disclosures, if any made therein.
3.11.10 The bidder‟s Account should not have been declared as a Non Performing Asset
(NPA) in the Books of any bank or financial institution. A certificate to this effect
should be obtained from the Auditor who has signed the Balance Sheet of the
Bidders as on 31-03-2017.
3.11.11 The bidder should have the team leader who is qualified, experienced and personally
involved in at least one similar assignment in Banking and Financial Sector/PSU
Bank in India.

All the above clauses of the eligibility criteria are mandatory and cannot be waived.
Details of the documents to be submitted supporting the above mentioned clauses are given in
Annexure-C (III).

3.12 COMMERCIAL BID:

The prices should be quoted for all areas for the services offered by the SP as per the format
enclosed as Annexure – B. It may be noted that Bank will not pay any amount/expenses /
charges / fees / travelling expenses / boarding expenses / lodging expenses / conveyance
expenses / out of pocket expenses other than the above “Agreed Professional Fee”. The SP
should quote the fees for the second year also, if Bank desires that the audit may be repeated
with the same SP for the second year.

14
3.13 PERFORMANCE BANK GUARANTEE (BG)

3.13.1 The successful Bidder has to submit a Performance Bank Guarantee of 15% of the
first year bid value valid for 15 months, within a week of receipt of formal communication
from the Bank about their successful bid. Relative Purchase order/engagement letter will be
released only after the receipt of Performance Bank Guarantee.

3.13.2 The Bank Guarantee to be furnished has to be issued by a Public Sector Bank other
than Dena Bank in favour of Inspection & Internal Audit Department, Head Office, 4th Floor,
Dena Bank Building, 17-B Horniman Circle, Fort, Mumbai-400023

3.13.3 The Bank reserves the right either to invoke the performance bank guarantee or to
cancel the purchase order or both if the bidder fails to meet the terms of this RFP or contracts
entered into with them.

3.14 Security Requirements:

The Vendor should comply with Bank‟s IS Security policy in key concern areas relevant to
the RFP. Some of the key areas are as under:

3.14.1 Responsibilities for data and application privacy and confidentiality

3.14.2 Responsibilities on system and software access control and administration
3.14.3 Custodial responsibilities for data, software, hardware and other assets of the Bank
being managed by or assigned to the Vendor
3.14.4 Physical Security of the facilities
3.14.5 Physical and logical separation from other customers of the Vendor
3.14.6 Incident response and reporting procedures
3.14.7 Password Policy of the Bank
3.14.8 Data Encryption/Protection requirement of the Bank Security requirement of the Bank
will be shared with the successful bidder

3.15 VENDOR’S OBLIGATION

3.15.1 The vendor is obliged to work closely with Bank‟s staff, act within its own authority
and abide by directives issued by Bank from time to time.

3.15.2 The Vendor is responsible for managing the activities of its personnel and will hold
itself responsible for any misdemeanours on the part of its personnel.

3.15.3 The Vendor will treat as confidential all data and information about Bank, obtained in
the process of executing its responsibilities, in strict confidence and will not reveal such
information to any other party without prior written approval of bank.

15
Section-IV
General Terms and Conditions

4.1 Adherence to Terms and Conditions:

The bidders who wish to submit responses to this RFP should note that they abide by all the
terms and conditions contained in the RFP. If the responses contain any extraneous
conditions put in by the respondents, such responses may be disqualified and may not be
considered for the selection process.

4.2 Other terms and conditions:

Bank reserves the right to:

1. Reject any and all responses received in response to the RFP

2. Waive or Change any formalities, irregularities, or inconsistencies in proposal

format delivery

3. Negotiate any aspect of proposal with any bidder and negotiate with more than one
bidder at a time

4. Extend the time for submission of all proposals

5. Select the most responsive bidder (in case no bidder satisfies the eligibility criteria
in totality)

6. Select the next most responsive bidder if negotiations with the bidder of choice fail
to result in an agreement within a specified time frame.

7. Share the information/ clarifications provided in response to RFP by any bidder, with
any other bidder(s) /others, in any form.

8. Cancel the RFP/Tender at any stage, without assigning any reason whatsoever.

4.3 Substitution of Project Team Members:

During the assignment, the substitution of key staff identified for the assignment will not be
allowed unless such substitution becomes unavoidable to overcome the undue delay or that
such changes are critical to meet the obligation. In such circumstances, the SP can do so only
with the concurrence of the Bank in writing by providing other staff of same level of
qualifications and expertise. If the Bank is not satisfied with the substitution, the Bank
reserves the right to terminate the contract and recover whatever payments made by the Bank
to the SP during the course of this assignment besides claiming an amount, equal to the
contract value as liquidated damages. However, the Bank reserves the right to insist the SP to
replace any team member with another (with the qualifications and expertise as required by
the Bank) during the course of assignment.

4.4 Professionalism:

The SP should provide professional, objective and impartial advice at all times and hold the
Bank‟s interests paramount and should observe the highest standard of ethics while executing
16
the assignment.

4.5. Adherence to Standards:

The SP should adhere to laws of land and rules, regulations and guidelines prescribed by
various regulatory, statutory and Government authorities

4.6. The Bank reserves the right to conduct an audit/on-going audit of the consulting services
provided by the SP.

4.7. The Bank reserves the right to ascertain information from the banks and other institutions
to which the bidders have rendered their services for execution of similar projects.

4.8. The bidder cannot change the DCA auditors during the audit period of execution of the
scope unless consented in written by the Bank.

4.9. The bid should contain the resource planning proposed to be deployed for the project
which includes, inter-alia, the number of personnel, skill profile of each personnel, duration
etc.

4.10 The bidder is expected to quote for the prices of the services with the applicable taxes
(except GST) as on the date of bid submission. Any upward / downward revision in the tax
rates from the date of the bid submission will be to the account of the Bank

4.11 TERMS OF PAYMENT:

The SP‟s fees will be paid in the following manner for each item which is described in the
Commercial bid (Annexure - B):
On completion audit, submission of audit findings, reports and other deliverables as per point
No 3.5 & 3.6.

4.12 LIQUIDATED DAMAGES (LD):

The Bank will impose liquidated damages, an amount equivalent to per day fee derived
from monthly amount quoted by the SP for audit of area DCA as per Annexure – B, in case
of delay in not adhering to the time schedules (3.6.3) or auditor‟s absent day.
If the selected Bidder fails to complete the due performance of the contract in accordance to
the specifications and conditions agreed during the final contract negotiation, the Bank
reserves the right either to cancel the contract or to accept performance already made by the
bidder.
Both the above Liquidated Damages are independent of each other and are applicable
separately and concurrently.
LD is not applicable for reasons attributable to the Bank and Force Majeure. However, it is
the responsibility of the bidder to prove that the delay is attributed to the Bank and Force
Majeure. The bidder shall submit the proof authenticated by the bidder and Bank‟s official
that the delay is attributed to the Bank and Force Majeure along with the bills requesting
payment.
4.13. Indemnity:
The bidder shall indemnify Bank and keep indemnified for against any loss or damage that
Bank may sustain on account of violation of patent, trademarks etc. by the bidder by
executing an instrument to the effect on a Non-Judicial stamp paper.

17
4.14. Authorized Signatory:

The selected bidder shall indicate the authorized signatories who can discuss and correspond
with the bank, with regard to the obligations under the contract.

The selected bidder shall submit at the time of signing the contract, a certified copy of the
extract of the resolution of their Board, authenticated by Bank , authorizing an official or
officials of the SP or a Power of Attorney holder to discuss, sign agreements/contracts with
the Bank. The bidder shall furnish proof of signature identification for above purposes as
required by the Bank.

4.15. Applicable Law and Jurisdiction of court:

The Contract with the selected bidder shall be governed in accordance with the Laws of India
for the time being enforced and will be subject to the exclusive jurisdiction of Courts at
Mumbai (with the exclusion of all other Courts).

4.16. CANCELLATION OF CONTRACT AND COMPENSATION:

The Bank reserves the right to cancel the contract of the selected bidder and recover
expenditure incurred by the Bank on the following circumstances:

1. The selected bidder commits a breach of any of the terms and conditions of the
bid/contract.
2. The bidder goes into liquidation voluntarily or otherwise.
3. An attachment is levied or continues to be levied for a period of 7 days upon effects of
the bid.
4. The progress regarding execution of the contract, made by the selected bidder is found
to be unsatisfactory.
5. If deductions on account of liquidated Damages exceeds more than 10% of the
contract price.
6. In case any IT related fraud emerges during audit period but the same is not detected /
captured by the auditor, the audit firm will be blacklisted and debarred by Bank for
any future assignment and loss incurred to bank will be recovered from annual
remuneration of audit firm (max. 15% of contract value)
After the award of the contract, if the selected bidder does not perform satisfactorily or delays
execution of the contract, the Bank reserves the right to get the balance contract executed by
another party of its choice by giving one month notice for the same. In this event, the selected
bidder is bound to make good the additional expenditure, which the Bank may have to incur
to carry out bidding process for the execution of the balance of the contract. This clause is
applicable, if for any reason, the contract is cancelled.

The Bank reserves the right to recover any dues payable by the selected bidder from any
amount Outstanding to the credit of the selected bidder, including the pending bills and/or
invoking Bank Guarantee, if any, under this contract or any other contract/order.

4.17. NON PAYMENT OF PROFESSIONAL FEES:

If any of the items/activities as mentioned in the price bid and also mentioned in RFP are not
taken up by the Bank during the course of this assignment, the Bank will not pay the
professional fees quoted by the SP in the Price Bid against such activity/item.

18
4.18. ASSIGNMENT:

Neither the contract nor any rights granted under the contract may be sold, leased, assigned,
or otherwise transferred, in whole or in part, by the SP, and any such attempted sale, lease,
assignment or otherwise transfer shall be void and of no effect without the advance written
consent of the Bank.

4.19 SUBCONTRACTING:

The SP shall not subcontract or permit anyone other than its personnel to perform any of the
work, Service or other performance required of the SP under the contract without the prior
written consent of the Bank.

4.20 SP Selection/Evaluation Process:

The Proposal will be evaluated first for technical suitability. Commercial Proposal shall be
opened only for the short-listed bidders who have qualified in the Technical Proposal
evaluation. At the sole discretion of the Bank, the Bank may have relevant criteria for
evaluating the proposals received in response to this RFP.

Bank may, at its sole discretion, decide to seek more information from the respondents
in order to normalize the bids. However, respondents will be notified separately, if such
normalization exercise as part of the technical evaluation is resorted to.

4.21 EMPANELMENT:

The current audit assignment will be awarded to the L1 bidder and Bank may include other
bidder in the empanelled list with a validity period of 2 years. In case of cancellation of
contract to L1 bidder due to unsuccessful discharge of their duties and / or withdrawal/refusal
by L1 bidder to undertake audit assignment, either fresh quotations will be invited from
empanelled service providers for remaining period out of 12 months or new RFP will be
floated.

19
Section-V
SUPPLEMENTAL TERMS AND CONDITIONS

5.1 Proprietary and Related Rights

1. Bank Property: All data or information supplied by the Bank to the SP in connection with
the services being provided by SP („the Services‟) shall remain the property of the Bank or its
licensors. All deliverables to the extent prepared by SP hereunder for delivery to the Bank
(„the Deliverables‟) shall be the property of the Bank.

2. SP Property: In connection with performing the Services, SP may use certain data,
modules, components, designs, utilities, subsets, objects, program listings, tools, models,
methodologies, programs, systems, analysis frameworks, leading practices and specifications
(„Technical Elements‟). However, Bank is not liable to any capacity in case of any violation
of copyright or license is observed while using such objects or tools by the SP while
performing the service. Certain Technical Elements were owned or developed by SP prior to,
or independently from, its engagement hereunder are the sole and exclusive property of SP
and SP retains all rights thereto, as well as to all modifications, enhancements and derivative
works of such Technical Elements created, developed or prepared by SP during the
performance of the Services. Certain other Technical Elements consist of third party works
and products that SP has acquired the rights to use. In addition SP retains the right to use its
knowledge, experience and know-how, including processes, ideas, concepts, and techniques
developed in the course of performing the Services, in providing services to other clients. The
Bank shall have no rights in the Technical Elements. All working papers prepared by SP in
connection with the Services shall remain the property of SP.

3. Use of Deliverables and Services: The Deliverables and SP‟s Services (including any
related recommendations and advice) are intended solely for the information and use of the
Bank‟s management, officers, directors and employees and may not be disclosed to any other
person without the prior written consent of SP (other than the Bank‟s external auditors,
subject to their agreement that none of the Deliverables, or any portion thereof, shall be
further disclosed to any other person or entity except as required by law or professional
obligation and that such auditors shall in no event make any claims against SP arising out of
or in connection with the Deliverables). If the Deliverables or Services (including any
portion, abstract or summary thereof, whether oral or in writing) is disclosed to an
unauthorized third party, Bank agrees to indemnify and hold harmless SP, its partners,
employees, agents and advisors from and against all claims, causes of action, liabilities,
losses, damages, costs, and expenses (including, without limitation, reasonable attorneys'
fees) resulting from such disclosure.

4. Systems: Unless SP has expressly agreed to do so in writing in this Agreement, the

Services do not involve identifying, addressing or correcting any errors or defects in
computer systems, other devices, or components thereof („Systems‟), due to imprecise or
ambiguous entry, storage, interpretation, processing or reporting of data, including dates, and
SP shall have no responsibility or liability for any defect or problem arising out of or related
to processing in any Systems. However, during the performance of SP‟s engagement, SP may
become aware of issues with respect to banks „Systems‟. These findings will be
communicated to you in our individual reports.

20
5.2 Confidential Information

1. Confidentiality: Except as otherwise expressly provided in the text of the engagement

letter, one party receiving Confidential Information, as defined below, in connection with the
provision of the Services shall not disclose such Confidential Information outside its
organization or use it for any purpose other than in connection with the Services.
„Confidential Information‟ means all information in which a party has rights that is not
generally known to the public and that under all the circumstances should reasonably to be
treated as confidential or proprietary, whether or not the material is specifically marked as
confidential. Notwithstanding the foregoing, Confidential Information does not include
information that: (i) is, as of the time of its disclosure, or thereafter becomes, part of the
public domain through a source other than the receiving party; (ii) was known to the
receiving party at the time of its disclosure; (iii) is independently developed by the receiving
party without reference to the Confidential Information; or (iv) is subsequently learned from
a third party not known by the receiving party to be subject to an obligation of confidentiality
with respect to the information disclosed.

2. Survival of Restrictions: The terms of this Clause 5.2 under Section V of this RFP will
survive the termination of this Agreement and will continue in full force and effect from the
date of such termination or as otherwise required by law or regulation.

3. Conflict of Interest: Subject to confidentiality restrictions set forth herein, SP and its
affiliates shall have the right to render similar services to any third parties, even if such
parties are in competition with the Bank, provided that, in the event the Bank has given SP
prior notice of a potential conflict, SP shall either obtain a waiver of both parties or in the
absence of such waiver (which should not be unreasonably withheld or delayed), refrain from
rendering similar services in a manner which would create a conflict with respect to such
circumstances.

5.3 Management responsibilities

Management of the Bank is responsible for establishing and maintaining the Bank‟s system
of internal control. The Bank‟s management and the Audit Committee are responsible for the
following:

 Determining the scope, risk, and frequency of activities performed by SP

 Evaluating the findings and results arising from the activities performed by SP
 Evaluating the adequacy of the procedures performed by SP and the findings resulting
from those activities, including actions by management, if any, necessary to respond
to the findings and among other things, obtaining reports from SP
 Ensuring that all information provided to SP is accurate and complete in all material
respects contains no material omissions and is updated on a prompt and continuous
basis. SP shall be entitled to rely on all information provided by and decisions and
approvals of the Bank in connection with SP‟s work. SP will not be responsible if any
information provided by the Bank is not complete, accurate or current. In addition, the
Bank will also be responsible for obtaining all third-party consents and security
clearances required to enable SP to access and use any third-party products necessary
to our performance

5.4 Relationship of Parties

1. Independent Contractor: Nothing herein contained will be construed to imply a joint
venture, partnership, Principal-agent relationship or co-employment or joint employment
between the Bank and SP. SP, in providing services to the Bank under the contract, is acting
21
only as an independent contractor. SP does not undertake by this Agreement or otherwise to
perform any obligation of the Bank, whether regulatory or contractual, or to assume any
responsibility for the Bank‟s business or operations. The parties agree that, to the fullest
extent permitted by applicable law; SP has not, and is not, assuming any duty or obligation
that the Bank may owe to its customers or any other person.

2. Concerning Employees: Personnel supplied by either party will be deemed employees of

such party and will not for any purpose be considered employees or agents of the other party.
Except as may otherwise be provided in this Agreement, each party shall be solely
responsible for the supervision, daily direction, and control of its employees and payment of
their salaries (including withholding of appropriate payroll taxes), workers‟ compensation,
disability benefits, and the like.

5.5 Other Provisions

1. Applicable Law; Severability: This Agreement shall be governed by the laws of the Union
of India. If any portion of this Agreement is held to be void, invalid, or otherwise
unenforceable, in whole or part, the remaining portions of this Agreement shall remain in
effect.

2. Assignment: Neither this Agreement, nor any rights or obligations hereunder, may be
assigned, in whole or in part, by either party without the prior written permission of the other
party; provided that, upon written notice to the other, either party may assign this Agreement
to a corporation or legal entity that acquires substantially all of or a controlling interest in that
party („Change of Control‟), and SP may assign this Agreement to any member or affiliated
firm of SP..

3. Entire Agreement; Applicable Law: This Agreement constitutes the entire agreement
between the parties with respect to the subject matter hereof and supersedes all agreements
and understandings between the Bank and SP with respect to the subject matter hereof made
prior to the date of this Agreement. Each of the Bank and SP confirms that it has the right,
power and authority to execute and deliver this Agreement and that it will be enforceable in
accordance with its terms.
4. Term: The term of this Agreement shall commence on the date of the Engagement Letter
(“Effective Date of contract”) and shall continue up to the completion of the engagement
(“Term”) until terminated by either party through prior notice.
5. Transition After Termination: Upon the termination of this Agreement, SP shall, subject to
the timely payment to it of all amounts owed hereunder, and the payment during the period of
transition of its fees at its then-applicable hourly rate and its expenses, cooperate with the
Bank in the orderly transition of its responsibilities to its successor, whether that be personnel
employed by the Bank or an entity retained by the Bank for such purpose. In connection with
such transition, SP will (a) continue to provide services contemplated hereunder for a
reasonable period of time and, should the Bank desire, provide such services in coordination
with the successor; and (b) make its personnel available at times mutually agreeable to
discuss its work and transition issues with the Bank and the successor.
6. Non-Solicitation of Personnel: Neither the Bank nor shall the SP solicit for employment or
hire any employee who is involved in the performance of this Agreement during the term of
this Agreement and for a period of twelve months following its termination except as may be
agreed to in writing by both parties. In case any of the parties does so, it will have to pay the
other party a sum equivalent to twelve months Cost to Bank/SP of such employee.
22
7. Changes and Delays: Changes in the type or extent of the services requested by the Bank
or that are required for any other reason including any change in applicable law, professional
standards or schedule delays or other events beyond a party‟s reasonable control
(collectively, „Unexpected Events‟), may require fee and / or date of performance revisions to
be agreed upon by both parties. If either party‟s performance is delayed or suspended as a
result of Unexpected Events, and without its fault or negligence, then the period during which
the services are to be performed shall be extended to the extent of such delay and neither
party shall incur any liability to the other party as a result of such delay or suspension.
8. Conflict and survival: In the event if any conflict, ambiguity or inconsistency between this
Annexure, the main engagement letter and any other document to which this Annexure 1 may
be annexed or which may be annexed to this Annexure 1, including any terms and conditions
on the Bank‟s purchase orders or otherwise, the terms and conditions of this Annexure 1 shall
govern. The provisions of this Agreement that give the parties rights beyond termination of
this Agreement will survive any termination of this Agreement.
9. Use of SP‟s name: Except as may be expressly permitted by this Agreement, the Bank
shall not use or publicise SP‟s name, trademark, service mark or logo in connection with the
Services, without the prior written consent of SP, which may be subject to certain conditions,
in SP‟s discretion.
10. Internet e-mail: The Bank acknowledges that: (i) SP, the Bank and others participating in
this engagement may correspond or convey documentation via Internet e-mail unless the
Bank expressly requests otherwise, (ii) no party has control over the performance, reliability,
availability, or security of Internet e-mail, and (iii) SP shall not be liable for any loss,
damage, expense, harm or inconvenience resulting from the loss, delay, interception,
corruption, or alteration of any Internet e mail due to any reason beyond SP‟s reasonable
control.
5.6 DISPUTE RESOLUTION PROCEDURES
The following procedures shall be used to resolve any controversy or claim („dispute‟) as
provided in our engagement letter to which this annexed. If any of these provisions are
determined to be invalid or unenforceable, the remaining provisions shall remain in effect and
binding on the parties to the fullest extent permitted by law.
Mediation
A dispute shall be submitted to mediation by written notice to the other party or parties. The
mediator shall be selected by agreement of the parties and any mediator so designated must
be acceptable to all parties.
If the parties cannot agree on a mediator, a mediator shall be designated by the Indian
Council of Arbitration („ICA‟) at the request of a party. Any mediator so designated must be
acceptable to all parties. The mediation shall be conducted as specified by the mediator and
agreed upon by the parties. The parties agree to discuss their differences in good faith and to
attempt, with facilitation by the mediator, to reach an amicable resolution of the dispute. The
mediation shall be treated as a settlement discussion and therefore shall be confidential. The
mediator may not testify for either party in any later proceeding relating to the dispute. No
recording or transcript shall be made of the mediation proceedings.
Each party shall bear its own costs in the mediation. The fees and expenses of the mediator
shall be shared equally by the parties.
Arbitration
If a dispute has not been resolved within 90 days after the written notice beginning the
mediation process (or a longer period, if the parties agree to extend the mediation), the
23
mediation shall terminate and the dispute shall be settled by arbitration. The arbitration will
be conducted in accordance with the procedures in this document and the Rules of the Indian
Council of Arbitration („Rules‟) as in effect on the date of the engagement letter, or such
other rules and procedures as the parties may designate by mutual agreement. In the event of
a conflict, the provisions of this document will control.
The arbitration will be conducted before a panel of three arbitrators appointed as per the
Rules of the Indian Council of Arbitration („Rules‟). Any issue concerning the extent to
which any dispute is subject to arbitration, or concerning the applicability, interpretation, or
enforceability of these procedures, including any contention that all or part of these
procedures are invalid or unenforceable, shall be governed by the currently applicable Indian
Arbitration & Conciliation Act and resolved by the arbitrators. No potential arbitrator shall be
appointed unless he or she has agreed in writing to abide and be bound by these procedures.
The arbitration body shall have no power to award non-monetary or equitable relief of any
sort. It shall also have no power to award (a) damages inconsistent with any applicable
agreement between the parties or (b) Punitive damages or any other damages not measured
by the prevailing party‟s actual damages; and the parties expressly waive their right to obtain
such damages in arbitration or in any other forum. In no event, even if any other portion of
these provisions is held to be invalid or unenforceable, shall the arbitration panel have power
to make an award or impose a remedy that could not be made or imposed by a court deciding
the matter in the same jurisdiction.
Discovery shall be permitted in connection with the arbitration only to the extent, if any,
expressly authorized by the arbitration panel upon a showing of substantial need by the party
seeking discovery.

All aspects of the arbitration shall be treated as confidential. The parties and the arbitration
panel may disclose the existence, content or results of the arbitration only as provided in the
Indian Arbitration &Conciliation Act. Before making any such disclosure, a party shall give
written notice to all other parties and shall afford such parties a reasonable opportunity to
protect their interests.
The result of the arbitration will be binding on the parties, and judgment on the arbitration
award may be entered in any court having jurisdiction in India.

5.7 FORCE MAJEURE:

5.7.1 The vendor shall not be liable for forfeiture of its performance Security, liquidated
damages or termination for default, if and to the extent that it‟s delay in performance or other
failure to perform its obligations under the contract is the result of an event of force Majeure.

5.7.2 For purposes of this clause, “Force Majeure” means an event beyond the control of the
vendor and not involving the Vendor‟s fault or negligence and not foreseeable. Such events
may include, but are not restricted to, acts of the Purchaser in its sovereign capacity, wars or
revolutions, fires, floods, epidemics, quarantine restrictions and freight embargoes.

5.7.3 If a Force Majeure situation arises, the Vendor shall promptly notify the Purchaser in
writing of such condition and the cause thereof. Unless otherwise directed by the Purchaser in
writing, the Vendor shall continue to perform its obligations under the Contract as far as is
reasonably practical, and shall seek all reasonable alternative means for performance not
prevented by the Force Majeure event.

24
Section - VI
SCOPE OF AUDIT
The details provided in the scope are indicative lists but not restricted to the following.

6.1. DCA (Data Centre & Project Office – Continuous IS Audit)

SN SCOPE OF DAILY AUDIT IN DC & PO

1 Change in Daily Bulk & Flexi Interest Rates
2 Incorporation of Revised Interest Rate changes of Deposit and Advances as per H.O.,
guidelines.
3 User Management (CBS)
4 Addition / Modification in GSPM (General Scheme Parameter Maintenance) – Due to
changes
5 Parameter level changes made in MOPM (Menu Option Maintenance.)
6 Parameter level changes made in EXCDM (Exception Code Maintenance).
7 Parameter level changes made in ACMDB (Office Account Maintenance).
8 Creation of New GL, sub GL, Currency, Office account in Finacle.
9 TDS parameters
10 Change Management Requests - vetting documents before moving any customization
to Production sever & DR server
11 Incorporation of revised Service Charges as per H.O., Guidelines.
12 Daily Batch Jobs which have failed and intimated by vendor technical team and its
rectification.
13 Deployment of patches if any received from Infosys/ software vendor in Production
Server & DR server including OS
14 Abnormal / Exceptional Transactions in CBS
15 Global processes such as interest application, recovery of charges, TDS calculation etc.
16 CBS Database - Oracle back-end updates
17 ADF Server – DBA activities
18 Internet / Mobile Server – DBA activities including parameterisation.
19 Review of Helpdesk Calls to identify root cause of problems
20 Gap assessment w.r.t. IS Security Policy, Cyber security policy, other Bank guidelines
implementation
21 Sol creation Moduling, IFSC,MISC codes updating and other parameters
22 SCFM parameters / SRGPM
23 Consistency of Application & Databases (DC, DR & NDR)
24 Reversal of proxy transactions
25 Compliance to Government / Regulators‟ guidelines Compliance to
Government/Regulators' guidelines in Deposit & Advance Schemes
26 Maker-Checker control in GL Administration
27 GL Subhead-GL Head Mapping
28 Ability to modify/ update data directly in GL and availability of audit trails

25
29 Reconciliation – DD, PO, C2C, CHR/CHP, Govt Business, OLRR, Technical Contra,
IMPS, ABPS, FI, IB, UPI daily reconciliation and Mobile Banking, Digital Wallet,
reconciliation of other App IT products.
30 For Term Deposit products, interest calculation on maturity, periodical interest pay-
outs and accruals interest calculation including TDS application in case of pre-mature
payments and A/c preferential interest shall be verified. (Sample Basis)
31 For Loan products, Trade Finance verification of interest Computation (should include
calculation of penal interest and back-valuation.) Computation, interest rate, and
application of interest, A/c preferential interest , fees and charges for transactions of
various types in Trade Finance (Sample Basis)
32 Ensure that calculations are performed accurately by the system for all income heads
(interest, exchange, commission, discount), interest accruals and interest expense,
interest payable
33 Verify that all the above types of income/expense booked are accounted for
properly and are reflected accurately in the General Ledger
34 Functionality of NPA tracking: Understand the logic and flow of the automated NPA
Tracking in Core Banking System / D2K system and verify that the classification of
assets & Provisioning by the system is accurate.
35 Evaluate the Correctness ,Completeness, Confidentiality Integrity & Availability of
System Generated Entries, GL and reconciliation thereof
36 Correctness , Completeness , Confidentiality ,Integrity, Availability of transactions
posted through bulk transaction posting utilities done centralized at data centre / GBD
HO.
37 Review process and controls over interface of FINACLE application,
including validation of interface files and handling of rejections, with the other
applications
38 Service Charges & Interest rate are levied in all accounts as per Bank Policies. If not
give details
39 Whether backup of database is performed on periodic basis
40 Service desk request emanating from branches reporting
a) Interest superseding product level interest rate
b) High Value advance drawings in excess over limit
c) NPA classification issues on random basis
41 Whether Logs are being stored properly and cannot be modified
42 Whether logs of system administrator activities in OS/Database is being monitored
43 Review the mitigation status in case of Security review / IS Audit observations
44 Any Other Software Application related Observations
45 Guarantee letter of credit, forward credit and its parameters. Application of various
charges as per banks circulars(sample basis)
46 Review of Security Operation Centre (SOC) activities.
47 Review of the application /infra changes done during the previous day

6.2. VAPT (Vulnerability Assessment &Penetration Testing)

The security assessment should use the industry standard penetration test methodologies (like
OSSTMM, ISSAF etc.) and scanning techniques, and will focus on applications. The
application tests should cover but not limited to OWASP Top 10 attacks.

26
Scope of VAPT are given hereunder -
1) Attempting to guess passwords using password-cracking tools.
2) Attempting penetration through perceivable network equipment/addressing and other
vulnerabilities.
3) Check if any Vulnerability exists in the Servers, Desktops, Database, Applications,
Network and Security devices in scope without disturbing operations.
4) Sniffing Data or information
5) To check whether there is any vulnerability present in all IT assets in scope.
6) To ascertain IDS is configured for intrusion detection, suspicious activity on host are
monitored and reported to server, firewall and IDS logs are generated and scrutinized.
7) Penetration testing (both internal and external)
8) Net scanning-vulnerability assessment
9) Router testing
10) Vulnerabilities of unnecessary utilities residing on Application server.
11) Vulnerability analysis of ATM Network,
12) Check system of penetration testing and its effectiveness for all Internet / Branch
facing servers.
13) Effectiveness of Tools being used for monitoring systems and network against
intrusions and attacks.
14) If any cases of unauthorized access through hacking, denial of service due to
technological failure is possible.
15) Any other items relevant in the case of security.
16) The assessment should include following sections for testing:-
1. Trusted & DMZ Zone
2. Remote Access
3. Network Security Assessment
4. Network Security Components
5. Network Operational Read
17) Testing of Open Source Vulnerabilities
18) Tests for DoS vulnerabilities
19) Test for Directory Traversal
20) Test for insecure services such as SNMP
21) Test for SQL, XSS and other web application related vulnerabilities
22) Check for weak encryption
23) Check for SMTP related vulnerabilities such as open mail relay
24) Check for DNS related vulnerabilities such as DNS cache poisoning and snooping
25) Test for information disclosure such as internal IP disclosure
26) Test for Remote code execution
27) Test for Weak SSL Certificate and Ciphers
28) Adequacy of hardening of all Servers and review of application of latest patches
supplied by various vendors for known vulnerabilities as published by CERT-in,
SANS, etc.

6.3. DRS (Disaster Recovery Site)

Scope of DRS Audit are given hereunder -

1) Compliance with Bank‟s Disaster Recovery plan aspects.

2) Physical Security
a. Physical Access Controls
b. Environment Management systems such as electrical supply, UPS, air-conditioning,

27
 fire drill, humidity, fire detection and suppression, generator, etc.
3) Review & audit of drill activity between Primary site and disaster recovery site
4) Log shipping management, audit of Storage level synchronous/asynchronous replication
between DC & DR Site.

Review the Disaster Recovery Plan/Procedures documented for Core Banking Solution and
its implementation at the Data Centre and Disaster Recovery Centre.
6.4. NDR (Near Disaster Recovery Site)
Scope of DRS Audit are given hereunder

i. Compliance with Bank‟s Disaster Recovery plan aspects

ii. Physical Security
a. Physical Access Controls
b. Environment Management systems such as electrical supply, UPS, air-
conditioning, fire detection and suppression, generator, etc.
iii. Review & audit of drill activity between Primary site and Near DR Site (for some
future applications, Near DR Site will work as DR Site).
iv. Log shipping management, audit of Storage level synchronous/asynchronous
replication between DC & NDR.

6.5. SRP (Short Range IT Plans)

IS Auditor should assess the Short Range IT Plan of Bank in achieving Business Plan and
goals of the bank. Expected deliverables of this area is to help the bank to assess the gap
between IT plan and implementation. It is also expected that this will help the bank in further
improvement in IT plan to achieve Business Plans and goals of the bank.

6.6. DC-CBS (DC- CBS Operation)

Scope of DC-CBS Audit are given hereunder -

(i) Physical security

a) Physical access controls
b) Environment management systems such as electrical supply, UPS, air-conditioning,
humidity, fire detection and suppression, generator, etc.

(ii) Operating System (OS)

a) Set up and maintenance of operating system parameters
b) Updating of OS Patches
c) OS Change Management Procedures
d) Use of root and other sensitive passwords
e) Use of sensitive system software utilities
f) Interfaces with external applications (such as other electronic channels in the case of
CBS and other external ATM switches such as Cashtree in the case of the ATM
system)
g) Hardening of Operating System.
(iii) Implementation of Information Security Policy with reference to this Area
(iv) Gap assessment for complying with RBI guidelines on Information Security, Electronic
Banking, Technology Risk Management and Cyber Frauds (Gopalakrishnan Committee
recommendations. RBI circular no. RBI/2010-11/494 DBS.CO.ITC.BC.No:
6/31.02.008/2010-11 dated 29.04.2011) with specific reference to IT Operations,
28
 Information Security.
(v) Gap Assessment with Aadhar Act-2016.
(vi) Gap Assessment with IT Act-2000 and its subsequent amendments.
(vii) Assessment of RCAs submitted by resp. vendors for the critical incidents occurred in
Data Centre or DR or NDR Site
(viii) Gap assessment for complying with ISO 27001:2013 based ISMS
(ix) Configuration of System mail

(x) Application Review of Core Banking software

Finacle(CBS) and Other applications viz.,Treasury(KASTLE), RTGS / NEFT, SWIFT,
HRMS, D2K, ALM (OFSA), AML(AMLOC), IRM (SAS), etc and interfaces thereof.

1. Authorization Control such as concept of maker checker, exceptions, overriding

exceptions, and error conditions.
2. Authentication mechanism.
3. User Management & Password Management
4. Parameter Maintenance & Complete Review of Application Parameterization
5. Access rights;
6. Access logs/ Audit Trail generation, Adequacy of Audit trails and meaningful logs
7. Change management procedures including procedures for testing, conversion, migration of
data, version control etc
8. Documentation of change management;
9. Documentation of Data Centre Operations.
10. Study & review the implemented functionality of Finacle core banking solution & other
applications in all the areas and to ensure correctness of functionality of each module and
all modules in totality vis a vis availability of the functionality / features in the version
currently implemented in the Bank.
11. Study the CBS& other applications for adequate input, processing and output controls and
conduct various tests to verify existence and effectiveness of the controls.
12. Perform a test of controls and functionality setup in the Core Banking & other
applications and to ensure that all the functionalities and controls are implemented
properly and completely.
13. Review/audit the presence of adequate security features in CBS & other applications to
meet the standards of confidentiality, reliability and integrity required for the application
supporting business processes.
14. Identify ineffectiveness of the intended controls in the software and analyse the cause for
its ineffectiveness. Review adequacy and completeness of controls
15. Review effectiveness and efficiency of the Applications.
16. Review of all controls including boundary controls, input controls, communication
controls, database controls, output controls, interfaces controls from security perspectives.
17. Review of all Interface of application with other system OR interface of other system
with applications for Security, accuracy, consistency and safety.
18. Identifying critical risk areas, control weakness in application systems and recommended
corrective actions from security prospective.
19. Source code review in case version change or upgrade of application.
20. Controls over automated processing / updating of records, review or check of critical
calculations such as interest rates, levying of various charges etc., review of the
functioning of automated scheduled tasks, batch processes, output reports design, reports
distribution, etc
21. Review of Capacity Utilization
22. Backup/Fallback/Restoration procedures and contingency planning
29
23. Review of segregation of roles and responsibilities with respect to application software to
improve internal controls.
24. Review of documentation for formal naming standards, design process for job roles,
activity, groups and profiles, assignment, approval and periodic review of user profiles,
assignment and use of super user access
25. Manageability with respect to ease of configuration, transaction roll backs, time taken for
end of day, day begin operations and recovery procedures.
26. Special remarks may also be made on following items- Hard coded user-id and password,
Interfacing of software with ATM switch, EDI, Web Server and Other interfaces at
Network level, Application level Recovery and restart procedures
27. Review of Software benchmark results. Load and stress testing of IT infrastructure
performed by the Vendors
28. Adherence to Legal and Statutory Requirements
29. Application Security Life Cycle (ASLC) review
30. Data Governance

(xi) DBMS and data security

a) Secure use of SQL;
b) Control procedures for changes to the parameter files;
c) Logical access controls;
d) Control procedures for sensitive database passwords;
e) Control procedures for purging of Data Files;
f) Procedures for data backup, restoration, recovery and readability of backed up data.
g) Auditing, both at client side and server side, including sufficiency and accuracy of event
logging, SQL prompt command usage, Database level logging etc
(xii) Other Application/ Software Audit
a) Identify gaps in the application security parameter setup in line with the bank‟s security
policies and leading best practices.
b) Audit of management controls including systems configuration/ parameterization &
systems development.
c) Audit of controls over operations including communication network, data preparation and
entry, production, file library, documentation and program library, capacity planning and
performance, Monitoring of outsourced operations etc.
d) Review of customizations to be done to the Software & SDLC of Software Policy
followed for such customization.
e) Verify adherence to Legal & Statutory Requirements.
f) Check the sufficiency and coverage of UAT test cases, review of defects & tracking
mechanism deployed by Bidder& resolution including re-testing & acceptance.
g) Backup/ Restoration/ Recovery procedures
h) Check whether the product meets the needs of the User Department and has necessary
security controls built-in.
i) Check whether the products have any inherent weaknesses which can be exploited to
Ban‟s disadvantage and suggest remedial measures to plug these weakness.
j) Controls over automated processing / updating of records, review or check of critical
calculations such as interest rates, levying of various charges etc., review of the
functioning of automated scheduled tasks, batch processes, output reports design, reports
distribution, etc
k) Application Security Life Cycle (ASLC) review; Secure Code Practice Review
The above should be done in consonance with standards like ISO 27001, Bank‟s current IT,
IS & Cyber Security Policies, legal & regulatory requirements and global best practices.

30
6.7. LTS (Long Term IT Strategy)

Scope of LTS Audit are given hereunder -

a) Ensuring that the management has put an effective strategic planning process in place
b) Ratifying that the business strategy is indeed aligned with IT strategy
c) Ensuring that the IT organizational structure complements the business model and its
direction
d) Ascertaining that management has implemented processes and practices that
e) ensure that the IT delivers value to the business
f) Ensuring IT investments represent a balance of risks and benefits and that
g) budgets are acceptable
h) Monitoring the method that management uses to determine the IT resources
i) needed to achieve strategic goals and provide high-level direction for sourcing and
use of IT resources
j) Ensuring proper balance of IT investments for sustaining bank‟s growth
k) Becoming aware about exposure towards IT risks and controls. And evaluating
effectiveness of management‟s monitoring of IT risks
l) Assessing Senior Management‟s performance in implementing IT strategies
m) Issuing high-level policy guidance (e.g. related to risk, funding, or sourcing tasks)
n) Confirming whether IT or business architecture is to be designed, so as to derive the
maximum business value from IT
o) Business process Review

6.8. SUA (Software Utilisation Audit)

Scope of SUA Audit are given hereunder -
a) Uses of Software, Requirement of Software licenses and its availability
b) Level of Utilisation of the licenses procured by the Bank
c) Facilities implemented and available in the software are as per Software Requirement
Specification
d) Usage of the software is as per IT Security Policy of the Bank
e) Capacity utilization of servers and applications
f) Software Asset Management (SAM) and Utilisation Audit for all the applications
licenses, Database Licenses, middleware licenses procured.
1. Audit inventory of licenses purchased under CBS contract.
2. No of licenses required as per the licensing policy of the OEM. Technical
Specifications of the servers is to be obtained on which the
application/DB/middleware is deployed.
3. Whether these licenses are under support from OEM (ATS Renewal has been done
regularly), certificate from OEM to be submitted as supporting document.
4. Any short fall in the licenses to be informed to the Bank to regularize the same.
5. Hardware inventory maintenance, its AMC and insurance etc.

6.9. DSMA (Data and System Migration Audit)

Scope of DSMA Audit are given hereunder -

a) Ensure consistent, methodical approach adopted for migration of Data or Application

b) Ensure the integrity, Completeness, Continuity, Confidentiality of data under
conversion/migration,
31
 c) Ensure Proper Documentation of Migration Activity

6.10. SNSD (System, Network and Security Devices Baseline standards and
configuration Audit)
Scope of SNSD Audit are given hereunder -
i) Configuration review of Servers, Network & Security devices.
ii) Baseline Standards, Hardening review & Assessment.

6.11. NET (Network Management)

Scope of NET Audit are given hereunder -

1) Network access control

2) Hardening of systems, switches and routers.
3) Patch update Management
4) Port based security controls
5) Process control for change management
6) security incident and management
7) access control for DMZ applications
8) content filtering for web access and data leakage
9) Network design review from security, integrity and availability point of view.
a. Review the appropriate segregation of network into various trusted zones
b. Review the traffic flow in the network
c. Review the existing routing policy
d. Review the route path and table audit
e. Review of routing protocols and security controls therein
f. Review the security measures at the entry and exit points of the network
g. Obtaining information about the architecture and address scheme of the network
h. Checking Routing and Inter-VLAN Routing and Optimization.
i. Checking of HSRP Configurations if any, and its working.
j. Checking redundancy and Load Balancing as per the requirement.
k. Routing Protocol Analysis
l. Analyse protocols used and traffic generated and means to optimize traffic
m. Analysis of load balancing mechanism
n. Analysis of latency in traffic across various links

10) Audit of setting of Network equipment from integrity, security availability

and functionality point of view
11) Evaluation of Firewall policy and its implementation..
12) Network performance testing (including suggestions for increasing the performance)
13) Network performance testing using automated tools (including suggestions for increasing
the performance)
14) Analysis at link level
15) Analysis at application level
16) Review of appropriateness of the network topology
17) Review of adequacy or otherwise of the hardware installed.
18) Network stress / Load test
19) Violation logging management
20) Implementation of Information Security Policy with reference to this Area

32
21) Implementation of IPv6
22) Gap assessment for complying with RBI guidelines on Information Security, Electronic
Banking, Technology Risk Management and Cyber Frauds (Gopalakrishnan Committee
recommendations. RBI circular no. RBI/2010-11/494 DBS.CO.ITC.BC.No:
6/31.02.008/2010-11 dated 29.04.2011) with specific reference to Information Security,
Business Continuity Planning.

6.12. ATM (ATM / Internet Banking / Mobile Banking / IT Products/ newly launched
alternate delivery channel systems / POS / ATM Switch (Opex Model))

Various IT products to be audited in this section are:-

1. ATM , ATM Switch (Opex Model), Micro ATM

2. Internet Banking / Mobile Banking
3. All App based product including Digital Wallet (Opex Model), E-UPI, Dena –
Rewardz, Pre paid Instruments (PPI) etc.

a. Scope of ATM Audit are given hereunder -

1) PIN Management
2) Card Management
3) Delivery of ATM cards/ PINs to customers
4) Hot listing of cards
5) Customer dispute resolution
6) Reconciliation within the Bank and with settlement agency/Banks
7) ATM Network Security Architecture Analysis
8) ATM functionality audit,
9) ATM Switch,
10) ATM Switch Reconciliation,
11) Database controls,
12) Backup & Recovery,
13) Analysis of administrative procedures,
14) ATM sharing arrangements with other Banks/Visa and other agencies and
compliance thereof.
15) Implementation of Information Security Policy with reference to this Area.
16) POS / ATM Switch ( Opex Model)

b. Internet / Mobile Banking / Digital Wallet (Opex Model) and App based IT products:

Scope of Internet/ Mobile Banking Audit are given hereunder -

1) To Assess Flaws in Web hosting Software i.e Security of web server and e Design of the
Applications.
2) Attempting to guess passwords using password-cracking tools.
3) Search for back door traps in the software.
4) Attempting to overload the systems using Distributed Denial of Services (DDOS) and
Denial of Services (DOS) attacks.
5) Check Vulnerabilities like IP Spoofing, Buffer Overflows, session hijacks, account
spoofing,
6) Frame Spoofing, Caching of web pages, Cross site scripting, Cookie handling, injection
flaws (SQL Injection, LDAP Injection etc)
7) Sniffing.
33
8) 128-bit SSL Certificate & PKI verification.
9) Whether solution architecture provides 24 X 7 availability to customer . If all servers are
configured to synchronize time with Central NTP server.
10) To check whether date and time stamp are appearing correctly on all reports.
13) To check whether servers are updated with latest security patches. Remote server
14) Management Software used, Web logic server is up to date, IOS version in Router is
vulnerable one.
15) Confirm Rule base in Firewall are configured properly.
16) To ascertain IDS is configured for intrusion detection, suspicious activity on host are
monitored and reported to server, firewall and IPS/IDS logs are generated and
scrutinized. IP routing is disabled.
17) For changing system parameters whether Maker-Checker concept is followed.
18) Logical Access Controls Techniques viz. Passwords, Smart Cards or Other Biometric
Technologies.
19) Proxy Server is issued between Internet and proxy systems.
20) Computer Access, messages are logged and security violations reported and acted upon.
21) Effectiveness of Tools being used for monitoring systems and network against intrusions
and attacks.
22) Proper infrastructure and schedule for back up is fixed, testing of back-up data done to
ensure readability.
23) Legal issues.
24) Electronic Record is authenticated by Asymmetric Cryptosystem and hash function.
25) Secrecy and confidentiality of Customer preserved.
26) If any cases of unauthorized transfer through hacking, denial of service due to
Technological failure is brought.
27) Regulatory and Supervisory issues.
28) Any other items relevant in the case of security.
29) All the guidelines issued by RBI and CERT-IN from time to time relating to Internet
Banking Application and Bank‟s Official Website/Web hosting Software should be
adhered to.
30) Implementation of Information Security Policy with reference to this Area
31) Digital Wallet ( Opex model)
32) Identify and verify the mobile application security vulnerabilities against industry global
standards such as OWASP, PCI DSS compliance, RBI, MPFI etc.
33) Perform audit of various functionalities provided in the application like Fund transfer,
Transactions & queries etc.
34) Check adequacy of PIN Management Controls (Generation, Re-generation,
Authorization, Verifications etc.) of Mobile Banking & Key Management features.
Gap assessment for complying with RBI guidelines on Information Security, Electronic
Banking, Technology Risk Management and Cyber Frauds (Gopalakrishnan Committee
recommendations. RBI circular no. RBI/2010-11/494 DBS.CO.ITC.BC.No:
6/31.02.008/2010-11 dated 29.04.2011) with specific reference to Information Security,
Cyber frauds.
Gap assessment for complying with RBI guidelines as per circular DPSS.CO.PD.Mobile
Banking.No./2/02.23.001/2016-2017 dated 01.07.2016
Gap assessment for complying with RBI guidelines as per circular DPSS (CO) PD
No.1462/02.14.003 / 2012-13 dated February 28, 2013 on Security and Risk Mitigation
Measures for Electronic Payment Transactions.

34
Gap assessment for complying with RBI guidelines as per circular
DBOD.No.FSD.BC.02/24.01.009/2014-15 dated July 1, 2014 on Credit Card, Debit Card and
Rupee Denominated Cobranded Prepaid Card operations of banks.
Gap assessment for complying with Operative Guidelines for Banks vides RBI Master
Circular–DPSS.CO.PD. MobileBanking.No./2/02.23.001/2016-2017 dated 01.07.2016 or the
current Master Circular as on the date of Audit.

Gap Assessment with Aadhar Act-2016.

Gap Assessment with IT Act-2000 and its subsequent amendments.
Gap Assessment for complying with RBI guidelines on Cyber Security framework dated
02.06.2016.
Gap Assessment for complying with provision of IT Act-2000 and its subsequent
amendments. rules applicable to the bank.

c. Payment and Settlement Systems (PSS)

Audit of various payment and settlement systems operated under the PSS Act, 2007
implemented by Bank such as – SFMS, RTGS, NEFT, RD-NDS, CFMS, CCIL/Clearcorp
applications such as CBLO, FX-CLEAR, FX-SWAP, NDS-OM, NDS-CALL and NDS –
AUCTION as per terms of RBI circular No – DPSS.AD.No./1206/02.27.005/2009-10 dated
07.12.2009 (The SP is required to give a separate report for this audit)
Gap assessment for complying with RBI guidelines as per circular DPSS (CO) PD
No.1462/02.14.003 / 2012-13 dated February 28, 2013 on Security and Risk Mitigation
Measures for Electronic Payment Transactions.
Audit of Central Pension Processing Centres (CPPC) is to be conducted, once in a year,
focusing on controls to be in place to ensure the CIA triad of information hosted in the
application(s) hosted by CPPC. The scope includes Application Security Review, Database
Security / File System, Valid User Test, Audit Trail features, Backup and BCP procedures,
Roles and Responsibilities of Service Providers etc.

6.13 PSW (Acquisition and Implementation of Packaged Software)

The proposed audit should cover Source code review, Adherence to business rules in the flow
and accuracy in processing, Validations of various data inputs, logical access control and
authorization, Exception handling and logging etc. in general.
Gap assessment for complying with RBI guidelines on Information Security, Electronic
Banking, Technology Risk Management and Cyber Frauds (Gopalakrishnan Committee
recommendations. RBI circular no. RBI/2010-11/494 DBS.CO.ITC.BC.No:
6/31.02.008/2010-11 dated 29.04.2011) with specific reference to this Area.

6.14 ISW (Development of Software in-house and outsourced)

The proposed audit should cover Source Code Review, Adherence to business rules in the
flow and accuracy in processing, Validations of various data inputs, logical access control
and authorization, Exception handling and logging etc. in general.
Gap assessment for complying with RBI guidelines on Information Security, Electronic
Banking, Technology Risk Management and Cyber Frauds (Gopalakrishnan Committee
recommendations. RBI circular no. RBI/2010-11/494 DBS.CO.ITC.BC.No:
6/31.02.008/2010-11 dated 29.04.2011) with specific reference to this Area.
35
6.15 OUT (Outsourcing Arrangements)
Scope of audit of Outsourcing Arrangements are given hereunder -

Outsourcing Arrangement Review –:

 The audit of the outsourced arrangements will be as per terms of RBI Circular No
RBI/2006/167 DBOD.NO.BP.40/21.04.158/2006-07 dated 03.11.2006. The Audit will
cover evaluation of the financial and operational conditions of the Service Provider,
breach in security / confidentiality, non – compliance with legal and regulatory
requirement, Bank exposed to different types of risks which can lead to financial losses,
loss of reputation to the Bank or systemic risk in wake of outsourcing.
 Gap assessment for complying with RBI guidelines on Information Security, Electronic
Banking, Technology Risk Management and Cyber Frauds (Gopalakrishnan Committee
recommendations. RBI /.CO.ITC.BC.No: 6/31.02.008/2010-11 dated 29.04.2011) with
specific reference to IT Services outsourcing
 Details of outsourcing activities may be provided to the Service Provider at the time of
issuing assignment letter.
6.16 Audit of Policy and Guidelines (ISA)
Audit of Information Security Architecture, Review of the following policies and guidelines:
1) Information Technology Security Policy
2) Cyber Security Policy
3) IT Governance Policy
4) IS Audit Policy
5) IT Procurement Policy

Review Data Classification Policy and perform data risk assessment to assess security
loopholes from where data can get leaked.
Gap assessment for complying with RBI guidelines on Information Security, Electronic
Banking, Technology Risk Management and Cyber Frauds (Gopalakrishnan Committee
recommendations. RBI circular no. RBI/2010-11/494 DBS.CO.ITC.BC.No:
6/31.02.008/2010-11 dated 29.04.2011) with specific reference to Information Technology
Governance, IS Audit, Customer Education, Legal Issues. Review of structured format for IS
Audit of branches and other administrative offices as per latest guidelines.

36
37
SECTION-VII
DETAILS OF REQUIREMENTS

INDEX
ITEM SUBJECT
Annexure-A Cover Letter Format
Annexure-B Commercial Bid Format
Annexure-C(I) Profile of the Bidder
Annexure-C(II) Organization Structure
Annexure-C(III) Declaration by Bidder
Annexure-C(IV) Manpower Details
Annexure-C(V) Expertise & Experience
Annexure-D Performance Statement of the Bidder
Annexure-E Profile of the Core Audit Team to be Assigned for the Project
Annexure-F Individual CVs for the Team Lead & Other Members of the
Core Audit Team
Annexure-G Technical Deviation Statement

38
Annexure – A
Cover Letter Format (In Letterhead of the bidder firm)
Ref No. Date:___/____/2017

The Deputy General Manager (Inspection)

Dena Bank
Inspection & Internal Audit Dept.
Dena Bank Building, 4th Floor
17-B Horniman Circle
Fort, Mumbai – 400 023

Dear Sir,

Ref:

We refer your RFP No…………..dated…………webcast on ……. and hereby confirm

having perused the same and all its annexure. We, the undersigned, offer our services for
Information Systems Audit/Review mentioned in the RFP in conformity with the Bank's
requirements and on the terms and conditions stipulated therein.

We enclose two sealed envelopes duly super scribed one containing the technical and the
other, commercial bid for your consideration.

We agree to abide by this bid for the period of 180 days after the date fixed for Technical
bid opening under Clause 1.13 of Section-I.

We undertake that, in competing for (and, if the award is made to us, in executing) the
above contract, we will strictly observe the laws against fraud and corruption in force in
India namely “Prevention of Corruption Act 1988” and its subsequent amendments.

We note that the Bank reserves the right to reject any or all the offers at any stage before
awarding the contract without assigning any reason and without incurring any liability to the
bidders therefore.

Signature: ______________________________________ Date:

(In the Capacity of) ________________________________

Duly authorized to sign bid for and on behalf of

(Name & Address of Bidder) ________________________________

Business_________________________ Address________________

39
Annexure-B
Commercial Bid Format
The price offered to the Bank must be in Indian Rupees, inclusive of all taxes and service tax
will be extra. Unit fee quoted for first year and second year as F1 and S1 respectively for the
audit area (DCA) paid on submission the respective report. If the Bank decides to get audited
1 / 3 days per week, the monthly fees will be calculated on the basis of F1 / S1 only for the
area-DCA.

Table-1

Frequency Unit Unit

Area Details for area of audit of Fee/report Fee/report
reporting (F) (S)
Data Centre – Continuous – on
DCA daily basis (Monday to Saturday Monthly (F1) (S1)
excluding Bank holidays)
Vulnerability Assessment
VAPT Quarterly (F2) (S2)
&Penetration Testing
DRS DRS site – Bangalore
Quarterly (F3) (S3)
NDR NDR – Mumbai
SRP Short Range IT Plans Quarterly (F4) (S4)
DC-CBS DC- CBS Operation Quarterly (F5) (S5)
Half
NET Network Management (F6) (S6)
Yearly
ATM, Internet Banking / Mobile Half
ATM (F7) (S7)
Banking / IT Products Yearly
Acquisition and Implementation of Half
PSW (F8) (F8)
Packaged Software Yearly
Development of Software in-house Half
ISW (F9) (F9)
and outsourced Yearly
OUT Audit of Outsourcing Arrangements Yearly (F10) (S10)
ISA Audit of Policy and Guidelines Yearly (F11) (S11)
DSMA Data and System Migration Audit Yearly (F12) (S12)
LTS Long Term IT Strategy Yearly (F13) (S13)
SUA Software Utilisation Audit Yearly (F14) (S14)
SNSD System , Network and Security Yearly (F15) (S15)
Devices Baseline standards and
configuration Audit

40
Table-2

Area First Year Fees (F) Second Year Fees (S) Total Fees (F+S)
DCA F1 X 12 S1 X 12 Cont- DCA
VAPT F2 X 4 S2 X 4
DRS+NDR F3 X 4 S3 X 4
Qrt-4
SRP F4 X 4 F4 X 4
DC-CBS F5 X 4 S5 X 4
NET F6 X 2 S6 X 2
ATM F7 X 2 S7 X 2
Hlf-4
PSW F8 X 2 S8 X 2
ISW F9 X 2 S9 X 2
OUT F10 X 1 S10 X 1
ISA F11 X 1 S11 X 1
DSMA F12 X 1 S12 X 1
Yrl-6
LTS F13 X 1 S13 X 1
SUA F14 X 1 S14 X 1
SNSD F15 X 1 S15 X 1
2 Years Total
First Year Total = (TF) Second Year Total= (TS)
(T1)= TF+TS
Grand total (GT)= (T1 + T2)

(Signature of Bidder with Name and Designation and seal)

Date:
Place:

41
 Annexure-C (I)
Profile of the Bidder

REQUIRED INFO DETAILS

Registered name of the Bidder
Registered address of the Bidder
Address for correspondence of the Bidder Address:

STD-Phone:
e-mail Id:
FAX NO:
Contact name of the official who can commit Primary Contact:
on the contractual terms and the name of an Name:
alternate official who may be contacted in the Designation:
absence of the former STD- Phone No:
Mobile Phone :
e-mail ID :
Alternate Contact:
Name :
Designation:
STD- Phone No:
Mobile Phone :
e-mail ID :
Contact addresses if different from above

Official Website Web Site URL :

Authorized Signatory with Seal

Date:
Place:

42
Annexure-C (II)
Organization Structure

REQUIRED INFO DETAILS

Business Structure of the Bidder –
Government Organization / PSU /
Partnership Firm /Limited Co. / Private Ltd.
Co. (enclose relevant registration details)
Registered Office
Bidder Organization‟s date of inception/
Commencement of Business
No. of completed years in existence as on the
last date of bid submission
Constitution
Name of Directors
Core Business of Bidder
Bidder is engaged in Information Systems
Audits since (month & year) & total
experience (in years/months) in IS Audit
services
Whether Information Systems Audit is a core
function of the bidder?
Annual Turnover from IS Audit Activities
(Amount in Crores). Substantiate with
relevant proofs.
Empanelment with CERT-In as an IS Audit Empanelment valid from :-
Organization– current status( enclose Empanelment valid up to :-
empanelment details)
Whether submitting the Bid as a part of any
consortium (Yes/No)

Authorized Signatory with Seal

Date:
Place:

43
Annexure-C (III)
Declaration by Bidder
The Bidder shall furnish, as part of his bid, documents establishing the Bidder‟s eligibility.

SUBJECT DETAILS
The Bidder should be empanelled with CERT-IN (substantiate)
which should be valid up to 31/12/2018 for IT / IS Copy of CERT-IN Empanelment as
Audit / IS Security Audit. Annexure-1.
The Bidder should be registered in India and has its (substantiate)
registered office or its representative office in Copy of In-corporation Certificate as
Mumbai. The IS Audit firm/company should have Annexure-2
been in existence for at least five years as on
31.03.2017.
The SP should have experience in ethical hacking, (substantiate)
vulnerability assessment & penetration testing and Enclose a relevant declaration
dedicated qualified security professionals on-roll /confirmation to this effect as
for these assignments. Annexure-3
The SP should have conducted at least one audit of (substantiate)
Data Centre (DC) of any scheduled commercial Copies of Purchase Order (similar IS
bank in India. The bidder should have previous Audit projects for last 3 years)
audit experience of working on similar projects for mentioning total amount quoted and &
Public/Private sector banks. Sign off documents in support of audit
completion as Annexure-4
Should have a pool of minimum 3 professionals As per Annexure-C (IV) given below.
with international accreditation like CISA (Offered Copies of Professional Qualification &
by ISACA, USA), CISSP (Certified Information CVs are to be attached.
System Security Professional), CISM
The bidder should not have been involved in Enclose a relevant declaration
implementing any of the IS security solutions for /confirmation to this effect as
Dena Bank. Annexure-5
The SP should not have been black listed by any Enclose a relevant declaration
public sector organization or RBI or IBA or any /confirmation to this effect as
other regulator or statutory body. Annexure-6
The bidder should not have been involved in Enclose a relevant declaration
carrying out IS Audit of the Bank for last two years /confirmation to this effect as
Annexure-7
The bidder must have been profitable since past 3 (substantiate)
years in succession viz. financial years ending
31stMarch 2015, 2016 & 2017.The bidder should
submit a copy of the full Balance Sheet, duly
certified as copy of the original by its Auditor, for
three years ending 31-03-2015, 31-03-2016 and 31-
03-2017 along with qualifying remarks,
disclosures, if any made therein.
The bidder‟s Account should not have been A certificate to this effect should be
declared as a Non Performing Asset (NPA) in the obtained from the Auditor who has
Books of any bank or financial institution. signed the Balance Sheet of the
Bidders as on 31-03-2017 and same
44
 should be submitted as Annexure-8

The bidder should have the team leader who is Bio-data of personnel duly
qualified, experienced and personally involved in at authenticated by authorised official of
least one similar assignment in Banking and the bidder to be enclosed as Annexure-
Financial Sector/PSU Bank in India 9

45
Annexure-C (IV)
Manpower Details

REQUIRED INFO DETAILS

Number of professional manpower
available for IS Audit in the SN QUALIFICATION NUMBER OF
Organization. (mention count for PROFESSIONALS
permanent employees only ) 1 CISA/CISM/ CISSP
2 BS7799/ISO 27000
LA
3 CCNA/CCNE
4 DISA/ISA
5 CEH/GIAC
6 MCSE/ CCIE
7 OTHER
Details Of Team leads / Project Specify number of
leads/Key Personnel, having prior IS
audit experience of DC/DRS etc. in a CISA /CISM / CISSP:
Bank or other Organization, to be
assigned for the Dena Bank IS Audit
Project.
ISO 27001 LA /CEH / GIAC/ MCSE/ CCIE:
(Enclose Individual curriculum vitae
of Team leads / Project leads and other Any Other :
key personnel to be assigned for the
Dena Bank IS Audit project).

Authorized Signatory with Seal

Date:
Place:

46
Annexure-C (V)
Expertise & Experience

REQUIRED INFO DETAILS

Detail of the assignments where the bidder SN Bank/ Nature Date Of
has performed IS audit of Data Centre / Organization of Audit Purchase
DRS & related Infrastructure in a Name Order
Bank/Other Organization During the past
One Year including VAPT.

(Enclose separate sheet for each

Organization with relevant Purchase Orders
& Audit completion certificate.)
IS Audits of DC/DRS etc. carried out in SN Bank Total No of IS
Banks & other Organizations out till Audit Conducted
30/06/2017 (enclose relevant PO details) 1
Public Sector
**should not include figures of IS Audit Bank
carried out for CBS branches 2 Private Bank
3 Foreign Bank
4 Co-operative
bank
5 Other Banks
6 Organizations
other than Banks
No of personnel having both domain and Bio-data of personnel, authenticated by
technical knowledge of Banking and IT authorised official of bidder, to be enclosed as
areas. The technology area of expertise Annexure-11.
should include IS Audit of Enterprise Data
Centre, VA&PT assignments, audit of
hardware and software, Networking and
Delivery channels, internet banking, Card
Products, Treasury and Forex etc.

Authorized Signatory with Seal

Date:
Place:

47
Annexure-D
Performance Statement of the Bidder

REQUIRED INFO DETAILS

Name of the Bank / Organization
Address of the Bank / Organization
Project Name(Mention only /VAPT & allied
Infrastructure related projects in Banks/other
organizations /Product Audit) (Enclose
Purchase Order Copy)
Scope covered in the IS Audit Project
i. IS Audit of DC/DR (Y/N)
ii. VAPT/EAPT (Y/N)
iii. Product Audit(Y/N)
IS Audit start date
Current status of the Project whether
completed (Date of completion)

(Enclose completion certificate)

Duration of the Project

Contact person details from the Bank side 1)Name:-

2) Designation :-
3) Phone No. :-
4)Email Id :-
Names of project staff/ professionals
involved
Nature of audit work that was outsourced (if
any)

Authorized Signatory with Seal

Date:
Place:

48
Annexure-E
Profile of the Core Audit Team to be Assigned for the
Project

SN Name Designation Part Role in Professional Years Of

Time/Full IS Audit Qualification IS Audit
Time Experience
1
2
3
4
5
6
7

Authorized Signatory with Seal

Date:
Place:

49
Annexure-F
Individual CVs for the Team Lead & Other Members of
the Core Audit Team

REQUIRED INFO DETAILS

Name of the member

Role of the Member

Employee of the Audit firm / Company

since:

Designation:

Educational Qualification:

Other Certifications/accreditations:

Employment history

Total IS Audit Experience

(no. of years, areas of experience)
Experience in similar IS Audit Projects over the past three years
(including client details, role of member, activities performed, duration of experience)

SN Client Organization where Duration of involvement in Details of

the member was involved months & year assignment done &
in IS Audit role assigned

NOTE: (To be furnished on separate sheet for each member of the Core Audit team)

Authorized Signatory with Seal

Date:
Place:

50
Annexure-G
Technical Deviation Statement
RFP Ref. No: _________________ Dated________

The following are the particulars of deviations from the requirements of the tender:-

CLAUSE DEVIATION REMARKS

(Including justification)

The eligibility criterion & offered IS Audit services furnished in the bidding document shall
prevail over those of any other documents forming a part of our bid except only to the extent
of deviations furnished in this statement.

Date ________________ Signature and seal of the Bidder

Note: Where there is no deviation, the statement should be returned duly signed with an
endorsement indicating “No Deviations”.

51