
Corporation Bank

Tender Reference Number: ITD/07/2013-14
Date: 19.09.2013

For Availing

Managed IT Security Services

Price of Tender Document : Rs. 5,000/- (Rupees Five Thousand only)
Earnest Money Deposit : Rs. 2,00,000/- (Rupees Two Lakhs Only)

Page 1 of 78 Corporation Bank Tender - ITD/07/2013-14 dated 19/09/2013


TABLE OF CONTENTS
Introduction ........ 4
Request for Quotation ........ 4
Tender Reference ........ 4
Contact Numbers ........ 4
Opening of technical offers ........ 4
Instructions to Service Providers ........ 5
1. Two Bid System Offer ........ 5
2. Schedule of Requirements ........ 5
3. Qualification Criteria ........ 6
4. Terms and Conditions ........ 6
5. Offer Validity Period ........ 6
6. Address for Communication ........ 7
7. Proposal Ownership ........ 7
8. Modification and Withdrawal of Offers ........ 7
9. Opening of Technical offers ........ 7
10. Preliminary Scrutiny ........ 7
11. Clarification of Offers ........ 7
12. No Commitment to Accept Lowest or Any Offer ........ 7
13. Documentation ........ 7
14. Submission of Technical Details ........ 8
15. Format for Technical Offer ........ 8
16. Format for Commercial Offer ........ 8
17. Erasures or Alterations ........ 9
18. Costs & Currency ........ 9
19. Fixed Price ........ 10
20. Price Comparison ........ 10
21. Negotiation ........ 10
22. Short-listing of Bidders / Techno Commercial Evaluation ........ 10
23. Right to alter the availment of any specific Services ........ 14
24. Downloading of Tender document from bank’s website ........ 14
Qualification Criteria ........ 16
1. Eligibility of the Service Provider ........ 16
Terms and Conditions ........ 17
1. Payment Terms ........ 17
2. Pricing & Payments ........ 17
3. Contract period ........ 17
4. Start of Services ........ 17
5. Delay in operationalising the services ........ 18
6. Liquidated Damages ........ 18
7. Service Level Agreement ........ 18
8. Review of the Agreement ........ 13
9. Repeat order ........ 24
10. Review of performance ........ 24
11. Confidentiality & Non-Disclosure ........ 25
12. Performance bank guarantee ........ 25
13. Cancellation of Order ........ 25
14. Termination of Services by the Service Provider ........ 25
15. Indemnity ........ 25
16. Business Resumption and Contingency Plans ........ 26

17. Publicity ........ 26
18. Force Majeure ........ 26
Annexure A – Scope/Specifications of the Services ........ 28
Annexure B – Checklist for Product Documentation ........ 54
Annexure C – Covering letter format ........ 54
Annexure D – Details of the Service Provider ........ 57
Annexure E – Track Record of Past Operations ........ 59
Annexure F – Format For Submission of Technical Bid ........ 60
Annexure G – Price Schedule Technical Bid ........ 61
Annexure H – Price Schedule Commercial Bid ........ 64
Annexure I – Standard reports to be provided by the service provider ........ 67
Annexure J – Inventory Details ........ 68
Annexure K – Format of BG for EMD ........ 69
Annexure L – Format of BG for Performance Guarantee ........ 72
Annexure M – Implementation of RBI Workgroup Recommendations – Broad Scope ........ 74

Request for Quotation
Corporation Bank hereinafter referred to as the Bank, invites sealed offers (technical and
commercial) for providing Managed IT Security Services described in short under ‘Schedule of
Requirements’ and more fully described in Annexure A of this document, for a period of 3 years. The
details are given below:

Tender Reference : ITD/07/2013-14 Date : 19.09.2013

Start of the sale of tender document : 19.09.2013
Date of Pre-bid meeting : 03.10.2013
Last Date for receipt of offers : 11.10.2013 at 16:00 Hours
Date and time of opening technical offer : 11.10.2013 at 16:30 Hours
Address for Communication : The Deputy General Manager
Information Technology Division
Corporation Bank,
Head Office, Mangaladevi Temple Road,
Mangalore – 575001
Contact Numbers : Phone : (0824) 2426416 to 2426420
2426445 (Direct)
Email : skumar@corpbank.co.in
Fax : (0824) 2421712

Opening of technical offers:

Technical offers received by the Bank will be opened in the presence of the vendors’
representatives who choose to attend the opening on the date and time specified above. Only
the Vendors who have submitted their offers in response to this tender are permitted to attend
the opening.

The vendors interested in participating in the purchase process under this tender may send
queries on or before 28.09.2013 in writing to the above address and to the mail-id
purchase@corpbank.co.in. The Bank will publish changes in terms and conditions, if any, on the
Bank’s website www.corpbank.in at least one week before the closing date of the tender. In order to
facilitate timely clarification and submission of offers, any queries submitted after the
date specified above will not be considered for a response from the Bank. The vendors
interested in participating in the purchase process under this tender should revisit our website
www.corpbank.in for clarifications, if any, issued in respect of this tender.

Earnest Money Deposit (EMD) of Rs. 2.00 lacs must accompany the Technical Offer as specified
in this tender document. Offers received without EMD will be rejected. EMD can be submitted
through a Demand Draft payable at Mangalore or through a Bank Guarantee (as per Format K)
issued by a Public Sector Bank, valid for nine (9) months from the date of issue.

Instructions to Service Providers

Two Bid System Offer

Two copies of the offers (both Technical & commercial) must be submitted at the same time, giving
full particulars in TWO SEPARATE sealed envelopes at the Bank’s address given below, on or before
16.00 hours on 11.10.2013.

Bank’s address
The Deputy General Manager
Corporation Bank,
Information Technology Division
Head Office, Mangala Devi Temple Road
Mangalore – 575001

Offers received after the last date and time specified for such receipt will be rejected. All envelopes should
be securely sealed and stamped.

Both of the sealed envelopes containing offers must be submitted to the Bank
directly, as under:

Envelope-T : Technical [Original] & Technical [Duplicate]


Envelope-C : Commercial [Original] & Commercial [Duplicate]

Each of the above offers must be labeled with the following information:

• Type of Offer : (Technical or Commercial)


• Copy : (Original or Duplicate)
• Tender Reference Number :
• Due Date :
• Name of the Vendor:

The Duplicate Offer must be identical in all respects to the Original offer submitted to the Bank, and must
contain all the above information specified.

ENVELOPE- T (Technical Offer): [2 Copies i.e., Original and Duplicate]

The Technical Offer (T.O.) should be complete in all respects and contain all information asked for, except
prices, as per Annexure A. The Technical Offer should not contain any price information. The
Technical Offer should be submitted in 2 copies in a closed envelope to the Bank (marked as original and
duplicate). The T.O. should be complete enough to indicate that all products and services asked for are quoted. For
example, the Technical Offer should mention that charges for all the services sought in this tender are
included in the Commercial Offer. Further, it should also contain a confirmation by the bidder that amounts
have been quoted in respect of each row and column of the Commercial Offer, in full, without any omission or
clubbing.

EMD DD/BG and Tender cost should be enclosed with the original Technical Offer being
submitted to the Bank. The offers not in line with the above will be summarily rejected without
assigning any reasons.

ENVELOPE-C (Commercial Offer): [2 Copies – i.e., Original and Duplicate]

The Commercial Offer (C.O.) should give all relevant price information and should not contradict the T.O. in
any manner. The Commercial Offer should be submitted in 2 copies in a closed envelope to the Bank
(marked as original and duplicate).

Technical and Commercial Offers must be submitted separately, in different envelopes. It may be
noted that if any envelope is found to contain both technical and commercial offers, such offer will be
rejected.

Schedule of Requirements
The Bank intends to strengthen its Information Systems Security by engaging vendors for continuous
review, monitoring, management and mitigation of IT risks, threats and vulnerabilities. The Bank is
envisaging a model which will be a combination of onsite and remote services offered by the vendor.
Under this engagement, the prospective vendor is expected to provide on-site services by deploying
appropriate resource personnel at the Bank’s Data Centre on a 24x7 basis (3 shifts, with a minimum of one
resource for each shift) and to provide the remote services from their Security Operations Center
(SOC). The scope of the engagement involves monitoring of the infrastructure and operations in the Data
Centre at Bangalore, the DR Centre at Mangalore and other IT Assets at Mumbai. The vendor shall
provide the resources as per the requirements detailed under the para ‘Service Delivery Methodology’.

As a part of this engagement, the selected vendor will be required to deliver the following on a
continuous basis:
• Prescribe, manage and implement baseline security levels for infrastructure assets
• Security monitoring of assets against attacks
• Monitor ATM / Mobile Banking / Internet Banking interfaces to Core Banking
• Manage security of applications and processes
• Provide total Anti-Phishing services in respect of the Bank’s website and Internet Banking websites
• Ensure Malware Scanning / protection
• Provide Security Intelligence on a continuous basis
• Vulnerability assessment, Intrusion detection and Penetration testing at periodic intervals
• Mitigate security risks identified
• Implement the best practices / baselined secured configuration of assets
• Provide updates on the latest Operating System patches and their relevance to our systems
• Monitor the changes in security settings / routing rules in networking devices / Servers
• Proactive monitoring of assets against DoS / DDoS attacks
• Review various IT related policies of the Bank in terms of adequacy, appropriateness and
concurrency with the present environment
• Recommend enhancement of security with proper justification wherever required
• Preparation, implementation and certification work related to both the preparatory and actual
process of certification in respect of implementation of ISMS and ISO 27001 certification
• Services in respect of implementation of the recommendations of the RBI workgroup on IT
Domains in the Bank – a one-time exercise

This document constitutes a formal Request For Proposal (RFP) from Service Providers (SP) for
outsourcing Managed Security Services operations under the scope of work mentioned in Annexure A.

Qualification Criteria

Only the Service Providers who meet all the qualifications mentioned in “Qualification Criteria” of the
tender are eligible to participate in the tender. The bidder should provide sufficient proof /
documents.

Terms and Conditions

Terms and conditions for bidders who participate in this tender are specified in the section named
“Terms and Conditions”. These terms and conditions are binding on all the Service Providers. These
terms and conditions will form part of the Purchase Order [PO] and SLA to be entered into with the
successful bidder.

Offer Validity Period

The Offer should hold good for a period of 180 days from the date of opening of the commercial
offer.

Address for Communication

The Deputy General Manager


Corporation Bank
I.T.Division, Head Office
Mangala Devi Temple Road,
Mangalore – 575001
Phone : 0824 2426445

Proposal Ownership
The proposal and all supporting documentation submitted by the Service Provider shall become the
property of the Bank.

Modification and Withdrawal of Offers

Service Providers are not allowed to modify their offers once submitted. However, Service Providers
are allowed to withdraw their offers any time before the last date and time specified for closing of the
tender. No offer can be withdrawn by a Service Provider after the closing date and time for
submission of offers.

Opening of Technical offers

Technical Offers received within the prescribed closing date and time will be opened in the presence
of bidder’s representatives who choose to attend the opening of the Offer on the date and time
specified in this tender document. The bidder’s representatives present shall sign a register of
attendance.

Preliminary Scrutiny

The Bank will scrutinize the offers received to determine whether they are complete and as per tender
requirement, whether technical documentation as asked for and required to evaluate the offer has
been submitted, whether the documents have been properly signed and whether items are offered as
per the tender requirements. Offers not meeting the qualification criteria will be rejected.

Clarification of Offers

To assist in the scrutiny, evaluation and comparison of offers, the Bank may, at its discretion, ask
some or all bidders for clarifications on the offer made by them. The request for such clarifications
and the bidder’s response will necessarily be in writing and shall be received by the Bank before the
date for submission of the queries as mentioned in the letter. The clarification submitted by the
vendors will form part of the offer document.

No Commitment to Accept Lowest or Any Offer

The Bank is under no obligation to accept the lowest or any other offer received in response to this
Tender and reserves its right to reject all the offers including incomplete offers without assigning any
reason whatsoever.

Documentation

Technical information in the form of Brochures/Manuals/CD etc. must be submitted in support of the
Offer made. Annexure B provides a suggested checklist for documentation to be submitted by the
bidder.

Submission of Technical Details

It is mandatory to provide the technical details in the exact format (Annexure F) given in this tender.

The offer may not be evaluated and can be rejected by the Bank in case of non-adherence to the
format or partial submission of technical information as per the format given in the offer. The Bank
shall not allow/permit changes in technical specifications after due date for submission of offers.
Failure to submit the required information along with the Technical Offer could result in
disqualification of the offer.

It should be distinctly understood that in case of ambiguity or lack of clarity in the documents
submitted by the bidders towards scoring criteria, the decision of the Bank is final for awarding the
marks against each of the specified items. Hence, it is imperative that the bidder should submit all the
documents / POs/ letters from other Banks with clarity of the services rendered. The Bank is not under
any obligation to seek clarifications from the bidder in this regard, but will proceed to award marks
on the basis of the documents submitted.

Format for Technical Offer

The Technical Offer should be made in an organized, structured and neat manner. Brochures/leaflets
etc. should not be submitted in loose form.

The suggested format for submission of Technical Offer is as follows:

1. Index
2. Covering letter. This should be as per Annexure C.
3. Details of the bidder as per Annexure D.
4. Technical Offer as per Specifications as given in Annexure A and in the format provided in
Annexure F, complete with all the columns filled in.
5. Terms and Conditions Compliance Table in Annexure C1. This annexure must cover the bidder’s
response to all the terms and conditions specified in the offer document, as below:

Term No.   Short Description of term   Complied (Yes/No)   Detailed explanation about deviation, if not complied
1 to 19 (last)

6. Technical Documentation (Product Brochures, leaflets, manuals etc.) as per Annexure B. An
index of technical documentation submitted with the offer must be enclosed.
7. Track record, as per Annexure E
8. Annexure G [Technical Version]
9. Bidder’s Financial Details (audited balance sheets etc.) and other supporting documents, as
asked in the tender document
10. Earnest Money Deposit (EMD) – Refer Annexure K for format

Format for Commercial Offer

The Commercial offer must not contradict the Technical Offer in any manner. The suggested format
for submission of Commercial Offer is as follows:

Index
Covering letter as per Annexure C.
Price Schedule as per Annexure H.

A statement that the bidder is agreeable to the Payment schedule given in the tender.

The Commercial Offer should not contain anything other than what is specified in Annexure H –
Commercial version. More particularly, any statement or request for deviation in either Technical
specifications or Terms & Conditions specified in the Tender should not form part of the Commercial
Offer. If any Commercial Offer contains such requests or submissions, the offer will be
summarily rejected without any further process or communication in this regard. Any Commercial
Offer which is conditional and/or qualified or subject to suggestions will also be summarily
rejected. Further, the amount should be quoted in respect of each row and column, in full, without any
omission or clubbing, as required in the Commercial Offer.

The format shall not be modified by the bidder and such changes in the format may lead to rejection
of the bid.

Erasures or Alterations

The Offers containing erasures or alterations will not be considered. There should be no hand-written
material, corrections or alterations in the offer. Technical details must be completely filled in. Correct
technical information of the product being offered must be filled in. Filling up of the information using
terms such as “OK”, “accepted”, “noted”, “as given in brochure/manual” is not acceptable. The Bank
may treat such Offers as not adhering to the tender guidelines and as unacceptable.

Location of Service

The Bank is envisaging a model which will be a combination of onsite and remote services offered
by the vendor. Under this engagement, the prospective vendor is expected to provide the on-site
services by deploying appropriate dedicated resource personnel, with the required qualification and
experience, at the Bank’s Data Centre located at Bangalore on a 24x7 basis (3 shifts, with a minimum of one
resource for each shift), and to provide the remote services from their Security Operations Center
(SOC). The scope of the engagement involves monitoring of the infrastructure and operations in our
Data Centre / Reliance Managed Data Centre, Bangalore, the DR centre at Mangalore and other IT
Assets at Mumbai.

Costs & Currency

The Offer must be made in Indian Rupees only, including the following:

1. Charges for all the Services envisaged in this Tender, including any levies, duties, charges etc.
2. The cost quoted should include the dedicated, competent and qualified on-site resource personnel
on a 24 x 7 basis for the exclusive work of Managed Security Services. The team so deployed is towards
providing the various services specified, and hence the cost of this onsite team should also be included
along with the respective charges for each of the services. There will not be any separate payment
towards onsite support, as it should be included as a part of the respective cost of services.
3. The cost quoted should include the monitoring services rendered through their SOC on a 24 x 7
basis.
4. The cost quoted should include all other expenses that may arise on account of any tie-up
required, as no separate charges will be paid.
5. All other incidental expenses, of whatsoever nature, for rendering the required services, as
no separate charges will be paid.
6. No other additional cost shall be payable by the Bank on account of any software / tools used by
the Service Provider for rendering the services as required in the Tender. The Service Provider
should make his own arrangement for providing such software / tools used at his own cost. Bank
is only availing services of the Service Provider. The responsibility to ensure that only legal,
authorized, licensed versions of software / tools [provided by the Service Provider and used by its
employees] are used for extending the required services, lies with the Service Provider only.

7. The rates quoted shall be exclusive of all taxes including service taxes.
8. However, the Service Provider should indicate all current taxes applicable, as on date of
submission of offer, in respect of the services to be extended by them as required in the Tender.
Please indicate both in Annexure G and Annexure H.

Fixed Price

The Commercial Offer shall be on a fixed price basis, but exclusive of all taxes. No price increase is
permitted, other than the variation of applicable tax as announced by the tax authorities. In case of
any variation in tax, the Service Provider should submit the relevant guidelines describing the change
in the tax structure or applicability. Please note that the Bank will not pay any amount towards any
customization towards meeting the specifications of services mentioned in Annexure A.

Price Comparison

All the offers will be compared on the basis of the price offered (exclusive of all taxes) and will be
taken up for techno-commercial evaluation.

Negotiation

It is absolutely essential for the Service Providers to quote the lowest price at the time of making the
offer, in their own interest, as the Bank will not enter into any price negotiations except with the
technically qualified bidder securing the highest score in the techno-commercial evaluation, in line with
the evaluation methodology specified in this tender.

Short-listing of Service Providers

The Bank will prepare a short-list of SPs on the basis of submission of proof towards eligibility,
suitability of the technical service delivery methodology as compared to the specifications provided in
this tender, and acceptance of the terms & conditions. The overall technical evaluation and short-
listing will be based on the following aspects:
• Submission of proof towards the Qualification Criteria specified in the tender
• Compliance to Technical specifications / requirements as against the Technical requirements specified
• Suitability of the technical service delivery methodology / implementation methodology described
in the Technical Bid, as compared to the specifications provided in this tender
• Acceptance of the terms & conditions in full without any deviation
• Past experience and past performance of the vendor, as evidenced by the documents and by the
Bank’s experience

The Bank will short list the service providers on the above basis and the commercial offers of only
these short listed Service Providers will be opened. The Bank will intimate the date and time of
opening of Commercial Offers to the Service Providers, whose offers are shortlisted. After opening of
the Commercial Offers of the shortlisted vendors, a techno commercial evaluation (the methodology
is specified in this tender document) will be made to determine the successful bidder.

Technical Bid

The eligibility criteria for the service providers to qualify are clearly mentioned in the Para “Qualification
Criteria” specified in the tender. The Service Providers should submit the documents / PO copies /
credential letters issued by other Banks etc. against each of the items 1.1 to 1.10 specified in the Para
“Qualification Criteria”. All the credentials of the service provider necessarily need to be relevant to
the Indian market. The relevant submissions, along with supporting documents, are to be submitted
by the Bidder in the Technical Bid. Only service providers who meet these criteria will qualify for
further evaluation in the tender process. The decision of the Bank shall be final and binding on all the
bidders to this document. The Bank may accept or reject an offer without assigning any reason
whatsoever.

The service provider should submit their offering and compliance to the various items listed in the
“Specification of Services” along with the Technical Bid. The submissions / compliance will be
evaluated during the technical bid evaluation stage for short-listing of service providers for the
purpose of further evaluation in the tender. Hence, the service provider has to state their
compliance as a clear ‘yes’ or ‘no’.

If required for the purpose of assisting the technical evaluation, the Bank may call for a
presentation at any time before opening the commercial bids to satisfy itself about the capabilities of the
SP, their facilities etc. If the SP, when called for, does not come with a presentation or does not turn
up for the presentation, it will be construed that the SP is not interested in the proposal and the SP shall stand
disqualified from the process, without assigning any further reasons.

Technical Evaluation and scoring

The Service Providers should submit the documents / PO copies / credential letters issued by Banks
etc. against each of the items specified in the Para “Technical Bid Scoring Evaluation Criteria”. All the
credentials of the service provider necessarily need to be relevant to the Indian market and from the
type of institution specified therein. The relevant submissions, along with supporting documents, are to be
submitted by the Bidder in the Technical Bid. It is imperative that the bidder submit all the
documents / POs / letters from other Banks with clarity on the services rendered. The Bank is not under
any obligation to seek clarifications from the bidder in this regard, but will proceed to award marks on
the basis of the documents submitted. In case of ambiguity or lack of clarity in the documents
submitted by the service providers towards the scoring criteria, the decision of the Bank is final for
awarding the marks against each of the specified items.

Technical Bid Scoring Evaluation Criteria

The table below highlights the parameters under the technical criteria and the methodology for awarding
marks to the Service Provider based on the credentials to be submitted. The vendor is to submit
appropriate credentials [other than self-certification] in respect of each of the items.

Criteria | Evaluation Parameters / Credentials / Experience | Credentials for awarding score | Max Marks

It should be distinctly understood that in case of ambiguity or lack of clarity in the documents
submitted, the decision of the Bank is final for awarding the marks against each of the specified items.

01. Bidder’s number of years of experience in providing SOC services [Max Marks: 8]
The marks to be awarded as per the credentials submitted in respect of clients serviced:
- 8 marks for 5 years and above
- 4 marks for 3 years and above
Please provide PO copies for the customers serviced from the bidder’s SOC and also proof of
establishment of the SOC.

02. The Bidder’s experience in providing Managed IT security services to PSU Banks [Max Marks: 8]
The marks to be awarded as per the credentials submitted in respect of clients serviced:
- 8 marks for providing services to more than 3 PSU Banks
- 6 marks for providing services to more than 2 PSU Banks
- 4 marks for providing services to one PSU Bank
- 3 marks for providing services only to other financial organizations
Please provide PO copies for the customers serviced from the bidder’s SOC and also proof of
establishment of the SOC.

03. Experience in respect of having provided various services sought in this RFP to other PSU Banks
[Max Marks: 30]
[a] Log monitoring
[b] Security Base lining
[c] Malware scanning
[d] Website monitoring (with techniques like digital watermark, by the SP and not outsourced)
[e] Vulnerability Assessment
3 marks for each of the activities if provided for one PSU Bank and 6 marks for each activity if
provided for more than one Bank.
The credential letters should be clear that the service provider has provided the activity to those
banks. Credential letters & POs should be provided with clarity on the services provided in order to
award appropriate marks.

04. Proposed SOC solution of the bidder should be of Gartner leader quadrant [Max Marks: 6]
- 6 marks for those bidders who have implemented the solution present in the Gartner leaders quadrant
- 2 marks for others
Please provide the Gartner report of recent years.

05. Anti-phishing Services [Max Marks: 10]
- 10 marks for Anti-phishing Services provided through the Bidder’s SOC deploying their own tools
for detection and monitoring software
- 6 marks for services in case they are dependent on a third party vendor for identifying the attacks
and do not have their own capabilities for detection
Please provide the credential letters from the Banks for having implemented.

06. Penetration Testing [Max Marks: 10]
- 8 marks for having provided Penetration testing to three or more PSU Banks
- 6 marks for having provided Penetration testing to two or more PSU Banks
- 4 marks for having provided Penetration testing to at least one PSU Bank
- 2 marks if Credential based Penetration testing is provided to any PSU Bank
Please provide the credential letters from the Banks for having implemented.

06. Service Provider’s experience in implementation of ISMS in PSU Banks / implementation of ISO
27001 in PSU Banks [Max Marks: 10]
- 10 marks for implementation in three PSU Banks
- 8 marks for implementation in two PSU Banks
- 5 marks for implementation in at least one PSU Bank
- 3 marks for implementation in other financial organizations only and not in any PSU Banks
Please provide the credential letters from the Banks for having implemented.

07. Total number of Technical Resources in the organization having professional certifications of
CISA / CISSP. They should also have experience in SOC operations. [Max Marks: 6]
- 6 marks for more than 10 professionals
- 4 marks for more than 5 professionals
- 2 marks if less than 5
Need to share the profiles & certification copies of the resources and a commitment letter that at least
two will lead the project for the Bank.

08. Integrated Delivery console of the Portal [Max Marks: 6]
Single window of all the status of the services delivered through online web access without
any configuration at the client;
(i) Should provide screen shots of the features available in the Integrated Delivery Console and, if
need be, should be able to demonstrate to the satisfaction of the Bank – 3 marks;
(ii) Certificate from the existing customer with remarks on coverage of various services delivered – 3 marks.

09. Service Provider’s experience in conducting gap analysis in respect of implementation of
recommendations of the RBI Workgroup (Sri. G.Gopalakrishna Committee) and implementation of the
same [Max Marks: 6]
- 6 marks for implementation in three PSU Banks
- 3 marks for implementation in less than three PSU Banks but at least in one PSU Bank
Please provide the credential letters from the Banks for having implemented.

Total Marks for the technical evaluation: 100

Only the Bidder/s scoring 50 marks and above shall be considered as Technically qualified and are
further eligible for Techno-Commercial evaluation.

Note:
- PSU Banks means Public Sector Banks in India
- Banks include all Commercial Banks, except RRBs and Co-operative Banks
- Terms – Bidder, Service Provider [SP] and Vendor are used interchangeably
- The bidder is required to provide documentary evidence for each of the above criteria.
- The Bank shall verify the credentials submitted with the respective issuer and understand the
credentials claimed for the purpose of evaluation and awarding marks.

Commercial Bid

Commercial bids of only those vendors who have qualified in the technical evaluation will be opened.
The lowest Total Cost of Service (TCS) shall be taken into consideration for evaluation of the
commercial bid. The SP shall not add any conditions / deviations in the commercial bid. Any
statement or request for deviation in either Technical specifications or Terms & Conditions specified in
the Tender should not form part of Commercial Offer. In case if any commercial offers contain such
requests or submissions the offer will be summarily rejected without any further process or
communication in this regard. Any commercial offer, which is conditional and /or qualified or
subjected to suggestions, will also be summarily rejected. Rate per month, rate for 12 months,
applicable taxes for each of the rows must be filled and should not be left blank. Individual amount
to be mentioned in respect of each row / column and clubbing is not permitted. If so, the bid attracts
rejection.

Techno-Commercial Evaluation criteria:

There will be a Techno-commercial evaluation in which the Technical evaluation shall have
70% weightage and the Commercial evaluation shall have 30% weightage. This weightage shall
be taken into consideration for arriving at the Successful Bidder. The bidder getting the highest score in
the techno-commercial evaluation will be declared the successful bidder. The evaluation methodology
vis-à-vis the weightages is as under:

Score (S) will be calculated for all technically qualified bidders using the following formula:

S = (Technical Score of the Bid / 100 (Max tech score)) x 70 + (Lowest TCS of all Bids / TCS of the Bid) x 30

C stands for the TCS quoted in a particular bid; C (low) stands for the lowest TCS value among all the
bids; T stands for the technical score secured; TCS stands for Total Cost of Services.

# | Bidder | Technical Evaluation Marks (T) | Bid Price (C) | (T / 100) * 70 | (C low / C) * 30 | Score (S)
1 | BID-1 | 63 | 81 | (63/100)*70 = 44.10 | 68/81*30 = 25.18 | 69.28
2 | BID-2 | 60 | 72 | (60/100)*70 = 42 | 68/72*30 = 28.33 | 68.33
3 | BID-3 | 57 | 68 | (57/100)*70 = 39.90 | 68/68*30 = 30 | 69.90

In the above example, C low is 68.

In the above example, BID-3, with the highest score (S), becomes the successful bidder.
The Bank reserves the right to negotiate the price with the highest scoring bidder before awarding the
contract in case of necessity. It may be noted that the Bank will not entertain any price negotiations with
any other bidder.

Right to alter the availment of any specific Services

The Bank has specified the required services in the Annexure A and also sought the details of the cost
of services in respect each of the services in the Annexure G [Technical] and Annexure H –
Commercial Bid, for the purpose of uniform evaluation of the Bids. However, the Bank reserves the
right to avail or not avail any of the services specified in this Tender document, according to the
actual requirement under the changed circumstances, either at the start of contract or with prior
intimation subsequently. The Service Provider to consider the above and submit the pricing in the
commercial bid accordingly with all the bifurcations, so that each of the activity is properly priced as
an individual component. The Commercial Bid without bifurcation of cost for each of the activity &
for each line item will be summarily rejected.

Downloading of Tender document from bank’s website

The tender document is also available for download from the bank’s website www.corpbank.in.
Those who choose to download the tender document from our website are required to pay the price
of the tender along with submission of their offer. They are also required to confirm in writing that they
have not modified any part of the tender and abide by the same. If any Bidder fails to pay the price
of the tender document, his offer will be rejected.

In case of any dispute/discrepancy, the physical version of the tender available with the Bank will be
final & binding on everyone participating in the tender.

Address for placing Purchase Order

Bidder should clearly indicate the address of their office to which the Bank has to send the Purchase
Order if the bidder emerges as successful in the tender process.

Service Level Agreement (SLA)

The successful bidder should execute a Service Level Agreement (SLA) to provide necessary service on
24 x 7 basis covering all Terms & Conditions of this Tender.

Qualification Criteria

Eligibility of the Service Provider

1.1 The bidder should be a registered corporate in India registered under the Companies Act,
1956 or A company/statutory body owned by Central/State Government. [Provide
documentary proof in respect of this]
1.2 The bidder should be a CERT IN Empanelled member [Please provide CERT IN empanelment
letter/ credential]
1.3 The bidder should have been providing Managed IT security services in India for minimum of
three years as on 30.06.2013. [Provide PO copies in support of the same]
1.4 The bidder should own and have been managing well established Security Operations Centre
(SOC) in India. Bidder shall provide the details of the SOC owned by them like the location,
infrastructure, tools used, companies served, process and methodology, staff employed,
availability of DR facilities etc. [Provide document in support of having established SOC]
1.5 The SOC should be ISO 27001 certified offering similar services [at least major services listed
in RFP, including Anti-Phishing Services, VA&PT, Web site monitoring etc.] to minimum 3 Indian
financial institutions out of which at least ONE should be a PSU Bank. [Provide PO copies in
support of the same]
1.6 SOC should be operational with at least one PSU Bank as the servicing client in last two years.
[Provide PO copies in support of the same for the last two years]
1.7 The bidder should have executed at least One security project in India, of minimum Rs.25
lakhs per annum which does not include the product cost, but only services cost. [Provide PO
copies in support of the same].
1.8 The Lead Project Manager should have been with the bidding firm for at least two years and
should have prior experience in handling at least one big security services project for a BFSI
customer in India
1.9 The service provider shall not assign or sub-contract the assignment or any part thereof to any
other person/firm.
1.10 The bidder shall submit a letter of undertaking that they have not been blacklisted by any
commercial bank in India.

Eligibility will be assessed on the basis of the above criteria and the bank reserves the right to reject
responses not meeting the qualification criteria. The tender participants shall provide documentary
proof for each of the above qualification criteria. A list with brief details of the documents submitted
against each of the above should be submitted along with the covering letter in the format as per Annexure-
C.

Earnest Money Deposit (EMD)

Vendors are required to give EMD by way of a Demand Draft/Bank Guarantee valid for 180 days
from the due date of the tender for Rs 2,00,000/- (Rupees Two Lakhs only) as Earnest
money Deposit (EMD) along with their Offer. Offers made without E.M.D. will be rejected. The
format for the Bank Guarantee is attached to this tender document (Annexure K).

EMD amount of unsuccessful bidders will be returned after completion of tender process. EMD
amount of successful bidder will be returned against a performance Bank Guarantee as specified
in Annexure L of the Tender, after completion of one month of satisfactory services.

Terms and Conditions

1. Payment Terms

[a] The Bank shall make the payments on a monthly basis in arrears based on the Tax Invoice
submitted by the Service Provider for each of the activities undertaken and included under “Annual
Recurring Charges for MSS” in the commercial bid format of the tender.

[b] The Bank shall make payments as under in respect of the “Charges towards ISMS implementation
and certification”
i. 30% of the amount on preparation of statement of applicability and filing the application and
presentation to the management
ii. 35% of the amount on completion of the audit process for certification
iii. 15% of the amount on completion of the certification
iv. 10% of the amount on completion of the surveillance audit
v. 10% of the amount on completion of the surveillance audit

[c] The Bank shall make payments as under in respect of the “Service support charges towards
implementation of RBI Workgroup recommendations on IT domains/ IT Security”
i. 20% of the amount after arriving at precise action plan in respect of all pending
recommendations and finalization with the Bank’s Project Team.
ii. 80% on the amount after implementation and presentation to the Management.

[d] The Bank shall make payments on a monthly basis in respect of take down of phishing sites at the
rates arrived, as per the actual number of take downs permitted by the Bank and complied with
the same by the SP during the completed calendar month, against submission of necessary
documentary evidence and tax invoice.

2. Pricing & Payments

The price offered to the Bank must be in Indian Rupees, exclusive of all taxes. No price increase is
permitted, other than variation of the applicable tax as announced by the tax authorities. In case of
any variation in tax, the Service Provider should submit the relevant guidelines describing the change
in the tax structure or its applicability.

3. Contract period

The contract shall be for a period of three years from the date of start of Services and it is subject to
a review of performance at the end of every year. The bidder, if successful, shall also undertake to
continue support, even after expiry of the three-year contract period, till the next Service Provider
finalized by the Bank takes over the services.

4. Start of Services

The Service Provider shall be responsible for operationalising all the services under the tender in
consultation with Bank within one month from the date of Letter of Intent / Purchase Order. However,
the vendor to deploy resources within 15 days from the date of Letter of Intent / Purchase Order and
start transition process. The responsibility of collecting all the required information pertaining to the
present systems of the bank shall be with the service provider. All tools/software used by the Service
Provider should be authenticated and licensed and there shall not be any license related issue for use
while delivering the service in the Bank and / or to be used in the Bank towards delivering the service
under this engagement. The Bank shall not make any additional investment in this regard, except for
the charges quoted in the commercial offer and accepted by the Bank.

5. Delay in operationalising the services

For any delay in operationalisation beyond 2 months, a penalty of 0.5% of yearly order value per
week will be charged. For any delay less than a week, the penalty will be charged proportionately.

6. Liquidated Damages

If the Service Provider fails in operationalising the services as per the terms of this tender or the
vendor is not able to provide the service as per Service Level Agreement (SLA), the Bank shall be
entitled to charge penalty/liquidated damages @ 0.5% of the yearly order value per week or part
thereof, subject to a maximum of 10% of the order value.

7. Service Level Agreement

The vendor needs to execute a Service Level Agreement with the Bank covering all terms and
conditions of this tender. Vendors need to strictly adhere to the Service Level Agreement (SLA). Services
delivered by the vendor should comply with the SLA mentioned in the table below and in Annexure-A.

SLA will be reviewed on a quarterly basis. SLA violation will attract penalties at the rate of Rs.10,000/-
for every incident of violation, due to the reasons attributable to the vendor. This penalty to be levied
in the year cumulatively shall be subject to a maximum of 15% of the value of the annual recurring
charges payable to the vendor under this assignment.

Sl. No. | Service Area | SLA
1. Infrastructure and Application Security Log Monitoring
Security log monitoring of the following infrastructure assets and assets that may be added / listed
from time to time:
- WAN with all the components like switches, routers, Firewalls, IDS, IPS etc.
- Internet banking – Servers, Firewalls, IDS, IPS, Switches, routers etc.
- Core Banking – Servers, Switches, routers, Firewalls, IDS, IPS etc.
- CAPS, FTS & ATMs – Servers, Switches, routers, firewalls, HSM, IDS, IPS etc.
- ITMS – Servers, switches, routers, firewalls, HSM, IDS, IPS etc.
- Mobile banking – Servers, Switches, Routers, Firewalls etc.
- DR for all above.
SLA:
• 24x7 event monitoring and correlation
• Incident alerting
o <30 min for very high and high priority events
o <90 min for medium priority events
• Initial incident response
o <30 min for very high and high events
o <60 min for medium priority events
• Mitigation of security events / threats
• Availability of relevant logs for 90 days
• Weekly Summary Reports on every Monday
• Monthly consolidated reports
o By 7th of every Month
o Quarterly reports
o Standard / Exceptional reports
• Monitoring reports should be of these categories:
o Executive summary report for management
o User activity monitoring
- Account Lock-out events
- Failed log on activities
- Administrative access
- Blocked user account access
o Operations monitoring
- Change request reports
- Configuration changes
- Operations overview reports
- Account management & user management reports
o Configuration change monitoring
- Top Configuration Changes
- Unauthorized configuration changes
o Policy adherence
- Firewall changes
- Critical commands executed
- Device configuration changes
o Incident monitoring reports
- Top Targeted Ports
- Top Targets
- Top Attackers
- Attackers by geography
- Top Internal Attackers
- Top Destinations
2. Infrastructure Vulnerability Assessment
Manage baseline security for infrastructure assets. Infrastructure assets would include Servers,
Operating Systems, web Servers, databases, ATM switch / interfaces, mobile banking interfaces,
messaging applications, network & security devices, Remote Access Servers.
SLA:
• Discovery, valuation, repository update of assets in DC, DR within 10 days of introduction
• Assessment Frequency
o Quarterly for high value assets
o Half yearly for medium value assets
o Yearly for low value assets
• Benchmarking Vulnerabilities in assets
o Within 3 days of receiving security advisory for high value vulnerabilities in assets
o Within 6 days of receiving security advisory for medium value assets
• Vulnerability Mitigation
• Provide baseline security documentation for Switches / Routers / Firewalls / Servers etc.

3. Conducting of Vulnerability Assessment and Penetration Testing (VA & PT) on a regular basis
Amongst others, the tests to be performed depending upon requirement have been specified elsewhere
in this tender document.
SLA:
Assessment Frequency
• Quarterly for high value assets
• Half yearly for medium value assets
• Yearly for low value assets
• Conducting of Vulnerability Assessment and Penetration Testing in respect of all critical assets
of the Bank (existing as well as assets which are to be added in future) and securing the assets
against vulnerability by undertaking detective, preventive and mitigation measures:
• For all the network devices installed at Critical centres this shall be once in every quarter.
• For all the critical applications [CBS, ATM Switch, Internet Banking, Mobile Banking, Treasury, and
CAPS] the VA & PT shall be done every quarter. The test shall be conducted on an alternating basis,
with and without credentials.
• For other non-critical applications credential based VA & PT shall be conducted once in a year.

4. Application Security Assessment
SLA:
Assessment frequency
• Grey box / Authenticated assessments in alternate quarters for critical applications
• Black box assessment in alternate quarters for critical applications
• Grey box / Authenticated assessments once a year for other applications

5. Security Intelligence and advisory services for vulnerability & threats / Monitor / Mitigate security
threats
SLA:
• Advisories within 12 hours of vulnerability disclosure / global threat detection
• Initiation & Resolution of remedial / mitigatory measures to thwart such security vulnerabilities
within 24 hours.

6. Anti Phishing
SLA:
• 24x7x365 monitoring
• Alert within 15 min from the time of detection of an incident
• Initial response within 60 minutes with action plan on blocking / containment / recovery
• Take down of the sites with 8 hours median calculated on a quarterly basis (optional)
• Resolution within 120 minutes. However, in a few exceptional cases, whenever certain specific issues
are faced by the Service Provider, additional time will be provided on a specific case, depending on
the merits of the case.

7. Malware scanning / Web malware monitoring services and Anti-phishing Services
SLA:
• 24x7x365 monitoring
• Malware Monitoring number of scans shall be minimum four.
• Alert within 15 min from the time of detection of an incident
• Initial response within 60 minutes with action plan on blocking / containment / recovery
• Take down of the sites with 8 hours median calculated on a quarterly basis (optional)
• Resolution within 120 minutes. However, in a few exceptional cases, whenever certain specific issues
are faced by the Service Provider, additional time will be provided on a specific case, depending on
the merits of the case.

8. Regular review of Policies / Guidelines / Business Continuity Plan / Disaster Recovery Plan / Data
Centre Operations Manual – all pertaining to Information Technology and Information Security;
Review of observations in various IS Audit Reports
SLA:
• Prescribe / implement the best practices / guidelines / other documents related to Information
Security / Business Continuity / Disaster Recovery Review etc. and undertake formulation / review /
renewal, as prescribed periodically, of the Information Security Policy and Information Security
Guidelines / IT Outsourcing Policy / Business Continuity Plan / Disaster Recovery Review Plan and
other related documents like the Data Centre Operations Manual, suggesting / incorporating necessary
changes commensurate with the security / operational / technology risks.
• For the purpose of SLA and compliance, this review, on all these reference documents, shall be
done before December every year and the report should be submitted within 15 days thereof.
• Evaluation of Information Security related audit observations of the bank and providing the views
on the same within three weeks of such reference made. Further facilitating the rectification thereof
should also be undertaken.

9. Continuously manage the baseline security levels for infrastructure assets, applications and
processes
SLA:
• Assess the current environment and set up a baseline security level for assets
• Drive the implementation of the baseline security for all IT assets / infrastructure
• Ensure that the baseline is maintained on an ongoing basis and hence assets are secured
against all risks at any point in time
• Ensure that new initiatives of the bank are rolled out with appropriate security baseline
• Recommend enhancement of security wherever & whenever required with appropriate justification
• Upgrades / Patch Management for all operating Systems and application software of related
infrastructure components
• Provide Server hardening reports for all the Servers monitored
• Drive the implementation of the baseline security for all applications
• Ensure that the baseline is maintained on an ongoing basis and hence applications are secured
against all risks at any point in time
• Ensure that new applications of the bank are rolled out with appropriate security baseline
• Assess the current environment and set up a baseline security level for business processes
around IT for banking channels including Internet Banking, ATM, Mobile Banking, Core Banking,
Collection & Payments System, Treasury etc.
• Drive the implementation of the baseline security for all the listed channels
• Ensure that the baseline is maintained on an ongoing basis and hence channels are secured
against all risks at any point in time
• Ensure that new channels of the bank are rolled out with appropriate security baseline

10. Unified Dashboard / Portal for service delivery
SLA:
• Should be a web based portal which can be accessed by the pre-determined / authorized user
from anywhere
• Should provide summarised activities / charts as well as detailed views to various classes of users like
Executives, analysts, project team etc.
Also the solution should have the following features:
• Solution should provide access to monitoring, Phishing, VA reports and incidents
• Solution should have the ability to configure ACLs for users accessing the portal
• Solution should allow users to define dashboards from the information available in the portal.
• Provide a consolidated view of asset properties such as asset details (IP addresses, OS, administrator,
owner etc.), asset vulnerabilities, asset service tickets etc.
• Solution should have a risk repository for the platforms monitored
• Solution should allow users to query the portal for historical data as needed
• Solution should have access to request more information on a specific event or a report
• Solution should allow users to schedule activities on the portal
• Benchmark IT assets against standard configuration of different technology platforms e.g. Windows, Unix,
Solaris, IIS, Apache, Cisco, Oracle etc.
• Show Asset linkages / trusted assets

11. ISMS implementation / Compliance Management Services including ISO 27001
SLA:
• Prepare and implement the information security best practices and standards and facilitate the
Bank to get certified for ISO 27001 in respect of the Bank’s Data Centre and IT Division HO,
including DR Site.
• Provide all the services required in respect of certification of ISO 27001 including
implementation of ISMS, putting in place the practices required, preparation of the statement of
applicability, submitting the application, handholding the certification process, co-ordinating the
inspection and obtaining final certifications.
• Submission for Certification – within 6 months from the date of the Purchase Order
• Arranging for audit and certification thereof

12 Services in respect of implementation of RBI Workgroup recommendations on IT domains/ IT
Security – a one time exercise
• Study and validate the already identified gaps, prepare an action plan for implementation in
respect of the gaps, and implement the recommendations of the RBI Workgroup on IT
domains/ IT security.
• Finalisation of Action Plan for implementation of gaps and presentation to Management – Within
60 days from date of Purchase Order.
• Implementation of the pending recommendations by 31/03/2014 and presentation to
Management.

8. Review of the Agreement

The bank reserves the right to review the rates & services every year, subject to the ceiling of the
initially agreed rates.

The performance of the agency shall be reviewed after every 3 months. However, the bank reserves
the right to terminate the contract at any point of time after giving 60 days’ notice without assigning
any reasons, in case of any change in the Bank’s plan or due to performance related issues of the
vendor.

The Service Provider shall, at the end of each financial year, provide to the Bank its most recent audited
financial statements and annual reports, as well as other indicators for evaluating technological expenditure
and the level of investment in technology for consistent support of the Bank’s outsourcing activity
undertaken by the Service Provider.

9. Repeat order

The bank reserves the right to extend the agreement for a further period after expiry of the contract
period, in case it is necessary for any specific reason, at the option of the bank, on the same terms
and conditions after negotiating the rates.

10. Periodic Review of Services

Following operationalisation of the services, the Bank will conduct a review of the services rendered by
the Service Provider at mutually agreed schedules, dates and locations, and representatives from both
the Bank and the Service Provider should attend such performance review meetings.

Apart from the above review, the Service Provider’s SOC facility would be subject to Bank’s Internal /
Appointed External / Statutory / RBI-AFI audits, as and when required.

The Service Provider shall agree and undertake that they shall not impede or interfere with the
ability of the Bank to effectively oversee and manage its activity, or impede the Reserve Bank of India in
carrying out its supervisory functions and objectives. The Bank shall have the right to inspect / audit
the SOC, Tools, Techniques and procedures adopted by the Service Provider for the activity outsourced
by the Bank, independently or through outsourced experts, and to call for a detailed report without
compromising the Service Provider’s Security.

11. Confidentiality & Non-Disclosure

The document contains information confidential and proprietary to the bank. Additionally, the
selected Service Provider will be exposed by virtue of the contracted activities to the internal business
and operational information of the bank, affiliates, and/or business partners. Disclosure of receipt of
this tender or any part of the aforementioned information to parties not directly involved in providing
the requested services could result in the disqualification of the Service Providers, premature
termination of the contract, or legal action against the Service Provider for breach of trust. The
successful bidder should sign a Non-Disclosure Agreement on awarding of contract by the Bank.

In instances where the service provider acts as an outsourcing agent for multiple Banks, care should be
taken to build strong safeguards so that there is no mixing together of information/ documents,
records and assets. The Service Provider should undertake to maintain confidentiality of the Bank’s
information even after the termination / expiry of the contracts.

No news release, public announcement or any other reference to this tender, relating to the
contracted work if allotted with the assignment, or any program hereunder shall be made without
written consent from the bank.

Reproduction of this tender, without prior written consent of the bank by photographic, electronic or
other means is strictly prohibited.

12. Performance bank guarantee

The Service Provider, before claiming the first payment, has to provide a Performance Bank Guarantee
from a Public Sector Bank valid for 3 years, for an amount equivalent to the Total Recurring Cost of
Services for Managed Security Services for a period of 12 months. [Please refer Annexure L]

13. Cancellation of Order

The Bank reserves its right to cancel the Purchase Order at any time, in the event of delay in
operationalising the service beyond the specified period or for any other reason with or without
assigning any reasons, by giving 60 days’ notice, in case of any change in the Bank’s plan or due to
performance related issues of the vendor.

In addition to the cancellation of Purchase order, the Bank reserves the right to invoke the Bank
Guarantee given by the Service Provider to recover the penalty.

14. Termination of Services by the Service Provider

In view of the criticality of the services to be rendered under this tender, and in order to enable the Bank to
engage any other Service Provider for continuity of services, the selected Service Provider under this
tender process should give a minimum of six months’ notice in writing (clearly specifying a future date)
for terminating the contract, should they so desire.

15. Indemnity

The Service Provider shall indemnify, protect and save the Bank against all claims, losses, costs,
damages, expenses, action suits and other proceedings resulting from any actions of the employees
or agents or deficiency of service of the Service Provider. In respect of the above, under normal
circumstances, the Service Provider shall indemnify up to an amount equivalent to the Service Charges
payable to the Service Provider [exclusive of taxes] for a period of one year under the terms of the
tender.

The Service Provider shall indemnify, protect and save the Bank against all claims, losses, costs,
damages, expenses, action suits and other proceedings, resulting from infringement of any law
pertaining to patent, trademarks, copyrights etc. or such other statutory infringements in respect of all
the hardware and software used by them.

16. Business Resumption and Contingency Plans

While submitting the offer and at periodic intervals as required by the Bank, the Service Provider shall
submit / spell out their Contingency and BCP in respect of the following areas wherever applicable:
The Service Provider’s Contingency Plans and BCP should address the service provider’s responsibility
for back-up and record protection, including equipment, program and data files, to the extent
applicable for the activity outsourced by the Bank. The information shall include testing of the plans,
actual testing and the results thereof. The Bank shall consider interdependencies among service
providers when determining business resumption testing requirements. The Service Provider shall
provide the Bank with the methodology / procedures relating to its Business resumption and contingency
plans.

17. Publicity

Any publicity by the Service Provider in which the name of the Bank is to be used will be done only
with the explicit written permission of the Bank.

18. Force Majeure

The Service Provider or the bank shall not be liable for default or non-performance of the obligations
under the contract, if such default or non-performance of the obligations under this contract is caused
by any reason or circumstances or occurrences beyond the control of the Service Provider or the
bank, i.e. Force Majeure.

For the purpose of this clause, “Force Majeure” shall mean an event beyond the control of the
parties, due to or as a result of or caused by acts of God, wars, insurrections, riots, earthquake and
fire, or other events not foreseeable, but does not include any fault or negligence or carelessness on the
part of the parties resulting in such a situation.

In the event of any such intervening Force Majeure, either party shall notify the other in writing of
such circumstances and the cause thereof immediately within five calendar days. Unless otherwise
directed by the Bank, the Service Provider shall continue to perform/render/discharge other
obligations as far as they can reasonably be attended/fulfilled and shall seek all reasonable
alternative means for performance affected by the Event of Force Majeure.

In such a case, the time for performance shall be extended by a period(s) not less than the duration
of such delay. If the duration of delay continues beyond a period of one month, the Bank and the
Service Provider shall hold consultations with each other in an endeavor to find a solution to the
problem. Notwithstanding the above, the decision of the Bank shall be final and binding on the Service
Provider.

19. Resolution of Disputes

All disputes and differences of any kind whatsoever, arising out of or in connection with this Offer or
in the discharge of any obligation arising under this Offer (whether during the course of execution of
the order or after completion and whether before or after termination, abandonment or breach of the
Agreement) shall be resolved amicably. In case of failure to resolve the disputes and differences
amicably, the matter may be referred to a sole arbitrator mutually agreed upon after issue of at least
30 days’ notice in writing to the other party clearly setting out therein the specific disputes. In the
event of absence of consensus about the single arbitrator, the dispute may be referred to joint
arbitrators, one to be nominated by each party, and the said arbitrators shall appoint a presiding
arbitrator. The provisions of the Indian Arbitration and Conciliation Act, 1996, shall govern the
arbitration. The venue of the arbitration shall be Mangalore.

Annexure A – Scope/Specifications of the Services
 Continuously manage the baseline security levels for infrastructure assets
o Assess the current environment and set up a baseline security level for assets
o Drive the implementation of the baseline security for all IT assets / infrastructure
o Ensure that the baseline is maintained on an ongoing basis and hence assets are secured
against all risks at any point in time
o Ensure that new initiatives of bank are rolled out with appropriate security baseline
o Recommend for enhancement of security wherever & whenever required with appropriate
justification
o Upgrades/Patch Management for all operating Systems and application software of
related infrastructure components
o Provide Server hardening reports for all the Servers monitored

 Continuous security monitoring of attacks against bank’s assets
o 24X7 log monitoring
o Rapid response to incidents
o Evaluation of incidents
o Forensics to identify the origin of threats, mitigation thereof, initiation of measures to
prevent recurrence

 Continuous monitoring of WAN, ATM, Internet banking, ITMS, mobile banking, CAPS
systems & interfaces for security threats [Including components like Servers, Switches,
Routers, Firewalls, IDS etc.]
o 24X7 application log monitoring
o Rapid response to incidents
o Evaluation of incidents
o Forensics to identify the origin of threats, mitigation thereof, initiation of measures to
prevent recurrence

 Continuously manage application security
o Assess the current environment and set up a baseline security level for all applications like
Internet Banking, ATM, Mobile Banking, Core Banking, Collection & Payments System
and Treasury
o Drive the implementation of the baseline security for all applications
o Ensure that the baseline is maintained on an ongoing basis and hence applications are
secured against all risks at any point in time
o Ensure that new applications of the bank are rolled out with appropriate security baseline
o Patches and upgrades management, help in installation

 Continuously manage process security
o Assess the current environment and set up a baseline security level for IT processes
o Assess the current environment and set up a baseline security level for business processes
around IT for banking channels including Internet Banking, ATM, Mobile Banking, Core
Banking, Collection & Payments System and Treasury
o Drive the implementation of the baseline security for all the listed channels
o Ensure that the baseline is maintained on an ongoing basis and hence channels are
secured against all risks at any point in time
o Ensure that new channels of bank are rolled out with appropriate security baseline

 Anti-Phishing services
o 24X7 monitoring of phishing attacks against the bank
o Rapid response to phishing attacks and takedown of phishing sites
o Evaluation of incidents
o Forensics to identify the origin of threats, mitigation thereof, initiation of measures to
prevent recurrence
o The Bank expects the Anti-phishing Services to be provided through the Bidder’s SOC,
deploying their own tools for detection and monitoring, and not to be dependent on a
third party vendor for identifying the attacks.
 Malware Scanning

o 24X7 malware scanning of Internet banking and corporate website, WAN and other
networks, and points of entry
o Rapid response to incidents
o Evaluation of incidents
o Forensics to identify the origin of threats, mitigation thereof, initiation of measures to
prevent recurrence
o Malware scanning should be provided by the Onsite support team placed at the Bank

 Security Intelligence

o Continuous tracking of global threats and vulnerabilities to tackle evolving threats and
vulnerabilities
o Advisories to bank on relevant threats and vulnerabilities
o Benchmark bank’s environment against evolving threats and vulnerabilities

 Vulnerability Assessment & Penetration Testing and follow-up for mitigation thereof

o Conduct Vulnerability Assessment of Infrastructure (Configuration Review),
o Conduct Infrastructure Penetration Testing (Internal & External),
o Conduct Application Penetration Testing (Grey box & Black Box) and follow-up for
mitigation thereof
o The tests shall be conducted in both manual and automated mode
o The tests shall be conducted using the most recent and sophisticated tools available in
the industry at any point of time
o Submit a report to the Bank on the findings after filtering out false positives through a
manual / automated process
o Classify the findings depending upon criticality and risk, and highlight the high-level
risks specifically
o Track mitigation against the risks identified during the tests conducted
o Conduct Penetration Testing at periodic intervals, with the following indicative tests as
the guiding factor behind this service, on various critical IT assets of the Bank, and follow
up for mitigation thereof:

1. Buffer Overflows
2. Bypass Authentication
3. Info from Case Studies, Presentations
4. Command Injection
5. Cross Site Request Forgery
6. Cross Site Scripting
7. Cross Site Tracing
8. Database Scan
9. Default Passwords
10. Directory Traversal
11. Info from DNS Records
12. Firewalking
13. Firewall Vulnerability Detection
14. Hard Coded Secrets
15. HTML Source Code Analysis
16. Integer Overflows
17. Info from Job Postings
18. LDAP Injection
19. Info from Mailing Lists
20. Open Relay Scan
21. OS Fingerprinting
22. Password Cracking
23. Password Guessing
24. Ping Sweep
25. Port Scanning
26. Info from Press Releases, Newsletters
27. Info from Publicly Available Resumes
28. Router Vulnerability Detection
29. Look for Sensitive Error Messages
30. Server/Service Fingerprinting
31. Session Id Prediction
32. SNMP Scan
33. SQL Injection
34. SSL Configuration
35. Info from Trade Publications
36. Validate Cryptographic Strength
37. Vulnerable Sample Applications
38. Web Server Vulnerability Scan
39. Info from WHOIS Records
40. XPATH Injection

 Review various IT related policies of the Bank

o Review of Policies / Guidelines / Business Continuity Plan / Disaster Recovery Plan / Data
Centre Operations Manual – all pertaining to Information Technology and Information
Security
o Review shall be in terms of adequacy, appropriateness and concurrence with the present IT
environment, and shall suggest necessary changes commensurate with risks
o Provide input to the Bank on the annual review in respect of the above
o Review of observations in various IS Audit Reports and provide the Bank suggestions for
rectification, facilitate rectification, provide work around for certain observations and
provide opinion on certain observations on the feasibility of implementation

 Unified Security Dash Board /Portal

Since the bank is looking to obtain many services, it will be difficult to track the activities and
important alerts and reports from all these services. Moreover, since most of these services are
interrelated, correlated information will help the bank in taking important decisions. The
vendor shall provide a unified portal that will meet this requirement.
The vendor should implement a web based integrated online security dashboard for the services
provided to the bank. The security dashboard should be implemented onsite in the bank’s premises
and should be accessible to identified personnel of the Bank through a web browser.

 ISMS Implementation and ISO 27001 Certification

o Prepare and implement the information security best practices and standards and
facilitate the Bank to get certifications for ISO 27001 in respect of Banks Data Centre
and IT Division HO, including DR Site.

o Provide all the services required in respect of certification of ISO 27001 including
implementation of ISMS, putting in practices required, preparation of statement of
applicability, submitting application, handholding certification process, co-ordinate for
inspection and obtaining final certifications.

o Submission for Certification – Within 6 months from date of purchase Order

 Implementation of RBI Workgroup (Sri. G. Gopalakrishna Committee) Recommendations

o Study and validate the already identified gaps, prepare action plan for implementation
in respect of the gaps, implement the recommendations of the RBI Workgroup on IT
domains/ IT security.

o Finalisation of Action Plan for implementation of gaps and presentation to
Management – Within 60 days from date of Purchase Order.

o Implementation of the pending recommendations by 31/03/2014 and presentation to
Management.

Service Delivery Methodology

The vendor shall:

 Deliver all of the above as onsite services at the Bank’s premises by deploying resources there.
The vendor has to specify exactly which services cannot be offered onsite and will instead be
offered from the vendor’s Security Operations Center (SOC). The vendor needs to state this
clearly at the technical bid submission stage itself, for evaluation by the Bank accordingly.
 Services like anti-phishing and security intelligence shall be delivered from the vendor’s SOC
using their own tools. If they depend on a third party vendor for identifying the attacks and do
not have their own detection capabilities, they should state so clearly to the Bank, along with
the nature of the arrangement.
 The other services, including baseline security for applications, infrastructure and processes,
log monitoring, malware scanning etc., shall be taken up at the Bank’s premises to yield the
desired results.
 Provide at least three resources onsite [to cover 24 x 7] for coordination of mitigation activities
as well as for other services delivered onsite: 3 shifts with a minimum of one resource for each
shift, apart from an on-site Project Manager with CISA/CISSP Certification, as per the details of
resource requirements given below:

Service Personnel/ Resource Personnel and deployment:

Onsite Resource Requirement

Vendor should provide 24x7 onsite monitoring of Operating systems, web servers,
databases, and network and security devices. The services have to be provided from
within the bank’s premises.

Onsite Project Manager: Vendor should provide one resource with a minimum of 5 years of
experience to work from the Bank’s premises during the Bank’s business hours.

The resource shall hold CISA / CISSP certification and broadly undertake the following activities:
• Track Incident detection and reporting along with closure
• Continuous ISMS management
• Customer Management - Single point of contact for customer escalations
• Identify new alert requirements
• Resource Management
• SLA tracking in adherence
• System Planning

For 24x7 monitoring, a minimum of one resource in each of three shifts a day shall broadly
undertake the following activities:

Analyst Responsibilities

• Monitor SIEM Console for real time alerts
• Raise incident alerts to impacted IT teams
• Incident tracking and follow up
• Daily operations and documentation
• Configure SIEM filters, rules, dashboards, Escalations
• Configure aggregation, filtering rules on agent
• Co-ordinate with OEM for technical escalations and resolutions
• Provide assistance to IT team for follow-up action and closure of security incidents
• Report on Incident SLA adherence

SKILLS

• Minimum 3 years of Total IT Experience with at least 2 years in IT Security
• Minimum 1 year of operating experience on SIEM
• Experience in coordinating and working with OEM on technical resolutions

Profiles and proof/ credentials of the resource personnel to be deployed in the project need
to be submitted well in advance.

 Set up processes, contemporary, state of the art tools and provide skill set for security
management.
 Prescribe / Implement the best practices in line with the IS Policy / IS Guidelines / BCP/ DRP
etc. of the bank and those prescribed from time to time by the concerned statutory agencies
like RBI, Ministry, CERT-IN, IBA etc.
 Implement the best practices like ISO 27001, RBI work group recommendations etc., and
help the Bank for certification thereof for bank’s information security infrastructure /
compliance. The lead resources should visit the Bank during the implementation and review
phases.

 Nominate the Resource Personnel for coordinating incident management, RCA, &
vulnerability assessment & mitigation and evaluation of audit observations.
 Impart on the job training for the required number of officials of the Bank, in order to manage
the Bank’s own SOC which may be set up at a later date.
 Also help the Bank in setting up its own SOC within a period of 2 years.
 Vendor shall provide the required monitoring agents, Software/Tools required for monitoring
Security of the equipment at their own cost, as a part of their service delivery. These agents are
to be deployed in hardware like Servers, Firewalls, IDS / IPS etc and applications, if
required, for monitoring / analysis / providing alerts.

The Bank, at its discretion, will visit and analyse the technical capabilities of the Security
Operations Centre [SOC] based on the above criteria. The Service Provider’s SOC facility
would be subject to the Bank’s Internal / Appointed External / Statutory / RBI-AFI audit by the Bank,
as and when required.

Specification of the services

The general scope & specification based on which the Managed Security Services [MSS] are to be made
operational is as follows:

1. Infrastructure Log Monitoring Services
2. Application Security Monitoring
3. Vulnerability Assessment of Infrastructure [Configuration Review]
4. Infrastructure Penetration Testing [Internal & External]
5. Application Penetration Testing [Grey Box & Black Box]
6. Provide Security Intelligence / Monitor / Mitigate security threats
7. Anti-Phishing Services including identification and mitigation of attacks
8. Malware Scanning and Mitigation Services, Website monitoring using features/
technology like digital water mark
9. Security Service Desk System Requirements
10. Unified Security Dash board
11. Security Analysis, Mitigation and reporting thereof
12. Regular Review of IT and IS Related policies
13. Wide Area Network Security Monitoring
14. ISMS Implementation and ISO 27001 Certification
15. Implementation of RBI Workgroup Recommendations – a one-time activity

1. Infrastructure Log Monitoring Services (Please see the details of S/N in Annexure F)

Vendor should provide 24x7 remote monitoring of Operating systems, web servers, databases,
network and security devices. The services have to be provided from within the bank’s premises.
Sl. No Requirement S/N Remarks
1.1 24*7 monitoring of security events to detect
attacks and raise alerts for any suspicious events
that may lead to security breach in bank’s
environment & block the same.
1.2 Detection of both internal & external attacks
1.3 Vendor should implement tools and processes
for detection and correlation of events from
multiple sources
1.4 Vendor should provide coordinated rapid
response to any security incident. Vendor
should contain attacks & coordinate restoration
of services
1.5 Evidences of security incidents should be made
available for legal and regulatory purposes
1.6 Vendor should develop log baselines for all the
platforms in the bank. Vendor should coordinate
deployment of baselines with the respective IT
teams
1.7 Vendor should provide multiple reports to the
bank including top attackers, attacks, attack
targets, trends etc. Vendor should provide
weekly and monthly reports. Vendor should also
have the provision to provide bank reports on
demand on a case to case basis
1.8 Vendor should conduct forensic analysis for
security incidents and facilitate mitigation
thereof
1.9 Vendor should do root cause analysis for
security incidents and coordinate
implementation of controls to prevent
reoccurrence
1.10 The Vendor should analyze the logs [OS,
database, security, network, servers] and the
vendor should deploy industry standard tools for
log analysis [ furnish full details of the tools /
functionality / deliverables separately ] and
correlation
1.11 The solution provided should be
OS/application/hardware independent
1.12 Solution should have support for both agent and
agent-less architecture
1.13 Agent should be light and non interfering
1.14 Should support events collection from wide
range of network & security devices, viz.
Routers, Switches, Firewalls, IDS/IPS, Proxy
hosts and systems like Windows, Solaris &
Linux. It should also support event collection
from databases, web servers, AV agents &
Vulnerability Scanners.
1.15 The solution must support at least 3000 events
per second for real-time analysis
1.16 Solution should not be an open-source or
freeware tool and an established OEM should
support it
1.17 Support for the Integration of Security Logs
from Existing Routers and L3 Switches
1.18 Support for the Integration of Security Logs
from existing operating systems, Database
Servers & Application Servers
1.19 Solution should have the ability to integrate
information from leading vulnerability scanners
1.20 Should track access-list violations
1.21 Log transmission between Agent & manager
should be through SSL or encrypted connection
1.22 Tool should offer correlation of the events /
aggregated events from multiple firewalls,
IDS/IPS and other network, security devices
&applications’ security logs.
1.23 Even during heavy log generation
peaks/connectivity issues it is critical that the
proposed solution has caching mechanisms to
collect events and correlate thereafter.
1.24 Service should have the ability to map real time
attacks to the vulnerability state of the target.
1.25 Event correlation should include attributes like
events, asset, vulnerability, business value in the
threat calculation.
1.26 Services should support the normalization of the
data for the collection of logs from disparate
devices
1.27 Solution should support filtering of noise events
from being sent to SOC by the agents deployed
on bank assets
1.28 Should support creation of custom correlation
rules
1.29 Solution should be capable of freely
customizing the format and frequency of
reporting
1.30 Solution should be capable of creating custom
reports
1.31 Solution should support role-based
administration
1.32 Solution should support the audit trail of
administrative access & configuration changes
1.33 Solution should be capable of compressing the
collected log file data during network transport
1.34 Solution should be capable of validating the
authenticity and integrity of log data
1.35 Solution should be capable of assisting in
finding log entries on originating systems for
use in forensic investigations
1.36 Solution should provide a security portal to
view real time dashboards corresponding to
monitoring data
1.37 Provide a summarized weekly / monthly report
on the logs analyzed in respect of the assets
monitored
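Requirements 1.22, 1.26, 1.27 and 1.28 together describe the core of the log monitoring service: collect from disparate devices, normalise, drop noise before it reaches the SOC, and correlate across sources with custom rules. The following is an added example (not part of the tender or any bidder's product) showing that chain in Python; the log lines are constructed and the three source formats are simplified stand-ins for real firewall, sshd and Windows logon events.

```python
"""SIEM-style pipeline: normalise events from disparate devices into one schema,
drop noise at the collection point, and run a custom correlation rule.
Added example; the log lines are constructed and the formats are simplified
stand-ins for real device output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a firewall, two Linux sshd hosts and a Windows DC.
SAMPLE_LOGS = [
    "2013-09-19T10:00:01 fw01 %ASA-6-106015: Deny TCP from 203.0.113.7/44021 to 10.1.1.5/22",
    "2013-09-19T10:00:05 web01 sshd[812]: Failed password for root from 203.0.113.7 port 44022 ssh2",
    "2013-09-19T10:00:09 db01 sshd[930]: Failed password for oracle from 203.0.113.7 port 44025 ssh2",
    "2013-09-19T10:00:12 ad01 EventID=4625 SubjectUser=admin SourceIP=203.0.113.7 Status=Failure",
    "2013-09-19T10:00:20 web01 sshd[812]: Accepted password for root from 203.0.113.7 port 44030 ssh2",
    "2013-09-19T10:00:21 fw01 %ASA-6-302013: Built outbound TCP connection for 10.1.1.5/51000 to 198.51.100.9/443",
    "2013-09-19T10:05:00 web01 sshd[900]: Failed password for bob from 192.0.2.10 port 40000 ssh2",
]

# Agent-side noise filter (1.27): routine "connection built" messages carry no
# security signal and are dropped before they ever reach the SOC.
NOISE_PATTERNS = [re.compile(r"%ASA-6-302013")]

# One parser per source format; each yields the same normalised field set (1.26).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)")
ASA_DENY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-\d+: Deny \w+ from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+")
WIN_LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) SubjectUser=(?P<user>\S+) "
    r"SourceIP=(?P<src>\S+) Status=(?P<outcome>\S+)")


def is_noise(line):
    return any(p.search(line) for p in NOISE_PATTERNS)


def normalize(line):
    """Map a raw line to {ts, host, src, user, action, outcome}; None if unknown."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "src": m["src"],
                "user": m["user"], "action": "auth",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    m = WIN_LOGON_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "src": m["src"],
                "user": m["user"], "action": "auth",
                "outcome": "failure" if m["outcome"] == "Failure" else "success"}
    m = ASA_DENY_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "src": m["src"],
                "user": None, "action": "connection", "outcome": "deny"}
    return None


def correlate_failures_then_success(events, threshold=3, window_seconds=60):
    """Custom rule (1.28): >= threshold auth failures from one source IP, across any
    monitored hosts, followed within the window by a successful logon from that IP."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "auth":
            by_src[ev["src"]].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for ev in evs:
            if ev["outcome"] != "success":
                continue
            prior = [f for f in evs
                     if f["outcome"] == "failure" and ev["ts"] - window <= f["ts"] < ev["ts"]]
            if len(prior) >= threshold:
                alerts.append({"rule": "auth_failures_then_success", "src": src,
                               "user": ev["user"], "host": ev["host"], "ts": ev["ts"],
                               "failures": len(prior),
                               "hosts": sorted({f["host"] for f in prior})})
    return alerts


def run_pipeline(lines):
    """Filter, normalise and correlate; the counts make coverage gaps visible."""
    events, dropped, unparsed = [], 0, []
    for line in lines:
        if is_noise(line):
            dropped += 1
            continue
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)  # unknown format: a parser gap, not a silent drop
        else:
            events.append(ev)
    return {"events": events, "dropped": dropped, "unparsed": unparsed,
            "alerts": correlate_failures_then_success(events)}


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS)["alerts"]:
        print(alert)
```

On the sample data the rule fires once: three failures from one address spread over a web server, a database server and the domain controller, none of which would cross a per-host threshold on its own, followed by a successful root logon on web01.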

2. Application Security Monitoring

Vendor should provide 24x7 remote monitoring of security issues on ATM, Internet banking, mobile
banking and WAN channels. The vendor solution should be capable of analyzing ATM, Internet banking and mobile
banking application logs and WAN network logs. The services have to be provided from within the
bank’s premises.

S. No Requirement S/N Remarks
2.1 24*7 monitoring of security events in ATM
switch, mobile banking, internet banking,
WAN
2.2 Detection of both internal & external attacks
2.3 Vendor should implement tools and
processes for monitoring application logs
2.4 Vendor should provide coordinated rapid
response to any security incident. Vendor
should contain attack & coordinate
restoration of services
2.5 Evidence for any security incident should be
made available for legal and regulatory
purposes
2.6 Vendor should develop all log baselines for
ATM, internet banking, mobile banking and
WAN. Vendor should coordinate
deployment of baselines with the respective
teams
2.7 Vendor should provide multiple reports to
the bank including top attackers, attacks and
trends. Vendor should provide weekly and
monthly reports. Vendor should also have
the provision to provide the bank with,
reports on demand on a case to case basis
2.8 Vendor should conduct forensic analysis for
security incidents and facilitate mitigation
thereof
2.9 Vendor should do root cause analysis for
security incidents and coordinate
implementation of controls to prevent
recurrence
2.10 Vendor should deploy industry standard
tools for log analysis and correlation
2.11 Agent should be light and non interfering
2.12 Solution should not be an open-source or
freeware tool and an established OEM
should support it
2.13 Solution should provide rule based analysis
of transaction logs
2.14 Solution should detect transaction frauds.
Examples include multiple transactions
using same ATM card from multiple cities,
transactions beyond a certain value, security
intensive alerts etc
2.15 Solution should provide mechanism to
detect the man in the middle attack in
respect of the Internet Banking operations.
2.16 It should support the normalization of the
data for collection of logs from disparate
devices
2.17 Should support creation of custom
correlation rules
2.18 Solution should be capable of freely
customizing the format and frequency of
reporting
2.19 Solution should be capable of creating
custom reports
2.20 Solution should be capable of validating the
authenticity and integrity of log data
2.21 Solution should be capable of assisting in
finding log entries on originating systems
for use in forensic investigations
2.22 Solution should provide a security portal to
view real time dashboards corresponding to
monitoring data and facilitate analytics /
intelligence to respond / mitigate the threats
/ vulnerabilities/penetration testing
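
Added worked example (not part of the tender and not any bidder's product): the rule-based transaction analysis described in 2.13 and 2.14, applied to constructed ATM switch log lines. The pipe-separated log format, the masked card numbers, the one-hour window for the multi-city rule and the 50,000 threshold for the high-value rule are all assumptions made for the illustration.

```python
"""Rule-based analysis of ATM transaction logs (added example, not from the tender).

Two of the fraud patterns named in requirement 2.14 are implemented as
correlation rules: the same card transacting in different cities within a
short window, and single transactions at or above a value threshold.  The log
format, window and threshold below are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM switch records (not real data).
# Fields: timestamp | masked card number | ATM city | amount (INR)
SAMPLE_LOG = """\
2013-09-19T10:00:05 | 4321XXXXXXXX1111 | Mangalore | 5000
2013-09-19T10:04:40 | 4321XXXXXXXX1111 | Mangalore | 2000
2013-09-19T10:31:12 | 4321XXXXXXXX1111 | Delhi     | 10000
2013-09-19T10:45:00 | 4321XXXXXXXX2222 | Bangalore | 1500
2013-09-19T11:10:00 | 4321XXXXXXXX2222 | Bangalore | 60000
2013-09-19T12:00:00 | 4321XXXXXXXX3333 | Chennai   | 800
2013-09-19T18:30:00 | 4321XXXXXXXX3333 | Mumbai    | 900
"""


def parse_log(text):
    """Normalise raw pipe-separated lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, city, amount = (f.strip() for f in line.split("|"))
        events.append({"ts": datetime.fromisoformat(ts), "card": card,
                       "city": city, "amount": int(amount)})
    return events


def multi_city_alerts(events, window=timedelta(hours=1)):
    """Flag a card seen in two different cities within `window`.

    One alert is raised per card, on the first offending pair, so a burst of
    withdrawals does not flood the analyst with duplicates.
    """
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_card[e["card"]].append(e)

    alerts = []
    for card, evs in by_card.items():
        for i, first in enumerate(evs):
            later = next((b for b in evs[i + 1:]
                          if b["ts"] - first["ts"] <= window
                          and b["city"] != first["city"]), None)
            if later is not None:
                gap = int((later["ts"] - first["ts"]).total_seconds() // 60)
                alerts.append({"rule": "multi_city", "card": card,
                               "cities": (first["city"], later["city"]),
                               "gap_minutes": gap})
                break
    return alerts


def high_value_alerts(events, threshold=50000):
    """Flag any single transaction at or above `threshold` (assumed value)."""
    return [{"rule": "high_value", "card": e["card"], "amount": e["amount"]}
            for e in events if e["amount"] >= threshold]


def run_rules(text):
    """Parse the log once and apply every rule; returns the combined alert list."""
    events = parse_log(text)
    return multi_city_alerts(events) + high_value_alerts(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

The multi-city rule emits one alert per card rather than one per offending pair, which keeps a burst of withdrawals from flooding the analyst queue; the window should be tuned to the realistic travel time between the bank's ATM locations.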

3. Vulnerability Assessment of Infrastructure (Configuration Review)

Vendor should assess, track and mitigate vulnerabilities in IT infrastructure assets. Infrastructure assets
would include Operating Systems, web servers, databases, messaging applications, network and security
devices. Please refer to the inventory list in the annexure. The services have to be provided from
within the bank’s premises.

Sl No Requirement S/N Remarks


3.1 Asset identification & valuation. Asset in this
context refers to all the technology / related
infrastructure assets. All assets should be
discovered using relevant tools on a periodic
basis
3.2 An asset database should be maintained as part
of the solution to capture asset details. Asset
database should capture value of asset,
location, business unit, owner, CIA value,
platform details and details of assets getting
added, deleted, changed
3.3 Asset rating should be captured in terms of its
value to business and risk profile to prioritize
security measures
3.4 Asset database should be integrated with
security dashboard
3.5 Asset database should have the features to
filter on assets based on location, business
units, value of assets
3.6 The vendor should develop and maintain a risk
baseline which lists the risks and the
corresponding controls for the following
categories
a. Operating Systems
b. Databases
c. Infrastructure applications
d. Network Devices
e. Security Devices
3.7 The risk baseline should be codified in a
software and should be available online
3.8 The risk baseline should be integrated with the
asset register and the security dashboard
3.9 The risk baseline should be consistently
updated with new risks discovered globally
3.10 The risk baseline should always reflect the
current state of risks in the bank
3.11 Risk baseline should be categorized based on
the value of risks
3.12 Risk baseline should be benchmarked with
standards including SANS, NIST, CIS
3.13 Risk baseline software should have provision
to add, delete, modify risks
3.14 Risk baseline software should uniquely
identify risks using Risk ID
3.15 Risk baseline software should have the
provision to add custom risks along with the
value of risks
3.16 Vendor should conduct periodic vulnerability
assessment and penetration testing exercise for
all assets against the defined risk baseline.
Vulnerability assessment should be done once
in a quarter for high value assets, once in six
months for medium value assets and once in a
year for low value assets
3.17 Vulnerability assessments and penetration
testing should check for compliance to various
security parameters of the assets in line with
risk baseline including accounts, services,
password policies, directory permissions,
audit settings, network settings, protocols,
patches, domain policies (for Windows),
registry parameters (for Windows)
3.18 Vendor should implement a vulnerability
assessment and penetration testing tool onsite.
The tool should support assessment of the
following parameters including accounts,
services, password policies, directory
permissions, audit settings, network settings,
protocols, patches, domain policies (for
Windows), registry parameters (for Windows)
3.19 Vulnerability assessment and penetration
testing tool should support all the platforms of
the bank
3.20 Vulnerability assessment and penetration
testing tool should provide reports that clearly
list the non-compliances with appropriate risk
rating. Tool should also specify the solution for
the risk.
3.21 Vulnerability assessment and penetration
testing tool should be an online web interface
driven tool
3.22 The vendor should provide an online
remediation tracking mechanism to track
vulnerabilities, controls for mitigation, status
with online reports.

3.23 The vendor onsite team should provide
support for testing recommendations in UAT,
prepare plan for implementation in production
and provide support for production rollout.
3.24 Evaluate the audit observations of the IS
Auditors on critical technology infrastructure
and facilitate and guide to rectify the
deficiencies / irregularities. Recommend to the
bank regarding feasibility of implementation
and help in implementation.
3.25 Vendor should report security status of assets
in a security dashboard. [more details are
specified in the security dashboard section]
3.26 Vendor should implement / facilitate for
appropriate and timely installation of upgrades
/ patches

4. Infrastructure Penetration Testing (Internal & External)

Vendor should assess, track and mitigate vulnerabilities in business applications. Please refer to the inventory
list in the annexure. The services have to be provided from within the bank’s premises.
Sl No. Requirement S/N Remarks
4.1 An asset database should be available as part of
the solution to capture asset details. Asset in
this context refers to all the technology and
related infrastructure / applications. Asset
database should capture value of asset,
location, business unit, owner, CIA value,
platform details
4.2 Asset database should be maintained as assets
get added, deleted, changed
4.3 Asset rating should be captured in terms of its
value to business and risk profile to prioritize
security measures
4.4 Asset database should be integrated with
security dashboard
4.5 The vendor should develop and maintain a risk
baseline which lists the risks and the
corresponding controls
4.6 The risk baseline should be codified in a
software and should be available online
4.7 The risk baseline should be integrated with the
asset register and the security dashboard
4.8 The risk baseline should be consistently
updated with new risks discovered globally
4.9 The risk baseline should always reflect the
current state of risks in the bank
4.10 Risk baseline should be categorized based on
the value of risks
4.11 Risk baseline should be benchmarked with
application security standards including
OWASP
4.12 Risk baseline software should have provision
to add, delete, modify risks
4.13 Risk baseline software should uniquely identify
risks using Risk ID
4.14 Risk baseline software should have the
provision to add custom risks along with the
value of risks
4.15 Vendor should conduct periodic assessment
exercise for all applications against the defined
risk baseline. Assessment frequency for
applications should be at least once a year
4.16 Vulnerability assessments and penetration
testing should check for compliance to various
security parameters of the applications in line
with risk baseline including accounts, services,
passwords, IS Policies, IS Guidelines,
authentication controls, authorization controls,
SQL injection, cross-site scripting, session
manipulation, encryption strength
4.17 Vendor should carry tools required for
application security assessments.

4.18 The vendor should provide an online
remediation tracking mechanism to track
vulnerabilities, controls for mitigation, status
with online reports
4.19 The vendor onsite team should provide support
for testing recommendations in UAT and
provide support for production rollout.
4.20 Evaluate the audit observations of the IS
Auditors and facilitate and guide to rectify the
deficiencies / irregularities. Recommend to the
bank regarding feasibility of implementation
and help in implementation
4.21 Vendor should report security status of
applications in a security dashboard, more
details are specified in the security dashboard
section

5. Application Penetration Testing (Grey Box & Black Box)

Vendor should assess, track and mitigate vulnerabilities in IT processes as well as business processes
around IT. The services have to be provided from within the bank’s premises.

Sl No. Requirement S/N Remarks


5.1 The vendor should develop and maintain a risk
baseline for processes which lists the risks and
the corresponding controls
5.2 The risk baseline should be codified in a
software and should be available online
5.3 The risk baseline should be integrated with the
security dashboard
5.4 The risk baseline should be consistently updated
with new risks
5.5 The risk baseline should always reflect the
current state of risks in the bank
5.6 Risk baseline should be categorized based on the
value of risks
5.7 Risk baseline should be benchmarked with
ISO27001, COBIT and ITIL
5.8 Risk baseline software should have provision to
add, delete, modify risks
5.9 Risk baseline software should uniquely identify
risks using Risk ID
5.10 Risk baseline software should have the provision
to add custom risks along with the value of risks
5.11 Vendor should assess and coordinate mitigation
of risks across all critical IT processes including
Backup Management, Incident Management,
Change Management, Third Party Access,
Antivirus Management, Patch Management,
Physical Security, Access control, Disaster
Recovery, Information Classification,
Application development & maintenance, User
Provisioning, Segregation of duties against the
defined risk baseline.

5.12 Vendor should assess and coordinate mitigation
of risks across business processes around IT for
channels including Core banking, Internet
Banking, ATM, Call Center, Treasury, SMS
banking, Mobile Banking, CAPS
5.13 Vendor should carry their own tools required for
process security
5.14 The vendor should provide an online
remediation tracking mechanism to track non-
compliances, controls for mitigation, status with
online reports
5.15 Vendor should report security status of
processes in a security dashboard, more details
are specified in the security dashboard section

6. Security Intelligence

Vendor should track emerging vulnerabilities and threats relevant to the bank’s assets.

Sl No. Description S/N Remarks


6.1 Identification of evolving vulnerabilities and
threats to IT infrastructure assets, deployed in the
bank. This includes
• Top global attack sources
• Top global attack targets
• Vulnerabilities
• Attack forms
• Worms & Viruses
6.2 Vendor SOC should send timely security
advisories for evolving vulnerabilities and
threats. Advisories should also detail mitigation
measures
6.3 Vendor should track impact of new
vulnerabilities and threats on bank’s assets.
Vendor should track, coordinate and facilitate for
closure of vulnerabilities on assets that are
affected
6.4 The security dashboard should give an online
view of the global vulnerabilities and threats
applicable to the bank’s environment, number of
assets affected and status of mitigation

6.5 The vendor should provide the log entries, evidence and
forensic analysis in respect of the fraud /
suspicious transactions identified and provide all
other related details to the Bank and help the
Bank in the investigation process.
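
Added worked example (not from the tender): one way to meet the log authenticity and integrity requirement in 2.20, and to keep the evidence asked for in 2.5 and 6.5 tamper-evident, is to chain each stored record to the previous one with an HMAC. The key, the record layout and the sample events below are assumptions made for the illustration.

```python
"""Tamper-evident log sealing with an HMAC chain (added example, not from the tender).

Each record's tag covers the previous tag, so modifying, removing or
reordering a record breaks verification at that point.  The key, the
record layout and the sample events are assumptions for this illustration;
in practice the key is held by the verifier, not by the log producer.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag assumed for the record before the first one

# Constructed sample security events (not real data).
SAMPLE_EVENTS = [
    {"seq": 1, "ts": "2013-09-19T10:31:12", "src": "atm-switch",
     "msg": "withdrawal", "card": "4321XXXXXXXX1111", "amount": 10000},
    {"seq": 2, "ts": "2013-09-19T10:31:40", "src": "ib-portal",
     "msg": "login_failed", "user": "cust0042", "ip": "198.51.100.7"},
    {"seq": 3, "ts": "2013-09-19T10:32:02", "src": "ib-portal",
     "msg": "login_ok", "user": "cust0042", "ip": "198.51.100.7"},
]


def _canonical(record):
    """Stable serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _tag(key, prev, record):
    """HMAC-SHA256 over the previous tag and the canonical record."""
    return hmac.new(key, (prev + "\n" + _canonical(record)).encode(),
                    hashlib.sha256).hexdigest()


def seal_records(records, key, prev=GENESIS):
    """Return a list of sealed entries, each chained to the one before it."""
    sealed = []
    for record in records:
        tag = _tag(key, prev, record)
        sealed.append({"rec": record, "prev": prev, "tag": tag})
        prev = tag
    return sealed


def verify_chain(sealed, key, genesis=GENESIS):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = genesis
    for i, entry in enumerate(sealed):
        expected = _tag(key, prev, entry["rec"])
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def demo_tampering(key=b"constructed-demo-key-do-not-reuse"):
    """Seal the sample events, then show that edits and deletions are caught."""
    sealed = seal_records(SAMPLE_EVENTS, key)
    intact = verify_chain(sealed, key)

    edited = copy.deepcopy(sealed)
    edited[1]["rec"]["msg"] = "login_ok"          # rewrite history
    edit_result = verify_chain(edited, key)

    removed = sealed[:1] + sealed[2:]             # drop the failed login
    removal_result = verify_chain(removed, key)
    return intact, edit_result, removal_result


if __name__ == "__main__":
    print(demo_tampering())  # ((True, None), (False, 1), (False, 1))
```

Because the verifier recomputes every tag from the key it holds, a producer that never sees the key cannot re-seal a doctored history; the first index reported tells the investigator exactly where the evidence stops being trustworthy.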

7. Anti-Phishing Services

Vendor should provide 24X7 monitoring of phishing attacks against the bank.

Sl. No Description S/N Remarks


7.1 24X7 monitoring for phishing attacks
7.2 Vendor should implement real time detection
mechanisms

7.3 Vendor should implement tools for referrer log
analysis of web server
7.4 Vendor should monitor similar domain name
registration
7.5 Vendor should monitor spam traps to detect
phishing mails
7.6 Vendor should do web site analysis to detect
phishing sites
7.7 The Bank expects that the vendor should have
the reach on their own or through official
business partnerships to take up closure /
mitigatory measures on phishing sites
anywhere in the world.
7.7.1 In Case of Take-downs using the services of
CERT IN:
Vendor should quote for 100 take downs per
annum as an OPTIONAL ITEM, toward
phishing sites which are targeting the Bank’s
Systems - Both Direct and Indirect attacks. The
Bank at its discretion may choose to opt for
taking-down such phishing sites.

7.7.2 In Case of Take-downs using the services of
OTHER THAN CERT IN :
Vendor should quote for 100 take downs per
annum as an OPTIONAL ITEM, towards
phishing sites, which are direct in nature
targeting specifically only Systems of CorpBank
from that Host. The Bank at its discretion may
choose to opt for taking-down DIRECT
phishing sites.
7.7.3 In Case of Take-downs using the services of
OTHER THAN CERT IN :
Vendor should quote for 100 take downs per
annum as an OPTIONAL ITEM, toward
phishing sites which are INDIRECT in nature in
targeting the Bank’s Systems also, apart from
other financial institutions. The Bank at its
discretion may choose to opt for taking-down
indirect phishing sites.
7.7.4 A phishing site / IP / URL as mentioned in para
7.7.1, 7.7.2 & 7.7.3 above, once taken-down
shall be counted as one incident only till 180
days from date of take-down irrespective of
the fact that it is reactivated or otherwise
within 180 days and the vendor shall take-down
such reactivated attacks without any
additional cost to the Bank.
7.8 Vendor should have alternative response
mechanisms other than web site take down to
minimize impact of phishing [Furnish details].
7.9 Vendor should be in a position to block the
phishing sites in Internet Explorer or Firefox etc.

7.10 Vendor should assist bank in identifying affected
customer IDs
7.11 Vendor should assist the bank for coordination
with law enforcement agencies, CERT, etc
7.12 Vendor should benchmark bank website and
suggest controls required to minimize impact
from phishing attacks
7.13 Vendor should assist bank in assessing
vulnerabilities and on a timely basis penetration
testing
7.14 Vendor should provide Anti-phishing Services
through the Bidder’s SOC, deploying their
own tools and software for detection and
monitoring, and not depend on a third party
7.15 The vendor should not be dependent on a third
party vendor for identifying phishing
attacks, and should have their own capabilities
for detection.
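
Added worked example (not from the tender or any bidder's service): a screen of the kind requirement 7.4 implies, run over a constructed feed of domain names to pick out lookalikes of a monitored brand. The brand label corpbank, the allow-list, the short suffix list and the feed are all constructed for the illustration; a production tool would use the public suffix list and a live registration feed.

```python
"""Screening observed domain names for lookalikes of a monitored brand
(added example, not from the tender or any bidder's service).

Requirement 7.4 asks the vendor to monitor similar domain name registrations.
This screens a feed of domain names against one brand label using three
checks: homoglyph/suffix variants, brand-containing labels and small edit
distances.  The brand label, allow-list, suffix list and the feed itself are
constructed for the illustration.
"""

# Characters commonly substituted to imitate a brand; multi-character keys first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("@", "a")]

# Second-level suffixes under which the registrable label is one level deeper
# (e.g. example.co.in).  Deliberately short; a real tool uses the public suffix list.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}


def normalize(label):
    """Lower-case, strip hyphens and fold look-alike characters."""
    s = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def registrable_label(domain):
    """The label a registrant actually chose, e.g. 'corpbank' in corpbank.co.example."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(label, brand, max_distance=2):
    """Return a verdict string for a suspicious label, or None if it looks unrelated."""
    norm = normalize(label)
    if norm == brand:
        return "brand_match"      # homoglyph or a different suffix
    if brand in norm:
        return "combosquat"       # brand plus extra words, e.g. corpbank-login
    if levenshtein(norm, brand) <= max_distance:
        return "typosquat"
    return None


def screen(domains, brand="corpbank", allowlist=("corpbank.example",)):
    """Apply classify() to every domain not owned by the bank; returns (domain, verdict) hits."""
    hits = []
    for d in domains:
        if d.lower() in allowlist:
            continue
        verdict = classify(registrable_label(d), brand)
        if verdict:
            hits.append((d, verdict))
    return hits


# Constructed feed of observed registrations (not real domains).
SAMPLE_FEED = [
    "corpbank.example",          # the bank's own domain, allow-listed
    "c0rpbank.example",          # digit zero for letter o
    "corpbank-login.example",    # brand plus a lure word
    "corpbnak.example",          # transposed letters
    "weather.example",           # unrelated
    "corpbank.co.example",       # same label under another suffix
]

if __name__ == "__main__":
    for domain, verdict in screen(SAMPLE_FEED):
        print(f"{verdict:12s} {domain}")
```

Edit distance alone misses names that merely share a word with the brand, so such a screen is normally paired with a keyword list and a review queue; each hit is a candidate for the take-down and customer-alert workflow described in 7.7 onward, not an automatic verdict.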

8. Malware scanning services

Vendor should provide 24X7 monitoring for malware injection attacks and infection.

Sl No. Description S/N Remarks
8.1 24X7 monitoring for Malicious Mobile Code
(MMC) infection of Internet Banking and
Corporate website
8.2 Real time detection of MMC infection/injection
8.3 Solution should be a tool based automated
solution

8.4 Solution should support scanning to a depth of at
least two pages
8.5 Solution should support scanning of static and
dynamic links
8.6 Vendor should takedown MMC injection server
once it is identified as the source
8.7 Vendor should manage incidents for MMC
infection/injection including solution,
coordination for recovery in the shortest possible
time
8.8 Solution should be independent of application
platform
8.9 Bidder services should have ability to provide
alerts on identification of the infection on the
monitored website
8.10 Service should have web based access to the
findings of the services and reports for
scanning
8.11 Service should alert the bank on detection of
changes identified from the baseline defined

8.12 Service should also detect behavioral patterns,
known worms and signatures to protect the
bank’s sites
8.13 Service should also detect the defacement
attempts made towards bank’s sites

9. Security Service Desk System Requirements

Vendor should implement a security service desk customized for the services provided at the bank’s
premises.
Sl No. Description S/N Remarks
9.1 The tool should be customized with forms,
fields, workflows corresponding to security
monitoring, incident management, infrastructure
and application baseline security, secure
commissioning of new servers and applications
9.2 The service desk should be configured with
escalation workflows
9.3 Service desk should be a web based portal with
ready access to service requests
9.4 Bank should be able to generate reports on
demand from the service desk portal
9.5 Service desk should support concurrent login
for at least three users
9.6 Service request should contain at least the
request Number, description of request, date &
time of opening, update and closure, asset
details for which the service has been opened,
action taken

10. Unified Security Dashboard

The vendor should implement an integrated online security dashboard for services provided to the bank.
Security dashboard should be implemented onsite in the bank’s premises and should be accessible to
identified personnel of the Bank preferably through our Network / Web based access.

Sl. No Requirement S/N Remarks


10.1 The dashboard should be web based online
portal
10.2 The dashboard should integrate with the
following
1. Risk baseline
2. Asset database
3. Security event/log monitoring tool
4. Security Intelligence
10.3 Dashboard should display asset list and
capture details including name, location,
owner, value, business unit, IP address,
platform details
10.4 Dashboard should display risk baseline
corresponding to multiple categories for IT
infrastructure, applications and processes
10.5 The dashboard should display the security
status of IT infrastructure assets in the
bank. Dashboard should have graphical
display of asset security status based on
locations, business units
10.6 Dashboard should capture the status of
applications in the bank. Dashboard should
have a graphical display of application
security status based on locations, business
units
10.7 Dashboard should capture risks in each
asset. Dashboard should have the provision
to click on the asset and track mitigation
status corresponding to risks
10.8 There should be a graphical representation
of risks across business units/locations.
Dashboard should support drill down
graphs to move to the level of individual
assets and should support wide array of
analytics and intelligence capabilities.
10.9 The bank should be able to benchmark and
track mitigation for new global threats and
vulnerabilities using the dashboard. The
applicability of new threats to the bank’s
assets should also be displayed. A drill
down of assets affected by new threats,
vulnerabilities and status of mitigation
should be supported.

10.10 SLA data should be captured in the
dashboard with compliance details

11. Security Analysis, Mitigation and reporting thereof

Vendor should provide service deliverables for security event monitoring, event correlation, analysis and
mitigation, both reactive to incidents and proactive to anticipated events, basic audit and reporting;
periodic analysis of the security events with recommendations; and a periodic “Service Delivery Review”
with the customer, with feedback on the service window and other deliverables.

Sl No. Requirement S/N Remarks


11.1 Monitoring for the security events and raise
the alerts for any unauthorized access that may
lead to security breach
11.2 Identify and rectify any virus/worm or any
other malware infected system based on the
viruses/worms activity observed at the
firewalls, proxies, servers etc. and take
remedial action
11.3 Alerting on security device availability and
utilization (CPU, RAM, HDD, Sessions)
violations/exceptions
11.4 Provide initial review and resolution of
security incidents and provide technical advice
/ initiate steps for prevention of such
incidents.
11.5 Maintain security device configuration based
on industry level practices and as requested
within the scope.
11.6 Comply with the policies, standards &
regulations applicable to the bank for
information systems, personnel, physical &
technical security for the security devices
covered in the scope.
11.7 Develop & document security monitoring
procedures that meet requirements and adhere
to defined security policies, guidelines &
standards in place.
11.8 Maintain & provide audit information
including access, general logs, and application
logs in accordance with bank’s security
policies & standards for the security devices
and application
11.9 Unified secured web portal interface for
viewing, real-time monitoring of data of
firewall events after correlation and providing
periodic reports
11.10 Reporting security device status on
compliance as per recommended format and
schedule

12. Regular Review of IS and IT related policies

Vendor shall formulate/ review IS and IT related policies of the Bank at regular intervals.
Sl No. Requirement S/N Remarks
12.1 Review of Policies / Guidelines /
Business Continuity Plan / Disaster
Recovery Plan / Data Centre
Operations Manual – all pertaining
to Information Technology and
Information Security
12.2 Review shall be in terms of
adequacy, appropriateness and
concurrency to the present IT
environment and suggest
necessary changes commensurate
with risks
12.3 Provide input to the Bank on the
annual review in respect of the
above
12.4 Review of observations in various
IS Audit Reports and provide the
Bank suggestions for rectification,
facilitate rectification, provide work
around for certain observations
and provide opinion on certain
observations on the feasibility of
implementation

13. Wide Area Network Security Monitoring

Vendor should define the objectives for ensuring the integration of the security components
with the other security and wide area networking components so that together they deliver a supporting framework.

Sl No. Requirement S/N Remarks


13.1 Integrate the security devices with the other
wide area network components to strengthen
the overall security posture as recommended
13.2 Integration of security devices with wide area
network components for the administrative
access framework & audit trails
13.3 Provide suggestions for any Wide area
network and security upgrades/patches/
changes that can enhance the security posture
and/or add business value to the delivery
framework
13.4 Provide necessary guidance to WAN service
providers and liaise with them for execution in
order to protect overall WAN infrastructure

14. ISMS Implementation

The bidder should implement ISMS standards for the Bank’s IT Infrastructure.
Sl No. Requirement S/N Remarks
14.1 Study of existing policies, business processes,
documents and records maintained (like
contracts, SLAs, MOUs etc), Outsourcing, 3rd
Party Access, Security Setup, Infrastructure,
etc as per ISO 27001 standards.
14.2 Identify gaps in IT security products
deployment to detect, analyse and comply
with Bank’s security policy and industry best
practices and standards
14.3 Submission of Gap Analysis Report and road
map including measurable goals of the
project with suggested areas of improvement
14.4 Define the scope and boundaries of the ISMS
in terms of its location, assets and technology
14.5 Development of asset register & Asset
classification
14.6 Risk Assessment shall include Identification of
risks and threats on identified assets under
scope; evaluation of probability and impact;
risk value and analysis & Risk Treatment Plan
14.7 Risk Assessment should also include technical
vulnerability assessment, penetration testing,
web application security testing, review of
network architecture etc.
14.8 Prepare a Statement of Applicability in
consultation with the Bank’s officials
14.9 Prepare a statement of exclusion of any
control objectives and controls in SOA with
the justification for their exclusion
14.10 Review of controls and control objectives
already implemented and recommending for
addition/ modification required in the
existing controls implemented
14.11 Consultants must review the existing policies
& procedures of the Bank against ISO 27001
standards and either update the existing
policies or develop new policies, if required.
14.12 Review and finalization of various ISMS
documents should be done along with the
security team of the Bank
14.13 Extend support during the implementation of
ISMS procedures and technical support for
fixing of any technical gaps pointed during
the Risk Assessment phase
14.14 Provide training / knowledge transfer for
Bank’s officials
14.15 Provide information security & policy
awareness trainings to all officials of ITD
14.16 Engage external agency for accredited
training on “ISO 27001 Lead Implementer” &
“ISO Lead Auditor” for 10 Participants
14.17 Internal Compliance Audits against ISO 27001
standards
14.18 Support for Closing Open Items
14.19 Coordination with third-party for certification
14.20 Co-ordinate with bank and Certification
bodies during Stage I and Stage II
certification audits & surveillance audits.
14.21 Provide assistance to Bank’s internal team for
closure of audit findings
14.22 Arrange/coordinate with the Registered
Certification Body (RCB) of Bank’s choice for
the following assignments:
o First year Stage I and Stage II audits
o Second year Surveillance audit
o Third Year Surveillance audit
14.23 Assist the Bank in External/Internal audits
and developing the CAPA formats
14.24 Vendor shall also extend support for review
and check the readiness for the surveillance
audit, one month before the external audit by
the RCB
14.25 Bidder to provide automated tool to maintain
ISMS with the following features:
• The tool must be able to provide asset
management from identifying an asset, asset
classification, and the value of the asset based on
Confidentiality, Availability and Integrity
• The tool must have maker and checker
capability to verify the assets identified and
their evaluation
• The tool must be able to provide risk
assessment process from identified
assets, Threats list, Vulnerabilities,
Controls list and calculate the
residual risk.
• The tool should support Risk
Treatment Planning. Select the
controls from the ISO 133 controls
(these controls will be mapped to
Industry controls) and custom define
list of controls which is not in ISO 133
controls.
• The tool should show
implementation progress report and
effectiveness of control metric
measurement report once Risk
Treatment plan is implemented.
• The tool should showcase risk levels
before the Risk Treatment and after
the Risk Treatment. This report
should be generated from the tool to
be presented to management.
• The tool should have facility to create
Internal Audit checklist (best practice)
and custom define check lists.
• The tool should provide a feature to map
findings of an audit to various
compliances and report compliance
gaps
• The tool should provide a facility to plan
remediation for audit findings,
tracking and closure
Ongoing Review and monthly activity
reporting
Surveillance audit for the year 2 and 3

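
Added worked example (not from the tender or any bidder's ISMS tool): a small risk register in the shape requirement 14.25 describes, with C/I/A asset valuation, risk derived from threat, vulnerability and control, and the before/after treatment report. The 1 to 3 scales, the multiplicative score, the control effectiveness percentages and the High/Medium/Low thresholds are assumptions chosen for the illustration, not the bank's or ISO 27001's own method.

```python
"""Asset-based risk register with residual risk after treatment
(added example, not from the tender or any bidder's ISMS tool).

Requirement 14.25 describes a tool that values assets on C/I/A, derives risk
from threats, vulnerabilities and controls, and reports risk levels before
and after treatment.  The 1-3 scales, the multiplicative scoring, the
control-effectiveness percentages and the level thresholds are assumptions
chosen for this illustration.
"""

# Assumed thresholds on the 1..27 score produced below.
LEVELS = ((18, "High"), (9, "Medium"), (0, "Low"))

# Constructed asset register: C, I, A each rated 1 (low) to 3 (high).
ASSETS = {
    "ib-portal": {"name": "Internet banking portal", "owner": "Digital Banking",
                  "c": 3, "i": 3, "a": 3},
    "print-srv": {"name": "Branch print server", "owner": "Branch Ops",
                  "c": 1, "i": 1, "a": 2},
}

# Constructed risk entries: an asset, a threat/vulnerability pair, likelihood and
# impact (1..3), and the control selected to treat it with its assumed
# effectiveness as a percentage reduction of the inherent score.
REGISTER = [
    {"id": "R-001", "asset": "ib-portal", "threat": "Credential theft by phishing",
     "vuln": "Single-factor login", "likelihood": 3, "impact": 3,
     "control": "Two-factor authentication", "effectiveness": 70},
    {"id": "R-002", "asset": "ib-portal", "threat": "SQL injection",
     "vuln": "Unvalidated form input", "likelihood": 2, "impact": 3,
     "control": "Parameterised queries and input validation", "effectiveness": 60},
    {"id": "R-003", "asset": "print-srv", "threat": "Worm infection",
     "vuln": "Unpatched operating system", "likelihood": 3, "impact": 2,
     "control": None, "effectiveness": 0},
]


def asset_value(asset):
    """Highest of C, I, A: an asset is as valuable as its most sensitive property."""
    return max(asset["c"], asset["i"], asset["a"])


def inherent_risk(entry, assets=ASSETS):
    """Risk before treatment = asset value x likelihood x impact (1..27)."""
    return asset_value(assets[entry["asset"]]) * entry["likelihood"] * entry["impact"]


def residual_risk(entry, assets=ASSETS):
    """Risk after the selected control, reduced by its assumed effectiveness."""
    return inherent_risk(entry, assets) * (100 - entry["effectiveness"]) // 100


def level(score):
    """Map a numeric score onto the assumed High/Medium/Low bands."""
    for threshold, name in LEVELS:
        if score >= threshold:
            return name
    return "Low"


def treatment_report(register=REGISTER, assets=ASSETS):
    """Before/after table of the kind the tool is asked to present to management."""
    rows = []
    for entry in register:
        before, after = inherent_risk(entry, assets), residual_risk(entry, assets)
        rows.append({"id": entry["id"], "asset": assets[entry["asset"]]["name"],
                     "inherent": before, "inherent_level": level(before),
                     "control": entry["control"] or "none selected",
                     "residual": after, "residual_level": level(after),
                     "needs_treatment": level(after) != "Low"})
    return rows


if __name__ == "__main__":
    for row in treatment_report():
        print(f"{row['id']} {row['asset']:26s} {row['inherent']:2d} {row['inherent_level']:6s}"
              f" -> {row['residual']:2d} {row['residual_level']:6s} via {row['control']}")
```

The maker/checker step the requirement asks for sits outside this calculation: it is the review of the asset ratings and effectiveness percentages feeding it, which is where a risk register is most often wrong.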
15. Implementation of RBI Workgroup Recommendations

The bidder should implement ISMS standards for the Bank’s IT Infrastructure.
Sl No. Requirement S/N Remarks
15.1 Bank has already performed Gap
Analysis with respect to RBI Workgroup
Recommendations on IT Domains (Sri.
GopalaKrishna Committee
Recommendations) guidelines issued
vide RBI Circular no: RBI/2010-11/494
DBS.CO.ITC.BC.No. 6 /31.02.008/2010-11
April 29, 2011.
15.2 The successful Vendor shall review the
Gap Analysis and recommend for
improvements if any in the Gap
Analysis.
15.3 Review of GAP Analysis is focused on
documentation and services rather than
tool implementation.
15.4 The Vendor shall also initiate the
compliance for the non-complied portion
of the Guidelines with definite time-line
of 6 months from date of Purchase
Order

The Bank has listed out, as per Annexure M, the major areas which require vendor support for
implementation. The list is indicative and not exhaustive.

Dated this ______ day of _________2013

Signature: ______________________________________

(in the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of

Annexure B - Checklist for Product Documentation

1. Service Providers are required to provide printed technical documentation for the items listed
in Table below.
2. Availability of adequate, correct and relevant technical documentation is essential for
evaluation of any offer.
3. Service Providers are requested to provide original copies of the documentation. In case the
original copies are not available, Service Providers can provide clear readable photocopies.
4. Mark the column “Documentation Provided” with Tick mark (✓) or Cross (✗), as appropriate.
5. Service Provider may add any other documentation, which will support their offer.

S.No. Item Details Documentation provided (✓ or ✗)

1. Details of Software used for Managed
Security Services
2. Details of Hardware used for Managed
Security Services
3. Details of tools used for log monitoring
4. Details of tools used for Anti-Phishing
Services
5. Details of tools used for Malware
Scanning
6. Details of tools used for banking security
management
7. Details of Software/ Hardware used for
Incident Management
8. Details of Security Dash Board
9. Details of Security Analytics / Intelligence
tools
10. Details of Key personnel responsible to
provide these services, with brief profile

Dated this ______ day of _________2013

Signature: ______________________________________

(in the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of

Annexure C - Covering letter format

Date:_______2013

Offer Reference No.:________________________________________

To:
The Deputy General Manager
I.T Division, Corporation Bank,
Head Office, Mangala Devi Temple Road
Mangalore - 575001

Dear Sir,

Tender Ref: ITD/07/2013-14 dated 19/09/2013

Having examined the tender document including all Annexure the receipt of which is hereby duly
acknowledged, we, the undersigned, offer to undertake all the services for a period of THREE
years [with an option to extend the services as per terms of the Tender] in conformity with the said
tender in accordance with the Schedule of Prices indicated in the commercial offer and made part
of this offer.

If our offer is accepted, we undertake to commence operations within one month calculated from
the date of Letter of Intent or Purchase Order issued on us. However, we undertake to deploy
resources within 15 days from the date of Letter of Intent / Purchase Order issued on us and start
transition process.

We agree to abide by this offer till 180 days from the date of opening of the commercial offer by
the Bank and our offer shall remain binding upon us and may be accepted by the Bank any time
before the expiration of that period.

We confirm that our Lead Project Manager specified in this offer has the requisite
qualification and experience sought in the eligibility criteria of the Tender, and we agree to
deploy him in the Bank’s project as per the terms of the Tender and will obtain prior consent from
the Bank before moving such resource from the project.

We agree to and will abide by the terms of the Tender, and will not assign or sub-contract the
assignment or any part thereof to any other person / firm. We confirm that we have not modified
the published tender format in any manner. We confirm that the duplicate copy of the offer is an
exact replica of the original offer in all respects.

We confirm that we have not been blacklisted by any commercial bank in India.

We agree that until a formal contract is prepared and executed, this offer, together with the
Bank’s written acceptance thereof and the Bank’s notification of award, shall constitute a binding
contract between us.

We understand that the Bank is not bound to accept the lowest or any offer the Bank may receive
without assigning any reason whatsoever.

The list of documents submitted against each of the points mentioned in the Qualification Criteria is
enclosed herewith for your ready reference.

Dated this ______ day of _________2013

Signature: ______________________________________

(in the Capacity of:) ________________________________


Duly authorized to sign the offer for and on behalf of
______________________________________________

Annexure C1 - Terms and Conditions Compliance Table

The Offer must specify the unconditional willingness to abide by the Terms and Conditions of the Tender. The
Terms and Conditions specified elsewhere in the Tender should be complied along with the compliance / conformity
/ willingness to offer as per the terms of the Tender towards requirements of the Bank as under:

Term Short Description of term Accepted / Detailed Explanation about


No. [This column Not to be altered Complied deviation, if not complied
by the Bidder] (Yes/No) [Note : Deviation can be
[Blanks not mentioned only if compliance
permitted; column is shown as ‘NO’
either yes otherwise it will construed as
or no only] complied as per the requirement
of Bank] Please note that
specifying Deviation elsewhere in
the Offer document will not be
considered, if here it is
mentioned as complied –YES
1 Payment Terms
2 Pricing & Payments
3 Contract Period
4 Start of Services
5 Delay in operationalizing the Services
6 Liquidated Damages
7 Service Level Agreement
8 Review of the Agreement
9 Repeat Order
10 Periodic Review of Services
11 Confidentiality & Non-disclosure
12 Performance Bank Guarantee
13 Cancellation of Order
14 Termination of Services by Service
Provider
15 Indemnity
16 Business Resumption & contingency
plans
17 Publicity
18 Force Majeure
19 Resolution of Disputes

Dated this day of 2013

Signature :

In the Capacity of :
Duly Authorised to Sign the Offer and Terms and Conditions on behalf of
(Company)

Annexure D – Details of the Service Provider

Details filled in this form must be accompanied by sufficient documentary evidence, to enable the
Bank to verify the correctness of the information.

Sl. No | Item | Details

1 Name of Company
2 Postal Address
3 Telephone, mobile and Fax numbers
4 Constitution of the Company
5 Name and designation of the person authorized to make commitments to the Bank
6 Email Address
7 Year of commencement of Business
8 Sales Tax Number
9 Income Tax Number
10 Brief description of facilities of the organization for undertaking the services
11 Website of the Company
12 Certificate of Incorporation under the Companies Act, 1956.
13 Details of Security Operations Centre in India, like location, Infrastructure, Tools used,
Companies served, process and methodology etc.
14 Details of ISO 27001 Certification
15 Details of Three contracts executed for 3 Financial Institutions (of which one should be for a
Commercial Bank in India with 500 branches) [enclose the documentary proof]
16 Details of at least one Commercial Bank [with 500 branches] Customer in the last one year
serviced by the SOC.
17 Details of One security project in India, of minimum Rs.25 lakhs per annum, which does not
include the product cost, but only the services cost.
18 Details of the Lead Project Manager with CISA / CISSP Certification who has been with the
bidding firm for at least two years and has prior experience in handling at least one big security
services project for a BFSI customer in India
19 Name of Contact Person in respect of this Tender, Mobile Number and email-ID.
[All the communication in respect of this Tender will be sent to the above contact person]
    Name :
    Phone :
    Mobile :
    Email :
20 The Address of your office on whom the Purchase Order shall be placed

Dated this ______ day of _________2013


Signature: ______________________________________
(in the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of


_______________________________________________

Annexure E - Track Record of Past Operations

Name of the Service Provider ___________________________________________

[Please attach proof of this track record of past operations]


Columns:
  Sl. No
  Name of the Client, Location, Brief Scope
  Service Offered (specify the actual individual services offered like Log Monitoring, Anti-phishing,
  VA&PT, ISMS Implementation etc. Please note that for these items necessary documentary proof should
  be submitted in the technical bid for consideration by the Bank)
  Time Period of the services extended (From – To)
  Contact person of the Client (Name, Tel. No., Fax No., Address)

Dated this ______ day of _________2013

Signature: ______________________________________

(in the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of

Annexure F – Format For Submission of Technical Bid

The Service Provider should provide a response to each requirement, which should be one of the
following categories – S/N, i.e. Standard (S) or Not Feasible (N). Please respond in accordance
with the following guidelines.

S – Standard: This is a standard feature of the system and is available in ready-to-implement mode
immediately.
N – Not feasible: The function does not exist in the current system. In such a case, please suggest
an alternative method of achieving the requirement.

For the requirements mentioned in Annexure A, as the specification of services in detail, an
item-wise response should be given by marking S or N for each row. Where a response requires
explanation, provide the explanation in the REMARKS column or on a separate page, if
necessary, with reference to the requirement number.

Sl. No Requirement S/C/N Remarks

….
……

Dated this ______ day of _________2013

Signature: ______________________________________

(in the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of

Annexure G – Masked Price Schedule [Technical Bid Version] [Enclose with Technical Bid]

Name of the Service Provider ___________________________________________

Please note that a statement or request for deviation in either the Technical specifications or the Terms &
Conditions specified in the Tender should not form part of the Commercial Offer. If any commercial offer
contains such requests or submissions, the offer will be summarily rejected without any further process or
communication in this regard. Any commercial offer which is conditional and/or qualified or subject to
suggestions will also be summarily rejected.

[Rate per month, rate for 12 months and applicable taxes for each of the rows must be filled in and
should not be left blank. Individual amounts are to be mentioned in respect of each row / column;
clubbing is not permitted and, if found, the offer will be rejected.]
Note :

This schedule of services must be attached in Technical Offer with masking of price information and
with commercial offer with full price information. The format will be identical for both Technical and
Commercial Offers, except that the Technical Offer should not contain any price information.
Technical Offers without this price masked schedule of services will be liable for rejection.

Vendor must take care in filling price information in the Commercial Offer, to ensure that there are no
typographical or arithmetic errors. All fields must be filled up correctly.

Columns:
  Sl. No.
  Brief Heading of Services offered and onsite support [More fully described in 1. Service Level
  Agreement 2. Annexure-A 3. Service Delivery Methodology 4. Specification of the services of the
  Tender Document]
  Rate per Month (in Rupees)
  Rate for 12 Months (in Rupees)
  Any Taxes applicable for this service as on date – specify nature of tax and rate in % only
  [This column should be filled in this technical bid also]
(a) Regular Activity towards managing IT Security
1. Security log Monitoring of the IT infrastructure / IT
assets including reporting, action and follow-up for
mitigation (including Wide Area Network
monitoring )
2. Managing and monitoring of security for IT
Applications and Processes including reporting,
action, follow-up for mitigation and continuous
review with application owners.
3. Monitor / Manage / Periodic Review of the baseline
security for IT Infrastructure / IT Assets / IT
Applications
4. Security Intelligence, Advisory services, identify
threats and Monitor / Mitigate findings & threats,
Security Analysis, Mitigation & prompt reporting
5. Vulnerability Assessment
[Black Box and Grey Box]
6. Penetration Testing
[Black Box and Grey Box]

7. Malware scanning services for IT Assets deploy
tools and techniques for detection, monitor and
provide alerts, follow-up
8. Anti-Phishing services for Bank’s Web domains
including deploy vendor’s own tools and techniques
for detection, monitor and provide alerts, follow-up
9. Regular Review of Policies / Guidelines / Business
Continuity Plan / Disaster Recovery Plan / Data
Centre Operations Manual – all pertaining to
Information Technology and Information Security.
Review of observations in various IS Audit Reports
10. Security Service Desk System requirements, Security
Dash Board, Threat Monitoring, Vulnerability
analysis & mitigation
Annual Recurring Charges for MSS (including Onsite
support charges)
(b) One Time Service Charges – On milestones
11. Charges towards preparation, implementation
of ISMS and certification at locations specified
/ISO 27001 certification, On-going Review &
monitoring, reporting & Surveillance audit for
2nd and 3rd year
12. Service support charges towards
implementation of RBI Workgroup
recommendations on IT domains/ IT Security
(c) Optional Items
13. Charges for 100 take downs per annum as an
OPTIONAL ITEM using the services of CERT
IN, towards phishing sites, which are DIRECT
and INDIRECT in nature.
14. Charges for 100 take downs per annum as an
OPTIONAL ITEM using the services of other
than CERT IN, towards phishing sites, which
are DIRECT in nature targeting specifically only
Systems of CorpBank from that Host.
15. Charges for 100 take downs per annum as an
OPTIONAL ITEM using the services of other
than CERT IN, towards phishing sites which
are INDIRECT in nature in targeting the Bank’s
Systems also, apart from other financial
institutions.
Total Cost of Services of Managed Security Services
[for comparison and will be taken for techno-commercial evaluation (a)+(b)+(c) above]

1. We confirm that the above schedule includes the cost of all the services and
deliverables covered in the schedule of requirements and as per the Terms and
Conditions specified in the Tender.

2. We confirm that the Bank is not liable to pay any other charges / fees / outflow
of whatsoever nature it be on account of rendering these services.

3. We confirm that the above commercial offer is in full & unconditional, and not
subject to any conditions / qualifications / suggestions / deviations.

4. We confirm that the above Pricing is exclusive of applicable taxes, and in the
last column the taxes applicable as on date are indicated as a percentage (%).

5. We understand that the above-mentioned figure is for price-comparison
purpose only and the Bank will pay on actuals, taking into account the actual
services availed by the Bank from time to time.

6. We are agreeable to the payment terms specified in the Tender and to provide
the services mentioned in the Tender as per the above rates specified for a
period of 3 years.

Dated this ______ day of _________2013

Signature: ______________________________________
(In the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of


_______________________________________________

NOTE: The Service Provider is to submit the pricing in the commercial bid with all the bifurcations.
A Commercial Bid without bifurcation of cost for each activity and for each line item will be
summarily rejected.

Annexure H - Price Schedule – Commercial Bid Format [Enclose with Commercial Bid]

Name of the Service Provider ___________________________________________

Please note that a statement or request for deviation in either the Technical specifications or the Terms &
Conditions specified in the Tender should not form part of the Commercial Offer. If any commercial offer
contains such requests or submissions, the offer will be summarily rejected without any further process or
communication in this regard. Any commercial offer which is conditional and/or qualified or subject to
suggestions will also be summarily rejected.

[Rate per month, rate for 12 months and applicable taxes for each of the rows must be filled in and
should not be left blank. Individual amounts are to be mentioned in respect of each row / column;
clubbing is not permitted and, if found, the offer will be rejected.]

Note :
Vendor must take care in filling in price information in the Commercial Offer, to ensure that there are no
typographical or arithmetic errors. All fields must be filled up correctly.

Columns:
  Sl. No.
  Brief Heading of Services offered and onsite support [More fully described in 1. Service Level
  Agreement 2. Annexure-A 3. Service Delivery Methodology 4. Specification of the services of the
  Tender Document]
  Rate per Month (in Rupees)
  Rate for 12 Months (in Rupees)
  Any Taxes applicable for this service as on date – specify nature of tax and rate in % only
(a) Regular Activity towards managing IT Security
1. Security log Monitoring of the IT infrastructure / IT
assets including reporting, action and follow-up for
mitigation (including Wide Area Network
monitoring )
2. Managing and monitoring of security for IT
Applications and Processes including reporting,
action, follow-up for mitigation and continuous
review with application owners.
3. Monitor / Manage / Periodic Review of the baseline
security for IT Infrastructure / IT Assets / IT
Applications
4. Security Intelligence, Advisory services, identify
threats and Monitor / Mitigate findings & threats,
Security Analysis, Mitigation & prompt reporting
5. Vulnerability Assessment
[Black Box and Grey Box]
6. Penetration Testing
[Black Box and Grey Box]
7. Malware scanning services for IT Assets deploy
tools and techniques for detection, monitor and
provide alerts, follow-up
8. Anti-Phishing services for Bank’s Web domains
including deploy vendor’s own tools and techniques
for detection, monitor and provide alerts, follow-up
9. Regular Review of Policies / Guidelines / Business
Continuity Plan / Disaster Recovery Plan / Data
Centre Operations Manual – all pertaining to
Information Technology and Information Security.
Review of observations in various IS Audit Reports

10. Security Service Desk System requirements, Security
Dash Board, Threat Monitoring, Vulnerability
analysis & mitigation
Annual Recurring Charges for MSS (including Onsite
support charges)
(b) One Time Service Charges – On milestones
11. Charges towards preparation, implementation
of ISMS and certification at locations specified
/ISO 27001 certification, On-going Review &
monitoring, reporting & Surveillance audit for
2nd and 3rd year
12. Service support charges towards
implementation of RBI Workgroup
recommendations on IT domains/ IT Security
(c) Optional Items
13. Charges for 100 take downs per annum as an
OPTIONAL ITEM using the services of CERT
IN, towards phishing sites, which are DIRECT
and INDIRECT in nature.
14. Charges for 100 take downs per annum as an
OPTIONAL ITEM using the services of other
than CERT IN, towards phishing sites, which
are DIRECT in nature targeting specifically only
Systems of CorpBank from that Host.
15. Charges for 100 take downs per annum as an
OPTIONAL ITEM using the services of other
than CERT IN, towards phishing sites which
are INDIRECT in nature in targeting the Bank’s
Systems also, apart from other financial
institutions.
Total Cost of Services of Managed Security Services
[for comparison and will be taken for techno-commercial evaluation (a)+(b)+(c) above]

Total cost of Services towards Managed Security Services per year, exclusive of all Taxes,
is Rs……………… (in figures)
(Rupees………………………………………………………………………………………………………
…………………………Only)

1. We confirm that the cost towards On-site Support (for Monitoring & Mitigation)
on a 24x7 basis with three shifts per day and a minimum of one resource per
shift is included in the respective service charges for each of the services, as
the team is deployed for providing the various services only. Separate payment
towards onsite support will not be claimed, as it is included as a part of the
respective cost of services. Once a phishing site has been taken down, no charges shall
be levied for subsequent take-downs of the same site / URL / IP consequent to
re-activation of attacks until 180 days from the date of the first take-down.

2. We confirm that the above schedule includes the cost of all the services and
deliverables covered in the schedule of requirements and as per the Terms and
Conditions specified in the Tender.

3. We confirm that the Bank is not liable to pay any other charges / fees / outflow
of whatsoever nature it be on account of rendering these services.

4. We confirm that the Bank need not pay any amount to the vendor towards any
tools / software utilized for rendering the services, except for the commercial
quoted herein above.

5. We confirm that the above commercial offer is in full & unconditional, and not
subject to any conditions / qualifications / suggestions / deviations.

6. We confirm that the above Pricing is exclusive of applicable taxes, and in the
last column the taxes applicable as on date are indicated as a percentage (%).

7. We understand that the above-mentioned figure is for price-comparison
purpose only and the Bank will pay on actuals, taking into account the actual
services availed by the Bank from time to time.

8. We are agreeable to the payment terms specified in the Tender and to provide
the services mentioned in the Tender as per the above rates specified for a
period of 3 years.

Dated this ______ day of _________2013

Signature: ______________________________________
(In the Capacity of:) ________________________________

Duly authorized to sign the offer for and on behalf of


_______________________________________________

NOTE: The Service Provider is to submit the pricing in the commercial bid with all the bifurcations.
A Commercial Bid without bifurcation of cost for each activity and for each line item will be
summarily rejected.

Annexure I – Standard / Exceptional reports that should be provided by the service provider

Standard Reports & Exception Reports


• Daily activity wise report
• Weekly Summary Reports on every Monday
• Monthly consolidated reports
  o By 7th of every Month
  o Quarterly reports
  o Standard / Exceptional reports
• Monitoring reports should be of these categories
  o Executive summary report for management
  o User activity monitoring
    ▪ Account Lock-out events
    ▪ Failed log on activities
    ▪ Administrative access
    ▪ Blocked user account access
  o Operations monitoring
    ▪ Change request reports
    ▪ Configuration changes
    ▪ Operations overview reports
    ▪ Account management & user management reports
  o Configuration change monitoring
    ▪ Top Configuration Changes
    ▪ Unauthorized configuration changes
  o Policy adherence
    ▪ Firewall changes
    ▪ Critical commands executed
    ▪ Device configuration changes
  o Incident monitoring reports
    ▪ Top Targeted Ports
    ▪ Top Targets
    ▪ Top Attackers
    ▪ Attackers by geography
    ▪ Top Internal Attackers
    ▪ Top Destinations

Dash board report


Executive Summary about the current updation in the Dash Board
Summary report on alerts
Exceptions report with executive summary on a monthly basis

Annexure J - Inventory Details

The following table provides the inventory list for infrastructure assets in scope for security monitoring

Sl. No. | Asset | Description / Location | No. of units

1  Firewalls  (8 units)
     Data Center – Cisco Pix 535 / ASA
     DRS – Cisco Pix 515 / ASA
     FTS Centre – Cisco Pix 515
     IIBD – Cisco Pix 515
     RTGS – Cisco Pix 515
     Web centre – Checkpoint firewall
     MS Exchange Mail – Check Point Firewall
     FCS Centre – Cisco Pix Firewall
2  IDS  (1 unit)
     Mumbai IIBD
3  Routers  (100 plus units)
     Cisco Router 7507 (2 Nos) at Data Centre & DRS
     Cisco Router 3745 (24 Nos) in various DC (Distribution Centre)
     Cisco Router 2651 – 6 Nos
     Cisco Router – 60 Nos
     Cisco Router 1700 Series in IIBD Mumbai and other Branch locations #
     FTS Router
     Mangalore L3
4  Servers  (models: Sun E6900 / SF V490 / SF V480 / Xeon)
     Data Centre 2
     FTS 2
     Web centre 3
     FCS Centre 2
     DR Site 1 3
     IIBD 2
     RTGS, IIBD & DRS 15
     HRMS 1 1 (V440) 3 V220
     MS-EXCHANGE
     StorEdge 3510 – 13 Nos at Data Centre & 6 Nos at DRS
     Hitachi / StorEdge A1000 – 2 Nos IIBD
     StorEdge 3320 – 4 Nos Web Centre
     CTS centres – 2
     Sun M8000 – Data Centre – 2 Nos
     Sun M8000 – DR Site – 2 Nos
     Sun T3 – Data Centre – 2 Nos
     Sun T3 – DR Site – 2 Nos

NB : This inventory could change depending upon installation of new systems and components
based on the bank’s requirements during the course of the period of assignment. The vendor chosen
shall, however, undertake to support such new additions to the infrastructure also without any
additional commercials.
# Cisco Router 1700 series (Access routers) provided to all the branches for WAN connectivity.

Annexure K – Bank Guarantee format for EMD

Corporation Bank
Head Office,
Information Technology Division
Mangala Devi Temple Road
Mangalore - 575 001.

WHEREAS..........................................(Company Name) registered under the Indian Companies Act
1956 and having its Registered Office at .................................................................. India
(hereinafter referred to as “the VENDOR”) proposes to tender and offer in response to tender Ref.
No.026/2011-12- For availing Managing IT Security Services (hereinafter called the “TENDER”)

AND WHEREAS, in terms of the conditions as stipulated in the TENDER, the VENDOR is required to
furnish a Bank Guarantee in lieu of the Earnest Money Deposit (EMD), issued by a scheduled
commercial bank in India in your favour to secure the order under Schedule 1 of the Tender in
accordance with the Tender Document (which guarantee is hereinafter called as “BANK GUARANTEE”)

AND WHEREAS the VENDOR has approached us, ............................................................ for
providing the BANK GUARANTEE.

AND WHEREAS at the request of the VENDOR and in consideration of the proposed TENDER to you,
WE, ..................................................................having
............................................................Office at..........................................................., India
have agreed to issue the BANK GUARANTEE.

THEREFORE, WE, ......................................................., through our local office at ...................
India furnish you the Bank GUARANTEE in manner hereinafter contained and agree with you as
follows:

1. We....................................., undertake to pay the amounts due and payable under this
Guarantee without any demur, merely on demand from you and undertake to indemnify you
and keep you indemnified from time to time to the extent of Rs........................(Rupees
..............................only) an amount equivalent to the EMD against any loss or damage
caused to or suffered by or that may be caused to or suffered by you on account of any breach
or breaches on the part of the VENDOR of any of the terms and conditions contained in the
Tender and in the event of the VENDOR commits default or defaults in carrying out any of the
work or discharging any obligation in relation thereto under the TENDER or otherwise in the
observance and performance of any of the terms and conditions relating thereto in accordance
with the true intent and meaning thereof, we shall forthwith on demand pay to you such sum
or sums not exceeding the sum of Rs......................(Rupees.........................................
only) as may be claimed by you on account of breach on the part of the VENDOR of their
obligations in terms of the TENDER.

2. Notwithstanding anything to the contrary contained herein or elsewhere, we agree that your
decision as to whether the VENDOR has committed any such default or defaults and the amount
or amounts to which you are entitled by reasons thereof will be binding on us and we shall not be
entitled to ask you to establish your claim or claims under Bank Guarantee but will pay the same
forthwith on your demand without any protest or demur.

3. This Bank Guarantee shall continue and hold good until it is released by you on the application by
the VENDOR after expiry of the relative guarantee period of the Tender and after the VENDOR
has discharged all his obligations under the Tender and produced a certificate of due completion
of work under the said Tender and submitted a “No Demand Certificate”, provided always that the
guarantee shall in no event remain in force after the day of ...........................without prejudice
to your claim or claims arisen and demanded from or otherwise notified to us in writing before the
expiry of the said date which will be enforceable against us notwithstanding that the same is or
are enforced after the said date.

4. Should it be necessary to extend Bank Guarantee on account of any reason whatsoever, we
undertake to extend the period of Bank Guarantee on your request under intimation to the
VENDOR till such time as may be required by you. Your decision in this respect shall be final and
binding on us.

5. You will have the fullest liberty without affecting Bank Guarantee from time to time to vary any of
the terms and conditions of the Tender or extend the time of performance of the Tender or to
postpone any time or from time to time any of your rights or powers against the VENDOR and
either to enforce or forbear to enforce any of the terms and conditions of the said Tender and we
shall not be released from our liability under Bank Guarantee by exercise of your liberty with
reference to matters aforesaid or by reason of any time being given to the VENDOR or any other
forbearance, act or omission on your part of or any indulgence by you to the VENDOR or by any
variation or modification of the Tender or any other act, matter or things whatsoever which under
law relating to sureties, would but for the provisions hereof have the effect of so releasing us from
our liability hereunder provided always that nothing herein contained will enlarge our liability
hereunder beyond the limit of Rs..................( Rupees....................................only ) as
aforesaid or extend the period of the guarantee beyond the said day of ...................... unless
expressly agreed to by us in writing.

6. The Bank Guarantee shall not in any way be affected by your taking or giving up any securities
from the VENDOR or any other person, firm or company on its behalf or by the winding up,
dissolution, insolvency or death as the case may be of the VENDOR.

7. In order to give full effect to the guarantee herein contained, you shall be entitled to act as if we
were your principal debtors in respect of all your claims against the VENDOR hereby guaranteed
by us as aforesaid and we hereby expressly waive all our rights of suretyship and other rights, if
any, which are in any way inconsistent with any of the provisions of Bank Guarantee.

8. Subject to the maximum limit of our liability as aforesaid, Bank Guarantee will cover all your claim
or claims against the VENDOR from time to time arising out of or in relation to the said Tender
and in respect of which your claim in writing is lodged on us before expiry of Bank Guarantee.

9. Any notice by way of demand or otherwise hereunder may be sent by special courier, telex, fax or
registered post to our local address as aforesaid and if sent accordingly it shall be deemed to
have been given when the same has been posted.

10. The Bank Guarantee and the powers and provisions herein contained are in addition to and not by
way of limitation of or substitution for any other guarantee or guarantees heretofore given to you
by us ( whether jointly with others or alone ) and now existing un-cancelled and that Bank
Guarantee is not intended to and shall not revoke or limit such guarantee or guarantees.

11. The Bank Guarantee shall not be affected by any change in the constitution of the VENDOR or us
nor shall it be affected by any change in your constitution or by any amalgamation or absorption
thereof or therewith but will enure to the benefit of and be available to and be enforceable by the
absorbing or amalgamated company or concern.

12. The Bank Guarantee shall come into force from the date of its execution and shall not be revoked
by us any time during its currency without your previous consent in writing.

13. We further agree and undertake to pay you the amount demanded by you in writing irrespective
of any dispute or controversy between you and the VENDOR.

14. Notwithstanding anything contained herein above;

i) our liability under this Guarantee shall not exceed
Rs...............................................( Rupees.........................................only) ;

ii) this Bank Guarantee shall be valid upto and including the date ............. ; and

iii) we are liable to pay the guaranteed amount or any part thereof under this Bank
Guarantee only and only if you serve upon us a written claim or demand on or before
the expiry of this guarantee.

15. We have the power to issue this Bank Guarantee in your favour under the Memorandum and
Articles of Association of our Bank and the undersigned has full power to execute this Bank
Guarantee under the Power of Attorney issued by the Bank.

For and on behalf of

Branch Manager

Seal
Address

Annexure L- Format for PERFORMANCE BANK GUARANTEE

To:
Corporation Bank
Head Office,
Information Technology Division,
Mangalore - 575 001.

WHEREAS ...................................(Company Name), registered under the Indian Companies Act
1956 and having its Registered Office at .......................................................................,
hereinafter referred to as the VENDOR, has undertaken to supply and deliver the Hardware /
Software, including supply of Spares, Comprehensive inland Transportation, Storage at site, their
installation, Testing and Commissioning and demonstration of Guaranteed Performance and Training
of Personnel in respect of Hardware / Software in terms of the Purchase Order bearing No. ..............
dated ............................, hereinafter referred to as “the CONTRACT”.

AND WHEREAS in terms of the Conditions stipulated in the said Contract, the VENDOR is required to
furnish a performance Bank Guarantee issued by a Scheduled Commercial Bank in your favour to
secure due and satisfactory compliance of the obligations of the VENDOR in accordance with the
Contract;

THEREFORE, WE, ...........................(Name of the Bank) furnish you this Performance Guarantee in
the manner hereinafter contained and agree with you as follows:

1. We, ..................................Bank do hereby undertake to pay the amounts due and payable
under this Guarantee without any demur, merely on a demand, which has to be served on us
before the expiry of this guarantee, time being of the essence of the contract, from you stating that
the amount claimed is due by way of loss or damage caused to or would be caused to or
suffered by you by reason of breach by the said vendor of any of the terms and conditions
contained in the Contract or by reason of the vendor’s failure to perform the said contract.
Any such demand made on us within the time stipulated above shall be conclusive as regards
the amount due and payable by us under this guarantee. However, our liability under this
guarantee shall be restricted to an amount not exceeding Rs. .............. (Rupees -----------
Only).

2. We undertake to pay to you any money so demanded notwithstanding any dispute/s raised by
the vendor in any suit or proceeding before any Court or Tribunal relating thereto, our liability
under these presents being absolute and unequivocal. The payment so made by us under this
guarantee shall be a valid discharge of our liability for payment there under and the vendor
shall have no claim against us for making such payment.

3. We further agree that, if demand, as stated above, is made on us within the stipulated period,
the guarantee herein contained shall remain in full force and effect and that it shall continue to
be enforceable till all your dues under or by virtue of the said contract have been fully paid
and your claims satisfied or discharged or till you certify that the terms and conditions of the
said contract have been fully and properly carried out by the said vendor and accordingly
discharge this guarantee. Provided, however, serving of a written claim / demand in terms
hereof on us for payment under this guarantee on or before the stipulated period, time being
the essence of contract, shall be a condition precedent for accrual of our liability / your rights
under this guarantee.

4. We further agree with you that you shall have the fullest liberty without our consent and without
affecting in any manner our obligations hereunder, to vary any of the terms and conditions of
the said Contract or to extend time for performance by the said vendor from time to time or to
postpone for any time or from time to time any of the powers exercisable by us against the
said VENDOR and to forbear or enforce any of the terms and conditions relating to the said
Contract and we shall not be relieved from our liability by reason of such variation, or
extension being granted to the said Vendor or for any forbearance, act or omission on our part
or any indulgence by us to the said vendor or by any such matter or thing whatsoever which
under the law relating to sureties would, but for this provision, have effect of so relieving us.

5. This Guarantee will not be discharged due to the change in the constitution of our Bank or the
Vendor.

6. We lastly undertake not to revoke this guarantee during its currency except with your written
consent.

7. NOTWITHSTANDING anything contained hereinabove:

(i) Our liability under this Guarantee shall not exceed Rs. ...............................................
(Rupees ......................................... only);

(ii) This Guarantee shall be valid up to and including the ............ (mention date); and

(iii) We are liable to pay the guaranteed amount or any part thereof under this Bank
Guarantee only if you serve upon us a written claim or demand on or before
the expiry of this guarantee.

Dated the ------------ day of --------2013


For --------------------------- BANK

OFFICER MANAGER

Annexure-M

IMPLEMENTATION OF RBI WORKGROUP RECOMMENDATIONS – BROAD SCOPE


[This is an indicative gist and not exhaustive; implementation is to consider the full recommendations]
Requirement
IT Governance
• An IT balanced scorecard is to be implemented to measure performance along the dimensions of
financial results, customer satisfaction, process effectiveness and future capability, and to assess IT
management performance based on metrics such as scheduled uptime, service levels,
transaction throughput and response times, and application availability. ISACA best practices
shall be used for delivering the same.
• Vendor shall measure the maturity level of IT Governance structure already implemented in the
Bank and also design an action plan to be implemented in future.
• Vendor shall review the current control structure and suggest automated tools if any available in
the market for implementing classification of Information Assets across the organization in line
with the Bank’s Information Security Policy.

• A more detailed and formal compliance audit, independently testing the ISMS against the
requirements specified in ISO 27001. The auditors will seek evidence to confirm that the
management system has been properly designed and implemented and is in fact in operation,
will identify the gaps, and will prepare a statement of applicability.
Information Security
• Review the IT asset life cycle and provide systematic procedural improvements.
• Vendor shall also review the Bank’s IT & IS policies and suggest additions if any to cover the RBI
guidelines.
• Vendor shall review & design Information Security Governance Framework in line with the Bank’s
IT and Information Security policies and Procedures.
• Provide inputs on the Data Leak Prevention strategy to be adopted by the Bank to safeguard
sensitive information. The document shall cover the procedures and template policies to be
implemented with DLP on the Network, Web Gateway and Host.
• Provide the strategy document on Virtualization and cloud computing adoption and necessary
security controls to be implemented.

IT Operations
• Vendor shall review the existing IT Strategy policy and define a strategy framework to assist IT
operations as required by the Business and the defined SLAs/OLAs. Vendor shall also provide IT Strategy
processes/guidelines that can be used by the Bank to design, develop and implement IT
Operations not only as an organizational capability but as a strategic asset.
• Vendor shall define the Financial Management process as described under the IT Operations chapter,
providing mechanisms and techniques for IT operations to quantify, in financial terms, the value of the IT
services it supports, the value of the assets underlying the provisioning of these services, and the
qualification of operational forecasting.
• Service Valuation:
Vendor shall implement a Service Valuation mechanism in the Bank to quantify, in financial terms, the services
which are available to customers (internal or external) and supported by IT operations.
The objective of implementing this mechanism is to assist IT Operations functions to showcase the
involvement of the function in supporting the Bank's core business. The Vendor shall design and
implement the Service Valuation mechanism for IT operations with two components:
(i) Provisioning Value:
The actual underlying cost of IT related to provisioning a service, including all fulfilment
elements, tangible and intangible. Input comes from financial systems and consists of payment for the
actual resources consumed by IT in the provisioning of services.
(ii) Service Value Potential:
This is the value-added component based on a customer’s perception of value from the service, or the
expected marginal utility and warranty from using the services in comparison with what is
possible using the customer’s own assets.
• Portfolio Management:
Vendor shall design and implement a Portfolio Management framework for the Bank highlighting the
controls defined to develop an IT Service from the conceptual phase to the go-live phase and
then to transition it to the production environment. During the development of IT services, the financial
impact of the new service on IT Operations should also be ascertained, which will assist IT
Operations in Service Validation.
• Demand Management:
Vendor shall design and submit a Demand Management process providing guidelines which can be
used by the Bank to understand the business processes IT operations supports, and to identify, analyze
and codify Patterns of Business Activity (PBA) to provide a sufficient basis for capacity
requirements. Analyzing and tracking the activity patterns of the business process makes it
possible to predict demand for services.
• Design
The Vendor shall design the document describing the design phase of the IT operations providing
the guidelines and processes, which can be used by the bank to manage the change in the
business landscape. Components which should be considered when designing a new IT service or
making a change to the existing IT service are:
• Business Processes
• IT Services
• Service-level Agreements
• IT Infrastructure
• IT Environment
• Information Data
• Applications
• Support Services
• Support Teams
• Suppliers
It is also to be noted that while preparing the above document, Vendor shall consider:
Service design: This should not consider components in isolation, but must also consider the
relationship between each of the components and their dependencies on any other component or
service.
Design phase: Provides a set of processes and guidelines that can be used by the Bank to design IT
services, supported by IT operations, that satisfy business objectives, compliance requirements,
and risk and security requirements. The processes also provide guidelines to identify and manage
risks and to design secure and resilient IT services.
• Service Catalogue Management
The selected vendor must formulate a Service Catalogue Management process which provides
guidelines that can be used by the Bank to define and manage a service catalogue, which provides
consistent and accurate information on all IT services available to customers (internal or
external).
The following attributes are to be included in the service catalogue:
1. Definition of Service
2. Categorization of Service
(business application and IT support)
3. Service Criticality
4. Disaster Recovery Class
5. Service-level Agreement Parameters
6. Service Environment (Production, Testing, Quality Assurance, Staging, etc.)
7. IT Support Status (Operational and Transaction, etc.)
8. Configuration Management Group
9. Incident Management Group
10. Problem Management Group
11. Change and Release Management Group
12. Service Owner
13. Service-level Manager
14. Principal Business Activities Details
15. Interdependency on Configuration Items
16. Interdependency on Service Portfolio
• Service Level Management
Vendor should define Service Level Management process which meets the following objectives:
• Define, document, agree, monitor, measure, report and review the level of IT services
• Ensure specific and quantifiable targets are defined for IT services
• Ensure that IT Operations and consumers have clear, unambiguous expectations of the level of
services to be delivered
• Ensure that pro-active measures, to improve the level of service delivered, are implemented if
cost-justified
While defining SLM framework for banks, the following aspects should also be considered by
vendor
• Operational-level agreements, to ensure that Operational Level Agreements (OLAs) with other
support groups are defined and developed; these OLAs should be in line with the SLAs they
support
• Underpinning supplier contracts, to ensure that all underpinning supplier contracts with the vendors
or suppliers are defined and developed; these contracts should be in line with the SLAs they
support
• Capacity Management
Vendor should define Capacity Management process, which provides guidelines to:
• Produce and maintain capacity plan that reflects the current and future business requirements
• Manage service performance so that it meets or exceeds the agreed performance targets
• Diagnose and resolve performance and capacity-related incidents and problems
• Assess impact of all changes on capacity plan and performance of IT services supported by IT
Operations
• Ensure that pro-active measures are undertaken to improve the performance of services,
whenever it is cost-justifiable.
• Availability Management
Vendor should define Availability Management process, which provides guidelines so that banks
can:
• Produce and maintain an appropriate up-to-date Availability Plan that reflects the current and
future needs of the business
• Ensure that service availability achievements meet or exceed agreed targets, by managing
services and resources-related availability targets
• Assist with diagnosis and resolution of availability-related incidents and problems
• Ensure that pro-active measures to improve the availability of services are implemented
wherever it is cost justifiable to do so

• Service Asset and Configuration Management
The Service Asset and Configuration Management process defined by the vendor should provide a
framework and guidelines that can be used by the Bank to manage the service assets and
configuration items that support business services.
The framework provides guidelines to:
• Identify, control, record, audit and verify service assets and configuration items, including
service baseline version controls their attributes and relationships.
• Manage and protect integrity of service assets and configuration items through the service
lifecycle by ensuring only authorised assets are used and only authorized changes are made.
• Ensure integrity of configuration items required to support business services and IT
infrastructure by establishing and maintaining an accurate and complete Configuration
Management System.
• Provide accurate information of configuration items to assist in change and release
management process.

• Event Management
Vendor should define an Event Management process which provides the guidelines that can be
used by the Bank to define the framework for monitoring all the relevant events that occur
throughout the IT infrastructure. It provides the entry point for the execution of many Service
Operations processes and activities.
An event can be defined as any detectable or discernible occurrence that has significance for the
management of the IT infrastructure or the delivery of IT services.

The Event Management framework, when defined, will have two mechanisms for monitoring,
these being:
• Active Monitoring: Active monitoring is the polling of business-significant Configuration
Items to determine their status and availability. Any deviation from normal status should be
reported to the appropriate team for action.
• Passive Monitoring: Passive monitoring detects and correlates operational alerts or
communications generated by Configuration Items.
• Incident Management
Vendor should define an Incident Management process which provides guidelines that can be
implemented by the Bank for the management of incidents, so that service operations are
restored as quickly as possible and the adverse impact on business operations is minimized.
• Problem Management
Vendor should define Problem Management process, which provides a framework, which can be
implemented by banks to minimize the adverse impact of incidents on the IT Infrastructure and
the business by identifying root cause, logging known errors, providing and communicating
workarounds, finding permanent solutions, and preventing recurrence of incidents related to
these errors.
• Access Management
Vendor should define an Access Management process which provides the guidelines that can be
implemented by the Bank to limit access to IT services only to those individuals and applications
that are duly authorized based on organizational policies and standards. Access Management
enables the organization to manage the confidentiality and integrity of the organization’s data, IT
infrastructure and applications.
IT Services Outsourcing
Review the existing outsourcing policy and procedures with respect to RBI guidelines and update the
same, if required.
IS Audit
• Vendor shall review the IS audit policy of the Bank in line with ISO 27001 and RBI Guidelines
and suggest changes to be incorporated in the policy.
• Vendor shall design and submit document establishing a quality assurance process (e.g.,
interviews, customer satisfaction surveys, assignment performance surveys, etc.) to understand
the auditee’s needs and expectations relevant to the IS audit function. These needs should be
evaluated against the policy with a view to improving the service or changing service delivery or
Audit Charter or Policy, as considered necessary.
• The Quality Assurance document shall be designed with a view to providing assurance to the Bank’s
management and regulators on the Bank’s Internal Audit, including IS Audit, to validate the
approach and practices adopted in the discharge of its responsibilities as laid out in the
Audit Charter / Audit Policy.
• While preparing the above documentation, Vendor shall consider that the IS Audit Universe will
be built around the four types of IT resources and various IT processes like application systems,
information or data, infrastructure(technology and facilities like hardware, operating systems,
database management systems, networking, multimedia, etc., and the environment that houses
and supports them that enable the processing of the applications) and people (internal or
outsourced personnel required to plan, organize, acquire, implement, deliver, support, monitor
and evaluate the information systems and services).
• The IS Audit plan/charter shall cover periodically reviewing the results of internal control
processes and analyze financial or operational data for any impact on a risk assessment or
scoring.
• Vendor shall review the existing process and procedures being followed by the Inspection
Department and suggest the use of testing accelerators (tools and/or techniques that help
support the procedures IS Auditors will be performing) to increase the efficiency and
effectiveness of the audit.
• Vendor shall review the current auditing structure of the Bank's critical infrastructure at the DC and DRC
and suggest, wherever possible, a continuous auditing approach for critical systems, which is a
method used to perform control and risk assessments automatically on a more frequent basis
using technology.

Cyber Frauds
• Vendor shall review the existing systems in place for transaction monitoring and suggest the
changes required in line with the Reserve Bank guidelines.
Business Continuity Planning
• The Vendor shall review our BCP/DR Plan and suggest changes, if any. Vendor shall consider
various BCP methodologies and standards, like ISO 22301, as inputs for the Bank’s BCP framework
and suggest the changes to be incorporated.
• BCP methodology should include: Business Impact Analysis, Risk Assessment, determining
Choices & Business Continuity Strategy and Developing and Implementing BCP as suggested by
RBI in the Circular.
• Key Factors to be considered for BCP Design are:
o Probability of unplanned events, including natural or man-made disasters, earthquakes, fire,
hurricanes or bio-chemical disaster.
o Security threats
o Increasing infrastructure and application interdependencies
o Regulatory and compliance requirements, which are growing increasingly complex
o Failure of key third party arrangements
o Globalization and the challenges of operating in multiple countries.
• BCP shall also include measures to identify and reduce the probability of risk, to limit the
consequences of damaging incidents and to enable the timely resumption of essential operations.
BCP should, amongst others, consider reputational, operational, financial and regulatory risks.
Customer Education
• Vendor shall also provide customer awareness material (educative slides or content) on cyber
frauds and their prevention, so that the material submitted can be used by the Bank for sending
alerts / awareness mails. Vendor shall provide a systematic process for the development of an
awareness program through the stages of planning and design, execution and management, and
evaluation and course correction.
Legal Issues arising out of use of IT
• Vendor shall study the RBI guidelines issued on legal issues and suggest the changes to be made
in the current IT infrastructure/services to comply with the guidelines.
• Gap analysis w.r.t. IT Act 2000 and 2008
o The Vendor shall conduct a Gap Analysis against the IT Act 2000 and its subsequent amendment in 2008
and provide a detailed document covering the gaps, to be submitted with the recommended
activities to be taken up to comply with the requirements.
o Any documentation, such as policies, procedures and processes, required to comply with the Indian IT Act
2000 and 2008 is to be prepared by the Vendor and submitted to the Bank.
o If compliance requires implementation of specific IT infrastructure/setup, this shall be advised to the
Bank as part of the Gap Analysis.
