
Central Audit & Inspection Department

Request for Proposal (RFP)

For

Selection of CERT-in Empanelled Information
System Audit Service Provider for Conducting
Information System Audit of IT Systems and
Processes

Central Audit & Inspection Department,
Union Bank of India,
Earnest House, 7th floor, NCPA Marg,
Nariman Point, Mumbai 400021
Contact Tel: 022-22802602

DISCLAIMER

The information contained in this Request for Proposal (RFP) is provided to the
Bidder(s) on the terms and conditions set out in this RFP document. The RFP
document contains statements derived from information that is believed to be
true and reliable at the date obtained but does not purport to provide all of
the information that may be necessary or desirable to enable an intending
contracting party to determine whether or not to enter into a contract or
arrangement with Bank in relation to the provision of services.

The RFP document is not a recommendation, offer or invitation to enter into a
contract, agreement or any other arrangement, in respect of the services. The
provision of the services is subject to observance of selection process and
appropriate documentation being agreed between the Bank and any successful
Bidder as identified by the Bank, after completion of the selection process as
detailed in this document. No contractual obligation whatsoever shall arise
from the RFP process unless and until a formal contract is signed and executed
by duly authorized officers of Union Bank of India with the Bidder. The purpose
of this RFP is to provide the Bidder(s) with information to assist the
formulation of their proposals. This RFP does not claim to contain all the
information each Bidder may require. Each Bidder should conduct their own
investigations and analysis and should check the accuracy, reliability and
completeness of the information in this RFP and where necessary obtain
independent advice. Union Bank of India makes no representation or warranty
and shall incur no liability under any law, statute, rules or regulations as to the
accuracy, reliability or completeness of this RFP. Union Bank of India may in its
absolute discretion, but without being under any obligation to do so, update,
amend or supplement the information in this RFP.

This document is the property of Union Bank of India and is meant for the
exclusive purpose of bidding as per the Specification, Terms, Condition and
Scope indicated. It shall not be copied, distributed or recorded on any
medium, electronic or otherwise, without written permission thereof. The use
of the contents of this document, even by the authorized personnel / agencies
for any purpose other than the purpose specified herein, is strictly prohibited
and shall amount to copyright violation and thus, shall be punishable under the
Indian Law.

Bid Details: RFP Ref. No. UBI/CA&ID/IS Audit/2020-21/01

Activity: Details

1. Release date of RFP: 17.02.2020 at 11.00 Hours
2. Bid Price: Rs. 1500/-
3. Date and Time of Pre-Bid Meeting: 25.02.2020 at 11.00am
4. Address for Receipt/submission of Bid: The General Manager, Central Audit and
Inspection Department, Earnest House, 7th Floor, NCPA Marg, Nariman Point,
MUMBAI - 400021.
5. BID SUBMISSION: BIDS AS PER RFP TERMS TO BE SUBMITTED IN 2 DIFFERENT SEALED
ENVELOPES MARKED:
“Selection of CERT-in Empanelled Information System Audit Service Provider for
Conducting Information System Audit of IT Systems and Processes - Technical
Bid”
“Selection of CERT-in Empanelled Information System Audit Service Provider for
Conducting Information System Audit of IT Systems and Processes - Commercial
Bid”
6. Last date & time for Submission: 10.03.2020 at 16.00 Hours
7. BID SECURITY: BID SECURITY IN THE FORM OF: Account payee Demand Draft (DD) for
Rs.2,00,000/- (Rupees Two Lac) only as Earnest Money Deposit (EMD), payable at
Mumbai in favour of Union Bank of India. Issued by a Scheduled Bank other than
Union Bank Of India, which would carry no interest.
OR
with an equivalent amount of Bank Guarantee (BG) issued by a Scheduled Bank
valid for 180 days from the date of opening of the Tender as per format given in
the Formats Section with minimum claim period of 60 days.
8. BID OPENING DATE: 10.03.2020, AT 16:30 hrs at CONFERENCE ROOM, Central Audit
and Inspection Department, Earnest House, 7th Floor, NCPA Marg, Nariman Point,
MUMBAI – 400021
9. Methodology of commercial selection of bidder: Lowest Bidder (L-1) Method
10. Contact Details: Interested Bidders are requested to send the email to:
Ashwinivittal@unionbankofindia.com
Vishalkumar@unionbankofindia.com
d.upadhyay@unionbankofindia.com
tajvinder@unionbankofindia.com
containing below mentioned information, so that in case of any clarification
same may be issued: Name of company, contact person, Mailing address with Pin
Code, Telephone No., Mobile No., email address etc.
TABLE OF CONTENTS

1. INTRODUCTION
2. DEFINITION
3. OBJECTIVES OF THE RFP
4. INVITATION OF TENDER BIDS
5. ELIGIBILITY CRITERIA
5.1. THE SERVICE PROVIDER SHOULD
5.2. THE SERVICE PROVIDER SHOULD NOT
5.3. SUPPORTING DOCUMENTS TO BE SUBMITTED
6. SYSTEMS DESCRIPTION
6.1. CORE BANKING RELATED SYSTEMS
6.2 OTHER IMPORTANT SYSTEMS HOUSED IN DATA CENTRE
6.3 OUTSOURCED ACTIVITIES (OTHER THAN THOSE MENTIONED IN ABOVE)
7. SCOPE OF WORK
7.1 SCOPE OF WORK RELATED TO IS (INFORMATION SYSTEMS) AUDIT:
7.2 THE SCOPE OF WORK ALSO INCLUDES
8. PRE-IMPLEMENTATION AUDIT
9. WEB BASED AUDIT PACKAGE
10. TERMS OF EXECUTION OF WORK:
11. PROJECT MANAGEMENT
12. COST & CURRENCY
13. PRICE VALIDITY AND SINGLE POINT OF CONTACT
14. LANGUAGE OF BID
15. TERMS AND CONDITIONS
15.1. COST OF RFP
15.2. BID SECURITY/EMD (REFUNDABLE):
15.3. PERFORMANCE BANK GUARANTEE (PBG)
15.4. PERIOD OF VALIDITY OF BIDS
15.5. AMENDMENT OF BIDDING DOCUMENTS
15.6. AUTHORIZATION TO BID
15.7. CLARIFICATIONS ON THE RFP
15.8. TWO PART OFFER:
15.9. NO ERASURES OR ALTERATIONS:
15.10. TECHNICAL PROPOSAL:
15.11. COMMERCIAL PROPOSAL:
15.12. PRICE COMPOSITION:
15.13. PAYMENT OF OTHER EXPENSES:
15.14. EVALUATION PROCEDURE:
15.15. RIGHT TO ALTER QUANTITIES
15.16. NO COMMITMENT TO ACCEPT LOWEST OR ANY TENDER
15.17. ROTATION OF AUDIT TEAM
15.18. PRICE FREEZING AND CONTRACT PERIOD
16. PAYMENT TERMS
17. CANCELLATION OF THE ASSIGNMENT
18. LIQUIDATED DAMAGES
19. RFP OWNERSHIP
20. PROPOSAL OWNERSHIP
21. CONFIDENTIALITY
22. INDEMNITY
23. INTELLECTUAL PROPERTY RIGHTS
24. MINIMUM WAGES
25. NON-TRANSFERABLE OFFER
26. RESPONSIBILITY FOR COMPLETENESS
27. FORCE MAJEURE
28. SUB CONTRACT
29. CONFLICT OF INTEREST
30. TENDER/RFP CANCELLATION
31. PUBLICITY
32. ARBITRATION
33. JURISDICTION
34. RFP RESPONSE FORMATS

1. Introduction
Union Bank of India, a body corporate constituted under the Banking Company
(Acquisition & Transfer of Undertakings) Act 1970, having its Corporate Office at
#239, Union Bank Bhavan, Nariman Point, Mumbai 400021 (which expression unless
repugnant to the context or meaning thereof shall mean and include its successors
and assigns) intends to issue this bid document, hereinafter called “RFP”, to
eligible Bidders to participate in the competitive bidding for Selection of CERT-In
Empanelled Information System Audit Service Provider for Conducting Information
System Audit of IT Systems and Processes of amalgamated entity of Union Bank of
India, Andhra Bank and Corporation Bank, herein after called the “Bank”.

The bidders desirous of taking up the project for supply of the services for the Bank
as per the terms of reference are invited to submit their technical and commercial
proposal in response to this RFP. The criteria and actual process of the evaluation
of the responses to this RFP and subsequent selection of the successful bidder will
be entirely at the Bank’s discretion. Bidders have to adhere to the Bank’s
requirements outlined in this RFP.

The information provided by the bidders in response to this RFP document will
become the property of the Bank and will not be returned. Bank reserves the right
to amend, rescind or reissue this RFP and all amendments will be advised through
the Bank’s website and such amendments will be binding on them.

a) This RFP will be open to the bidders who have the necessary eligibility,
experience, capability and expertise.

b) This RFP is not an offer or recommendation by the Bank, but an invitation to
receive responses from the Bidders. No contractual obligation whatsoever
shall arise from the RFP process unless and until a formal contract is signed
and executed by the Bank with the selected bidder.

Each bidder acknowledges and accepts that the Bank may, at its sole and absolute
discretion, apply criteria like independent assessment of the market reputation and
perception of ability to perform, but not limited to those selection criteria set out
in this RFP document. The Recipient unconditionally acknowledges by submitting its
response to this RFP document that it has not relied on any idea, information,
statement, representation or warranty given in this RFP document.

The Bank has its operations across India and International presence in Hong Kong,
Sydney, Dubai, UK and other locations. The Bank caters to its customers from all
fields, through its branches and various delivery channels. It has implemented Core
Banking Solution (CBS) with Primary Data centre, Near Site and DR site at Mumbai,
Hyderabad, Bangalore, Chennai etc. All the branches are connected to the Data
Centre, through a Wide Area Network by leased lines / ISDN Lines / VSATs / GPRS.

2. Definition
2.1. ‘Bank’, unless excluded by or repugnant to the context or the meaning
thereof, shall mean ‘Union Bank of India’, described in more detail in
paragraph 1 above and which has invited bids under this Request for Proposal
and shall be deemed to include its successors and permitted assigns.
2.2. ‘RFP’ means this Request for Proposal prepared by Union Bank of India for
Selection of CERT-in Empanelled Information System Audit Service Provider for
Conducting Information System Audit of IT Systems and Processes of the Bank.
2.3. ‘Bidder’ means a vendor submitting the proposal in response to this RFP.
2.4. ‘Contract’ means the agreement signed by successful bidder and the Bank at
the conclusion of bidding process, wherever required.
2.5. ‘Proposal’ means the Technical/Financial proposal including any documents
submitted by the bidder as per the formats prescribed in the RFP.

3. Objectives of the RFP

This RFP seeks to engage a CERT-in empanelled service provider who has the
capability and experience for Conducting Information Systems (IS) Audit including
Application audit of Core Banking Solution, banking & related applications and to
make appropriate recommendations, as covered under the Scope of Work. The
engagement also covers carrying out risk analysis of all IT assets of the Bank and
preparation of Risk Matrix based on applicable guidelines issued by RBI, Govt. of
India etc.

The aim of the RFP is to solicit proposals from qualified bidders for undertaking
above detailed assignment. Interested eligible bidders may download the RFP from
Union Bank of India website www.unionbankofindia.co.in/tender.aspx or from
Govt. of India web site eprocure.gov.in.

4. Invitation of Tender Bids


Bank invites proposal from the interested CERT-in empanelled Information System
Audit Service Provider for Conducting Information System Audit of IT Systems and
Processes of Bank.

Service provider is expected to establish processes and guidelines along with
governance required to ensure that the aimed information system audit is executed
smoothly without affecting customer service and having fully complied with
regulatory requirements as well as achieving Bank’s objective.

In view of the entirety and enormity of information system audit, if any service
which essentially forms part of project scope is not explicitly mentioned in scope of
work, it will be considered as part of the RFP and the successful bidder will have to
provide the same at no cost to the Bank in the larger interest. Any later plea by the
bidder for excluding/omitting of services on the pretext that same was not
explicitly mentioned in the RFP will not be accepted by the Bank.

The bidders will have to make their own travel & lodging/boarding arrangements
during contract period for visiting various offices namely Head office, corporate
office, IT centres, DR sites, Vendor premises (wherever necessary to accomplish the
audit objective) etc. of Bank as part of the project.

No contractual obligation on behalf of the Bank whatsoever shall arise from the RFP
process unless and until a formal contract is signed & executed by duly authorized
officers of the Bank and the successful bidder. However, until a formal contract is
prepared and executed, this offer together with Bank’s written acceptance &
notification of award shall constitute a binding contract with the successful bidder.

Bidders are expected to examine all instructions, forms, terms, specifications, and
other information in the RFP document. Failure to furnish any information required
by the RFP document or to submit a bid not substantially responsive to the RFP
document in every respect will be at the Bidder’s risk and shall result in the
rejection of its bid. The procedure and terms & conditions for submission of bid are
enumerated in this RFP.

All offers of the bidders shall be unconditional and once accepted whether with or
without modifications by the Bank shall be binding between the Bank and such
Bidder.

The Document may be obtained from the Bank at the communication address given
below or can be downloaded from Bank’s Website www.unionbankofindia.co.in or
from government portal eprocure.gov.in.

5. Eligibility Criteria
Only those bidders who fulfil the following criteria are eligible to respond to the
RFP. Offers received from the bidders who do not fulfil all or any of the following
eligibility criteria are liable to be rejected.

5.1. The service provider should


i. Be a registered company under Company Act 1956 or
2013/PSU/PSE/Government Organization/ partnership firm / LLP and
should be in existence for last 3 years from the date of RFP. Certificate of
incorporation/certificate for commencement of business/other relevant
documentary proof is to be submitted.
ii. Be a current legal entity (Company /Firm /Organization/ independent
subsidiary) in India.
iii. Be in business of Information System auditing in India at least for last
three years.
iv. Have an average annual turnover of Rs.3 (Three) crores or more for
each of the last three financial years (2016-17, 2017-18, 2018-19).
v. The bidder should have positive operating Profit (as EBITDA i.e. Earnings,
Before Interest, Tax, Depreciation & Amortization) in the last three
financial years i.e. 2016-17, 2017-18 & 2018-19. Copies of the audited
balance sheet and Profit/Loss statement of the company are to be
submitted.
vi. Have conducted at least two Information System audits of data centers
and other IT Infrastructure of two banks having minimum 1000 branches
in India (including all the following aspects), in any of the past three
years (2016-17, 2017-18, 2018-19):
a) Vulnerability assessment of servers/IT security equipment/ network
equipment.
b) External attack and penetration test of equipment/application
exposed to outside world through internet.
c) Application audit of Core Banking Solution in at least one Bank with a
minimum 1000 branches.
d) Information Technology General Controls (ITGC) audit for IT setup.
vii. Have minimum 5 professionals with CISA/CISM/CISSP or similar
qualifications, who should be on the permanent rolls of the organization.
viii. Audit team having relevant auditing experience of minimum 3 years,
after the date of related qualification including at least one CISA
throughout the audit period. (Undertaking by bidder)
ix. Have a valid CERT-In empanelment as on the last date of submission of
tender.

5.2. The service provider should not


i. Be a vendor for Software and/or Hardware of the Bank at Data Centre,
Treasury and/or their respective DR Sites.
ii. Be appointed as consultant or having participation in implementing or
managing IT Applications, IT Security and network and related
infrastructure of the Bank. (If involved in any specific activity which does
not affect auditor’s independence for current audit assignment may be
considered at the discretion of the Bank).
iii. Be an existing IS Auditor appointed by the Bank (Union Bank of India,
Andhra Bank & Corporation Bank) during FY 2019-20. As per the Bank’s
policy, the IS Auditor will enter into a cooling period of one year, during
which he will not be able to participate in the Annual IS Audit program of
the bank.
iv. Have been blacklisted, as on the date of tender submission, by any
nationalized Bank / RBI /IBA or any other Central / State Government
department / agency.

Note: The service provider must comply with all the above mentioned criteria. Non-
compliance of any of the criteria will entail rejection of the offer summarily. Photocopies
of relevant documents/certificates should be submitted as proof in support of the claims
made. The Bank reserves the right to verify/evaluate the claims made by the vendor
independently.

5.3. Supporting documents to be submitted
i. Copies of certificates of Registration, Incorporation and commencement
of business, etc., as the case may be.
ii. Copies of the audited and published financial reports/ CA certificate for
the past three financial years (2016-17, 2017-18, 2018-19).
iii. Letters from the organizations for which the service provider had
conducted Information Systems audit during past three years (the scope
of the assignment should have been clearly mentioned).
iv. Letters from the organizations for which the service provider had
conducted audit of Core Banking and related application during past
three years (the scope of the assignment should have been clearly
mentioned).
v. Resume/Profile of Information Systems Audit professionals (CISA, CISM,
CISSP etc.) including copies of their relevant certifications as per the
prescribed format.
vi. Self-declaration and certification to confirm compliance of as detailed in
RFP.
vii. Documentary evidence showing bidder is a CERT-in empanelled IS
Auditor.
viii. Any other undertaking as mentioned in RFP.

6. Systems Description
The Bank has several information systems, which are grouped into the
following broad categories:

6.1. Core Banking related Systems

• Bank has implemented Centralized Core Banking Solution (CBS)
Finacle from Infosys. As the bank is under amalgamation, for interim
period Finacle version 10.x and Finacle 7.x are in use as Core Banking
Solution.
• Bank has set up an Enterprise Wide Network connecting all branches
and offices spread across the country. Modes of connectivity to the
branches/offices are combination of MPLS, leased lines, ISDN, VSATs,
Wi-Max etc.
• Data centre houses multiple servers hosting critical Core Banking and
related application, database of financial and non-financial
information. As per the operational convenience IT systems are
hosted in Mumbai, Hyderabad, Bangalore and other locations.
• Apart from CBS, Bank has also set up delivery channels such as
ATM, Internet Banking, Mobile banking, UPI, IMPS, BBPS, SMS alerts
etc. All types of delivery channel Systems are integrated with Core
Banking systems, observing IT security norms.
• Bank has ATMs connected to Bank’s ATM Switch, which in turn is
integrated with Core Banking Systems. Bank’s ATM switch is
connected to NFS switch for ensuring ATM sharing arrangements with
other banks. All ATMs of the Bank accept VISA/Master/Rupay cards.
• Internet Banking System has separate servers for web, application
and database integrated with Core Banking Solution.
• Bank is in tie-up with CDSL for providing depository services to its
customers. Branches open DEMAT accounts for their customers. The
server is interfaced with Internet Banking system, so that the
customer can view and do online trading in their DEMAT account
through Internet banking.
• As a part of providing Value added services, Bank has tie-ups with
many other service providers to facilitate online utility bill payment,
tax payments, e-commerce, online trading etc.
• Fully functional Call center under outsourced arrangement to provide
customer service both through Inter-active Voice Response System
(IVRS) and Customer service executives.
• Bank has Mobile Banking /SMS Banking /Phone Banking services etc.
• In order to secure its Information assets, the Bank has drawn up and
implemented its IT Security Setup (Security Operation Centre),
consisting of firewalls, Network based and Host based intrusion
detection systems, Network Intrusion Prevention System, two factor
authentication systems, anti-virus systems, Patch Management
system, Network Access Control systems etc. Bank has also created
VLANs, militarized and de-militarized zones in the process. Along with
this, IT security appliances are also implemented.
• Bank has outsourced monitoring of the datacenter, network, IT
security, ATMs and ATM switch and the respective service providers
monitor the respective systems using tools.
• Bank has Biometric System at all its branches and offices for Finacle
(Core Banking System) User Authentication.
• Bank has overseas presence as well, including one subsidiary at
UK. These branches are also under CBS. IT Systems supporting these
branches are hosted at data centre, Mumbai.
• Bank has dedicated UPI Switch for UPI Transactions, Bharat QR 4.0,
and National Electronic Toll Collection (NETC).
• Bank has an all in one Mobile App (Umobile) connected with ATM
Switch, CBS, Contact Center, Credit Card, BBPS, UPI, NETC,
Bharat QR, UPI 2.0, ASBA etc.
• Bank has an Advance API Management Solution which is
connected with CBS as well as other IT eco systems.

6.2 Other important Systems housed in Data Centre

• Bank has implemented Management Information System (MIS) package
for generation of various reports.
• LAS (Lending Automation System) for Credit Processing & Monitoring
is also implemented. LAS is integrated with several credit rating
agencies for real time fetching of credit report.
• Bank hosts its own intranet website, which is accessed by all staff
members working in the bank to access information hosted in the web
site.
• E-remit is another web based system, which helps the
branches/customers in providing easy fund remittance facilities from
overseas locations.
• Bank has established a separate system for providing “Cash
Management Services” (CMS) (Payment and Collection) to the
customers.
• Bank has implemented an Enterprise Application Integration system
(middleware) to seamlessly integrate Core Banking system with other
applications like PFMS, Union Parivar, SWIFT, Treasury package etc.
• Bank has implemented Document Management System. All offices
/branches of the Bank can access the server to store/retrieve
documents.
• Bank has implemented centralized web conferencing solutions and
Unified Communication solution between different offices/branches.
• Bank has implemented centralized digital display solutions of bank’s
product information /marquee.
• Public Fund Management System for various government bodies.
• Matched Fund Transfer Pricing (MFTP): Bank has implemented
modules of Oracle Financial Services Analytical Application (OFSAA).
• Financial Inclusion (FI) Gateway and related Systems.
• Bank is in the advanced stages of establishing its own Data
warehouse.
• Bank has implemented Operational Customer Relationship
Management solution (OCRM) Siebel from Oracle.
• Bank uses ‘Oracle GL’ software in Central Accounts department, for
consolidation of Bank’s Balance sheet and other statements.
• Bank has a corporate email setup based on IBM Lotus Notes Solution
including mobile component i.e. Lotus Traveler.
• Bank has implemented PeopleSoft HRM package known as Union
Parivar.
• Bank has Campaign Management and Lead Management system
process.
• Bank has integrated treasury Management solution by Infosys. The
Treasury system is integrated with systems such as Reuters,
Bloomberg, Payment system Gateway and also SWIFT.
• Bank has established a Payment Systems Gateway and connected it to
RBI through INFINET. Bank uses many applications such as SFMS,
RTGS, NEFT, etc., through the Payment Gateway System.
• Bank uses SWIFT system for securely communicating the financial and
non-financial messages with its counterparts internationally.
• Bank established a web based system for distribution of the clearing
and ECS data to the member banks.
• Bank has also implemented Cheque Truncation System (CTS).
• Bank has its own Internet web site, i.e. Corporate Website
(Hindi/English).

6.3 Outsourced Activities (Other than those mentioned above)

• Bank has outsourced arrangement for Credit Card system for
providing end to end services.
• Bank has outsourced the job of issuance, maintenance and dispatch
of debit cards and prepaid cards, Issuance of Pin etc.
• Bank has outsourced Reconciliation of settlements with NPCI, VISA,
Master and other networks arising out of ATM/POS/Internet
transactions. Vendor uses their systems to upload the data from the
Bank/Networks, reconcile the data and provide all the reports as per
requirements.
• Bank has deployed Point of Sale (POS) terminals. Providing end-to-
end services relating to POS has been outsourced. Vendor uses their
own systems and provides end-to-end services to the Bank which
includes Switching, connectivity to VISA/MASTER/NPCI, Transaction
Processing, Monitoring, Risk & Dispute Management, Reconciliation,
Merchant Payment Reports, Merchant Management Module, Helpdesk
etc.
• Bank has outsourced Card Payment Gateway Services which includes
switching, Connectivity to VISA/MASTER/NPCI, transaction processing,
reconciliation, Merchant Payment Reports, Merchant Management
Module etc. Bank has also outsourced Control Server services for
additional authentication for Debit / Credit Card online transactions
as mandated by RBI/VISA/MASTER/NPCI.
• Bank has deployed ATMs under fully outsourced model and other
Service Providers which are connected to our Network and ATM
switch.
• Bank has an outsourced arrangement for maintaining and managing
Reward Point calculation for our Debit and Credit Card transactions
carried out at POS/Internet.
• Bank has outsourced the ATM managed services.
• Bharat QR 4.0 (merchant on boarding).
• National electronic toll collection (NETC).

As a part of audit, in order to achieve the audit objectives, the auditor needs
to visit the respective service/solution provider’s office/premises to
undertake assessment of the systems being used to facilitate service to the
bank.

The above mentioned details are indicative only, to provide an overview of
Bank’s IT environment. Based on the business and regulatory requirements,
new applications/systems are being introduced in the Bank. Selected bidder
is expected to undertake IS audit of all such systems as per the prevailing
best practices and regulatory guidelines.

7. Scope of Work
7.1 Scope of Work Related to IS (Information Systems) Audit:
7.1.1 The Scope of work is conducting Information System Audit including
Cyber Security Audit of different Information systems/applications/
Databases / Operating Systems / Security devices, appliances and
Solutions/ Network Equipments/ Information Technology (IT) Process like
sharing information through web services, host to host etc. in use by the
Bank, as listed in Annexure-I, including those systems used by other
agencies for providing services in respect of activities which are
outsourced. The scope also includes the VAPT of all systems as listed in
Annexure-I wherever applicable. The IS Audit should be conducted as per
the guidelines given by RBI, Govt. of India, NPCI, UIDAI, SWIFT and
Bank’s IT security Policies & Procedures, Cyber Security Policy and
prevailing ISACA/COBIT guidelines etc.
IS Audit of each of the systems should cover, but not be limited to, the
following aspects:
− Physical and Environmental controls
− Logical access Controls
− Operating System/database review including Vulnerability
Assessment
− Application Review
− Business process Review
− Network and Security Review including VA and Penetration test
− Backup procedure Review
− Business Continuity/Disaster Recovery plans/practices
− Review of Outsourced Activities
− Virus protection and Patch management.
− Review of Basic minimum Configuration applicable for each system
as per best practice i.e. Baseline Secure Configuration review.
− Application Security Life Cycle (ASLC) review.
− Secure Code Practice Review.

7.1.2 Vulnerability Assessment and Penetration Tests (VAPT)
The scope also includes conducting Vulnerability Assessment and
Penetration Tests (VAPT) covering operating systems, database,
networking and Security Infrastructure and various on-line applications
facing customers as listed in Annexure-I.

7.1.3 Application Audit

The scope further includes Application Audit of the Applications used by
the Bank. Some critical applications are named here below:
• Core Banking Application – “FINACLE” of Infosys, Government Business
Module (GBM), etc.
• Core Banking Application – “FINACLE” of Infosys Ltd for Overseas
branches and UK subsidiary of Bank
• Application Audit for Internet Banking for Domestic and overseas
branches
• Treasury Application from M/s Infosys
• Demat
• LAS (Lending Automation Solution)
• MIS (Management Information System)
• PeopleSoft HRM Solution
• MFTP (Matched Fund Transfer Pricing)
• Mobile Application Development Platform (MADP)
• SWIFT
• ATM Switch
• Document Management System (Account Opening Process)
• Enterprise Application Integrator (EAI)
• Oracle GL
• Centralised FI gateway Application including E-KYC, Demo Auth,
Aadhaar Payment Bridge System (APBM), etc.
• E-Remit
• GSTN
• Cheque Truncation system etc.
• All in one Mobile App (Umobile)
• Application Programming interface Management (APIM)

7.1.4 POS/Mobile Application Audit

• Umobile, M-Passbook, U-Control, Mobile NPA Recovery App, Tabulous
Banking, Merchant Aadhar Pay, Union Parivar, Mobile Based Lead
Monitoring App, Union Prajana (e-learning) etc.
• POS Applications for Credit Card/Debit Card
• POS application used for AEPS / Card Based Transaction.

The audit of Applications will be with reference to:

 Auditing Application Architecture with respect to the bank’s


business/operational requirements, adherence to bank’s IT Security
Policy, Cyber Security Policy, OWASP top 10, Industry best practices
etc.
 Study CBS and other applications for adequacy of Input, Processing
and Output controls and conduct various tests to verify existence and
effectiveness of controls.
 Review / audit the presence of adequate security features in CBS
application to meet the standards of confidentiality, reliability,
availability and integrity required for the application supporting
business processes.
 Logical access control, User maintenance and password policies being
followed.
 Authorization mechanism and control such as concept of maker
checker, exceptions, overriding exceptions and error conditions.
 Controls over automated processing / updating of records, review or
check of critical calculations such as interest rates, levying of various
charges etc., review of the functioning of automated scheduled tasks,
batch processes, output reports design, reports distribution, etc.
 Review of all controls including boundary controls, input controls,
communication controls, database controls, output controls and
interfaces controls from security perspectives.
 Review effectiveness and efficiency of the Applications. Identify
ineffectiveness of the intended controls in the software and analyze
the cause for its ineffectiveness. Review adequacy and completeness
of controls
 Review of Capacity Utilization.
 Identify gaps in the application security parameter setup in line with
the bank’s security policies and leading applicable practices.
 Auditing, both at client side and server side, including sufficiency and
accuracy of event logging, SQL prompt command usage, Database
level logging etc.
 Review of Application Parameterization and Change Management
process.
 Backup/Fallback/Restoration procedures and contingency planning.
 Review of segregation of roles and responsibilities with respect to
application software to improve internal controls.
 Review of documentation for formal naming standards, design process
for job roles, activity, groups and profiles, assignment, approval and
periodic review of user profiles, assignment and use of super user
access.
 Manageability with respect to ease of configuration, transaction roll
backs, time taken for end of day, day begin operations and recovery
procedures.
 Special remarks may also be made on following items- Hard coded
user-id and password, Interfacing of software with ATM switch, EDI,
Web Server and Other interfaces at Network level, Application level
Recovery and restart procedures.
 Sufficiency and coverage of UAT test cases, review of UAT defects
and tracking mechanism deployed by vendor and resolution including
re-testing and acceptance. Review of customizations done to the
software and the SDLC policy followed for such customization.
Proposed change management procedure during conversion, migration
of data, version control etc.
 Review of Software benchmark results. Load and stress testing of IT
infrastructure performed by the Vendors.
 Adequacy of Audit trails and meaningful logs.
 Adherence to Legal and Statutory Requirements.
 Adequacy of hardening of all Servers and review of application of
latest patches supplied by various vendors for known vulnerabilities as
published by CERT-in, SANS, etc.

7.1.5 Vendor needs to assess

 Application-level risks at the system and data level, which include
system-integrity risks relating to the incomplete, inaccurate, untimely or
unauthorized processing of data; system-security risks relating to
unauthorized access to systems or data; data risks relating to its
completeness, integrity, confidentiality and accuracy; system-
availability risks relating to the lack of system operational capability;
and system maintainability risks in terms of adequate change control
procedures.
 As part of documenting the flow of transactions, information gathered
should include both computerized and manual aspects of the system.
Focus should be on data input (electronic or manual), processing,
storage and output which are of significance to the audit objective.
 Consideration should be given to audit of application interfaces with
other systems or interface of other system with application. The
auditor may perform procedures such as a walk-through test.
 Review of Baseline configuration of application.
 Review of Secure code practices.
 Review controls in relation with those Application Integrated with
other applications either in house or third party application through
Web services and Host to Host etc.
 Reserve Bank of India has notified the Cyber Security framework vide its
circular no. DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated
02/06/2016. Accordingly, Risk Management Department has framed the
Cyber Security Policy. Since Cyber Security is a distinct subset of
Information Security with emphasis on cyber security aspects, these
controls need to be tested as part of Information Security Audit. Review
cyber security controls as per the various advisories issued by RBI or Cert-in
from time to time.
 Auditors need to carry out the Audit with reference to the Bank’s IT Security
Policy, Cyber Security Policy, RBI Guidelines, Government of India
rules and regulations / Master circulars and industry best practices.

7.2 The scope of work also includes

 Evaluating completeness of Information System Audit Policy, Cyber
Security Policy and Information Security Policy, Outsourcing policy of
the Bank.
 Evaluating completeness of procedures/ guidelines documents.
 Evaluating Bank’s IT Governance structure including IT Strategy, IT
Steering Committee, Information Security Committee (ISC) etc.
 Providing minimum baseline security standard / practices in a
checklist format to be implemented to achieve a reasonably secure IT
environment for technologies deployed at Union Bank of India
separately for different Information systems, covering OS, Database,
network equipments, security equipments and other relevant aspects
of IS Audit.
 Evaluation of Software and Hardware procurement Policy and
Maintenance Process.
 Review of RBI IT examination report (GAP assessment of Cyber
Security Control)
 The scope of work further includes guiding/helping the Bank staff in
putting in place the correct practices and conducting of a compliance
audit as explained in the Terms of execution of work.
 The scope of work also includes extending training to our IS Audit
team with specific reference to understanding scripts to be run on
servers, conducting VAPT, analyzing outputs, preparing reports and
to share with them all the formats, check lists, scoring sheets, scripts
etc. that will be used during the process of IS Audit. Bank’s IS Audit
team will be attached to the IS Audit team of the selected vendor,
during the course of audit, for on the job training. The IS Auditor
should explain, to the bank’s team, all the processes, procedures
involved in arriving at audit findings including interpretation of
outputs generated by various audit tools.
 The scope of work includes development of risk profile and drawing
up of risk matrix taking into account inherent business risk and
effectiveness of the control system for monitoring the risk.
Preparation of Risk Matrix should be based upon Risk Analysis of all
the Information Systems of the Bank, as per the guidelines issued by
RBI and Govt. of India, including following steps :
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination

The Risk Analysis / Risk Matrix will be based on adequacy of internal
controls, business criticality, regulatory requirements, amount or
value of transactions processed, whether key customer information is held,
customer facing systems, financial loss potential, number of
transactions processed, availability requirements, experience of
management and staff, turnover, technical competence, degree of
delegation, technical and process complexity, stability of application,
age of system, training of users, number of interfaces, availability of
documentation, extent of dependence on the IT system,
confidentiality requirements, major changes carried out, previous
audit observations and senior management oversight.

8. Pre-implementation Audit
Based on the business requirement, new IT systems/applications are being
introduced in the Bank. In order to ensure seamless introduction and to
avoid any possible cyber security breach, it is required that pre-
implementation IS audit of application/system shall be carried out. In view
of this, the selected vendor is expected to undertake pre-implementation audit
of any such application during the audit period. The broad scope of such audit
will include, but not be limited to, the following:

 IT General Controls
 OS/DB review
 Application review
 External Penetration Testing
 Baseline Configuration review etc

Depending upon the nature and usage of system, bidder is expected to
undertake IS audit on applicable parameters. Pre-implementation audit as per
the Bank’s requirement is to be treated as part of scope of work.
9. Web based audit package
Bank has implemented web based audit management software for audit
management. The selected bidder is expected to upload/record all the audit
observations in the said package (i.e. uploading and authorization) post
completion of main audit and compliance audit.

10. Terms of Execution of work:

10.1 The Bank expects the service provider to conduct IS audit of the systems as
detailed in the Scope of work in phases as per the mutual agreement with
Bank.
10.2 The selected vendor has to go through the audit reports of previous two
years and has to check whether all the observations are complied. They
have to comment on status of non-complied observations, while
undertaking fresh audit under this RFP.
10.3 During the course of audit, if the service provider observes any major
deficiencies, they should immediately bring such observations,
deficiencies, areas of improvement and suggestions for improvement to
the notice of the concerned persons. The service provider should also
discuss with, guide/help the Bank staff in implementation of the critical
and important suggestions.
10.4 At the end of each phase, the service provider should submit a detailed
report containing all the observations, deficiencies, areas of improvement
and suggestions for improvement, for each system separately.
10.5 Since it will take some time setting right the deficiencies, on the Bank
intimating them to do so, the service provider should conduct a
compliance audit, to confirm setting right of the deficiencies and
implementation of the suggestions. The service provider should submit a
detailed report after compliance audit.
10.6 The reports arising out of the scope of work, should be submitted as and
when audit of one system is completed or at the latest on completion of
each phase.
10.7 The assignment will be for conducting audit on time. Bank, at its option,
will review and entrust the assignment either in full or in part
subsequently.
10.8 Bidder is expected to submit Soft copy (excel/word) and three hard
copies of audit report (Main audit and Compliance Audit) along with
recording/uploading observations in eTHIC package.

11. Project Management

During the execution of audit, vendor is expected to appoint one project
manager who will be responsible for overall co-ordination and execution of
audit program. Details of audit plan such as schedule date of initiation,
execution, completion etc. shall be communicated to Bank well in advance.

Along with appointing a project manager, bidder is also required to provide
an escalation matrix for their organization to escalate any issue that the bank may
feel requires the attention of the vendor’s senior management.

12. Cost & Currency

The commercial offer must be made in Indian Rupees only as per Format of
Commercial bid specified in RFP.

13. Price Validity and Single Point of Contact

Prices payable to the successful bidder as stated in the Contract shall be firm
and not subject to any changes under any circumstances during the contract
period. The selected bidder should have a local office in India, preferably in
Mumbai, and has to provide details of single point of contact viz. name,
designation, address, e-mail address, telephone/ mobile no. etc. for all
communications.

14. Language of Bid

The language of the bid response and any communication with the Bank must
be in written English only. Supporting documents provided with the RFP
response can be in another language so long as it is accompanied by an
attested translation in English, in which case, for purpose of evaluation of the
bids, the English translation will govern.
15. Terms and Conditions:
15.1. Cost of RFP
RFP document can be purchased against payment of Rs.1,500/- (non-
refundable) in the form of a demand draft issued by a scheduled
commercial bank favoring Union Bank of India payable at Mumbai. In
case of bidders registered with National Small Industries Corporation
Limited (NSIC)/MSME, they are eligible for waiver of RFP document
cost. However, they need to provide valid MSME/NSIC Certificate
clearly mentioning that they are registered with NSIC/MSME under
single point registration scheme.
RFP document can also be downloaded from the Bank's website
www.unionbankofindia.co.in or Government tender portal
www.eprocure.gov.in.
In the event of non-payment of the fee of Rs.1,500/- towards the RFP
form, the offer will be rejected.
All costs and expenses (whether in terms of time or material or
money) incurred by the Recipient/ Bidder in any way associated with
the development, preparation and submission of responses, including
but not limited to attendance at meetings, discussions,
demonstrations, etc. and providing any additional information
required by the Bank, will be borne entirely and exclusively by the
Bidder.

15.2. Bid Security/EMD (Refundable):

i. Service provider will have to provide a Bid security of Rs. 2.00 lakh
(Rupees Two lakh only) by way of either demand draft / Pay Order
issued in favour of Union Bank of India by a scheduled commercial
bank in India, payable at Mumbai or a Bank Guarantee of equivalent
amount, valid for a period of one year with claim period of 60 days,
issued by a Scheduled Commercial Bank other than Union Bank
of India in favour of Union Bank of India.
ii. In case of bidders registered with NSIC/MSME, they are eligible for
waiver of EMD. However, they need to provide valid NSIC/MSME
Certificate clearly mentioning that they are registered with NSIC
under single point registration scheme.
iii. The Bank reserves its right to reject the proposal, in the event of
non-submission of the bid-security money of Rs. 2.00 lakh.
iv. No interest will be payable on the Bid Security amount.
v. The bid security amount will be forfeited if the vendor refuses to
accept the purchase order or having accepted the purchase order,
fails to carry out his obligations mentioned therein.
vi. The Bid Security will be refunded to the unsuccessful bidders only
after completion of the bid process.
vii. The Bid security of the successful bidder would be refunded while
releasing the payment due after the last milestone. Hence the
successful bidder has to ensure that validity of Bank Guarantee is
extended, till completion of the project.
viii. Bid Security will be forfeited in the following cases:
 If a bidder withdraws its bid during the period of bid validity;
or
 If a Bidder makes any statement or encloses any form which
turns out to be false / incorrect at any time prior to signing of
Contract.
 In case of a successful Bidder, if the Bidder fails:
o To execute Contract within the stipulated time or
o To furnish Performance Bank Guarantee as mentioned in
Performance Bank Guarantee herein.
o If the bidder refuses to accept the corrections of errors
calculated in accordance with the terms of RFP.
ix. The successful Bidder’s Bid security will be discharged upon the Bidder
signing the Contract Agreement and against submission of
performance bank guarantee (other than Union Bank of India) valid
for contract period with the claim period of minimum 60 days as per
the format mentioned in RFP, for 10% of contract value/TCO.

15.3. Performance Bank Guarantee (PBG)

The successful bidder shall provide a Performance Bank Guarantee for
10% of contract value/TCO valid for contract period or 1 year whichever
is higher within 60 days from the date of receipt of purchase order or
signing of the contract whichever is earlier in the format as provided in
RFP with a claim period of 60 days and such other extended period as
the Bank may decide for due performance of the project obligations.
The PBG should be of scheduled Commercial Bank, other than Union
Bank of India.
In the event of non-performance of obligation or failure to meet terms
of this tender the Bank shall be entitled to invoke the performance
guarantee without notice or right of demur to the successful bidder. Any
amount pending for payment due to non achieving of milestone/s set
under the agreement or any other reason solely attributable to the
successful bidder should be included in the remaining amount of the
contract value.
The Bank reserves the right to recover any dues payable by the selected
bidders from any amount outstanding to the credit of the selected
bidders, including the pending bills and/or invoking Performance
Guarantee, if any, under this contract.
If the Performance bank guarantee is not submitted within the
stipulated time, the Bank reserves the right to cancel the order /
contract and the earnest money deposit taken from the successful
bidder, will be forfeited.

15.4. Period of Validity of Bids

Bids should remain valid for the period of at least 180 days from the last
date for submission of bid prescribed by the Bank. In case the last date
of submission of bids is extended, the Bidder shall ensure that validity of
bid is reckoned from modified date for submission. Further extension of
the validity of the bid will be decided by the bank in case of need. The
price quoted in Final Commercial Offer will be valid for at least 180 days
from the date of offer.

15.5. Amendment of Bidding Documents

Prior to the last date for bid-submission, the Bank may, for any reason,
whether at its own initiative or in response to clarification(s) sought
from the prospective Bidders, modify the RFP contents/ covenants by
amendment. Clarification /amendment, if any, will be notified on
Bank’s website. No individual communication would be made in this
respect. In order to provide Bidders reasonable time to take the
amendment into account for preparing their bid, the purchaser may, at
its discretion, extend the last date of submission of bids.

15.6. Authorization to Bid

The proposal/ bid being submitted would be binding on the Bidder. As
such, it is necessary that authorized personnel (acceptable to bank) of
the firm or organization sign the bid documents. The designated
personnel should be authorized by a senior official of the organization
having authority. The Bid should be signed by the authorized signatory
of the bidder. A power of attorney to that effect shall be submitted by
the bidders.

I. All pages of the bid shall be initialed by the person or persons
signing the bid.
II. Bid form shall be signed in full & official seal affixed.
III. Any inter-lineation, erasure or overwriting shall be valid only if
they are initialed by the person or persons signing the Bid.
IV. All such initials shall be supported by a rubber stamp impression
of the Bidder’s firm.
V. The proposal must be accompanied with an undertaking letter
duly signed by the designated personnel providing a bid
commitment. The letter should also indicate the complete name
and designation of the designated personnel.
15.7. Clarifications on the RFP
i Queries/clarifications would not be entertained over phone.
ii All the queries and clarifications must be sought in writing to the
email id:
Ashwinivittal@unionbankofindia.com
Vishalkumar@unionbankofindia.com
iii Service providers are also requested to collate queries and submit
them together seeking clarifications/responses from the Bank. It
should be ensured that all the queries and clarifications are
communicated in writing on or before 26.02.2020. Queries received
thereafter will not be entertained. Bidders are requested to visit
Bank’s website for clarifications and other communications
iv Any modification of the RFP, which may become necessary as a result
of the queries, shall be made available by the Bank exclusively
through the issue of Corrigendum on Bank’s website
www.unionbankofindia.co.in, government tender portal
www.eprocure.gov.in.

15.8. Two Part Offer:

i One hard copy of the Technical Bid and One Copy of the Commercial
Bid must be submitted at the same time, giving full particulars in
separate sealed envelopes at the Bank’s address given below on or
before the schedule given above. The bidder should submit a soft
copy of the technical bid on a CD/Pen drive. Offers (Technical &
Commercial) must be submitted at the same time, giving full
particulars in separate sealed envelopes addressed to

The General Manager (CA&ID)
Union Bank of India,
IS Audit Cell, Central Audit & Inspection Department,
The Earnest House, 7th floor,
Nariman Point, Mumbai-400021

ii All envelopes must be super-scribed with the following information –

Type of Offer- Selection of CERT-in Empanelled Information System
Audit Service Provider for Conducting Information System Audit of IT
Systems and Processes - Technical Bid

Type of Offer- Selection of CERT-in Empanelled Information System
Audit Service Provider for Conducting Information System Audit of IT
Systems and Processes - Commercial Bid

Due Date :
Name of Bidder :
Name of the Authorized Person :
Contact Number :

iii All schedules, Formats and Annexure should be stamped and signed
by an authorized official of the bidder’s company.
iv The offer should be hand delivered or by post at the given address on
or before the bid submission date and time. Bids sent by fax, e-mail,
will not be considered for evaluation.
v Tender offers will be opened in the presence of the bidder
representatives who choose to attend the opening of tender on the
above-specified date, time and place. All bidders are advised to be
present at the time of bid opening. No separate intimation will be
given in this regard.

15.9. No Erasures or Alterations:
i The original offer (Technical Offer and Commercial Offer) shall be
prepared in indelible ink.
ii Technical details must be completely filled up. All the hand-written
details in the offer must be initialed by the persons or person who
sign(s) the proposals.
iii All the pages of the offer must be initialed by an authorized
representative with a round stamp of the bidding firm.

15.10. Technical Proposal:

i. The Technical Proposal should be complete in all respects and
contain all the information asked for in this RFP document in an
organized and structured manner. All the details sought must be
submitted in the prescribed pro-forma only (as per the attached
formats). Additional/supporting documents, write-ups, etc., if any
should be furnished separately.
ii. The Technical Proposal should be submitted in separate sealed
envelope as detailed in RFP document.
iii. The Technical Proposal should not contain any price information.
iv. The UNPRICED commercial proposal would be a replica of the
commercial proposal except the price. It must indicate all the details
except the price. It should be sufficient to ensure that all products
and services asked for are quoted along with the quantity of each
item quoted in the commercial proposal. The un-priced commercial
proposal should be part of technical proposal.
v. The Bank, at its discretion, may not evaluate a proposal in case of
non-submission or partial submission of details sought.
vi. The Technical Proposal should comprise of following (as per the
formats):
 Letter in the prescribed format confirming compliance to the
Bank's terms and conditions.
 Service provider Profile
 Details of Professional Personnel
 Details of reference sites –IS Audits
 Details of reference sites – Core Banking Application Audit
 Proposed Methodology and work plan
 UNPRICED Commercial Offer as per Format, which should be
replica of the Commercial proposal without price information
 Bid Security amount (by way of DD/PO drawn in favour of Union
Bank of India issued by a Scheduled Commercial bank payable at
Mumbai or Bank Guarantee of equivalent amount issued by a
Scheduled Commercial bank valid for one year as detailed in RFP)
 Supporting documents and undertakings as mentioned in RFP.
 Self-declaration and certification to confirm compliance of
“should not”.
 “Know Your Employee Annexure” Duly signed by competent
Authority.

Bidders are strictly advised to submit documents as per the
formats enclosed in RFP.

15.11. Commercial Proposal:

i. The Commercial Proposal should be submitted in separate sealed
envelope, superscribed as detailed in RFP.
ii. The Commercial Proposal should provide all relevant price
information in Indian Rupees only.
iii. It should not contradict the unpriced Commercial proposal in any
manner.
iv. The responses should be strictly as per the terms and conditions of
this RFP. Service Providers are advised not to attach or specify any
terms and conditions. The Bank reserves its right to reject the
proposals received with any additional terms and conditions specified
by the Service provider.
v. The Commercial Proposal should be as per format.
vi. The prices mentioned in the commercial proposal should strictly be in
conformity with the price composition specified in RFP.
vii. The Commercial Bid should be exclusive of applicable taxes.
viii. The total cost must be quoted in WORDS AND FIGURES. In case of
discrepancy between the words and figures, lower of the two would
be considered as the price quoted and the same will be binding on
the vendor.
ix. Commercial Offers of only those vendors, who qualify in Technical Bid
evaluation, will be opened.

15.12. Price Composition:

i The price quoted should be inclusive of following:
 Professional Charges
 Travel and Halting expenses, including local conveyance
 Out of pocket expenses.

ii Work Contract tax, if any, applicable should be borne by the Service
provider. The commercial offer shall be on a fixed price basis and in
Indian Rupees. No price variation should be asked for relating to
increases in customs duty and/or any taxes, foreign currency price
variation etc. However, if there is any reduction in government
levies/taxes, during the validity of offer, the same shall be passed on
to the Bank.

iii The costs of preparing the offer and of negotiating the contract will
not be borne by the Bank and, are not reimbursable. All costs and
expenses incurred by Respondents in any way associated with the
development, preparation, and submission of responses, including
the attendance at meetings, discussions, demonstrations, reference
site visits etc. and providing any additional information required by
Union Bank Of India, will be borne entirely and exclusively by the
Respondent.

15.13. Payment of Other Expenses:

The selected vendor will have to visit various offices of the Bank, at
various locations namely Mumbai, Bengaluru, Hyderabad, Banglore,
Mangalore, Chennai etc. The Bank WILL NOT pay any expenses towards
travelling, lodging and boarding of the members of IS Audit team of the
selected vendor. They will have to make their own travel and stay
arrangements.

15.14. Evaluation Procedure:

i The evaluation of technical proposals will be done based on
 scrutiny of eligibility criteria to determine the eligibility of
vendors;
 scrutiny of the proposals to verify whether the same is in
accordance with the RFP terms; and
 Reference site feedback about the service.
ii In the process of scrutiny of the proposals, Bank may seek additional
inputs and clarifications as may be needed and also may request the
service providers to make a presentation. The request for such
clarifications and the response will necessarily be in writing.
iii Proposals found to be meeting the Bank’s requirements based on the
technical evaluation only will be considered for commercial
evaluation. Cost comparison will be on the basis of TCO (total cost of
ownership).

15.15. Right to Alter Quantities

i The Bank reserves the right to alter quantities, revise/modify all or
any of the specifications, delete some items specified in this offer,
when finalizing its requirements or declare the RFP void, without
assigning any reason, before or after receiving the responses. That is,
the Bank reserves its right to add or remove the Information systems
in respect of which the IS Audit is to be conducted.

ii The Bank also reserves the right to get the IS audit done for some of
the systems only. In the event of change of quantities, the TCO would
be worked out after normalizing the Commercial Offer to suit to the
required systems. The amounts quoted for the line items in the
commercial proposal would form base for such normalization process.
The TCO worked out by the Bank after normalization, would be
binding on the service provider.

15.16. No Commitment to Accept Lowest or Any Tender

The Bank shall be under no obligation to accept the lowest or any other
offer received in response to this tender notice and shall be entitled to
reject any or all tenders without assigning any reason whatsoever.

15.17. Rotation of Audit Team

Selected vendor is expected to rotate the auditors based on their
expertise in order to maintain quality and independence of
assessment.
15.18. Price freezing and Contract Period

i The final prices stated above, shall remain frozen for a minimum
period up to three years from the date of the purchase order.
ii Initial Contract would be valid for one year and can be further
extended for a period of maximum two more years (1+1) subject to
satisfactory performance of the IS Auditors. Performance of the
auditors would be evaluated annually.
iii Bank reserves its right to place repeat orders for the assignment in
full or in parts at the same price and terms, as per its requirements,
by addition or deletion of few information systems during the price
validity period i.e., three years which is subject to the Service
Provider’s performance meeting the Bank’s benchmark for IS Audit.

16. Payment Terms

The terms of payment will be as follows:
i No advance payment will be made along with the Purchase order.
ii Entire IS audit process for information system will be divided into
phases. The amount quoted as TCO will be divided equally among the
phases.
iii Each phase will have two rounds of audit. One round of audit for
which vendor is expected to undertake audit as per the scope of work
and submit report detailing identified gaps. Post confirmation from
Bank, 2nd round i.e. compliance audit shall be conducted for the
same.
iv Payment of each phase will be divided into two parts: 70% after 1st
round (audit) and 30% after 2nd round (Compliance).
v Applicable TDS will be deducted by the Bank at the time of making
payment toward invoice raised by the bidder. Payment will be made
through electronic mode only.

17. Cancellation of the assignment
The Bank reserves its right to cancel the assignment in the event of one
or more of the following conditions:
 Delay in commencement of the IS Audit beyond two weeks after
the assignment order or beyond the date given by the bank in the
purchase order.
 Delay in completion of all the three phases of the IS Audits
beyond the time specified in the assignment letter.

18. Liquidated Damages

18.1 Notwithstanding the Bank's right to cancel the assignment, 0.5% of the
order value per week or part thereof would be payable to the Bank for
delay in the execution of this assignment order beyond specified
schedule, subject to a maximum of 5% of the value of the said phase.
18.2 Bank reserves its right to recover these amounts by any mode such as
adjusting from any payments to be made by the Bank to the company.
18.3 The Bank however may review and consider waiving imposing of
liquidated damages for delays beyond the control of the Service
Provider.

19. RFP Ownership

The RFP and all supporting documentation are the sole property of Union
Bank of India and should NOT be redistributed without prior written
consent of Union Bank. Violation of this would be a breach of trust and
may, inter-alia cause the vendors to be irrevocably disqualified. The
aforementioned material must be returned to Union Bank while
submitting the proposal, or upon request. However, service providers
can retain one copy for reference.

20. Proposal Ownership

The proposal and all supporting documentation submitted by the service
providers shall become the property of the Bank. The proposal and
documentation may be retained, returned or destroyed as the Bank
decides.

21. Confidentiality
This document contains information confidential and proprietary to the
Bank. Additionally, the service providers will be exposed by virtue of the
contracted activities to the internal business information of the Bank.
Disclosures of receipt of this RFP or any part of the aforementioned
information to parties not directly involved in providing the services
requested could result in the disqualification of the service providers,
premature termination of the contract, or legal action against the
service providers for breach of trust.

Selected service provider will have to sign a legal non-disclosure
agreement with the Bank before starting the project.

22. Indemnity
22.1 Bidder shall indemnify, protect and save the Bank and hold the
Bank harmless from and against all claims, losses, costs, damages,
expenses, action suits and other proceedings, (including reasonable
attorney fees), relating to or resulting directly or indirectly from

22.1.1 an act or omission of the Bidder, its employees, its agents,
or employees of the consortium in the performance of the
services provided by this contract,
22.1.2 breach of any of the terms of this RFP or breach of any
representation or warranty by the Bidder
22.1.3 use of the deliverables and or services provided by the
Bidder,
22.1.4 Infringement of any patent, trademarks, copyrights, etc. or
such other statutory infringements in respect of all
components provided to fulfill the scope of this project.
Bidder shall further indemnify the Bank against any loss or
damage to the Bank’s premises or property, Bank’s data,
direct financial loss, loss of life, etc., due to the acts of the
Bidder’s employees or representatives. The Bidder shall
further indemnify the Bank against any loss or damage
arising out of loss of data, claims of infringement of third-
party copyright, patents, or other intellectual property, and
third-party claims on the Bank for malfunctioning of the
equipment or software or deliverables at all points of time,
provided however,
22.1.4.1 The Bank notifies the bidder in writing in a
reasonable time frame on being aware of such
claim,
22.1.4.2 The Bidder has sole control of defense and all
related settlement negotiations,
22.1.4.3 The Bank provides the Bidder with the assistance,
information and authority as it deems fit to
perform the above.
22.2 It is clarified that the bidder shall in no event enter into a settlement,
compromise or make any statement (including failure to take
appropriate steps) that may be detrimental to the Bank’s (and/or its
customers, users and service providers) rights, interest and reputation.
22.3 Bidder shall be responsible for any loss of data, loss of life, etc, due to
acts of Bidder’s representatives, and not just arising out of gross
negligence or misconduct, etc, as such liabilities pose significant risk.
22.4 Bidder should take full responsibility for its and its employees’ actions.
Further, since the Bank’s data could be integrated / used under Bidder
provided software, the Bidder should be responsible for
loss/compromise or damage to Bank’s data and for causing reputation
risk to bank.
22.5 The bidders should indemnify the Bank (including its employees,
directors or representatives) from and against claims, losses,
liabilities, penalties, fines and suits arising from:
22.5.1.1 IP infringement under any laws including Copyrights Act 1957
& IT Act 2000 and such other statutory acts and amendments
thereto.
22.5.1.2 Negligence and misconduct of the Bidder, its employees, and
agents.
22.5.1.3 Breach of any terms of RFP, Representation or Warranty.
22.5.1.4 Act or omission in performance of service.
22.5.1.5 Loss of data due to any of the reasons mentioned above.
22.5.1.6 Non-compliance of the bidder with Laws/Governmental
/regulatory Requirements.

22.6 In the event that the Bank is called as a defendant for IPR
infringement of patent, trademark or industrial design rights arising
from use of any of the components of the supplied solution, the Bidder
on its own expense will undertake to defend the Bank.
22.7 It will be the Bidder’s responsibility to rapidly do away with such
third-party claims. The Bidder will also pay any compensation arising
from the infringement claims and the Bank will in no manner be
responsible for such payments. In addition, the Bidder will bear all the
related expenses and legal fees.
22.8 On its part, the Bank will immediately relay to the Bidder any such
claims and offer assistance within reasonable limits to rid the claim.
22.9 The Bidder must undertake to indemnify that all the components
delivered are free of defects, are brand new and original. If at some
stage it is discovered that the components do not meet these criteria,
the Bank has the right to cancel the order and the Bidder will have to
refund the total amount received from the Bank along with the
interest and separate penalties. Similar conditions apply to software
as well; the system software must be licensed and original.

23. Intellectual Property Rights

The Bidder claims and represents that it has obtained appropriate rights
to provide the Deliverables and Services upon the terms and conditions
contained in this RFP.
23.1 The Bidder shall be responsible at its own cost for obtaining
all necessary authorizations and consents from third party
licensors of Software used by Bidder in performing its
obligations under this Project.
23.2 If a third party’s claim endangers or disrupts the Bank’s use of
the Deliverables, the Bidder shall at no further expense,
charge, fee or cost to the Bank, (i) obtain a license so that the
Bank may continue use of the Deliverables in accordance with
the terms of this RFP.
23.3 Bidder shall indemnify and keep fully and effectively
indemnified the Bank from all legal actions, claims, or damages
from third parties arising out of use of software, designs or
processes used by Bidder or his subcontractors or in respect of
any other services rendered under this RFP.

24. Minimum Wages

The bidder hereby agrees and undertakes that during the subsistence of this
agreement it will not employ any personnel/individual below the Minimum
Wages fixed by appropriate Government on this behalf from time to time, as
per the provisions of Minimum Wages Act 1948. In this effect, bidder has to
submit undertaking on their company letterhead signed by authorized
signatory.
The successful bidder will ensure strict compliance of all labour laws,
insurance, minimum wages to the staff employed /deployed /engaged for
the work assigned and the Bank will not be liable for any such
persons/personnel of successful bidder and shall not be liable for any levies /
penalties etc. that may be imposed by the authorities concerned for their
action/inaction. There shall be no employer employee relationship
whatsoever between the bank and the successful bidder /their employees
and the bidder or his employees, staff, agents will not be entitled to any
employment with Bank. In the event of any demand/fines/penalty made by
any of the authorities on bank in respect of the conduct/actions taken by the
bidder/their employees/labourers, the Bank will be entitled to recover the
said amounts from the bills / amount payable or from the performance
guarantee and also take appropriate action against said persons of
bidder/bidder for their misconduct, if any.

25. Non-Transferable offer

This Request for Proposal (RFP) is not transferable. Only the bidder who has
submitted the bid will be eligible for participation in the evaluation process.

26. Responsibility for Completeness

Any supplies and services, which might not have been specifically mentioned
in this tender but, are necessary for the installation, Configuration,
testing, commissioning, performance or completeness of the order, shall
be provided / made available as per the time schedule for smooth and
efficient operation and maintenance of the system under Indian conditions.

The bidder shall be responsible for any discrepancies, errors and omissions in
the technical details submitted by him/them, irrespective of whether these
have been approved, reviewed or otherwise accepted by the Bank or not.
The Bidder shall take all corrective measures arising out of discrepancies,
errors and omissions in drawing and other information as mentioned above
within the time schedule and without extra cost to the Bank.

27. Force Majeure

Force Majeure is herein defined as any cause, which is beyond the control
of the selected Bidders or the Bank as the case may be which they could
not foresee or with a reasonable amount of diligence could not have
foreseen and which substantially affect the performance of the Contract,
such as:
• Natural phenomena, including but not limited to
floods, droughts, earthquakes, epidemics,
• Acts of any Government, including but not limited to
war, declared or undeclared, priorities, quarantines,
embargoes,
• Terrorist attacks, public unrest in work area;

Provided either party shall within ten (10) days from the occurrence of such a
cause notify the other in writing of such causes. The Bidder or the Bank
shall not be liable for delay in performing his/her obligations resulting from
any Force Majeure cause as referred to and/or defined above.
28. Sub Contract

The selected bidder shall not sub contract or permit anyone other than its
personnel to perform any of the work, service or other performance required of
the vendor under the contract without the prior written consent of the bank.

29. Conflict of Interest

Bank requires that bidder provide professional, objective, and impartial advice
and at all times hold Bank’s interests paramount, strictly avoid conflicts with
other Assignment(s)/ Job(s) or their own corporate interests and act without any
expectations/ consideration for award of any future assignment(s) from Bank.

Bidders have an obligation to disclose any situation of actual or potential
conflict in assignment/job, activities and relationships that impacts their
capacity to serve the best interest of Bank, or that may reasonably be perceived
as having this effect. If the Bidder fails to disclose said situations and if Bank
comes to know about any such situation at any time, it may lead to the
disqualification of the Bidder during bidding process or the termination of its
Contract during execution of assignment.

30. Tender/RFP Cancellation


The Bank reserves the right to cancel the Tender/RFP at any time without
assigning any reasons whatsoever.
31. Publicity
Any publicity by the Service Provider in which the name of the Bank is to be
used, will be done only with the explicit written permission of the Bank.
32. Arbitration

All disputes and differences of any kind whatsoever arising out of or in
connection with the purchase order shall be referred to arbitration. The
arbitrator may be appointed by both the parties or in case of disagreement
each party may appoint an arbitrator and such arbitrators shall appoint an
Umpire before entering on the reference. The decision of the Umpire shall
be final. Such arbitration shall be governed by the provisions of Indian
Arbitration and Conciliation Act 1996. All arbitration proceedings shall be at
Mumbai, Maharashtra State, India only.
33. Jurisdiction

Notwithstanding anything contained herein above, in case of any dispute,
claim and legal action arising out of this RFP, the parties shall be subject to
the jurisdiction of courts at Mumbai, Maharashtra State, India only.

34. RFP Response Formats

1. Format – I: Letter to the Bank on the Service provider’s letterhead
2. Format – II: Service Provider Profile
3. Format – III: CV of Professional Personnel
4. Format – IV(a): References of IS Audits done for Banks.
5. Format –IV (b): References of Core Banking Application Audits done for
Banks.
6. Format – V: Proposed Methodology & Work Plan
7. Format – VI: Commercial Offer
8. Format – VII: Unpriced Commercial Offer
9. FORMAT –VIII: FORMAT FOR BANK GUARANTEE
10. FORMAT –IX: Format of Performance Bank Guarantee
11. FORMAT-X: Know Your Employee Annexure
12. FORMAT-XI: Bid Query Format
13. Annexure-I – Indicative list of applications
14. Annexure-II – Format for integrity Pact

All the above-mentioned formats are to be signed and submitted at the time of
bid submission.

1. Format – I: Letter to the Bank on the Service
provider’s letterhead
To

Union Bank of India,
Central Audit & Inspection Department,
The Earnest House, 7th Floor,
Nariman Point, Mumbai - 400 021

Dear Sir,

Sub: Response to RFP for Selection of CERT-in Empanelled Information System
Audit Service Provider for Conducting Information System Audit of IT Systems
and Processes

With reference to the above RFP, having examined and understood the instructions, terms
and conditions, we hereby enclose our offer for conducting IS Audit of the systems, as
detailed in your above referred inquiry.

We confirm that the offer is in conformity with the terms and conditions as mentioned in
your above referred RFP. We further confirm that the information furnished in the
proposal, annexure, formats, is correct. Bank may make its own inquiries for verification
and we understand that the Bank has the right to disqualify and reject the proposal, if any
of the information furnished in the proposal is not correct.

We also confirm that the prices offered shall remain fixed for a period of one hundred and
eighty (180) days from the date of submission of the offer.

We also understand that the Bank is not bound to accept the offer either in part or in full.
If the Bank rejects the offer in full or in part, the Bank may do so without assigning any
reasons thereof.

We further understand that the finalized prices will be frozen for a period of three years
from the date of entrustment of assignment and that the Bank, at its discretion may
entrust the assignment again in full or parts at the same price and terms as per its
requirements with addition / deletion of few information systems to be audited.

We hereby declare that all the information & Statements made in this RFP are true
and accept that any misinterpretation contained in it may lead to our
disqualification. We agree to all terms & conditions of the RFP including all
addendum, corrigendum etc.

Yours faithfully,

Authorized Signatories
(Name, Designation and Seal of the Company)
Date:
2. Format – II: Service Provider Profile

S. No. | Particulars | Response
1 | Name of the Service Provider |
2 | Address for Communication |
3 | Contact Person 1 |
4 | Phone / Mobile Number |
5 | Email id |
6 | Contact Person 2 |
7 | Phone / Mobile Number |
8 | Email id |
9 | Experience in the business in India (No. of Completed Years (Minimum Three Years)) |
10 | Total Number of staff in India |
11 | No. of professionally qualified persons | CISA __ CISSP ___ CISM __
12 | Name of the professionally qualified personnel indicating the respective qualifications (service provider may add more lines as per requirements) | CISA / CISSP / CISM

13 | Business details in India for the last three financial years (copies of the published audited financial statements should be annexed)
Year | Turnover | Service Income | Operating profit | Net Profit after Tax
2016-17 | | | |
2017-18 | | | |
2018-19 | | | |

14 | Details of the organizations for which IS Audit was conducted in the past three years
Name of the Organisation | Place | Month & Year
3. Format – III: CV of Professional Personnel
(To be furnished on a separate sheet for each employee)

Name of the staff
Date of Birth
Professional Qualifications
Service in the firm from
Previous employment record | Organization | From | To
Details of Key assignments handled in the past three years | Organization | Month & Year | Details of assignment done
Whether Copy of the Professional Certification like CISA/CISM/CISSP is enclosed or not | Yes / No (Certification Details)

4. Format – IV (a): References of IS Audits done for Banks.
(The details of each assignment should be furnished on a separate page. The details should
relate to the assignments done during the past three years. We expect two references in
the minimum)

1 Name of the Bank
2 Address
3 Name of the Contact Person
4 Designation
5 Direct Phone number
6 Mobile Phone
7 E-mail id
8 Month & Year in which IS Audit was conducted
9 Names of professional personnel who carried out that assignment
10 Brief particulars of the Systems for which IS audit was done. (Scope of Work)

5. Format –IV (b): References of Core Banking Application
Audits done for Banks.
(The details of each assignment should be furnished on a separate page. The details should
relate to the assignments done during the past three years. We expect two references in
the minimum)

1 Name of the Bank
2 Address
3 Name of the Contact Person
4 Designation
5 Direct Phone number
6 Mobile Phone
7 E-mail id
8 Month & Year in which IS Audit was conducted
9 Names of professional personnel who carried out that assignment
10 Scope of Work

6. Format – V: Proposed Methodology & Work Plan
(Please mention the details of tasks you propose to do along with the estimates of time
lines for each task, the key personnel you intend to engage for each of the tasks in the
assignment and the deliverables for each task. In other words, this sheet should provide
the entire project plan)

7. Format – VI: Commercial Offer
(To be submitted in Commercial Bid)
To
Union Bank of India,
Central Audit & Inspection Department,
The Earnest House, 7th floor,
Nariman Point, Mumbai - 400 021

Dear Sir,

Sub: Response to RFP for Selection of CERT-in Empanelled Information System
Audit Service Provider for Conducting Information System Audit of IT Systems
and Processes
With reference to the above RFP, having examined and understood the instructions, terms
and conditions, we hereby enclose our Commercial offer for conducting IS Audit of the
systems, as detailed in your above referred inquiry.
Sr. No. | Details | Professional Fees | Taxes | Total Cost
1 | IS audit of Bank’s systems as per Scope defined in RFP – (Part A - Annexure I) | | |
2 | IS audit of Bank’s systems as per Scope defined in RFP – (Part B - Annexure I) | | |
Total Cost of Ownership (TCO) | | |
TCO in words:
Note: Price is to be quoted for one year as per the scope of RFP. The contract will be
renewed based on performance for further period, in tranches of one year, not
exceeding for further period of two years. Bank may at its discretion place order for
Part A or Part B or Both (Part A + Part B) or as specified under point 15.15 of RFP.
We confirm that the offer is in conformity with the terms and conditions as mentioned in
your above referred RFP. We further confirm that the information furnished in the
proposal, annexure, formats, is correct. Bank may make its own inquiries for verification
and we understand that the Bank has the right to disqualify and reject the proposal, if any
of the information furnished in the proposal is not correct.
We also confirm that the prices offered shall remain fixed for a period of One Hundred
Eighty (180) days from the date of submission of the offer.
We also understand that the Bank is not bound to accept the offer either in part or in full.
If the Bank rejects the offer in full or in part the Bank may do so without assigning any
reasons therefor.

Yours faithfully,

Authorized Signatories
(Name, Designation and Seal of the Company)
Date:
8. Format – VII: Un-priced Commercial Offer
(To be submitted in Technical Bid)
To
Union Bank of India,
Central Audit & Inspection Department,
The Earnest House, 7th floor,
Nariman Point, Mumbai - 400 021
Dear Sir,

Sub: Response to RFP in connection with outsourcing IS Audit

With reference to the above RFP, having examined and understood the instructions, terms
and conditions, we hereby enclose our Unpriced Commercial offer for conducting IS Audit
of the systems, as detailed in your above referred inquiry. We have not furnished any
price information below.

Sr. No. | Details | Professional Fees | Taxes | Total Cost
1 | IS audit of Bank’s systems as per Scope defined in RFP – (Part A - Annexure I) | XXXXXXXXXX | XXXXXX | XXXXXXXX
2 | IS audit of Bank’s systems as per Scope defined in RFP – (Part B - Annexure I) | XXXXXXXXXX | XXXXXX | XXXXXXXX
Total Cost of Ownership (TCO) | | |
TCO in words:
Note: Price is to be quoted for one year as per the scope of RFP. The contract will be
renewed based on performance for further period, in tranches of one year, not
exceeding for further period of two years. Bank may at its discretion place order for
Part A or Part B or Both (Part A + Part B) or as specified under point 15.15 of RFP.

We confirm that the offer is in conformity with the terms and conditions as mentioned in
your above referred RFP. We further confirm that the information furnished in the
proposal, annexures, formats, is correct. Bank may make its own inquiries for verification
and we understand that the Bank has the right to disqualify and reject the proposal, if any
of the information furnished in the proposal is not correct.
We also confirm that the prices offered shall remain fixed for a period of One Hundred
Eighty (180) days from the date of submission of the offer.

We also understand that the Bank is not bound to accept the offer either in part or in full.
If the Bank rejects the offer in full or in part the Bank may do so without assigning any
reasons therefor.
Yours faithfully,

Authorized Signatories
(Name, Designation and Seal of the Company)
Date:

9. FORMAT –VIII: FORMAT FOR BANK GUARANTEE- EMD
To
Union Bank of India,
Central Audit & Inspection Department,
The Earnest House, 7th floor,
Nariman Point, Mumbai - 400 021

Dear Sir,
M/s __________________ having their registered office at _____________
(hereinafter called the ‘Bidder’) wish to respond to the Request for Proposal (RFP)
for Selection of CERT-in Empanelled Information System Audit Service Provider for
Conducting Information System Audit of IT Systems and Processes, self and other
associated Bidders and submit the proposal for the same as listed in the RFP
document.

Whereas the ‘Bidder’ has submitted the proposal in response to RFP, we, the
____________ Bank having our head office ________________ hereby irrevocably
guarantee an amount of Rs.2,00,000/ (Rupees Two lac Only) as bid security as
required to be submitted by the ‘Bidder’ as a condition for participation in the said
process of RFP.
The Bid security for which this guarantee is given is liable to be enforced/invoked if the Bidder:

1. Withdraws its bid during bid validity period
2. Refuses to honor commercial bid. Bank reserves the right to place order
onto Bidder based on prices quoted by them.
3. Refuses to accept purchase order or, having accepted the purchase order,
fails to carry out his obligations mentioned therein

We undertake to pay immediately on demand, to Union Bank of India, the
said amount of Rs.2,00,000/- (Rupees Two lac Only) without any reservation,
protest, demur, or recourse. The said guarantee is liable to be invoked/ enforced
on the happening of the contingencies as mentioned above and also in the RFP
document and we shall pay the amount on any Demand made by Union Bank of
India which shall be conclusive and binding on us irrespective of any dispute or
difference raised by the Bidder.

Notwithstanding anything contained herein:

1) Our liability under this Bank guarantee shall not exceed Rs.2,00,000/-
(Rupees Two lac Only).
2) This Bank guarantee will be valid up to __________________; with a claim
period of 45 days thereafter and
3) We are liable to pay the guarantee amount or any part thereof under this
Bank guarantee only upon service of a written claim or demand by you on or
before ________________.

In witness whereof the Bank, through the authorized officer, has set its hand and
stamp on this _______________ day of __________________ at
_________________.

Signature ……………………………………

Name …………………………………………
(In Block letters)
Designation …………………………………
(Staff Code No.)……………………………..

Official address:
(Bank’s Common Seal)
Attorney as per power of Attorney No.
Date:
WITNESS:

1……………………………………………… (Signature with Name, Designation & Address)

2……………………………………………… (Signature with Name, Designation & Address)

10. FORMAT –IX: Format of Performance Bank Guarantee
NOTE:

1. This guarantee should be furnished by a Nationalized Bank / Scheduled
Bank, other than Union Bank of India, as per the following format.
2. This bank guarantee should be furnished on stamp paper value as per Stamp
Act. (not less than Rs.500/-).
3. The stamp paper should be purchased either in the Name of the Bank
executing the Guarantee or in the name of Union Bank of India.
4. This Bank Guarantee should be furnished within 30 days from the date of
purchase order or the delivery period prescribed in the purchase order
whichever is earlier.
5. This Bank Guarantee should be directly sent to the Purchaser by the Issuing
Bank under Registered Post with Acknowledgement Due.

To
Union Bank of India,
Central Audit & Inspection Department,
The Earnest House, 7th floor,
Nariman Point, Mumbai - 400 021

Dear Sir,

In consideration of Union Bank of India, Central Audit & Inspection Department,
The Earnest House, 7th floor, Nariman Point, Mumbai - 400 021, placing an order
for _____________of & on __________________ having registered office at
_____________________ (hereinafter called the vendor) as per the purchase
contract entered into by the vendor vide purchase contract no ____________ dated
__________ (hereinafter called the said contract), we ________________( Name of
the Guarantor Bank), a 'schedule bank', issuing this guarantee through its branch at
__________ presently located at
__________________________________________________________ (hereinafter
called the bank), do hereby irrevocably and unconditionally guarantee the due
performance of the vendor as to the ) for _____________________(Name of
project ) as per the said contract entered into by the vendor with you.

If the said vendor fails to implement or maintain the system or any part thereof as
per the contract and on or before the schedule dates mentioned therein, we
_____________ (Name of the Guarantor Bank), do hereby unconditionally and
irrevocably agree to pay the amounts due and payable under this guarantee
without any demur and merely on demand in writing from you during the currency
stating that the amount claimed is due by way of failure on the part of the vendor
or loss or damage caused to or suffered / or would be caused to or suffered by you
by reason of any breach by the said vendor of any of the terms and conditions of
the said contract, in part or in full. Any such demand made on us shall be
conclusive as regards the amount due and payable under this guarantee.

We ______________( Name of the Guarantor Bank), further agree that this
guarantee shall continue to be valid will you unless you certify that the vendor has
fully performed all the terms and conditions of the said contract and accordingly
discharge this guarantee, or until ______________ , whichever is earlier. Unless a
claim or demand is made on us in writing under this guarantee on or before
______________, we shall be discharged from all our obligations under this
guarantee. If you extend the schedule dates of performance under the said
contract, as per the terms of the said contract, the vendor shall get the validity
period of this guarantee extended suitably and we agree to extend the guarantee
accordingly at the request of the vendor and at our discretion, provided such
request is served on the bank on or before ______________.

Failure on part of the vendor in this respect shall be treated as a breach
committed by the vendor and accordingly the amount under this guarantee shall at
once become payable on the date of receipt of demand made by you for payment
during the validity of this guarantee or extension of the validity period.

You will have fullest liberty without affecting this guarantee to postpone for any
time or from time to time any of your rights or powers against the vendor and
either to enforce or forebear to enforce any or all of the terms and conditions of
the said contract. We shall not be released from our liability under this guarantee
by the exercise of your liberty with reference to matters aforesaid or by reason of
any time being given to the vendor or any other forbearance act or omission on
your part or any indulgence by you to the vendor or by any variation or
modification of the said contract or any other act, matter or thing whatsoever
which under the law relating to sureties would but for the provisions hereof have
the effect of so releasing us from our liability hereunder.

In order to give full effect to the guarantee herein contained you shall be entitled
to act as if we are your principal debtors in respect of all your claims against the
vendor hereby guaranteed by us as aforesaid and we hereby expressly waive all our
rights of suretyship and other rights if any which are in any way inconsistent with
the above or any other provision of this guarantee.

The words the vendor, the beneficiary of this guarantee i.e. Yourself, and
ourselves i.e. __________________ (Name of the Guarantor Bank), unless
repugnant to the context or otherwise shall include their assigns, successors,
agents, legal representatives. This guarantee shall not be affected by any change
in the constitution of any of these parties and will enure for and be available to
and enforceable by any absorbing or amalgamating or reconstituted company or
concern, in the event of your undergoing any such absorption, amalgamation or
reconstitution.

This guarantee shall not be revocable during its currency except with your prior
consent in writing. This guarantee is non-assignable and non-transferable.

Notwithstanding anything contained herein above:

I) Our liability under this bank guarantee shall not exceed 10% of the TCO.

II) This bank guarantee shall be valid up to _____________.


III) We are liable to pay the guaranteed amount or any part thereof under this
bank guarantee only if you serve upon us a written claim or demand (and
which should be received by us), on or before ____________ before 12:00
hours (Indian standard time) where after it ceases to be in effect in all
respects whether or not the original bank guarantee is returned to us.

This guarantee deed must be returned to us upon expiration of the period of
guarantee.

Signature ……………………………………

Name …………………………………………
(In Block letters)
Designation …………………………………
(Staff Code No.)……………………………..

Official address:
(Bank’s Common Seal)
Attorney as per power of Attorney No.
Date:
WITNESS:

1……………………………………………… (Signature with Name, Designation & Address)

2……………………………………………… (Signature with Name, Designation & Address)

11. FORMAT-X: Know Your Employee Annexure
(To be submitted by all bidders on their letter head)

(Bidder has to submit Undertaking on company letter head as per format given
below).

1. We ______________________ (name of the company) hereby confirm that
all the Resources (both on-site and off-site) deployed/to be deployed on
Bank’s project for ________________ (Name of the RFP) have undergone KYE
(Know Your Employee) process and requisite checks have been performed
prior to employment of said employees as per our policy.

2. We undertake and agree to save, defend and keep harmless and
indemnified the Bank against all loss, cost, damages, claims, penalties,
expenses, legal liability because of non-compliance of KYE and of misconduct
of the employee deployed by us to the Bank.

3. We further agree to submit the required supporting documents (Process of
screening, Background verification report, police verification report,
character certificate, ID card copy, Educational document, etc.) to Bank
before deploying officials in Bank premises for ________________ (Name of
the RFP).

Signature of Competent Authority with company seal


________________________________
Name of Competent Authority __________________________________
Company / Organization __________________________________
Designation within Company / Organization______________________________
Date ________________

Name of Authorized Representative __________________________________


Designation of Authorized Representative________________________________
Signature of Authorized Representative __________________________________
Verified above signature
Signature of Competent Authority__________________________________
Date ________________

12. FORMAT-XI: Bid Query Format

Bidders have to provide their queries on eligibility criteria, scope of work, terms
& conditions etc. in excel format as mentioned below. Bidders are requested to
categorize their queries under appropriate headings. Bidders are requested to
provide a reference of the page number, state the clarification point and the
queries/suggestion/deviation that they propose as shown below (all the queries
will be entertained only in Microsoft Excel in the following format by e-mail):

Queries will not be accepted in any other format other than Microsoft Excel.

Sl. No. | Clause no. | Page no. | Clause | Query | Bank Response

Place:
Date:
Signature:
Name & Designation:
Business Address:

13. Annexure-I
Part-A

Indicative List of Applications / Processes


1 Enterprise Wide Area Network
2 On-premise hyper converged Private Cloud
3 Core Banking Solution – Domestic and Overseas
4 Data Center & DR Site
5 ATM Setup
6 Lending Automation System (LAS) including online Loan Application
7 Information Technology Security Solutions (Active Directory/Patch Management/NAC/Antivirus)
8 IT Security Systems (Solutions under C-SOC)
9 Internet Banking – FEBA Domestic & UK
10 Mobility application development platform (MADP)
11 Enterprise Application Integration System
12 Demat Application
13 Payment Systems (RTGS/NEFT/QNG/SFMS)
14 CMS Payment Solution - Cash Management System
15 SWIFT Alliance (Domestic & Foreign Branches)
16 FI Gateway, KIOSK Operations, IM Banking App, Micro ATMs)
17 Mobile Banking Applications (Approx 10)
18 Penetration Testing of External Web URLs & Penetration Testing of Mobile Applications
19 SMS Banking, SMS alerts & OTP
20 CKYC Application
21 Business Intelligence
22 OCRM Application- Call Center
23 Email solution
24 Biometric Server for Finacle
25 Mandate management Solution - MMS
26 CCIL - used for trading purpose by dealers.
27 Cheque Truncation System (CTS)
28 Integrated Treasury Management System
29 Outsourced- Data Center and Network Monitoring System
30 Enterprise Fraud Risk Management (EFRM)

31 RETAD - Platform for B-category branches for reporting of foreign currency txns (Treasury)
32 GSTN application
33 TRACS Application
34 Channel Financing
35 Anti-Money Laundering- AML
36 Online Debit Card Issuance
37 Online Account Opening System
38 Management Information Systems & XBRL
39 Audit Management Package
40 Oracle Financial Services Analytical Applications
41 Integrated Risk Management System(IRM)
42 E-remit and E-Pay
43 Document Management System (DMS)
44 Process outsourced to Third Party (Approx 70 Process)
45 Audit for in-house developed application only Vulnerability Assessment, OS, DB review only (Approx 70)
46 Application Programming Interface Management (APIM)
47 National Electronic Toll Collection (NETC)

Please note that the above list of applications (Part A) for IS audit is
indicative only and may be replaced with another set of applications.
Based on the requirement, the number of applications may also increase or
decrease.
The Vendor is also expected to undertake pre-implementation audit of new
applications to be introduced as per requirement, and no separate price is to
be quoted for the same.

Part-B
Indicative list of applications for IS Audit where a separate price is to be
quoted - DC Location Hyderabad/Bangalore
1 Cheque Truncation System
2 Finacle (CBS)
3 Financial Inclusion System
4 Financial transaction Switch (ATM Switch)
5 Internet Banking
6 Integrated Treasury Management System (ITMS)
7 RTGS/NEFT
8 SWIFT
9 Mobile Banking
10 Active Directory
11 Symantec Antivirus
12 Lending Automation System
13 Primary Data Centre

14. Annexure II – Pre Contract Integrity Pact

Tender Ref. No:…….

INTEGRITY PACT

Whereas Union Bank of India having its registered office at Union Bank Bhavan,
239, Vidhan Bhavan Marg, Nariman Point, Mumbai, India -400 021 acting through
its Central Audit and Inspection Department, represented by General Manager /
Dy. General Manager hereinafter referred to as the Buyer and the first party,
proposes to procure (Name or category of the Equipment, services, etc.)
hereinafter referred to as Stores and / or Services.

And
M/s_____________________________ represented by_____________ Chief
Executive Officer, (which term, unless expressly indicated by the contract, shall
be deemed to include its successors and its assignee), hereinafter referred to as
the bidder/seller and the second party, is willing to offer/has offered the Stores
and / or Services.

2. Whereas the Bidder/Seller is a private company/public company/
partnership/registered export agency, constituted in accordance with the
relevant law in the matter and the BUYER is a Public Sector Undertaking and
registered under Companies Act 1956. Buyer and Bidder/Seller shall hereinafter
be individually referred to as “Party” or collectively as the “parties”, as the
context may require.

3. Preamble

Buyer has called for tenders under laid down organizational procedures
intending to enter into contract /s for supply / purchase / etc of
__________________ and the Bidder /Seller is one amongst several bidders
/Proprietary Vendor /Customer Nominated Source/Licensor who has indicated a
desire to bid/supply in such tendering process. The Buyer values and takes
primary responsibility for full compliance with all relevant laws of the
land, rules, regulations, economic use of resources and of fairness /
transparency in its relations with its Bidder(s) and / or Seller(s).

In order to achieve these goals, the Buyer will appoint Independent External
Monitor(s) (IEM) in consultation with Central Vigilance Commission, who will
monitor the tender process and the execution of the contract for compliance
with the principles mentioned above.

4. Commitments of the Buyer

4.1 The Buyer commits itself to take all measures necessary to prevent
corruption and fraudulent practices and to observe the following principles:-

(i) No employee of the Buyer, personally or through family members,
will in connection with the tender, or the execution of a contract
demand, take a promise for or accept, for self or third person, any
material or immaterial benefit which the person is not legally
entitled to.

(ii) The Buyer will during the tender process treat all Bidder(s) /Seller(s)
with equity and reason. The Buyer will in particular, before and
during the tender process, provide to all Bidder (s) /Seller(s) the
same information and will not provide to any Bidders(s) /Seller(s)
confidential /additional information through which the Bidder(s) /
Seller(s) could obtain an advantage in relation to the process or the
contract execution.

(iii) The Buyer will exclude from the process all known prejudiced
persons.

4.2 If the Buyer obtains information on the conduct of any of its employees
which is a criminal offence under the Indian Legislation Prevention of Corruption
Act 1988 as amended from time to time or if there be a substantive suspicion in
this regard, the Buyer will inform its Chief Vigilance Officer and in addition
can initiate disciplinary action.

5 Commitments of the Bidder(s) /Seller(s):

5.1 The Bidder(s)/Seller(s) commits itself to take necessary measures to prevent
corruption. He commits himself to observe the following principles during his
participation in the tender process and during the contract execution.

(i) The Bidder(s) /Seller(s) will not, directly or through any other persons
or firm, offer, promise or give to any of the Buyer’s employees
involved in the tender process or the execution of the contract or to
any third person any material or other benefit which he / she is not
legally entitled to, in order to obtain in exchange any advantage
during the tendering or qualification process or during the execution
of the contract.

(ii) The Bidder(s) /Seller(s) will not enter with other Bidders / Sellers
into any undisclosed agreement or understanding, whether formal or
informal. This applies in particular to prices, specifications,
certifications, subsidiary contracts, submission or non submission of
bids or any other actions to restrict competitiveness or to introduce
cartelization in the bidding process.

(iii) The Bidder(s) /Seller(s) will not commit any offence under the
Indian legislation, Prevention of Corruption Act, 1988 as amended
from time to time. Further, the Bidder(s) /Seller(s) will not use
improperly, for purposes of competition or personal gain, or pass on
to others, any information or document provided by the Buyer as
part of the business relationship, regarding plans, technical
proposals and business details, including information contained or
transmitted electronically.

(iv) The Bidder(s) /Seller(s) shall ensure compliance of the provisions of
this Integrity Pact by its sub-supplier(s) / sub-contractor(s), if any.
Further, the Bidder /Seller shall be held responsible for any
violation/breach of the provisions by its sub-supplier(s) /
sub-contractor(s).

5.2 The Bidder(s) /Seller(s) shall ensure compliance of the provisions of this
Integrity Pact by its sub-supplier(s) / sub-contractor(s), if any. Further, the
Bidder /Seller shall be held responsible for any violation /breach of the
provisions by its sub-supplier(s) /sub-contractor(s).

5.3 The Bidder(s) /Seller(s) will not instigate third persons to commit offences
outlined above or be an accessory to such offences.

5.4 Agents / Agency Commission

The Bidder /Seller confirms and declares to the Buyer that the Bidder/Seller is
the original manufacturer/authorized distributor / stockist of original
manufacturer or Govt. Sponsored /Designated Export Agencies (applicable in
case of countries where domestic laws do not permit direct export by OEMs) of
the stores and /or Services referred to in this tender / Offer / contract /
Purchase Order and has not engaged any individual or firm, whether Indian or
Foreign whatsoever, to intercede, facilitate or in any way to recommend to
Buyer or any of its functionaries, whether officially or unofficially, to the award
of the tender / contract / Purchase order to the Seller/Bidder; nor has any
amount been paid, promised or intended to be paid to any such individual or
firm in respect of any such intercession, facilitation or recommendation. The
Seller / Bidder agrees that if it is established at any time to the satisfaction of
the Buyer that the present declaration is in any way incorrect or if at a later
stage it is discovered by the Buyer that the Seller/Bidder has engaged any such
individual /firm, and paid or intended to pay any amount, gift, reward, fees,
commission or consideration to such person, party, firm or institution, whether
before or after the signing of this contract /Purchase order, the Seller /Bidder
will be liable to refund that amount to the Buyer. The Seller will also be
debarred from participating in any RFP / Tender for new projects / program
with Buyer for a minimum period of five years. The Buyer will also have a right
to consider cancellation of the Contract / Purchase order either wholly or in
part, without any entitlement of compensation to the Seller /Bidder who shall in
such event be liable to refund agents / agency commission payments to the
Buyer made by the Seller /Bidder along with interest at the rate of 2% per
annum above LIBOR (London Inter Bank Offer Rate) (for foreign vendors) and
Base Rate of SBI (State Bank of India) plus 2% (for Indian vendors). The Buyer
will also have the right to recover any such amount from any contracts /
Purchase order concluded earlier or later with Buyer.

6. Previous Transgression

6.1 The Bidder /Seller declares that no previous transgressions have occurred in
the last three years from the date of signing of this Integrity Pact with any other
company in any country conforming to the anti corruption approach or with any
other Public Sector Enterprise in India that could justify Bidder’s /Seller’s
exclusion from the tender process.

6.2 If the Bidder /Seller makes an incorrect statement on this subject, Bidder
/Seller can be disqualified from the tender process or the contract, if already
awarded, can be terminated for such reason without any liability whatsoever on
the Buyer.

7. Company Code of Conduct

Bidders /Sellers are also advised to have a company code of conduct (clearly
rejecting the use of bribes and other unethical behavior) and a compliance
program for the implementation of the code of conduct throughout the
company.

8. Sanctions for Violation

8.1 If the Bidder(s) /Seller(s), before award or during execution has committed
a transgression through a violation of Clause 5, above or in any other form such
as to put his reliability or credibility in question, the Buyer is entitled to
disqualify the Bidder(s) /Seller (s) from the tender process or take action as per
the procedure mentioned herein below:

(i) To disqualify the Bidder /Seller from the tender process and exclusion
from future contracts.

(ii) To debar the Bidder /Seller from entering into any bid from Buyer for
a period of two years.

(iii) To immediately cancel the contract, if already signed /awarded
without any liability on the Buyer to compensate the Bidder /Seller
for damages, if any. Subject to Clause 5, any lawful payment due to
the Bidder/Seller for supplies effected till date of termination would
be made in normal course.

(iv) To encash EMD /Advance Bank Guarantees / Performance Bonds /
Warranty Bonds, etc. which may have been furnished by the Bidder
/Seller to the extent of the undelivered Stores and / or Services.

8.2 If the Buyer obtains knowledge of conduct of Bidder /Seller or of an
employee or representative or an associate of Bidder /Seller which constitutes
corruption, or if the Buyer has substantive suspicion in this regard, the Buyer
will inform its Chief Vigilance Officer.

9. Compensation for Damages

9.1 If the Buyer has disqualified the Bidder(s) /Seller(s) from the tender process
prior to the award according to Clause 8, the Buyer is entitled to demand and
recover the damages equivalent to Earnest Money Deposit in case of open
tendering.

9.2 If the Buyer has terminated the contract according to Clause 8, or if the
Buyer is entitled to terminate the contract according to Clause 8, the Buyer
shall be entitled to encash the advance bank guarantee and performance bond /
warranty bond, if furnished by the Bidder / Seller, in order to recover the
payments, already made by the Buyer for undelivered Stores and / or Services.

10. Price Fall Clause

The Bidder undertakes that it has not supplied /is not supplying same or similar
product/systems or subsystems at a price lower than that offered in the present
Bid in respect of any other Ministry /Department of the Government of India or
PSU or Coal India Ltd and its subsidiaries during the currency of the contract and
if it is found at any stage that same or similar product /Systems or Subsystems
was supplied by the Bidder to any other Ministry /Department of the
Government of India or a PSU or any Public Sector Bank at a lower price during
the currency of the contract, then that very price will be applicable to the
present case and the difference in the cost would be refunded by the Bidder to
the Buyer, if the contract has already been concluded.

11. Independent External Monitor(s)

11.1 The Buyer has appointed Independent External Monitors for this Integrity
Pact in consultation with the Central Vigilance Commission (Names and
Addresses of the Monitors are given in RFP).

11.2 As soon as the Integrity Pact is signed, the Buyer shall provide a copy
thereof, along with a brief background of the case to the Independent External
Monitors.

11.3 The Bidder(s) / Seller(s), if they deem it necessary, may furnish any
information as relevant to their bid to the Independent External Monitors.

11.4 If any complaint with regard to violation of the IP is received by the buyer
in a procurement case, the buyer shall refer the complaint to the Independent
External Monitors for their comments / enquiry.

11.5 If the Independent External Monitors need to peruse the records of the
buyer in connection with the complaint sent to them by the buyer, the buyer
shall make arrangement for such perusal of records by the Independent External
Monitors.

11.6 The report of enquiry, if any, made by the Independent External Monitors
shall be submitted to MD & CEO, Union Bank Of India, Union Bank Bhavan,
Vidhan Bhavan Marg, Nariman Point, Mumbai -21 within 2 weeks, for a final and
appropriate decision in the matter keeping in view the provision of this Integrity
Pact.

12. Law and Place of Jurisdiction

This Integrity Pact is subject to Indian Laws, and exclusive Jurisdiction of
Courts at Mumbai, India.

13. Other Legal Actions

The actions stipulated in this Integrity Pact are without prejudice to any other
legal action that may follow in accordance with the provision of the extant law
in force relating to any civil or criminal proceedings.

14. Integrity Pact Duration.

14.1 This Integrity Pact begins when both parties have legally signed it. It
expires for the successful Bidder / Seller 10 months after the last payment
under the contract, and for all other Bidders / Sellers within 6 months from
the date of placement of order / finalization of contract.

14.2 If any claim is made/ lodged during this time, the same shall be
binding and continue to be valid despite the lapse of this Integrity Pact as
specified above, unless it is discharged / determined by MD & CEO, Union
Bank of India.

14.3 Should one or several provisions of this Integrity Pact turn out to be
invalid, the remainder of this Integrity Pact remains valid. In this case, the
parties will strive to come to an agreement to their original intentions.

15. Other Provisions

15.1 Changes and supplements need to be made in writing. Side agreements
have not been made.

15.2 The Bidder(s) / Seller(s) signing this IP shall not initiate any Legal action
or approach any court of law during the examination of any
allegations/complaint by IEM and until the IEM delivers its report.

15.3 In view of nature of this Integrity Pact, this Integrity Pact shall not be
terminated by any party and will subsist throughout its stated period.

15.4 Nothing contained in this Integrity Pact shall be deemed to assure the
bidder / Seller of any success or otherwise in the tendering process.

16. This Integrity Pact is signed with Union Bank of India exclusively and hence
shall not be treated as a precedent for signing of IP with MoD or any other
Organization.

17. The Parties hereby sign this Integrity Pact at ________________ on
________________ (Seller/Bidder) and ___________ on __________ (Buyer)

BUYER BIDDER * /SELLER*

Signature: Signature:

General Manager/DGM Authorized Signatory (*)


Union Bank of India,
…………………………..Division

Date: Date:
Stamp: Stamp:

Witness Witness
1. ______________________ 1. ______________________

______________________ ______________________
2.______________________ 2. ______________________
______________________ ______________________

(*) – Authorized signatory of the company who has also signed and submitted
the main bid.

*****END OF DOCUMENT******
