Notice RFP ISAudit 05apr2010 PDF
RFP for Information Systems Audit
March 2010

Part A
This Request for Proposal document (“RFP”) has been prepared solely to enable the
Central Bank of Seychelles (“the Bank”) to select a suitable organisation
(Service Provider – “SP”) to tender for, and assist the Bank in, conducting an
Information Systems Audit.
2. Information Provided
The RFP contains statements derived from information that is believed to be reliable
at the date obtained but does not purport to provide all of the information that may
be necessary or desirable to enable an intending contracting party to determine
whether or not to enter into a contract or arrangement with the Bank in relation to
the provision of services.
Neither the Bank nor any of its employees, agents, contractors, or advisers gives
any representation or warranty, express or implied as to the accuracy or
completeness of any information or statement given or made in this RFP.
Neither the Bank nor any of its employees, agents, contractors, or advisers has
carried out or will carry out an independent audit or verification or due diligence
exercise in relation to the contents of any part of the RFP.
The RFP is intended solely for the information of the party to whom it is issued
(“the Recipient”) and no other person or organisation.
4. Confidentiality
The Bank may update or revise the RFP or any part of it. The Recipient
acknowledges that any such revised or amended document is received subject to
the same terms and conditions as this original and subject to the same
confidentiality undertaking.
The Recipient will not disclose or discuss the contents of the RFP with any officer,
employee, consultant, director, agent, or other person associated or affiliated in
any way with the Bank or any of its customers, suppliers, or agents without the
prior written consent of the Bank.
5. Disclaimer
Subject to any law to the contrary, and to the maximum extent permitted by law,
the Bank and its officers, employees, contractors, agents, and advisers disclaim all
liability from any loss or damage (whether foreseeable or not) suffered by any
person acting on or refraining from acting because of any information, including
forecasts, statements, estimates, or projections contained in this RFP or conduct
ancillary to it whether or not the loss or damage arises in connection with any
negligence, omission, default, lack of care or misrepresentation on the part of the
Bank or any of its officers, employees, contractors, agents, or advisers.
All costs and expenses incurred by Respondents in any way associated with the
development, preparation, and submission of responses, including but not limited to
7. No Legal Relationship
No binding legal relationship will exist between any of the Respondents and the
Bank until execution of a contractual agreement.
The Recipient must conduct its own investigation and analysis regarding any
information contained in the RFP and the meaning and impact of that information.
9. Evaluation of Offers
Each Recipient acknowledges and accepts that the Bank may, in its absolute
discretion, apply whatever criteria it deems appropriate in the selection of
organisations, not limited to those selection criteria set out in this RFP.
The RFP will not be construed as any contract or arrangement which may result
from the issue of this RFP or any investigation or review carried out by a Recipient.
The Recipient acknowledges by submitting its response to this RFP that it has not
relied on any information, representation, or warranty given in this RFP.
Each Recipient should notify the Bank of any error, omission, or discrepancy found
in this RFP.
A Recipient will, by responding to the RFP, be deemed to have accepted the terms
as stated above from Paragraph 1 through Paragraph 10.
The cover letter must be signed by a person or persons authorised to submit the
proposal and must delineate your firm’s ability to fulfil the tasks outlined in the
Statement of Work (Annex 1).
The cover letter must clearly identify the Offeror and indicate specific points of
contact for discussions and clarifications of the proposal. Such points of contact will
include names, titles, address (including email, if available), telephone, and
facsimile numbers. A statement as to whether or not a conflict of interest might
exist through the engagement of your firm for this work should be supplied in this
section.
The cover letter must explicitly indicate whether or not the Offeror accepts the
Bank’s standard contractual terms and conditions as identified in the RFP. In the
event that the Offeror does not accept them, or wishes to discuss alternative terms and
conditions, the Offeror must explicitly indicate which items are not accepted and
propose specific alternative language as appropriate.
Past or current assignments which are similar in scope and content should be
noted. Literature, references, and other information regarding your organization’s
capabilities should be presented in Section VI.
The executive summary should provide an overview of the proposed work, which
demonstrates an understanding of objectives of the tasks to be performed and
describes the approach that will be taken to achieve these objectives.
The response to statement of work should describe the methodologies that will be
employed and the approaches that will be taken to complete the work and include a
preliminary work plan which shows the phasing of the work to be accomplished and
products to be delivered in accordance with the time frames referenced in the
Statement of Work. It is expected that a final work plan with firm scheduling of
tasks and deliverables will be agreed immediately following contract award.
For each task proposed, the Management Plan should indicate the level of effort
(person hours) expected to be committed by your firm and list the categories and
number of personnel who would be assigned. The Management Plan should describe
the role and responsibility of each member of the proposed project team, and
include estimates by task of the level of effort proposed for each category of
personnel. Resumes of personnel who would be assigned to the effort should be
included in Section VI (Attachments). The Bank expects that all personnel proposed
will, in fact, conduct the work.
This must state all proposed pricing to complete the work, for each year of the
work. Pricing information should not appear in any other section of the
proposal. Proposal pricing is to be valid for a period of three (3) months from the
date of submission of the proposal. The Bank will not be responsible for any costs
incurred by Offerors in the preparation of their submissions.
The composition of the proposed professional fees must be shown in two ways:
(i) a schedule listing, for each category of personnel included in the proposed
project team, the total estimated hours, hourly rate, and estimated total
professional fees; and
(ii) estimates of the professional fees for each task included in the proposed
work plan in total and by category of personnel.
In addition, Section V must include a description of the facilities that the Offeror
would expect the Bank to provide (e.g., office space for the project team, specifying
duration and number of team members; telephone and other communications and
computing facilities; etc.).
13. Submission of Bids
Registration will be effected upon the Bank receiving the RFP response in the above
manner (point 13). If the response to this RFP does not include all the
information required, is incomplete, or is submitted through an unspecified
mode, the response is liable to be rejected.
All submissions will become the property of the Bank. Recipients shall be deemed
to license, and grant all rights to, the Bank to reproduce the whole or any portion of
their submission for the purpose of evaluation, to disclose the contents of the
submission to other Recipients who have registered a submission, and to disclose
and/or use the contents of the submission as the basis for any resulting RFP
process, notwithstanding any copyright or other intellectual property right that may
subsist in the submission or the Bank’s documents.
The bids will remain valid for a period of at least three (3) months from the closing
date.
Recipients are required to direct all communications related to this RFP through the
Nominated Point of Contact person i.e.
Mahe
Seychelles
Email: philippa.samson@cbs.sc
All questions relating to the RFP, technical or otherwise, must be in writing only to
the Nominated Point of Contact.
The Bank will not answer any communication initiated by Respondents later than
five business days prior to the due date for bid submission. However, the Bank
may in its absolute discretion, but is under no obligation to, seek additional
information or material from any Respondent after the tender closes, and all such
information and material provided shall be taken to form part of that Respondent’s
response.
If the Bank in its absolute discretion deems that the originator of the question will
gain an advantage by a response to a question, then the Bank reserves the right to
communicate such response to all Respondents.
The Bank may in its absolute discretion engage in discussion or negotiation with
any Respondent (or simultaneously with more than one Respondent) after the
tender closes to improve or clarify any response.
18. Notification
The Bank will notify the Respondents in writing as soon as practicable about the
outcome of the RFP evaluation process, including whether the Respondent’s RFP
response has been accepted or rejected. The Bank is not obliged to provide any
reasons for any such acceptance or rejection.
19. Disqualification
20. Process
The SPs who wish to submit responses to this RFP should note that they should
abide by all the terms and conditions contained in the RFP. If the responses contain
any extraneous conditions put in by the respondents, such responses may be
disqualified and may not be considered for the selection process.
During the assignment, the substitution of key staff identified for the assignment
will not be allowed unless such substitution becomes unavoidable to overcome
undue delay, or such changes are critical to meeting the SP’s obligations.
The SP cannot change the Project Manager during the entire period of execution of the
scope unless the Bank consents in writing.
In such circumstances, the SP can do so only with the concurrence of the Bank by
providing other staff of same level of qualifications and expertise. If the Bank is not
satisfied with the substitution, the Bank reserves the right to terminate the contract
and recover whatever payments made by the Bank to the SP during the course of
this assignment besides claiming an amount, equal to the contract value as
liquidated damages.
However, the Bank reserves the right to require the SP to replace any team member
with another (with the qualifications and expertise required by the Bank) during
the course of the assignment.
24. Professionalism
The SP should provide professional, objective and impartial advice at all times and
hold the Bank’s interests paramount and should observe the highest standard of
ethics while executing the assignment.
The SP should adhere to the laws of the land and to the rules, regulations and guidelines
prescribed by the various regulatory, statutory and Government authorities.
The Bank reserves the right to conduct an audit/ongoing audit of the consulting
services provided by the SP.
The Bank reserves the right to ascertain information from the banks and other
institutions to which the SPs have rendered their services for execution of similar
projects.
The prices should be quoted for all areas for the services offered by the SP.
It may be noted that Bank will not pay any amount/expenses / charges / fees /
travelling expenses / boarding expenses / lodging expenses / conveyance expenses
/ out of pocket expenses other than the above “Agreed Professional Fee”.
The bid should contain the resource planning proposed to be deployed for the
project which includes, inter-alia, the number of personnel, skill profile of each
personnel, duration etc.
The SP’s fees will be paid in the following manner for each item which is described
in the Commercial bid:
The Bank will impose liquidated damages (“LD”) of SCR 5,000 (Seychelles Rupees
Five thousand only), or the equivalent in foreign currency, per week or part thereof
of delay in adhering to the agreed time schedules.
If the SP fails to complete the due performance of the contract in accordance with the
specifications and conditions agreed during the final contract negotiation, the Bank
reserves the right either to cancel the contract or to accept performance already
made by the SP.
The Bank reserves the right to recover an amount as deemed reasonable by the
Bank as LD for non-performance.
Both the above LDs are independent of each other and are applicable separately
and concurrently.
LD is not applicable for delays attributable to the Bank or to Force Majeure.
However, it is the responsibility of the SP to prove that the delay is attributable to the
Bank or to Force Majeure. The SP shall submit proof, authenticated by the SP and the
Bank’s officials, that the delay is attributable to the Bank or to Force Majeure, along
with the bills requesting payment.
33. Indemnity
The SP shall indemnify the Bank, and keep it indemnified, against any loss or damage
that the Bank may sustain on account of violation of patents, trademarks, etc. by the
SP, by executing an instrument to that effect on Non-Judicial stamp paper.
The SP shall indicate the authorised signatories who can discuss and correspond
with the Bank, with regard to the obligations under the contract.
The SP shall furnish proof of signature identification for above purposes as required
by the Bank.
The Contract with the SP shall be governed in accordance with the Laws of
Seychelles for the time being in force and will be subject to the exclusive
jurisdiction of its Courts.
The Bank reserves the right to cancel the contract of the SP and recover
expenditure incurred by the Bank in the following circumstances:
The SP commits a breach of any of the terms and conditions of the
bid/contract.
The SP goes into liquidation, voluntarily or otherwise.
The progress made by the selected SP in executing the contract is
found to be unsatisfactory.
Deductions on account of liquidated damages exceed 10% of
the total contract price.
After the award of the contract, if the SP does not perform satisfactorily or delays
execution of the contract, the Bank reserves the right to have the balance of the contract
executed by another party of its choice, giving one month’s notice of the same.
In this event, the SP is bound to make good the additional expenditure which the
Bank may have to incur to carry out a bidding process for the execution of the
balance of the contract. This clause is applicable if, for any reason, the contract is
cancelled.
The Bank reserves the right to recover any dues payable by the SP from any
amount outstanding to the credit of the SP, including the pending bills and/or
invoking Bank Guarantee, if any, under this contract or any other contract/order.
If any of the items/activities as mentioned in the price bid are not taken up by the
Bank during the course of this assignment, the Bank will not pay the professional
fees quoted by the SP in the Price Bid against such activity/item.
38. Assignment
Neither the contract nor any rights granted under the contract may be sold, leased,
assigned, or otherwise transferred, in whole or in part, by the SP, and any such
attempted sale, lease, assignment or otherwise transfer shall be void and of no
effect without the advance written consent of the Bank.
39. Subcontracting
The SP shall not subcontract or permit anyone other than its personnel to perform
any of the work, service or other performance required of the SP under the contract
without the prior written consent of the Bank.
The Technical Proposal will be evaluated first for technical suitability. The Commercial
Proposal shall be opened only for the short-listed bidders who have qualified in the
Technical Proposal evaluation.
The evaluation of technical proposals will be based on, among other things, the
following parameters, weighted by the percentage of marks shown:

Parameter                                                                 Mark
SP’s overall standing to undertake such assignment (financial ability)    10%
Prior experience of the SP in undertaking audits in the given areas       40%
Part B
The Central Bank of Seychelles is governed by the Central Bank of Seychelles Act
2004, as amended in 2008 and 2009 (available at www.cbs.sc).
The mission of the Bank is to contribute toward the sustainable economic growth of
Seychelles through prudent monetary policy and maintenance of a sound financial
system.
Central Banking in the Seychelles started as far back as 1936, with the
establishment of the Seychelles Currency Board, similar to other British colonies of
the time. Unlike a Central Bank, however, the Currency Board did not have the
mandate to undertake monetary policy.
The Seychelles Monetary Authority was founded on 1st December 1978 and took
over the responsibilities of the Currency Board. The role of the Monetary Authority
was closer to that of a Central Banking institution. It was responsible for issuing
currency, managing external reserves, being the banker and lender of last resort to
Government and commercial banks, inspection of the financial institutions that it
regulated and monetary policy.
The Central Bank of Seychelles came into existence on 29th December 1982 when
the adjusted Seychelles Monetary Decree 1978, turned into the Central Bank of
Seychelles Act 1982, was approved by the People’s Assembly.
The Central Bank of Seychelles Act 1982 was replaced in 2004 by the Central Bank
of Seychelles Act 2004. The new Act explicitly sets out the objectives of the Bank,
which were revised in 2009, as part of the IMF-supported economic reform
programme so as to be in conformity with current developments.
The role of the TSD is to manage the Bank’s Information and Communication
Technology infrastructure and offer Information Technology services and support
for its divisions and staff. TSD also manages the Information Security, Disaster
Recovery and Business Continuity, and the Project Management Office.
Part C
1. Audit Objectives
The SP will be responsible as per the scope and timelines outlined in this RFP.
2. Audit Approaches
3. Audit Methodology
The Information Systems Audit work will include, but is not limited to, manual
procedures, computer-assisted procedures and fully automated procedures.
4. Auditors
Audit should be carried out by persons having CISA / CISSP / CISM / GIAC (SANS)
qualifications with adequate experience in the audit areas given below.
5. Audit Scope
The Bank expressly stipulates that the SP’s selection under this RFP is on the
understanding that this RFP contains only the principal provisions for the entire
audit assignment. The SP shall be required to undertake to perform all such tasks,
render requisite services and make available such resources as may be required for
the successful completion of the entire audit assignment at no additional cost to the
Bank.
The SP should carry out a vulnerability assessment and penetration test covering
the operating systems, databases, and network and security infrastructure six
months after completion of the present audit; this follow-up test forms part of the
scope of this audit.
Risk analyses along with risk matrices with scoring model should be submitted as
part of audit findings.
The following are indicative of what should be covered for the area-wise auditing:
Audit Report of all the areas covering the objectives, efficiency and
effectiveness
Presentation to the Top Management of the findings of the audit
Risk Analyses
Recommendations for Risk Mitigation
Gap analysis and recommendations
The checklist with guidelines for the subsequent audit
Scope, guidelines and checklist for Audit of IT operations
7. Duration of Audit
The entire audit should be completed within 2 months from the date of the
acceptance of the LoA.
8. Pre-Qualification Criteria
The SP is required to meet the following minimum eligibility criteria and provide
adequate documentary evidence for each of the criteria stipulated below:
The SP should have been in existence for a period of at least 3 years
The SP should have been a profit-making entity in the last 2 years
The SP should have a pool of resources who possess qualifications such as:
CISA / CISSP / CCNA / CISM / GIAC (SANS)
The SP should have carried out at least two audits similar to that described above,
in a central bank of similar size or in a commercial bank in Seychelles
Part D
1.1 Bank Property: All data or information supplied by the Bank to the SP in
connection with the services being provided by SP (“the Services”) shall
remain the property of the Bank or its licensors. All deliverables to the
extent prepared by SP hereunder for delivery to the Bank (“the
Deliverables”) shall be the property of the Bank.
1.3 Use of Deliverables and Services: The Deliverables and SP’s Services
(including any related recommendations and advice) are intended solely for
the information and use of the Bank’s Management, Directors, Officers and
employees and may not be disclosed to any other person without the prior
written consent of SP (other than the Bank’s external auditors, subject to
their agreement that none of the Deliverables, or any portion thereof, shall
be further disclosed to any other person or entity except as required by law
or professional obligation and that such auditors shall in no event make any
claims against SP arising out of or in connection with the Deliverables). If
the Deliverables or Services (including any portion, abstract or summary
thereof, whether oral or in writing) are disclosed to an unauthorized third
party, the Bank agrees to indemnify and hold harmless SP, its partners,
employees, agents and advisors from and against all claims, causes of
action, liabilities, losses, damages, costs, and expenses (including, without
limitation, reasonable attorneys' fees) resulting from such disclosure.
2. Confidential Information
generally known to the public and that under all the circumstances should
reasonably to be treated as confidential or proprietary, whether or not the
material is specifically marked as confidential. Notwithstanding the
foregoing, Confidential Information does not include information that: (i) is,
as of the time of its disclosure, or thereafter becomes, part of the public
domain through a source other than the receiving party; (ii) was known to
the receiving party as of the time of its disclosure; (iii) is independently
developed by the receiving party without reference to the Confidential
Information; or (iv) is subsequently learned from a third party not known
by the receiving party to be subject to an obligation of confidentiality with
respect to the information disclosed.
2.2 Exceptions: Nothing in this Agreement shall limit the ability of a party in
possession of the Confidential Information of the other to disclose such
Confidential Information, and such party shall have no liability for such
disclosure, if such disclosure is: (i) required to be disclosed pursuant to law,
regulation, professional responsibility, government authority, duly
authorized subpoena or court order whereupon the disclosing party will
provide notice to the other party prior to such disclosure; (ii) required to be
disclosed to a court or other tribunal in connection with the enforcement of
such party’s rights under this Agreement; or (iii) is approved for disclosure
by the prior written consent of the other party.
2.3 Survival of Restrictions: The terms of this Section will survive the
termination of this Agreement and will continue in full force and effect for a
period of twelve months from the date of such termination or as otherwise
required by law or regulation.
3. Relationship of Parties
4. Testing Services
this Section shall apply and the Bank hereby consents to SP performing the
Testing Services.
If the testing services involve third party SPs, the Bank shall obtain all
necessary consents of third party SPs. This consent shall be in the form
attached to this letter.
The Bank shall have no recourse against, and shall bring no claim (in the
nature of contribution or otherwise) against, SP or their respective partners,
officers, directors, and employees with respect to (i) any third-party claim
(from all causes of action of any kind, including contract, tort or otherwise)
against the Bank or its subsidiaries or affiliates related to or arising out of
the Testing Services provided hereunder, or (ii) any losses, liabilities,
damages or expenses (including attorneys’ fees and expenses) incurred by
the Bank or its subsidiaries or affiliates as a result of any such third-party
claim. In addition, the Bank shall indemnify and hold harmless SP, and their
respective partners, officers, directors, and employees (“SP Indemnitees”)
from and against (i) all claims and causes of action of any kind, including
contract, tort or otherwise, by any third party related to or arising out of the
Annex 1
The Information Systems Audit at the very least must cover all of the following
areas:
1. Server Infrastructure
1.1 Hardware
1.2 Operating system software
1.3 Application software
1.4 Server configuration and setup
1.5 Server infrastructure security
2. Network
2.1 Hardware and cabling
2.2 Network configuration and setup
2.3 Local Area Network
2.4 Wide Area Network
2.5 Internet connectivity
2.6 Domain and its management
2.7 Logical access management
2.8 Networked resources
2.9 Network security
3. User Systems
3.1 Desktop computers
3.1.1 Hardware
3.1.2 Operating system software
3.1.3 Application software (standard setup)
3.1.4 Configuration and setup
3.1.5 Security of desktop computers
3.2 Laptop computers
3.2.1 Hardware
3.2.2 Operating system software
The audit report should review all the above at a minimum and should provide the
Bank with a comprehensive list of recommendations, which it can implement to
improve the services and support provided by TSD, as well as the security and
continuity of the Bank’s information assets and information processing facilities.