Volumes I, II
https://nationalinsurance.nic.co.in
This document is the property of National Insurance Company Limited. It may not be copied,
distributed or recorded on any medium, electronic or otherwise, without written permission
therefor. The use of the contents of this document, even by the authorized personnel / agencies for
any purpose other than the purpose specified herein, is strictly prohibited and shall amount to
copyright violation and thus, shall be punishable under the Indian Law.
Volume - I
Important Dates and Information
Bid Reference : Master Document with RFP Number: NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019
Date of Commencement of Bid : 21-Aug-2019 11.30 AM
Date and Time for request for clarification of Bids : 30-Aug-2019 up to 02:00 PM
Date and Time for Pre-Bid Meeting : 30-Aug-2019 up to 03:00 PM
Date and Time for publication of clarification, if required : On or before 09-Sep-2019 at www.nationalinsuranceindia.com and www.tenderwizard.com/NICL
Date and Time for Receipt of Bids : 24-Sep-2019 up to 03:00 PM
Time and Date of Opening of PART-I (Bid Security) i.r.o. Bids for Volume-II : 24-Sep-2019 at 04:00 PM
Time and Date of Opening of PART-II (Technical Bid) and Part-III (Commercial Bid) i.r.o. Bids for Volume-II : To be intimated later to Participating Bidders
Place of Opening of both PARTs of the Bids for Volume-II : IT Department, National Insurance Company Ltd., 3 Middleton Street, 4th floor, Kolkata - 700 071; Phone No: 2283-0795; Fax No: 2283-1740; Email: rs.raman@nic.co.in
Date till which the Bid is valid i.r.o. Bids for Volume-II : 1 (one) year from the date of opening of the Commercial Bids
Address for all Communication, including request for clarification, if required : Dy. General Manager - IT, IT Department, National Insurance Company Ltd., 3 Middleton Street, 4th floor, Kolkata - 700 071; Phone No: 2283-0795; Fax No: 2283-1740; Email: rs.raman@nic.co.in; CC: abhijit.bhattacharya@nic.co.in, utkarsh2.gupta@nic.co.in
Bank Details of NIC Head Office
Name as per Bank Account : National Insurance Company Limited
Bank Account Number : 417953111
Type of Account : Current Account
Name of the Bank : Indian Bank
Name of the Branch : Russell Street, Kolkata – 900071
MICR Number of the Branch : 900019018
IFSC No. of the Branch : IDIB000R024
1 Volume – I: Overview
1.1 About National Insurance Company Ltd.
National Insurance Company Limited (hereinafter referred to as NIC), with its registered office
in Kolkata, is one of the leading public sector insurance companies of India. It was incorporated in
1906 and nationalized in 1972, before operating as a Government of India undertaking from 2002.
National Insurance Company Ltd (NIC) is one of the leading public sector insurance companies
of India, carrying out non-life insurance business. Headquartered in Kolkata, NIC's network of
about 1000 offices, manned by more than 16,000 skilled personnel, is spread over the length and
breadth of the country covering remote rural areas, townships and metropolitan cities. NIC's
foreign operations are carried out from its branch offices in Nepal.
NIC transacts general insurance business of Fire, Marine and Miscellaneous insurance.
Befittingly, the product range of more than 200 policies offered by NIC caters to the diverse
insurance requirements of its 14 million policyholders. Innovative and customized policies ensure
that even specialized insurance requirements are fully taken care of.
1.2 Background
In order to cater to the newer dimensions of insurance and matching customer expectations, NIC
took up transformation of its business processes using IT as the key enabler for its day to day
operations. NIC completed the re-design of its core business processes and is in the process of
implementation of the “Enterprise Architecture Solution for Insurance” (hereinafter referred to as
EASI).
EASI is a centralized application suite consisting of more than 20 applications. Contrary to the
earlier application, which was decentralized, EASI requires uninterrupted connection to the
centralized servers hosted at NIC’s Data Centre (DC), Disaster Recovery Site (DR) and Near Site
(NR).
Currently the complete IT Infrastructure is co-located in a Tier III+ Data Centre and DR Site,
located in geographically distinct seismic zones.
NIC through this RFP therefore invites bids from reputed System Integrators for refresh of the
existing security technologies and addition of new security solutions to enhance the information security
posture and SOC of NIC. The Scope includes procurement, installation, implementation,
integration, maintenance and support of the solutions with all the relevant applications and
infrastructure during the contract period of five years.
As such, this Master Document has been segregated into two volumes. Whereas Volume II
contains specific details for preparation of Bid in respect of the RFP for Enterprise Information
Security Solution, Volume I contains general details, terms, conditions, Format of Contract etc.
concerning the RFP and which are required for preparation of the Bid.
The RFP is governed by the general details, Terms, Conditions, Format of Contract etc. as laid
down in the Master Document.
Non-furnishing of RFP Document Fee/s, till the time of submission of the bid will disqualify
the bidder.
A copy of proof of payment of non-refundable RFP Fee has to be emailed to the following
ids: rs.raman@nic.co.in, CC: abhijit.bhattacharya@nic.co.in
B Intending Bidders who wish to participate in the Pre-Bid Meeting shall submit the proof of
payment of non-refundable RFP Document Fee of Rs. 25,000/- only (Rupees Twenty Five
Thousand only) to National Insurance Company Limited payable through NEFT/RTGS only,
prior to the Pre-Bid Meeting Date. Only authorized representative of Bidder is allowed to
participate in the pre-Bid meeting. Documentary proof of payment of the RFP Document Fee
by intending bidders by mail/hard copy, is a pre-requirement for participation in the Meeting.
C The Bidder should be agreeable to hold the price and configuration for a period of at least one
year from the date of opening of Commercial Bid in respect of his bid under the RFP, and in
case there occurs any change in the specifications on account of the Solution offered/ordered
for being phased out from the market, should be able to supply solution and systems of higher
configuration at the same prices agreed to, in respect of the bid under the RFP as in Volume-
II.
D The Bidder can submit only one bid offering only one combination of solution and products
in respect of the RFP. If any Bidder quotes multiple offers under each item, his bid will be
summarily rejected.
E Intending Bidders are required to quote for all the items quoted for in respect of the Volume.
Failure to quote for any one or more items or not mentioning the prices of each item separately
in the Commercial Bid will disqualify the Bidder.
F Each Bid under RFP must be accompanied with an Earnest Money Deposit (EMD) of value
of Rs. 50,00,000.00 (Rupees Fifty Lakhs Only) by way of BG/DD/NEFT/RTGS in favour of
National Insurance Company Limited, refer NIC Bank details mentioned above. Non-
furnishing of EMD will disqualify the bidder.
The EMD would be returned without any interest to the unsuccessful Bidders on receipt of
written application, within 90 days of award of Purchase Order to the Successful Bidder.
The EMD will be forfeited if the successful Bidder refuses to accept purchase order or having
accepted purchase order fails to carry out his obligations set out in the terms under the final
Contract. Additionally, such bidder will be blacklisted and barred from participating in any
future RFPs’ of NIC.
Bidders have to submit their Bid online, on or before the last date and time mentioned
in RFP.
The Technical Bid shall be evaluated only for those responses that have qualified in the Pre-
Qualification Bid.
Commercial bids of only those bidders who qualify in the Technical Bid shall be opened at a
later date. NIC will notify the date and time of opening of the Commercial bids to the
technically qualified bidders.
NIC reserves the right to change or relax the eligibility criteria to ensure inclusivity. No further
discussion/ interface will be granted to bidders whose bids have been disqualified.
The evaluation by NIC will be undertaken by a committee and its decision is final.
L The Pre-qualification Bid of the Bidder should be submitted online. Along with the online
submission, the following should be submitted in separate sealed cover super-scribed
“Original”.
A CD containing soft copy of the Pre-qualification bid and Pre-Qualification Bid and
supporting documents in hard copy should be enclosed in one cover and sealed. This cover
should be super-scribed with the wording “DO NOT OPEN BEFORE ____” and “Pre-
Qualification bid for NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019”.
The Bidder should put the proof of transfer of EMD of requisite value in the appropriate
envelope for “Original” Pre-Qualification Bid for NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019.
Only one representative of the bidder can be present for the opening of the Pre-Qualification
Bid. If the representative of the bidder is not present at the venue on the scheduled date and
time, NIC will proceed with opening of the Bid.
M The Technical Bid of the Bidder should be submitted online. Along with the online
submission, the following should be submitted in separate sealed cover super-scribed
“Original”.
A CD containing soft copy of the Technical bid and Technical Bid and supporting
documents in hard copy should be enclosed in one cover and sealed. This cover should be
super-scribed with the wording “DO NOT OPEN BEFORE __________” and “Technical bid
for NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019”.
It is mandatory to submit the technical details in the prescribed formats duly filled in. NIC,
at its discretion, may not evaluate a Technical Bid in case of non-submission or partial
submission of technical details.
Only one representative of the bidder can be present for the opening of the Technical Bid on
the specified date and time. If the representative of the bidder is not present at the venue on
the scheduled date and time, NIC will proceed with opening of the Bid.
Technically qualified bids will be taken up for further processing and the Commercial Bids
of qualified bidders will be opened in the presence of the technically qualified bidders’
representative on separate date and time which will be notified separately. If the representative
of the bidder is not present at the venue on the scheduled date and time, NIC will proceed
with opening of the Bid.
N The Commercial Bid of the Bidder should be submitted online. Along with the online
submission, the following should be submitted in separate sealed cover super-scribed
“Original”.
A CD containing soft copy of the Commercial bid and Commercial Bid in hard copy should
be enclosed in one cover and sealed. This cover should be super-scribed with the wording
“DO NOT OPEN BEFORE __________” and “Commercial bid for NIC/IT/RFP/Enterprise
Info-Sec Solution/RFP/07/2019”.
The price quoted should be in Indian rupees only. The prices offered shall be on a fixed price
basis and should not be linked to the Foreign exchange.
Prices are to be indicated only in the prescribed format in Commercial Bid. No information
should be kept blank and no options should be quoted. Offer should be in strict
conformity with the prescribed format.
“RFPs’” means this Request for Proposal (“RFP No: NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019”) which is a detailed notification seeking a set of service (s),
product(s), materials and/or any combination of them in respect of Volume-II and as governed
by the GT&C (Volume-I) of the Master Document and respective Volume.
The term ‘Solution’ shall also include ‘Service’ such as successful Supply, Migrate,
Installation, Configuration, Commissioning, Integration, Demonstration, Management,
Maintenance, Monitoring of Enterprise Information Security Solution (where applicable) and
such obligations of the Supplier covered under the order/contract including services ancillary
to the supply of the Goods, such as transportation and insurance, and any other incidental
services, and are complying with requirements specified in this document, within defined
timelines and as per defined matrices, and as applicable under Scope of Work in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
N ‘Integration’ means seamless combination of existing infrastructure without any gap as
applicable under Scope of Work and Minimum Technical Specifications in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
O “Site” shall mean the location(s) for which the Contract has been issued in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 and where the service shall be
provided as per Contract/Agreement. Site shall where applicable also mean, the area (s) or
space (s) (including any full cabinets, Cage (Server Room)s, suites, rooms) contracted by NIC
as per terms of the RFP.
P The term “DC” or “DR” means specific Caged area/quadrant protected by multi-tier physical
and logical security against physical hazards, co-located in a hosting facility of Service
Provider exclusively used by NIC, for running its Information Technology operations. The
term “DC” or “DR” shall also mean the term “Site” or “Colocation Space” and “Additional
Facilities”, where applicable. The term “NR” means the NR Site hosted in a location by NIC,
for the purpose of data replication and business continuity. The term “HO” means the Head
Office of NIC.
Q The term “Equipment” means all equipment or wiring (including cabling), or other tangible
items at that time installed, stored or located in the Colocation Space or “Additional
Facilities” including DC, DR, NR, HO by or on behalf of NIC. The term shall also include
any equipment or wiring provisioned by the Supplier at any of the locations as mentioned for
the purpose of successful Supply, Migrate, Installation, Configuration, Commissioning,
Integration, Demonstration, Management, Maintenance, and Monitoring of Enterprise
Information Security Solution.
R “Documentary evidence” means any matter expressed or described upon any substance by
means of letters, figures or marks intended to be used for the recording of that matter and
produced before a court.
S NIC reserves the right to extend the last date/time for submission of bids or modify / relax
the conditions stipulated in this document through email and/or website information update.
3 GT&C - Price Schedule:
A All quotes are to conform to the format as per Price Schedule also referred as Commercial
Bid in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
B All Inclusive Price of the Solution in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 will comprise of all Services, Hardware and accessories,
software, OS, other licenses, Comprehensive Warranty as applicable, for project period
as per terms of the RFP. It should take into account price/charges as specified in the
Commercial Bid, in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
C The ‘Grand Total Price (without Tax)’ as specified in Price Schedule or Commercial Bid
in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 must take into
consideration all the components required in respect of Volume-II.
D Any other taxes / levies such as Octroi / entry tax etc., payable at the place of delivery
will be reimbursed on actual basis (wherever applicable at the place of delivery) subject
to production of original document / receipt issued by appropriate authority. In case any
waybill or road permit is to be obtained, the Supplier shall make necessary arrangements
for obtaining the same.
E The Supplier is required to submit their bids after carefully examining the
documents/conditions in respect of either or all the Volumes. The Supplier must obtain
for himself on his own responsibility and at his own expenses all the information
necessary to enable him to prepare and submit a proper quotation.
F It will be the responsibility of the Supplier to take care of all formalities, if any, necessary
as per orders of any government/non-government authority in force at the point of time
of delivery.
G The Selection of Supplier would be through the process as laid down in Section - 5
H The detailed breakup of price quotes is to be furnished along with the Price Schedule by
the Bidder in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
I The Supplier shall agree to maintain the price and configuration of all the components
supplied in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 under
this document for one (1) year from the date of opening of the Commercial Bid.
However, should there be a fall in the prices between the date of submission of bid and
the date of delivery of the Solution ordered for in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019, on account of revision in prices in Services, Hardware /
Software and any other components or on account of revision in duties and taxes or for
any other reason whatsoever, the benefit shall be passed on to NIC.
J Repeat order of any of the components of the Solution in respect of ENTERPRISE
INFO-SEC SOLUTION/RFP/07/2019, may be placed with the Supplier throughout the
term of project period of 5 years.
a. If there is a discrepancy between the unit price and total price, whichever is
lower will be taken into account at the time of commercial bid evaluation.
b. If there is discrepancy between words and figures, the lower-most figure will
prevail.
c. Where only total price has been provided, NIC will derive unit price based on
division of the total price by the number of units.
d. If tax amount does not corroborate with the tax percentage mentioned in the price
Bid, the tax percentage prevails and amount shall be corrected up to two decimals.
If the Bidder does not accept this procedure, the bid may be rejected.
A bid determined not substantially responsive will be rejected by the purchaser and
cannot be made subsequently responsive.
C No consideration will be given to a bid in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 received after the date and time stipulated by ‘NIC’ and no
extension of time will normally be permitted for submission of bids.
D Overwriting without proper authentication is not permitted in filling up the bids and
may entail rejection of the bids. No price variation/adjustment or any other escalation
will be otherwise entertained, unless as per terms of Section - 7.
E The Bidder undertakes that in competing for the RFP and if the award is made to
the Bidder in executing the contract, the Bidder will strictly observe the laws
against fraud and corruption in force in India namely “Prevention of Corruption
Act 1988”.
F Canvassing in connection with bids is strictly prohibited and bids submitted by Bidders
who resort to canvassing are liable to be rejected.
Any effort by a Bidder to influence NIC in the bid evaluation, bid comparison or
contract award decisions may result in the rejection of the Bidder’s bid and
blacklisting from participation in future RFPs’.
G Bidder has to sign an Integrity Pact as provided in the RFP document, in original
and the same should be submitted along with Technical bid as per the format
provided in Section - 59
H NATIONAL INSURANCE CO. LTD. DOES NOT BIND ITSELF TO ACCEPT
ANY QUOTATION/BID AND RESERVES THE RIGHT TO ACCEPT/REJECT
ANY QUOTATION/BID WITHOUT ASSIGNING ANY REASONS THEREFOR.
5 GT&C – Selection of Supplier: Supplier will be selected by following the steps given as under:
A The RFP will be in three stages, viz., Pre-Qualification, Technical and Commercial bid.
NIC will evaluate the bidder based on their eligibility criteria as laid down in Pre-
Qualification
B The Bidders who qualify in the Pre-Qualification stage will be intimated of their
selection and their Technical bids shall be opened at a date and time to be specified
later.
C.1 The Technical bids submitted by the bidders will be evaluated. This process will consist
of:
C.2 Evaluation of the Technical Bid submitted along-with compliance to the Minimum
Technical Specifications mentioned for each of the products/solutions, as applicable in
Volumes-II. Wherever details have been asked for, specific responses should be
provided by the bidder.
C.3 Presentation by the bidders on their solution and understanding of the Project, if
required by NIC.
C.4 Demonstration of functionalities as per NIC’s requirements, if required by NIC.
C.5 Visit to bidders and/or Customer Locations, if required by NIC. Any cost associated
with the visit to bidder’s and/or Customer Locations by NIC Officials will be borne by
NIC.
However, in case the site is not ready and NIC Officials are required to make subsequent
visits, then the cost for the same is required to be borne by the bidder.
C.6 NIC will shortlist the bidder(s) based on technical evaluation as mentioned above. In
case, the bidders are not able to comply with all technical specifications,
functionalities during the technical evaluation, the proposal will not be considered by
NIC for commercial evaluation, ultimately disqualifying the bidder who doesn’t comply
with technical evaluation.
The Bidders who qualify in the Technical stage will be intimated of their selection and
their Financial bids shall be opened at a date and time to be specified later.
D Selection of Supplier who offers the lowest price and meets the commercial
qualification requirements from the technically qualified list.
The Commercial Bid will be evaluated based on the Cost proposed by the Bidder in the
Commercial Bid and the L1 Bidder shall automatically qualify for becoming Selected
Bidder and for award of contract by NIC.
NIC will notify the name of the Selected Bidder, through publication in company
website.
E Any/all Minimum Criteria specified in RFP needs to be fulfilled by the bidder to
proceed to the next stage of evaluation/selection.
F NIC reserves the right to accept/reject any deviation in the Technical and Commercial
Bids of any Bidder.
A Bids must be received by NIC at the specified address not later than the time and date
specified in the Section -Important Dates and Information. In the event of the
specified date for the submission of Bids being declared a holiday for NIC, the bids
will be received up to the appointed time on the next working day.
B NIC may, at its discretion, extend this deadline for the submission of Bids, in which
case all rights and obligations of NIC and Bidders previously subject to the deadline
will thereafter be subject to the deadline as extended.
C Late Bids
Any bid received by NIC after the deadline for submission of bids prescribed by
NIC will be rejected and returned unopened to the Bidder.
7 GT&C – Modification of Bids:
A The Bidder may modify its bid after the bid’s submission, provided that written notice of
the modification including substitution of the Bids is received by NIC prior to the deadline
prescribed for submission of bids.
B The Bidder’s request for modification may be submitted by e-mail but followed by a
signed confirmation copy, postmarked no later than the deadline for submission of bids.
C No bid may be modified subsequent to the deadline for submission of Bids.
Columns: Solution; Delivery (from PO Date); Installation & Integration (From PO Date)
Sub-columns: Central Location and 70% of all location; Remaining 20%
SIEM including SOAR, Packet Forensics, Deception : 24 weeks
DAM : 8 weeks
Data Classification : 24 weeks
Information Rights Management (Since it is optional) : 24 Weeks – from go-ahead
DNS Security (Since it is optional) : 24 Weeks – from go-ahead
Anti-Phishing (Since it is optional) : 8 weeks; 24 Weeks – from go-ahead
Vulnerability Management Solution : 12 weeks
MDM : 20 week; 18 weeks
MTP : 20 week; 18 weeks
DLP : 8 weeks
Central Storage : 16 weeks
NAC : 24 weeks; 18 weeks
Proxy : 12 weeks
a) All the items (where applicable) as specified in the Purchase Order becomes fully
functional, after delivery, within the scheduled date of installation.
b) The Supplier shall be responsible for installing, configuring and testing of all the
items and all other accessory software where applicable.
d) In case of failure on the part of the Supplier to adhere to the time schedule, the
Liquidated Damages condition shall be invoked by ‘NIC’.
e) Delivery, installation and commissioning should be under the supervision and
guidance of ‘NIC’ officials.
10 GT&C - Delivery of documents: The Supplier shall furnish the following documents to ‘NIC’.
Original copies of:
11 GT&C - Terms of Payment: Payment will be made by the Head Office (HO), pertaining to the
Solution delivered in respect of Volume-II.
A a) Performance Bank Guarantee (PBG) of 10% of ‘Contract Value’ should be
submitted by the successful Bidder, (as per format given in Volume-I within 15 working
days of issue of Purchase Order). PBG to be valid for the project period of five years.
Failure to submit the PBG within the mentioned period may result in the cancellation of
the Purchase Order and forfeiture of the EMD.
Once this PBG i.e. 10% of ‘Contract Value’, in the form of Bank Guarantee is received by
NIC, the EMD as Bid Security in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 will be returned to the successful Bidder.
NIC wants to avail Cenvat Credit. Hence, all necessary documents regarding the same are
required to be submitted to NIC by the Supplier.
B Payment in full shall be released by HO against submission of the following:
b) A PBG of 10% of ‘Contract Value’ in the form of BG valid for the project period
of five years.
c) Successful Delivery, Installation and Commissioning of the Solution in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 at each of the locations within the
scheduled installation period.
d) Receipt of Installation Certificate duly signed and stamped by the Supplier as well
as by ‘NIC’ officials.
e) In case where installation is put on hold because of NIC requirements (which might
include delay due to site not being ready or inability to provide downtime), the items may
be tested by NIC in conjunction with the Service Provider. However, Supplier is responsible
for final installation, commissioning as specified by NIC at a future date at no additional
cost.
C No advance payment will be made by ‘NIC’.
D An Agreement/Contract between NIC, and the Supplier (as per format given in Volume-
I) shall be executed within 15 working days of issuance of Purchase Order.
15 GT&C – Warranty:
A The Supplier should also guarantee that the Goods (equipment and its accessories) supplied
are new, unused and conform to technical specifications of design, materials and
workmanship as mentioned in the bid offer. The Supplier should also guarantee that the
Goods should perform satisfactorily (i.e. provide the full features/functions) as per
requirements mentioned in the Technical Specification of the RFP. The devices, solution
quoted in this RFP, should not be declared end-of-support within 5 years by OEM.
Also refer Minimum Technical Specifications and Commercial Bid.
B The Supplier should also guarantee that all the software, including Operating System,
firmware etc. and as applicable, supplied by the Supplier is licensed and legally obtained.
C The warranty for all practical purposes in respect of devices would mean On-Site
Comprehensive Warranty free of charge, shall start and remain valid for 5 years, unless
otherwise specified, after the goods have been delivered, installed, commissioned and
accepted. Such On-Site Comprehensive Warranty shall also include free of cost
transportation and replacement of malfunctioning parts of the
product/configuration/solution. Comprehensive On-Site Warranty for 5 years as
applicable, includes but not limited to OS upgrade, 24 x 7 x 365 access, registered access to
OEM portal.
D If any particular product/configuration/solution is suffering some malfunction (by which it
is not able to provide the full features/functions being sought as per Technical Specification
in such subsequent procurement/s for more than twice in a year, NIC may ask the Supplier
to replace the product/configuration/solution and the Supplier shall replace the same with
another brand new item of same/higher configuration at no extra cost to NIC.
E Warranty should not become void if NIC buys any other supplementary hardware from a
third party and installs it with this equipment. However, the warranty will not apply to such
hardware items installed.
F In case of replacement of devices covered under Warranty, where the product
(software/hardware as applicable) has been declared vide end-of-support notification, they
should be replaced with product with next higher specification.
G In case of repeat order within the ambit of item quoted in the RFP, where the product has
been declared vide end-of-sale notification, should be replaced with product with next
higher specification.
H Bidders have to quote product with five years warranty, which need to be back-lined
with respective OEM. Bidder needs to submit the direct OEM confirmation in this regard
confirming the same to NIC. 70 % payment will be released based on the above
confirmation only. Refer, Section - 62
16 GT&C - Guarantee: The guarantee shall cover the following, where applicable:
a) Quality, strength and performance of the materials and equipment supplied, where
applicable, for successful commissioning of the items.
b) Safe electrical and mechanical stresses, on all parts of such equipment under all
conditions of operation.
c) Prompt service during maintenance period for repairs and breakdown.
19 GT&C - Standards:
The Goods/Solution/Services (where applicable) supplied under contract shall conform to the
standards mentioned in the technical specifications and when no applicable standard is
mentioned, it will be mutually agreed between the Supplier and NIC.
Failure to submit the PBG within the period may result in the cancellation of the Purchase
Order and forfeiture of the EMD.
B In case of violation of any of the conditions during the Contract Period in respect of the
Contract under ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, the Performance
Bank Guarantee as aforesaid may be invoked by ‘NIC’.
The downtime will be calculated post schedule restoration time which is mentioned in
Table-1 to be the time when solution is up and running with all configuration and with
full functionality as mentioned in the respective Minimum Technical Specifications.
Penalty Clause
Non-compliance of the SLA as per the Table No-1, Sl.No.1, penalty would be Rs.
10,000/- per day for each day or part thereof, for solution not functioning as per
specifications (all days of the week). The overall penalty cap would be 5% of the cost
of the Enterprise Information Security Solution. After the cap is reached, NIC may
cancel the contract.
In case of the intermittent failures and repetitive problems (problems repeating three or
more times in a quarter) due to improper diagnostics and repair/replacement the system
would be treated as continuously down.
En-cashing the Performance Bank Guarantee shall not endanger any provisions of
warranty/AMC written or otherwise expressed and the concerned warranty/AMC will
remain in full force. In case of the intermittent failures and repetitive problems (problems
repeating three or more times in a quarter) due to improper diagnostics and
repair/replacement the system would be treated as continuously down.
Once this amount reaches 5% of the Contract Value, NIC may cancel the contract, and
en-cash the PBG. En-cashing the Performance Bank Guarantee shall not endanger any
provisions of warranty/AMC written or otherwise expressed and the concerned
warranty/AMC will remain in full force.
The aggregate of all penalties and liquidated damages under this Contract shall not
exceed 5% of the Contract Price.
Also Refer Section - 69.15, Service Level Agreement
Other Conditions:
A In case Services are not fully completed within stipulated period, Liquidated Damage
condition shall be invoked if such delay is not attributable to “Force Majeure”.
B If the Supplier fails to Deliver within scheduled period, ‘NIC’ shall deduct from the contract
price, as liquidated damages, a sum equivalent to 0.50% of the price of the delayed goods
for each week (7 days) or part thereof of delay until actual delivery, up to a maximum
deduction of 5% of the value of the delayed goods. Once such delay crosses the maximum
limit, ‘NIC’ may consider termination of the contract either full and/or, in part, and annulment of order, either
full and/or, in part.
C If the Supplier fails to Install, Integrate and Commission the solution (the solution running
live and with full functionality as per Technical Specifications in production environment)
within defined weeks (Section - 8) from issuance of Purchase Order, ‘NIC’ shall deduct
from the contract price, as liquidated damages, a sum equivalent to 0.50% of the price of
the solution to be installed, for each week (7 days) or part thereof of delay until actual
installation, integration and commissioning, up to a maximum deduction of 5% of the value
of the delayed solution. Once such delay crosses the maximum limit, ‘NIC’ may consider
termination of the contract either full and/or, in part, and annulment of order, either full
and/or, in part.
B In the case of delay in the rectification of the defects falling under warranty of the Supplier,
‘NIC’ is entitled to deduct liquidated damages as mentioned above, Section-27, Section-
28.
C NIC reserves the right to extend the Time Period, where the delay is due to NIC
responsibility.
29 GT&C - Termination on Insolvency: The agreement can be terminated by giving written notice
to the Supplier, without compensation to them if:
A The Supplier becomes bankrupt or is otherwise declared insolvent;
B The Supplier being a company is wound up voluntarily or by the order of a court or a
receiver, or manager is appointed on behalf of the debenture holders or circumstances
occur entitling the court or debenture holders to appoint a receiver or a manager, provided
that such termination will not prejudice or affect any right of action or remedy accrued or
that might accrue thereafter to the Purchaser.
C Purchaser shall however pay the Supplier for all products and services provided up to the
effective date of termination.
30 GT&C – Termination for Defaults: The Purchaser may, without prejudice to any other remedy
for Breach of the Contract, by written notice of 90 days of default to the Bidder, terminate the
Contract in respect of Volume-II in whole or in part;
A If the Supplier fails to render services within the time period(s) specified in the Contract
or any extension period thereof granted by the Purchaser, or
B If the Supplier fails to perform any other obligations under the Contract
C All payments due to the Supplier till the effective date of termination shall be made by
NIC within 60 days of such written notice of termination, subject to applicable penalties,
Section-27, Section-28, Section - 69.15.
35 GT&C – Contract Amendment: No variation in the satisfaction of the terms of the Contract
shall be made except by the written amendment agreed and signed by the parties.
39 GT&C - Notices:
Any notice by one party to the other pursuant to the Contract shall be sent in written format by
fax/email and confirmed in writing to the address specified for that purpose in the Contract.
40 GT&C – Indemnity:
A The Supplier shall, at its own expense, defend and indemnify NIC against all third party
claims for infringement of patent, trademark, design or copyright arising from use of
products or any part thereof supplied by Supplier. Supplier will provide infringement
remedies and indemnities for third party products, on a pass through basis. The Supplier
shall expeditiously extinguish any such claims and shall have full rights to defend it there
from. If NIC is required to pay compensation to a third party resulting from such
infringement, the Supplier shall be fully responsible to pay such compensation along with
all costs, damages and attorney’s fees and other expenses that a court may finally award,
in the event of the matter being adjudicated by a court or that be included in a Supplier
approved settlement. NIC will issue notice to the Supplier of any such claim without delay
and provide reasonable assistance to the Supplier in disposal of such claim, and shall at no
time admit to any liability for, or express any intent, to settle the claim. The Supplier shall
also reimburse all incidental costs, which NIC incurs in this regard.
B In the event of the Supplier not fulfilling its obligations under this clause within the period
specified in the notice issued by NIC, NIC has the right to recover the amounts due to it
under this provision from any amount payable to the Supplier under this project.
C The indemnities under this clause are in addition to and without prejudice to the
indemnities given elsewhere in this agreement.
42 GT&C - Assignment:
The Supplier shall not assign in whole or in part, the obligations to perform under the contract
in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, except with Purchaser’s
prior written consent.
43 GT&C - Sub-contractor:
The Supplier shall obtain prior consent of the Purchaser in writing of all Sub-Contracts
(if any) to be awarded under the Contract in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019. Such consent shall not relieve the Supplier from any liability
or obligation under the Contract.
46 GT&C - Obligation:
The entire responsibility of the Supply, Migration, Installation, Configuration, Commissioning,
Integration, Demonstration, Management, Maintenance, Monitoring of Enterprise Information
Security Solution (where applicable) and all related activities in respect of ENTERPRISE
INFO-SEC SOLUTION/RFP/07/2019 lies with the Supplier on whom the Purchase Order is
placed and with whom the Contract is signed. The Supplier would be responsible and bear the
additional cost (if any), incurred by the Purchaser on account of the above-mentioned
obligations.
50 GT&C – Personnel: Supplier shall, at all times, be solely responsible for the acts/omissions of
its employees, agents, and representatives, deputed by the Supplier to provide Services under this
Agreement and/or any Scope of Work (collectively referred to as “Personnel”). Supplier shall
ensure that Personnel who visit or are deputed at the office/location of NIC to provide the
Services:
i. are at all times at their best behavior and adhere to the policies and procedures
of NIC and the relevant authority;
ii. should at all times carry on his/her person, a valid identity card, which shall be
issued by the Supplier; and
iii. should conduct themselves in the most orderly manner, maintain perfect
discipline and shall not in any manner cause any interference, annoyance, nuisance,
obstruction or any difficulty to the Purchaser or its employees at the office/location of
NIC or elsewhere.
Supplier hereby agrees that in case NIC and/or any authority raise any objection to any
Personnel; then the Supplier shall immediately remove such Personnel from the
office/location of NIC, as the case may be, and replace such Personnel by other
Personnel suitable to NIC. Similarly, in case any Personnel is unavailable to perform
the Services, for any reason whatsoever, the Supplier shall forthwith or in any event
provide a replacement with the required qualifications within timelines mutually agreed
upon between the Parties, in writing, on a case to case basis. In both cases, the Supplier
shall ensure that NIC does not face any disruption or stoppage of work due to
unavailability of any replacement.
Supplier shall ensure that Personnel do not indulge in unlawful activities, including but
not limited to theft and/or any unauthorized use of any property or information or data
of NIC and/or any third party and shall not tamper with such information/data. In case
of any loss/damage caused to NIC, due to any unlawful activity of the Supplier and/or
its Personnel; then without prejudice to any rights and remedies available to NIC, under
this Agreement and/or any applicable law, the Supplier shall be liable to make good
such loss/damage to NIC.
Supplier shall, at all times, be solely liable and responsible for the safety of its Personnel
and NIC shall have no liability or responsibility towards the same.
Supplier agrees that Personnel shall be subject to and shall at all times conform to NIC’s
and the relevant authority’s requirements and policies, in order to protect the
office(s)/location(s), servers, equipment and/or the operating system of NIC. Any
violations and disregard to these requirements shall be a cause of denial of access to
such Personnel into NIC office/location, even for providing the Services. Supplier shall
ensure that its Personnel exercise due care and diligence to prevent any injury to person
or damage to the property while on NIC’s office/location and it shall be fully
responsible and liable to NIC for any damages caused by its Personnel. Supplier shall
ensure that the facilities, if any, provided by NIC for use by the Personnel are utilized
with an appropriate degree of care and attention.
Supplier shall, whenever NIC instructs so in writing, promptly, without demur or
protest, handover and return any material, documents and equipment that NIC may have
provided to it. NIC shall not be required to assign any reason for any such instructions.
In the event the said materials are found to be damaged, the Supplier shall make good
the loss so suffered by NIC due to the damage caused to the materials/equipment.
Supplier shall at all times carry and provide for adequate and sufficient insurance cover
against all legal liability for loss or damage to material property or bodily injury or
death to the Personnel arising out of or in consequence of performance of its obligations
under this Agreement and against all actions, claims, demands, costs and expenses in
relation thereto.
Supplier shall ensure that only those Personnel are deployed to provide Services who
have cleared the background checks, especially in case where such Personnel are
required to be deployed at the NIC premises /locations. Further, the Supplier hereby
expressly undertakes that the Supplier shall be solely liable, accountable and
responsible for:
I. making good any loss or damage that NIC may suffer on account of or in
relation with any act or omission of the Supplier and/or its Personnel; and/or
II. Any action/sanction/penalty imposed by any relevant authority on NIC for any reason
attributable to the Supplier and/or its Personnel.
53 GT&C – Inspection and Audit by NIC (IRDAI Outsourcing Regulations 2017 Clause # 13):
The Supplier acknowledges and understands that NIC shall conduct periodic inspection or audit
on the Supplier either by internal auditors or by Chartered Accountant firms appointed by NIC
to examine the compliance of the outsourcing agreement while carrying out the activities
outsourced. The Supplier further represents and warrants that it is fully compliant with Clause
13 of IRDAI Outsourcing Regulations 2017. The outsourcing committee of NIC may decide
on the periodicity taking into account the risks associated with the activity outsourced.
Measures shall be taken to arrest the deficiencies noticed if any in the inspection or audit report.
54 GT&C - Inspection and Audit by IRDAI (IRDAI Outsourcing Regulations 2017 Clause #
18):
The Supplier acknowledges and understands that authorized representatives of the IRDAI have
the right to: -
i. Examine the books, records, information, systems and the internal control environment
in the Supplier (or sub-contractor as applicable), to the extent that they relate to the service
being performed for NIC and,
ii. Access any internal audit reports or external audit findings of the Supplier that concern
the service being performed for NIC.
Both the Supplier and NIC acknowledge and understand that where, in pursuance of the
contract and respective Scope of Work, the Supplier is provided access to policyholder records,
both the parties shall ensure that all original policyholder records continue to be maintained in
India.
Receiving Party shall, on the Disclosing Party’s request, destroy, erase or deliver to the
Disclosing Party all of the Disclosing Party’s Confidential Information, save where the
retention of such Confidential Information is necessary to comply with Applicable Law or
otherwise for the other Party to exercise its rights or receive benefits due under this Agreement.
Supplier and the Purchaser both agree that the provisions shall not apply to any information
which the Receiving Party can prove: (i) is or becomes public knowledge other than by breach
of this section; (ii) was in the possession of Receiving Party without restriction in relation to
disclosure before the date of receipt from Disclosing Party; (iii) is received from a third party
who lawfully acquired it and who was under no obligation restricting its disclosure; or (iv) was
independently developed, without access to any Confidential Information disclosed by the
Disclosing Party.
Supplier and the Purchaser both agree that these provisions shall not apply so as to prevent
disclosure of Confidential Information by the Receiving Party to the extent that such disclosure
is required to be made by any authority of competent jurisdiction or by any Applicable Law,
provided that the Receiving Party: (i) gives the Disclosing Party reasonable formal written
notice (provided that this is not in contravention of Applicable Law), prior to such disclosure
to allow the Disclosing Party a reasonable opportunity to seek a protective order; and (ii) uses
reasonable endeavours to obtain prior to the disclosures, written assurance from the applicable
entity that it will keep the Confidential Information confidential.
58 GT&C - Format of Contract between successful Supplier and National Insurance Company
Limited (NIC) *****
FORMAT FOR CONTRACT BETWEEN SUPPLIER AND NATIONAL INSURANCE
COMPANY LIMITED (NIC)
AND WHEREAS the Supplier has assured that the Solution in respect of a and b as mentioned
above which they would supply would be fit for the purposes of the Purchaser and has
agreed to relieve the “PURCHASER” from the Principle of “CAVEAT EMPTOR”, the
Purchaser being a mere consumer for whom it is better to rely on the SUPPLIER as to the fulfilment of the
purpose/s of the purchase/procurement and/or installation and maintenance.
AND WHEREAS the Purchaser invited bids from Bidders for submitting bids for supply of all
the mentioned in the Purchaser’s Invitation in the Master Document and in RFP No.
NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019, containing broad terms and
conditions, for the supply, installation, commissioning, maintenance etc. as detailed in the RFP
document.
AND WHEREAS the Supplier submitted a bid and bids were submitted by some other Bidders.
AND WHEREAS out of the several bids when opened the Purchaser found the price quoted by
the Supplier for NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 to be eligible to be
awarded the contract.
AND WHEREAS the Purchaser would place orders on the Supplier for the purchase as
mentioned in the Master Document, RFP No. NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019 and in the bid/offer Papers on the terms, conditions and specifications
mentioned therein and in the Purchase Order issued on ________ 20__.
AND WHEREAS the parties herein intend to set out the terms and conditions for such purchase
and maintenance and matters connected therewith and to define the mutual rights and obligations
of the parties herein.
NOW THESE PRESENTS WITNESSETH and the parties herein agree as follows:
1. Scope:
The Master Document, RFP No. NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019,
and the bid/offer documents will form part of and shall be deemed to have been incorporated in
these presents but in case of any conflict between any term in the said documents and in these
presents the term of these presents will have overriding effect and the said documents have to
be read and will have effect subject to these presents.
2. Resolution of Disputes: Insert Section - 57
3. Prevention of Corruption: Each Party shall comply with all Applicable Laws relating to
bribery and corruption and shall not do, or omit to do, any act that will cause the other Party to
be in breach of any such Applicable Law, and in doing so: (i) shall not give or receive any bribes,
including in relation to any public official; and (ii) shall maintain an effective anti-bribery
compliance regime, that monitors compliance and detects violations.
4. Notices:
For the purpose of all notices, the address of the Supplier and the Purchaser shall be those
given in the beginning of these presents.
As the Purchaser’s Registered Head Office is situated within the Jurisdiction of the High Court
at Calcutta all disputes and differences are subject to the Jurisdiction of The Calcutta High
Court.
5. Compliance with Terms and Conditions:
The Supplier will comply with all the Terms and Conditions given in this Master Document,
RFP No. NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 and bid Offer.
IN WITNESS WHEREOF the parties hereto have executed these presents on the day, month
and year first above written.
SIGNED SEALED AND DELIVERED FOR _______________________
By the hands of Shri/Smt._______________________________________
In presence of Shri/Smt.________________________________________
In presence of Shri/Smt.________________________________________
Preamble
The PURCHASER intends to award, under laid down organizational procedures, contract for
Procurement under NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 (hereinafter
referred to as the ‘Project’). The PURCHASER necessarily requires full compliance with all
relevant laws of the land, rules, regulations, economic use of resources and of
fairness/transparency in its relations with its Bidder(s) and/or Contractor(s).
In order to achieve these goals, the PURCHASER may appoint an Independent External
Monitor (IEM), who will monitor the tender process and the execution of the contract for
compliance with the Integrity Pact by all parties concerned, for all works covered in the Project.
(1) The PURCHASER commits itself to take all measures necessary to prevent corruption and
to observe the following principles:-
b) The PURCHASER will, during the tender process treat all Contractor(s)/Bidder(s) with
equity and reason. The PURCHASER will in particular, before and during the tender
process, provide to all Contractor(s)/Bidder(s) the same information and will not provide
to any Contractor(s)/Bidder(s), confidential/additional information through which the
Contractor(s)/Bidder(s) could obtain an advantage in relation to the tender process or the
contract execution.
c) The PURCHASER will exclude from the process all known prejudiced persons. The
PURCHASER shall obtain bids from only those parties who have been short-listed or pre-
qualified or through a process of open advertisement/web publishing or any combination
thereof.
(2) If the PURCHASER obtains information on the conduct of any of its employees,
Contractor(s) and/or Bidder(s), which is a criminal offence under the IPC/PC Act, or if there
be a substantive suspicion in this regard, the PURCHASER will inform the Chief Vigilance
Officer and subject to its discretion, can additionally initiate disciplinary actions.
(3) The PURCHASER will enter into agreements with identical conditions with all
Contractor(s)/Bidder(s), in the different Work Packages in the aforesaid Project/s.
(4) The PURCHASER will disqualify from the tender process all Contractor(s)/Bidder(s), who
do not sign this Pact or violate its provisions.
(1) The Bidder(s) / Contractor(s) commit(s) itself/themselves to take all measures necessary to
prevent corruption. He commits himself to observe the following principles during his
participation in the tender process and during the contract execution:
(a) The Bidder(s) / Contractor(s) will not, directly or through any other person or firm offer,
promise or give to any of the PURCHASER’s employees involved in the tender process or
the execution of the contract any material or other benefit which he/she is not legally entitled
to, in order to obtain in exchange any advantage, of any kind whatsoever, during the tender
process or during the execution of the contract.
(b) The Bidder(s)/Contractor(s) will not enter with other Bidders into any undisclosed
agreement or understanding, whether formal or informal. This applies in particular to prices,
specification, certifications, subsidiary contracts, submission or non-submission of bids or
any other actions to restrict competitiveness or to introduce cartelization in the bidding
process.
(c) The Bidder(s)/Contractor(s) will not use improperly, for purpose of competition or
personal gain, or pass on to others, any information or document provided by the
PURCHASER as part of the business relationship, regarding plans, technical proposals and
business details, including information contained or transmitted electronically.
(d) The Bidder(s) / Contractor(s) of foreign origin shall disclose the name and address of the
Agents/representatives in India, if any. Similarly the Bidder(s)/Contractor(s) of Indian
Nationality shall furnish the name and address of the foreign PURCHASERs, if any. Further
details as mentioned in the “Guidelines on Indian Agents of Foreign Suppliers” shall be
disclosed by the Bidder(s) / Contractor(s). Further, as mentioned in the Guidelines all the
payments made to the Indian agent/representative have to be in Indian Rupees only.
(e) The bidder(s) / Contractor(s) will, when submitting his bid, disclose any and all payments
he has made, is committed to or intends to make to agents, brokers or any other
intermediaries in connection with the award of the contract.
(2) The Bidder(s) / Contractor(s) will not instigate third persons to commit offences outlined
above or be an accessory to such offences.
Section 3: Disqualification from tender process and/or exclusion from future contracts.
(1) If the Bidder(s) / Contractor(s), before awarding the Project or during execution has
committed a transgression by violating Section 2 above or in any other form so as to put his
reliability or credibility in question, the PURCHASER, at its sole discretion, is entitled to
disqualify the Bidder(s) / Contractor(s) from the tender process or terminate the Contract, if
already awarded, for that reason, without prejudice to any other legal rights or remedies
available to the PURCHASER under the relevant clauses of the tender/contract.
(3) If it is observed after payment of final bill but before the expiry of validity of Integrity Pact
that the contractor has committed a transgression, through a violation of any of the terms under
Section 2 above or any other term(s) of this Pact, during the execution of contract, the
PURCHASER will be entitled to exclude the contractor from further tender/contract award
processes.
(4) The exclusion will be imposed for a minimum period of six (6) months and a maximum
period of three (3) years.
(5) If the Contractor(s)/Bidder(s) can prove that he has restored/recouped the damage to the
PURCHASER caused by him and has installed a suitable corruption prevention system, the
PURCHASER may, at its sole discretion, revoke or reduce the exclusion period before the
expiry of the period of such exclusion.
(1) If the PURCHASER has disqualified the Bidder(s)/Contractor(s) from the tender process
prior to the awarding of the Project according to Section 3, the Earnest Money Deposit(EMD)/
Bid Security furnished, if any, along with the offer, as per terms of the Invitation of Tender,
shall also be forfeited. The Bidder(s)/Contractor(s) understands and agrees that this will be in
addition to the disqualification and exclusion of the Contractor(s)/Bidder(s) as may be imposed
by the PURCHASER, in terms of Section 3 above.
(2) If, at any time after the awarding of the Project, the PURCHASER has terminated the
contract according to Section 3, or if the PURCHASER is entitled to terminate the contract
according to Section 3, the security Deposit/Performance Bank Guarantee furnished by the
Contractor, if any, as per the terms of the Contract shall be forfeited without prejudice to any
other legal rights and remedies available to the PURCHASER under the relevant clauses of
General/Special Conditions of Contract. The Contractor(s)/Bidder(s) understands and agrees
that this will be in addition to the disqualification and exclusion of the Bidder(s)/Contractor(s),
as may be imposed by the PURCHASER in terms of Section 3 above.
(1) The Bidder(s)/Contractor(s) herein declares that it has committed no transgressions in the
last 3 years with any other Company in any country conforming to the anti-corruption approach
as detailed herein or with government/ any other Public Sector Enterprise in India that could
justify its exclusion from the tender process.
(2) If at any point of time during the tender process or after the awarding of the Contract, it is
found that the Bidder(s)/Contractor(s) has made an incorrect statement on this subject, he can
be disqualified from the tender process or if, as the case may be, that the Contract, is already
awarded, it will be terminated for such reason and the Bidder(s)/Contractor(s) can be black listed in
terms of Section 3 above.
(1) The PURCHASER shall, in case where the Project Value is in excess of Rs One Crore and
above, may appoint competent and credible Independent External Monitor(s) with clearance
from Central Vigilance Commission. The Monitor shall review independently, the cases
referred to it to assess whether and to what extent the parties concerned comply with the
obligations under this Integrity Pact.
(2) In case of non-compliance of the provisions of the Integrity Pact, the complaint/non-
compliance is to be lodged by the aggrieved party with the Nodal Officer only, as shall be
appointed by the CMD, NIC. The Nodal Officer shall refer the complaint/non-compliance so
received by him to the aforesaid Monitor.
(3) The Monitor will not be subject to any instructions by the representatives of the parties and
will perform its functions neutrally and independently. The Monitor shall report to the
Chairman-cum Managing Director, NIC.
(4) The Bidder(s) / Contractor(s) accepts that the Monitor shall have the right to access, without
restriction, all Project documentation of the PURCHASER including that provided by the
Contractor. The Contractor will also grant the Monitor, upon his/her request and demonstration
of a valid interest, unrestricted and unconditional access to its project documentation. The
Monitor is under contractual obligation to treat the information and documents of the Bidder(s)
/ Contractor(s) with confidentiality.
(5) The PURCHASER will provide to the Monitor, sufficient information about all meetings
among the parties related to the Project, provided such meetings could have an impact on the
contractual relations between the PURCHASER and the Contractor.
(6) As soon as the Monitor notes, or believes to note, a violation of this Pact, he will so inform
the PURCHASER and request the PURCHASER to discontinue and/or take corrective action,
or to take other relevant action(s). The Monitor can in this regard submit non-binding
recommendations. However, beyond this, the Monitor has no right to demand from the parties
that they act in a specific manner and/or refrain from action and/or tolerate action.
(7) The Monitor will submit a written report to the CMD, NIC within 4 to 6 weeks from the
date of reference or intimation to it and, should the occasion arise, submit proposals for
corrective actions for the violation or the breaches of the provisions of the agreement noticed
by the Monitor.
(8) If the Monitor has reported to the CMD, NIC, of a substantiated suspicion of an offence
under relevant IPC/PC Act, and the CMD, NIC, has not, within a reasonable time, taken
visible action to proceed against such offence or reported it to the Chief Vigilance Officer, the
Monitor may also transmit this information directly to the Chief Vigilance Officer, NIC.
(9) The word ‘Monitor’ means Independent External Monitor and includes both singular and
plural forms.
The Pact shall come into force when both parties have legally signed it. The Pact shall expire,
in case of the Contractor(s), 3 (three) months after the last payment under the Contract is made
and in case of the unsuccessful Bidder(s), 2 (two) months after the contract for the project has
been awarded. If any claim is made / lodged during this time, the same shall be binding and
continue to be valid despite the lapse of this pact as specified above, unless it is
discharged/determined by CMD of NIC. The Bidder(s)/Contractor(s), however, understands
and agrees that even upon the completion of the Project and/or the last payment under the
Contract having been made, if any transgression/violation of the terms of this Pact comes/is
brought to the notice of the PURCHASER, it may, subject to its discretion, blacklist and/or
exclude such Bidder(s)/Contractor(s) as provided for in Section 3, without prejudice to any
other legal right or remedy so available to the PURCHASER.
Section 9: Other Provisions
(1) This agreement is subject to Indian Law. Place of performance and jurisdiction is the
Registered Office of the PURCHASER, i.e. Kolkata.
(2) Changes and supplements as well as termination notice need to be made in writing.
(4) Should one or several provisions of this agreement turn out to be invalid, the remainder of
this agreement shall remain valid and binding. In such a case, the parties will strive to come to
an agreement in accordance to their original intentions.
(5) Wherever he or his is indicated in the above sections, the same may be read as he/she or
his/her, as the case may be.
______________________________ ________________________
(For & On behalf of the PURCHASER) (For & On behalf of Bidder/Contractor)
(Office Seal) (Office Seal)
Place____________
Date_____________
To
NATIONAL INSURANCE COMPANY LIMITED
Head Office: 3, Middleton Street,
Kolkata – 700 071.
Dear Sir,
We hereby extend our full guarantee and warranty as per respective Clauses in the General
Terms & Conditions of the Master Document and the RFP No. ____________ for the goods
offered for supply against this invitation for bid by the above firm.
We hereby further confirm that the solution quoted by our partner including on-site warranty as
applicable under terms of the Master Document and RFP No. ____________, has been
examined and vetted by us. We also confirm that all the Part Codes (product and warranty)
quoted by our partner are OK and the solution quoted by our partner will work as per
requirements specified by NIC.
Yours faithfully,
(Name)
For and on behalf of
M/s. …………………………………..
Signature of Manufacturer
Dated:
Place:
Sd. /-Seal
Note: This letter of authority should be on the letterhead/certificate form issued by the
manufacturing concern and should be signed by a person competent and having the power of
Attorney to bind the manufacturer.
We warrant that everything to be supplied by us hereunder shall be free from all encumbrances,
defects and faults in material, workmanship and manufacture and shall be of the highest grade
and quality and consistent with the established and generally accepted standards for items of the
type ordered, shall be in full conformity with the specifications, drawings of samples, if any, and
shall operate properly. We shall be fully responsible for its efficient and effective operation.
This warranty shall survive inspection of and payment for, and acceptance of the items, but shall
expire on completion of the 5 years after their successful installation and acceptance by the
purchaser.
The obligations under the warranty expressed above shall include all costs relating to labour,
spares, maintenance (preventive and unscheduled), at site of the items which under proper use
by the Purchaser and under normal care and maintenance of Supplier proves defective in design,
material or workmanship or fails to operate effectively and efficiently or conform to the
specifications and for which notice is promptly given by the Purchaser to the Supplier.
The Supplier warrants and undertakes that in case any defect be found within the defined project
period, the Supplier will attend to the problem within the defined time period (also refer
Sections - 27, 28, 69) of lodging of the complaint by the Purchaser either by Letter, over the
telephone, by fax, email or by other modes of communications. Wherever it is required to
replace any part, the Supplier undertakes to replace the part within the defined time period, refer
Sections - 27, 28, 69, of attending the call. In case of failure from supplier’s side the Purchaser
has the right to encash the Performance Bank Guarantee.
Moreover we agree to warranty clauses as per respective Clauses in the General Terms &
Conditions of the Master Document and RFP No. NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019.
Signature of Bidder
Dated :
Place :
Seal :
(Name)
For and on behalf of
M/s. …………………………………..
Signature of Manufacturer
Dated:
Place:
Sd. /-Seal
Note: All the Hardware, software quoted in this Section, should not be out of support from
OEM for at least a period of 5 years from the date of this Certificate
Signature of Bidder:
Dated:
Place:
Seal:
Dear Sir,
KNOW ALL MEN by these presents that WE ________________ having our registered office
at ____________________________ (hereinafter called “the Bank”) are bound unto The
National Insurance Company Limited (hereinafter called “the Purchaser”) in the sum of
Rupees ___________________________ for which payment well and truly to be made to the
said Purchaser, the Bank binds itself, its successors and assigns by these presents. Sealed with
the Common Seal of the said Bank this ___________ day of ________________ 201_.
If the Bidder withdraws his bid during the period of bid validity specified by the bidder in the
bid; or
If the Bidder, having been notified of the acceptance of its bid by the Purchaser during the
period of bid validity
i. fails or refuses to execute the Contract Form, if required; or
We undertake to pay to the Purchaser up to the above amount upon receipt of its first
written demand, without the Purchaser having to substantiate its demand, provided that in
its demand the Purchaser will note that the amount claimed by it is due to it owing to the
occurrence of one or both of the two conditions, specifying the occurred condition or
conditions.
This guarantee will remain in force up to and including 45 days after the period of bid
validity, and any demand in respect thereof should reach the Bank not later than the above
date.
Place: __________________________
To
National Insurance Company Ltd.
Head Office
3, Middleton Street
Calcutta-700 071
Dear Sirs,
We, Bank Ltd. having our office located at …………do hereby undertake to indemnify
National Insurance Company Limited or their heirs, successors or permitted assigns (hereinafter
referred to as ‘NIC’) and keep indemnified to the extent of the sum of Rs …………… (Rupees
……………) from and against all losses and damages that may be caused to NIC in relation to
the payment to be made by NIC to the Supplier as aforesaid by reason of any default or defaults
on the part of the Supplier in the due supply of plant / machinery / equipment / spares / services
for carrying out any work or discharging supplier’s obligation as per the said contract in the
observance and performance of any of the terms and conditions relating thereto in accordance
with the true intent and meaning thereof and in the event of any default or defaults on the part
of the Supplier as aforesaid we shall forthwith on demand and without demur pay to NIC any
sum not exceeding in the total the said sum of Rs. …………….. (Rupees ………..) as may be
claimed by NIC to be due from the Supplier by way of refund of such payment or any portion
or otherwise as NIC’s losses and / or damages, costs charges or expenses incurred by reason of
such default or defaults on the part of the Supplier as aforesaid.
Notwithstanding anything to the contrary, NIC’s decision as to whether the Supplier has made
any such default or defaults and the amount or amounts to which NIC is entitled by reasons
thereof will be binding on us and we shall not be entitled to ask NIC to establish their claim or
claims under this guarantee, but will pay the same forthwith on NIC’s demand without any
protest or demur.
This guarantee shall continue and hold good until it is released by NIC on the applications by
the Supplier after completion of delivery of goods / services / terms and conditions at site
provided always this guarantee shall in no event remain in force after the day of ……………..
Without prejudice to NIC’s claim or claims arisen and demanded from or otherwise notified to
us in writing on or before the seventh day after the said date of expiry of the guarantee which
will be enforceable against us notwithstanding that the same is or not enforced after the said
date.
Should it be necessary to extend this guarantee on account of any reason whatsoever, we
undertake to extend the period of this agreement till such time with the Supplier’s consent on the
request by NIC, provided the terms and conditions relating to the extension of the Guarantee
are satisfied.
NIC will have the fullest liberty without affecting this guarantee, either to vary, or to modify
and to revoke any of the terms and conditions of the said PO or to extend the time of
performance of the Supplier or to postpone for any time or from time to time any of NIC’s
rights or powers against the Supplier and either to enforce or to forbear to enforce any of the
terms and conditions of the said PO and we shall not be released from our liability under this
guarantee by the exercise of NIC’s liberty. With reference to matters aforesaid or by reason of
any time being given to the Supplier, or any other forbearance, act or omission on NIC’s part
or any indulgence by NIC to the Supplier or by any variation or modification of the said PO or
any other act, matter or things whatsoever, which under the law relating to sureties, would but
for the provisions hereof, have the effect of so releasing us from our liability hereunder provided
always nothing herein contained will enlarge our liability hereunder beyond the limit of Rs.
……………. (Rupees……………………………..) as aforesaid or extend the period of the
guarantee beyond the said day of …………….. unless expressly agreed to by us in writing.
This guarantee shall not in any way be affected by NIC’s taking or varying or giving up any
securities from the Supplier or any other person, firm or company on their behalf or by winding
up, dissolution, insolvency or death as the case may be of the Supplier or his company/firm.
In order to give full effect to the guarantee herein contained, NIC shall be entitled to act as if
we were your principal debtors in respect of all NIC’s claims against the Supplier hereby
guaranteed by us as aforesaid.
Subject to the maximum limit of our liability as aforesaid, this guarantee will cover all NIC’s
claim or claims against the Supplier from time to time arising out of or in relation to the said
PO and in respect of which NIC’s claim in writing is lodged on us on or before the seventh day
after expiry of this guarantee.
Any notice by way of demand or otherwise hereunder may be sent by special courier, telex,
fax, email or registered post to our local address as aforesaid and if sent by post, it shall be
deemed to have been lodged / given / submitted when the same is posted.
This guarantee and the powers and provisions herein contained, are in addition to and not by
way of limitation of or substitution for any other guarantee or guarantees hereto before given
to NIC by us and now existing un-cancelled and that this guarantee is not intended to and shall
not revoke or limit such guarantee or guarantees.
This guarantee shall not be affected by any change in the constitution of the Supplier or us nor
shall it be affected by any change in your constitution or by amalgamation or absorption thereof
or therewith but will enure to the benefit of and be available to and enforceable by the
absorbing or amalgamated company or concern.
This guarantee shall come into force on ____________ and shall not be revoked by us whether
before its coming into force or any time during its currency without NIC’s prior consent in
writing.
We further agree and undertake to pay to NIC the amount demanded by NIC in writing
irrespective of any dispute or controversy between NIC and the Supplier.
Notwithstanding anything contained hereinabove our liability under this agreement is restricted
to Rs …… (Rupees ……………………………..) Unless a written claim is lodged on us for
payment under this guarantee within seven days of the date of expiry of this guarantee i.e. on
or before …………….. all NIC’s rights under this guarantee shall be forfeited and we shall be
deemed to have been released and discharged from all liabilities there under, irrespective of
whether or not the original guarantee is returned to us, discharged.
We have power to issue this guarantee in NIC’s favour under the Memorandum and Articles of
Association of our Bank and the undersigned has full power to execute this guarantee under the
Power of Attorney granted to him by the Bank.
Branch Manager
(Banker’s seal)
Address………………………………
………………………………
P.S.: The amount referred to above will be as per the terms of payment specified
Instruction to Bidders
The Bidder is expected to examine all instructions, forms, terms, specifications, and other
information in Volume-I of the Master Document and the RFP No. NIC/IT/RFP/Enterprise
Info-Sec Solution/RFP/07/2019, Volume-II. Failure to furnish all information required by any of
these documents or to submit a Bid not substantially responsive to these documents in every
respect will be at Bidder’s risk and may result in the rejection of its Bid.
Bidders are advised to study the mentioned documents carefully before participating. It shall be
deemed that submission of bid by the bidder has been done after their careful study and
examination of the mentioned documents with full understanding to its implications. Any lack of
information shall not in any way relieve the bidder of his responsibility to fulfil his obligations
under the Bid.
In the event of default by the Bidder with respect to this RFP or the Master Document, NIC
may debar the Bidder from participating in any future RFPs floated by NIC for any
purpose.
68 Eligible Bidders: The following are the conditions, which are to be necessarily fulfilled, to be
eligible for technical evaluation of the Bid. Non-compliance of any of criteria will entail summary
rejection of the bid offer. Photocopies of relevant documents / certificates should be submitted as
proof in support of the claims made along with tender. NIC also reserves the right to verify /
evaluate the claims made by the vendor independently. Only those interested bidders who
satisfy the following eligibility criteria should respond to ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019: Refer Sections - 68, 71
A. Minimum Qualifications of the Bidder:
1 The Bidder should be a Registered Company in India under the Companies Act, 1956
(photocopy of certificate of registration to be provided)
2 The Bidder should be an established Information Technology company and in operation
for at least 5 years in India as at 31.03.2017
3 The Bidder should be ISO 9000/9001, ISO 20000 and ISO/IEC 27001 certified, with
certifications valid at the time of bid submission (photocopies of certificates to be
provided)
4 The Bidder should have implemented minimum three out of four solutions (SIEM,
packet forensics, Vulnerability Management, APT) out of the new solutions in at least 1
(one) of PSU / BFSI. For the rest either Bidder / OEM references shall be given.
Completion Certificates to be provided from Customer
5 The Bidder should have at least 2 (Two) Information Security Orders of their National
Customers, each having an order value of at least Rs. 20 Crore within the last 5 years,
Or, 4 (Two) Information Security Orders of their National Customers, each having an
order value of at least Rs. 10 Crore within the last 5 years.
Completion Certificates to be provided from Customer
6 The Bidder should have implemented and maintained captive SOC for any one
PSU/BFSI/Government customers (with at least 1000 locations) in India within last 5
years. SOC solution should have at least 3 out of the following components like SIEM,
WAF, DAM, PIM, NBA, Anti-APT solutions/Anti-Phishing, DLP, MDM. Completion
Certificates to be provided from Customer
7 The Bidder should have manpower with certifications in Information Security
Operations. The Bidder should have at least 20 certified security professionals on their
payroll with minimum two CISA/CISM/CISSP certifications
8 The Bidder should have an annual turnover of at least Rs. 750 Crores (Seven Hundred
Fifty Crores) for each of the last 3 (three) financial years 2015-16, 2016-17 and 2017-18
(audited balance sheet from last 3 financial years to be provided as per Section - 71.1)
AND,
Should have net profit after tax in the last 3 (three) financial years 2015-16, 2016-17
and 2017-18 (audited balance sheet from last 3 financial years to be provided as per
Section - 71.1)
9 The Bidder should have support office in at least 4 (Four) Metro Locations [Kolkata,
Mumbai, New Delhi, Chennai] and in Bangalore, Hyderabad, Pune.
10 The Bidder should have Toll Free number for fault registration within India, operating
on 365x24x7 basis
11 The Bidder should not be blacklisted/debarred/denied bidding facilities by any
Government Department/ Public sector Undertaking as on the date of bid submission
12 The Bidder should not have filed for Bankruptcy in any country
Bidder has to meet the minimum eligibility criteria as mentioned in the Pre-Qualification Bid
If, on evaluation of the Technical bids it is observed that any one or more items of the product
offered in the RFP do not meet the minimum requirements of Specifications, the Company
reserves the right to accept or reject the Bid.
The Commercial bids of only those Bidders will be opened who qualify at the Technical bid
evaluation stage and whose products are found to meet the specifications offered by them, at a
date and time to be specified later.
The Bidder shall prepare the bid in the following manner. Relevant documents, letters, forms,
supporting, etc. need to be attached to each part as given below
The BID SECURITY. This would contain only the Bid Security (Earnest Money) amounting to
Rs. 50,00,000.00 (Rupees Fifty Lakhs Only) by way of BG/DD/NEFT/RTGS in favour of
National Insurance Company Limited, payable as per Bank Details mentioned in this document.
Non-furnishing of EMD will disqualify the bidder.
The EMD would be returned to the unsuccessful Bidder (without any interest) and on receipt of
application, within 90 days of award of Purchase Order to the Successful Bidder. For the
successful Bidder, the same would be retained as Security Deposit without any interest till a BG
of 10% of Contract Value is received by NIC, in the form of Performance Bank Guarantee
(PBG) as per format given in Section –64.
The Bid Security Deposit will be forfeited if:
The bidder withdraws his bid at any time before the LOI of PO or Advice for execution is issued
against the RFP.
OR
The Bidder fails or refuses to execute the work after having been identified L1 in the bid, before
or after LOI/PO/Advice for execution is issued
OR
Fails or refuses to furnish the Performance Bank Guarantee
OR
The Bidder fails or refuses to execute the Contract.
1 The PRE-QUALIFICATION BID. This would contain the proof of transfer of EMD,
Bidder Profile Section - 71, Financial Information Section - 71.1, Citations Section - 71.2.
Any other documents that are required in the process, like client engagement letters or
certificates, audited balance sheets, etc. and a CD containing the soft copy (both ‘PDF’ and
‘xls’ formats) of the Pre-Qualification Bid are also to be included herein.
2 The TECHNICAL BID. This would contain the Technical Bid Letter Section - 70,
Section- 70.1 Technical Bid Particulars, Format of Warranty, OEM Certified Part
Numbers, Technical Compliance, Unpriced Bill of Materials to be submitted with the
Technical Bid. Section-72 Statement of Deviation from RFP Terms and Conditions, if any,
and Details of the proposed solution, proposed methodology and timeline (in a separate
sheet). Any other documents that are required in the proposal process, like client
engagement letters or certificates, audited balance sheets, etc. and a CD containing the soft
copy (both ‘PDF’ and ‘xls’ formats) of the Technical Bid are also to be included
herein.
3 The COMMERCIAL BID. This would contain the Commercial Bid Letter Section - 73,
Section - 73.2 Commercial Bid Particulars, Section- 73.1 Commercial Bid. A CD
containing the soft copy (both ‘PDF’ and ‘xls’ formats) of the Commercial Bid is also to
be included herein.
Bidders have to submit their Bid online, on or before the last date and time mentioned
in RFP.
69 Scope of Work
NIC currently has its DC co-hosted in Kolkata, and DR co-hosted in Bangalore. The IT
infrastructure currently co-hosted includes servers, storage, network, information security, backup
devices, etc. installed in racks. The Near Site is located at NIC Head Office, Kolkata.
NIC has over 15000 systems in the network comprising a mix of desktops and laptops with
Windows 7, Windows 8/8.1, Windows 10, and Apple’s OS etc. NIC has a layered
Security architecture deployed from its Data Centre (DC) and Disaster Recovery Site (DR), to
protect its network and associated information resources. NIC has a SOC which manages its entire
Information Security architecture. Anti-virus is loaded in all end-points and managed centrally.
URL filtering solutions ensure that internet access made available at the endpoint has reduced the
threat of malware, and secure mailing gateway reduces spam.
The objective of the RFP is to refresh the existing security technologies and add new security
solutions to enhance the information security posture of NIC. The Scope includes procurement,
installation, implementation, integration, maintenance and support of the solutions with all the
relevant applications and infrastructure during the contract period.
Total Period of Contract under this RFP is 5 (Five) Years. All the products should carry a
warranty of 5 (Five) years from a common successful installation date mutually agreed by NIC
and the successful bidder. All products procured under this RFP should be with highest
support from OEM. All hardware to be fully populated with all ports (Fiber, Copper)
and transceivers. Transceivers should support 1G, 10 G and multimode.
Bidder has to provision all required hardware, software, licenses as part of solution
delivery.
All the proposed Hardware should support all upgrades, versions, releases of the
software, licenses as and when released by OEM for the entire period of the project
Bidder should ensure dual power supply for all proposed hardware/appliances.
Storage of Logs with archive for a period of one year for SIEM solution. Bidder should size
solution accordingly
Delivery of the necessary solutions and the corresponding hardware, software, database
required for implementing the solutions mentioned
Renewal /Upgrade of existing products, license
Implementation of the respective solutions at NIC including configuration, customization of
the products as per NIC’s requirement
Providing the manpower support to meet the various compliance needs of NIC
Bidder is required to provide the necessary personnel to manage the operations for the
solutions in scope and to ensure adherence to agreed Service Level
Agreements (SLA), with periodic monitoring and reporting of the same
Continual improvement of the Security Operations as defined in the SLA
Implementation of the specified solutions and necessary hardware as per the technical
requirement specified in the RFP is the responsibility of the bidder. Selected Bidder to ensure
that the proposed solution (hardware and software) complies with all the functional and
technical requirements as provided in Section - 67.5-67.12 Technical and Functional
Requirements & Sizing in Section - 67.13
Bidder shall be responsible for timely compliance of all audits and Vulnerability Assessment
(VA) audit observations
Post implementation, the bidder is responsible for integrating any additional logs that NIC
may wish to monitor with the SIEM solution at no additional cost to NIC. Logs need to be
integrated with the SIEM solution through automated or manual mode. Bidder is required to
provide the feasibility for both the modes of integration in coordination with the existing
vendors.
Bidder is responsible for developing and implementing the security configuration, hardening
of all the devices and software that are procured for Security Operations. Also, they have to
periodically review the guidelines and configure.
Development and implementation of processes for management and operation including (but
not limited to) the following processes:
o Configuration and Change Management
o Incident and Escalation management processes
o Daily standard operating procedures
o Reporting metrics and continuous improvement procedures
o Data retention and disposal procedures
o BCP and DR plan and procedures for Security Solutions
o Security Patch management procedure for procured items
Bidder shall address all the errors/bugs/gaps in the functionality in the solution implemented
at no additional cost during the Project Period.
Implement necessary security measures for ensuring the information security of the proposed
Solutions.
All patches and upgrades (in Version) from OEMs shall be implemented by the Bidder
ensuring customization done in the solution as per the NIC’s requirements are applied.
Technical upgrade of the installation to the new version, as and when required, shall be done
by the Bidder. Any version upgrade (in Version) of the software / tool / appliance by Bidder
is to be done after taking prior approval of NIC and after submitting impact assessment of such
upgrade at no additional cost to NIC.
Any changes/upgrades (in Version) to the software performed during the support phase shall
be subject to comprehensive and integrated testing by the Bidder to ensure that the changes
implemented in the system meet the specified requirements and do not impact any other
function of the system. Release management for application software will also require NIC
approval. A detailed process in this regard will be finalized by Bidder in consultation with
NIC. Any Major Version Upgrade which requires re-sizing of the hardware and software
during the contract period will be taken separately on mutually agreed payment terms.
Issue log for the errors and bugs identified in the solution and any change done in the solution
shall be maintained by the bidder and should be periodically submitted to the NIC team.
Bidder, at least on a monthly basis, will inform NIC about any new updates/upgrades available
for all software components of the solution along with a detailed action report. In case of
critical security patches/alerts, the bidder shall inform about the same immediately along with
his recommendations. The report shall contain bidder’s recommendations on update/upgrade,
benefits, impact analysis etc. The bidder shall need to execute updates/upgrades through formal
change management process and update all documentations and Knowledge databases etc. For
updates and upgrades, Bidder will carry it out at no additional cost to NIC by following defined
process.
o Errors and bugs that persist for a long time, impact a wider range of users and are
difficult to resolve become a problem. Bidder shall identify and resolve all the
problems in the identified solution (e.g. system malfunctions, performance problems
and data corruption etc.).
o Monthly report on problem identified and resolved would be submitted to NIC team
along with the recommended resolution.
All planned or emergency changes to any component of the system shall be through the
approved Change Management process. The Bidder needs to follow all such processes (based
on industry ITSM framework). For any change, Bidder shall ensure:
o Detailed impact analysis
o Change plan with Roll back plans
o Appropriate communication on change required has taken place
o Proper approvals have been received
o Schedules have been adjusted to minimize impact on the production environment
o All associated documentations are updated post stabilization of the change
o Version control maintained for software changes. The bidder shall define the Software
Change Management and Version control process. For any changes to the solution,
Bidder has to prepare detailed documentation including proposed changes, impact to
the system in terms of functional outcomes/additional features added to the system etc.
Bidder shall ensure that software and hardware version control is done for entire
duration of Bidder’s contract.
Bidder shall maintain version control and configuration information for application software
and any system documentation.
Bidder shall maintain at least the following minimum documents with respect:
o The Bidder shall perform an in-depth analysis of the existing system and shall submit
a detailed plan for the implementation of this project, including but not limited to the
following:
Project Plan detailing each task with target date and assigned resource
persons and installation of all supplied items and integration with
existing infrastructure at DC, DR and NIC Offices.
Architecture Diagram
o Bidder shall submit this document to NIC for review and any suggestions by NIC will
be incorporated therein.
o HLD and LLD which will capture the configuration required to meet existing needs as
well as incorporating the minimum technical specifications of the RFP. Supplier
should coordinate with existing Security and Network Vendor, also in this regard.
o Any other explanatory notes about system, bidder shall also ensure updating of
documentation of software system ensuring that:
o SOPs are updated to reflect on-going changes/enhancements.
o All the technical documents (HLD, LLD, SOPs, Implementation Plan, Rules & Policy
documents etc.) submitted should be vetted by OEMs of respective components
and bidder needs to submit the OEM confirmation along with the documents. The
solution should be hardened as per periodic OEM recommendations. OEM to provide
initial hardening document, and configuration templates. Any change during the
project period has to be validated by OEM
o Bidder should ensure that all the required documentation is made available to NIC.
The technical bid should include an overview of the processes mentioned above.
o Develop Escalation Matrix in order to handle Information Security Incidents
efficiently.
o Provide necessary documentation for the operation, integration, customization, of each
of the solutions in scope.
During Implementation Phase, bidder should propose at least one Dedicated Project
Manager - 100% Onsite Deployment (at Head Office), one Solution Architect - Onsite
Support to Project team, one Security Expert - Onsite Support to Project team
Bidder should take complete ownership to deploy the solutions seamlessly in existing
infrastructure, if any up-grade/Update or replacement needed in existing infrastructure has to
be informed to NIC during the requirement gathering stage by bidder to deploy the solution
with proper documentation
Unpriced Bill of Materials (BoM/BoQ) to be submitted with the Technical Bid
a. Support Back-lining:
The bidder will remain responsible for overall implementation and maintenance of the
solution, and must backline hardware and software support with OEM for 100% of
equipment procured under this RFP.
NIC should be able to login independently to OEM portal to view support contracts and
raise TAC/ RMA directly with OEM if required.
NIC should be able to use a self-web log-in for self-help support through OEM’s online
knowledge base, resources and tools.
Operating system (OS) software updates, including both minor and major releases within
licensed feature set should be available for download by NIC, directly if required.
The contract should be back-lined with the OEM during the complete contract period as
mentioned in RFP Warranty Clause. The bidder will be required to provide a proof of
OEM support back-lining in writing in the form, Section - 62 from the OEM within
30 days from the date of release of the LoI (letter of intent)/first-PO (Purchase Order).
Until the proof of back-lining for the complete inventory support/warranty as per the RFP
is provided, no payment will be released for the products and services.
b. Warranty/AMC:
Warranty/AMC contract for all the devices mentioned in this RFP will be on on-site &
comprehensive basis for the project period, as applicable, and subject to extension based
on NIC’s requirement, on pro-rata basis. OEM Supporting letter mentioning that Partner
has back lining support from OEM for the support as mentioned in Commercial Bid.
All necessary on-site Technical troubleshooting & configuration management.
SLA based service delivery.
Improve Response & Resolution time.
Quarterly preventive maintenance.
Support as per Minimum Technical Specifications
Defective equipment needs to be replaced by the Supplier as per the SLA terms mentioned
in the tender document.
On-site resources at NIC HO, DC, DR as part of NIC SOC for doing all configuration,
management, monitoring, support, co-ordination for restoration.
c. Execution Overview:
Supplier has to provide necessary on-site/off-site model to maintain the SLA.
Single point of contact for all fault booking & service request update.
Supplier should have Toll free number & mailing facility for the fault booking from
anywhere on 24X7 basis.
Technical call Centre should be accessible 24 hours per day, 7 days per week to assist with
Product use, Configuration and troubleshooting issues and should have access to OEM
support portal.
Quarterly review meeting for the service improvement plan.
Work with existing Security, Network, Application Vendors of NIC
d. Supply, installation, configuration and commissioning of the items (necessary hardware and
software) at locations specified by NIC.
Provide 24x7x365 basis post implementation comprehensive support.
Supplier has to act as technical-advisor to NIC for the items under procurement by way of
evaluation, demonstration, etc. as and when required by NIC. Supplier has to submit
findings/reports to NIC and give suggestions/recommendations. Necessary resources
(including Level-3 support) have to be deployed by Supplier for technical assistance and
submit the detailed documentations etc. by NIC. No additional cost will be payable by NIC
for such things.
In case there is a cost incurred to NIC due to the wrong BoM/Specification/feature-set of
items (equipment/device/appliance/software) at any location, the same will have to be
replaced by Supplier at no extra cost to NIC.
Prepare test-plan, implementation plan, integration plans and rollback strategies
Comprehensive monitoring and onsite support
The successful bidder shall co-ordinate and co-operate with the other Suppliers of NIC so
that the work shall proceed smoothly without any delay and to the satisfaction of NIC.
No extra claim shall be entertained on account of all/part of any job redone on account of
bidder’s negligence which results into damages/losses during execution of the job. Also,
any component(s) required to meet the functioning of items, after release of Purchase
Order shall have to be provided by the successful bidder. All such cost shall be borne by
the bidder.
The Supplier has to provide complete escalation matrix which should be updated and sent
to NIC as and when there is a change.
The Supplier has to specify the Name of the OEMs with the product name in the Technical
specification.
e. The hardware configuration has to be done by the Supplier. The hardware should not have any
single point of failure.
Prepare HLD and LLD in consultation with OEM and NIC for rollout.
Design and document a Project implementation plan with significant milestones marked
on it.
The selected bidder needs to commission items in such a way to ensure the requirements
mentioned as per the technical specifications and uptime requirements as per the SLA
section.
Selected Bidder needs to study existing deployment LAN, WAN, Application environment
(including DC/DR/NR) of NIC and provide for deployment of the proposed items.
The installation will include proper mounting, labeling, tagging of all the equipment and
providing network and power connections.
The selected bidder shall be responsible to provide within scope of work all facilities like
labor, transportation, tool kits, testing equipment, cables, connectors, power cords etc.
which is necessary for successful deployment of solution.
f. Transportation to & fro, lodging and boarding of manpower shall be in Supplier’s scope.
g. NIC expects the Supplier to submit a detailed plan for designing and implementation of the
project which should include the full scope of the project as mentioned in this document. On
acceptance of such plan by NIC, the Supplier is required to carry out the implementation
including supply, installation, commissioning and testing of equipment etc.
Prepare the designs, architecture and implement the solution in line with best practices in
the industry, regulatory guidelines, IT Act 2000 (along with its amendments), standards as
modified from time to time or any other law of the land which may be applicable.
Recommendation of best practices to implement and roll out the items under procurement.
Supplier needs to prepare a detailed execution plan, including HLD and LLD. The
complete documented plan must be submitted to NIC with supported designs and drawings
(if any) within 4 weeks of placing the order. The actual execution will start only after
approval of plan by NIC officials. The plan shall include information related to integration
with existing setup (as applicable), required downtime, deployment schedule etc. The
installation of the equipment shall be done as a planned activity on a date & time of
approved deployment schedule.
The Supplier is responsible for Onsite support for the operations and maintenance of the
components for a period of 5 years post-go live of all components of the solution.
The Supplier shall be responsible for managing and supporting the implementation of
patches, updates and upgrades of the solutions and provide daily/weekly/monthly reports.
All upgrades to be done within reasonable time-lines to minimize threat, subject to NIC
go-ahead. The components of the proposed solution should provide support for any
future OS, as and when available, at no extra cost.
h. Documentation
All the documents shall be supplied in properly bound volumes of A4 size sheets.
Documents for high level design (HLD), detailed design (LLD), and configuration of
individual features set on various appliances, general testing, Standard Operating
Procedure, best practices etc. shall form the complete set for fulfilling the documentation
criteria.
Supplier shall also submit Delivery and Installation Report, Warranty certificates, License
Copies for all the items supplied along with the supplies.
Installation report should contain the part numbers of all the components supplied by the
selected bidder
i. Inspection and Acceptance Procedure
Physical Inspection and preliminary testing of the Enterprise Information Security Solution
shall be done by Supplier, in the presence of representatives of NIC
The items supplied by the Supplier should meet the technical specifications envisaged in
this RFP document.
Appliances will be considered to have been commissioned when services as described in
this tender document are able to run smoothly over the network.
All documentations, but not limited to Design, Configuration etc. (HLD and LLD) must
be handed over to NIC after successful implementation, commissioning and before release
of final payment
j. Management (required only during implementation): The selected vendor will have to align
a Project Manager with minimum 6 years’ experience, immediately after the signing of the
Contract. The detail of PM should be conveyed in writing to NIC within 2 weeks of receipt of
purchase order. The responsibilities of the On-site Project Manager as a part of support are as
follows (indicative but not exhaustive):
Act as a Single Point of Contact (SPOC) for the entire project
Responsibility for the entire execution & management of the project after receipt of
purchase order. Overall monitoring of project
Coordination for Installation/integration
Call flow management, Quality Service Delivery
On-site Team management
SLA management and reporting
Submission of periodical Reviews and reports required by NIC.
Crisis management and Emergency response procedures.
Preparation and submission of detailed Project documentation to NIC (Purchase Order
wise) and progress of initiatives taken by NIC.
He should be placed at NIC premises during NIC’s office hours. However, the hours may
be extended whenever required.
The Supplier shall submit to NIC, the name and contact details, including address, telephone
number, mobile number, FAX number/email address of the nominated Project Manager.
It is mandatory for the concerned Project Manager to have structured meeting with NIC once
a week, preferably on Monday, during the implementation period from the date of receipt of
the first Purchase Order by the vendor. Weekly meetings should be held till the project is
entirely rolled out.
k. Onsite Support Services
24x7 Services: Management, Maintenance and Configuration of the existing Information
Security Infrastructure along-with the newly delivered systems for the entire contract period.
The support to be provided to NIC should be on a 24x7 Onsite basis. During the Business
hours, the support engineers will be working out of NIC’s Head Office and during the non-
business hours, the support should be provided from the Data Centre. The bidder is required
to quote for appropriate number of seats at Data Centre for carrying out the activities.
Resources allocated for any currently ongoing activities at the Data Centre cannot be combined
with this new operation.
Sl. No. | Appliance | Module | Location | Hardware: Container | Hardware: CPU | Hardware: RAM | Hardware: HDD | Software: OS | Software: APP | Software: DB
1 | Air-Watch Console | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
2 | Air-Watch Device | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
3 | Air-Watch Content | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
4 | Air-Watch Mail Gateway | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
5 | Air-Watch Database | DB | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | SQL 2014 x64
Bidder has to comply with the Minimum Technical Specifications of the products in this RFP.
Bidder will get disqualified in case of Non-Compliance.
A. SIEM
• Appliances shall be implemented in High availability configuration at DC
• Logs and Flow Collectors at DC, DR & HO to be deployed.
• Log Volume: 10,000 EPS license scalable to 20,000 EPS by license upgrade.
• Appliance based solution to be proposed from OEM with the processing capacity of 20,000
EPS and Data indexing capacity of 30,000 EPS to cater for peaks or bursts handling. All the
appliances should be in HA or Cluster mode in full redundancy.
• Log Retention: 3 months of Online storage of Security events / Metadata and 9 months
Offline storage of raw log data.
UEBA:
• This should be integrated with SIEM and should be capable of handling 14000 users.
• Additional prices for 10,000 slabs each.
SOAR:
• This tool must have Security Case / incident Management, Orchestration, Playbook
Automation and remediation capabilities.
• This may be a part of SIEM or a separate tool which could be integrated with SIEM,
bidirectional integration is required if the SOAR is a separate tool than SIEM.
• Minimum 30 Analysts shall access the SOAR simultaneously and should not restrict the
number of Analyst to be able to access the SOAR platform.
• No limitation should be there on the incident response capability / incident management
cases to be raised simultaneously and no limitation shall be there on the number of playbooks that
can be created on the platform.
Network Forensics:
• Dedicated PCAP & DPI capable appliances at DC, DR & HO.
• This tool must be integrated with SIEM to provide nested & correlated single view of alerts.
• 1 Gbps Network scanning throughput at DC, DR & HO. Total of 3 appliances.
• PCAP raw data for 15 days and meta data Storage up to 30 days.
Optional OEM Services to be Proposed:
OEM’s Analyst has to work with the SOC team on a weekly basis (at least one hour session per
week) to configure the platform and deployment throughout the tenure of the Support and
maintenance period of the project:
• Validate configuration of the entity structure and lists relevant to each module
• Configure Machine analytics rules, advanced behavior analytics, and incident response plug-
ins
• Implement module-specific dashboards and reports to provide rapid access to the most
important information
• Expose previously unseen threats
• Prioritize threats in a precise way
• Drive down false positives through greater corroboration
During weekly meetings, OEM Analyst should align the platform with best practices, review and
tune content
Implementation:
Implement SIEM solution only in cluster at DC with log collectors at DC,DR and HO
Integrate the identified devices/application/operating systems/database with SIEM,
Integrate existing security solutions mentioned along with the new solution procured through
this RFP with SIEM
Integrate Application Logs with SIEM.
Developing custom parsers for non-standard logs for 50 event sources
Implement correlation rules out of the box and standard use cases
Implement packet forensic solution at DC,DR and HO
Implement and configure user and entity behavior analysis rules
Integrate SOAR with SIEM
Create playbooks as per the requirements
Implement UEBA as per the requirements
Deception - Implement the solution across the NIC’s Datacenter and Disaster Recovery
center which are internet facing landscape and any other critical service as deemed by NIC
Deception - Configure the Decoy (Honey Pot) rules and policies.
Integrate Decoy (Honey Pot) with SIEM to generate alerts for any Decoy (Honey Pot)
violations and provide a correlated view of threats and vulnerabilities associated with them
along with remediation mechanism.
Deception - Creating and applying policies after analyzing traffic pattern
Configuring backup Schedule of the proposed solution
Monitoring:
Improve the policies configured on an on-going basis to reduce the occurrence of false
Positives
Monitor the SIEM alerts and suggest/take appropriate action
Perform on-going optimization, performance tuning, maintenance, configure additional use
cases,
Suggest improvements as a continuous improvement process, Trend Analysis etc.
Install/Re-install/reconfigure any component/system of the security equipment supplied
by the bidder, in case of crash of those components/system on problem or patch/upgrades
etc.
Root cause analysis of any event has to be done and proper corrective action has to be taken
with information to NIC officials. Based on that, the bidder should recommend for
improvement to policies, procedures, tools and other aspects
Creating out of the box reports as per NIC requirement
The proposal should include OEM Professional Services for the successful implementation of SIEM
including UEBA, SOAR, Deception and Packet forensics. The OEM professional services shall
include but not limited to solution architecture, design, installation, integration, preparation of
acceptance test plan & procedure with expected results
C. Network Admission Control - The existing NAC solution runs on Cisco SNS 3315. The ISE
solution also provides the TACACS management for the network and security devices
Implementation
Update/Upgrade the existing NAC solution to the latest version
Migrate the policies (NAC & TACACS)
Verify the NAC functionalities
Upgrade the NAC Agent
Configure and Verify TACACS rules
Solution Integration
Integrate Solution with SIEM to generate alerts for any violations.
The Bidder needs to ensure the proposed solution is configured to generate events for
monitoring through SIEM.
E. Proxy
Implementation
Update/Upgrade the existing hardware
Upgrade the existing version if needed.
Provide licenses as required.
Migrate the policies configured
Verify the functionalities
Integrate with SIEM
Any hardware upgrade needed for implementing the solution has to be provided by the
bidder.
F. MDM
Implementation
Upgrade/migrate the existing hardware/architecture along with users to cloud solution with
99.9% SLA. Functionality wise there should not be any change in cloud solution.
Provide the licenses.
Migrate the users
Verify the functionalities
Bidder to equip NIC SOC Team with 4 Mobile Devices, two running Pure Android viz.
Google Pixel latest version and another two running iOS, Apple XS for periodic testing of
MDM policies. Devices are to be refreshed by Bidder as and when declared EOL by
respective OEM.
Mobile Threat Prevention - Implement the solution across NIC
Configure the Mobile Security Framework rules and policies.
Integrate Mobile Security Framework with SIEM to generate alerts for any Mobile Security
Framework violations and provide a correlated view of threats and vulnerabilities associated
with them along with remediation mechanism.
The proposed solution should be capable to work with existing VMware (AirWatch) MDM
solution
Creating and applying policies after analyzing traffic pattern
Configuring backup Schedule of the proposed solution
Solution Integration
Integrate Solution with SIEM to generate alerts for any violations.
The Bidder needs to ensure the proposed solution is configured to generate events for
monitoring through SIEM.
G. Anti-Phishing
Implementation
Implement the solution across the NIC’s Datacenter and Disaster Recovery center which are
internet facing landscape and any other critical service as deemed by NIC
Validate the Anti-Phishing alerts and take action in coordination with NIC
The purpose of the Centralized File Server is to store data centrally at the DC. Currently, user-generated
data is stored on end-user systems. Since the data is scattered across various locations, it is not
possible to identify or classify it, which leads to data leakage. Also, since no backup is available,
a failure at the system end leads to data loss. With the data held centrally, each user will have a
mapped system drive so that data is stored only in the mapped drive. With the data classification
solution, the file server shall be scanned with built-in policies to identify known data elements such as
credit/debit card numbers, as well as with flexible pattern recognition to identify specific data, for example
the presence of personal information (e.g. Employee IDs, Aadhaar/PAN IDs, mobile phone numbers
that may relate to the Data Privacy Law) and non-personal information (e.g. IPR of NIC). The scans
shall be scheduled at regular configurable intervals to identify where sensitive data is stored and who
the owner is. The solution shall scan these repositories for existing sensitive data, and once identified
this data can be automatically classified at rest. The data classification solution shall automatically
and periodically monitor and scan the corporate file server, and then classify the files based on
sensitive keywords and data found in the contents, or on file location, file types, and various other file
attributes. For example, the solution shall be able to scan a network shared folder every hour, and
classify any document stored inside as ‘Restricted’. The scan results shall be immediately displayed
in the Dashboard to show where sensitive data resides in the various repositories across the
organization.
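A minimal sketch of the content-and-location scan described above, added here as an illustration and not taken from the RFP or from any vendor product: card numbers are confirmed with the Luhn checksum and Aadhaar numbers with the Verhoeff checksum, so digit runs that only look right are not flagged, and findings are reported masked. The `EMP` employee-ID pattern, the `hr` restricted folder, the `Unclassified` label and every sample file are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Verhoeff tables: dihedral-group multiplication (_D) and position permutation (_P).
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
      [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
      [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
      [9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
      [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
      [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]


def verhoeff_ok(digits):
    """Verhoeff checksum, the check-digit scheme used by Aadhaar numbers."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


# (name, pattern, checksum validator). Order matters: longer numbers are claimed first.
DETECTORS = [
    ("payment_card", re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"), luhn_ok),
    ("aadhaar", re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)"), verhoeff_ok),
    ("pan", re.compile(r"\b[A-Z]{3}[ABCFGHJLPT][A-Z]\d{4}[A-Z]\b"), None),
    ("mobile", re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)"), None),
    ("employee_id", re.compile(r"\bEMP\d{6}\b"), None),  # hypothetical ID format
]
RESTRICTED_DIRS = {"hr"}                   # hypothetical location rule
SCAN_SUFFIXES = {".txt", ".csv", ".log"}   # file-type rule: plain text only in this sketch


def find_sensitive(text):
    """Return [(detector, masked_value)] for validated, non-overlapping hits."""
    hits, claimed = [], []
    for name, rx, validator in DETECTORS:
        for m in rx.finditer(text):
            if any(m.start() < e and s < m.end() for s, e in claimed):
                continue  # span already attributed to an earlier detector
            if validator and not validator(re.sub(r"\D", "", m.group())):
                continue  # right shape, wrong checksum: treat as noise
            claimed.append(m.span())
            hits.append((name, "*" * (len(m.group()) - 4) + m.group()[-4:]))
    return hits


def scan_share(root):
    """Walk the share and label each file from its content hits or its location."""
    root, results = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel, hits = path.relative_to(root), []
        if path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_sensitive(path.read_text(encoding="utf-8", errors="replace"))
        in_restricted_dir = bool(RESTRICTED_DIRS & {p.lower() for p in rel.parts[:-1]})
        label = "Restricted" if hits or in_restricted_dir else "Unclassified"
        results.append({"file": rel.as_posix(), "owner_uid": path.stat().st_uid,
                        "label": label, "hits": hits})
    return results


def build_sample_share(root):
    """Write a constructed file tree standing in for the mapped drive."""
    body = "23456789012"  # constructed digits, not a real Aadhaar number
    good = body + next(d for d in "0123456789" if verhoeff_ok(body + d))
    bad = body + str((int(good[-1]) + 1) % 10)  # same shape, wrong check digit
    files = {
        "claims/notes.txt": (f"Customer Aadhaar {good[:4]} {good[4:8]} {good[8:]}, "
                             "PAN ABCPD1234E, mobile +91 9876543210, handled by EMP004217\n"),
        "finance/payments.csv": "txn,card\n1001,4111111111111111\n1002,4111111111111112\n",
        "hr/leave_policy.txt": "Leave rules for all staff.\n",
        "public/faq.txt": f"Office hours are 10:00 to 17:30. Ticket {bad}.\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return good


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for row in scan_share(tmp):
            print(row["label"], row["file"], row["owner_uid"], row["hits"])
```

The ticket number in `public/faq.txt` and the second card row have the right shape but fail their checksums, so neither is reported; `hr/leave_policy.txt` is labelled by location alone.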
I. Vulnerability Assessment:
Vulnerability Assessment and Penetration Testing should cover NIC’s Information System
Infrastructure which includes Networking systems, Security devices, Servers, Databases,
Applications Systems, websites maintained at NIC’s premises. Bidder should carry out an assessment
of Threat & Vulnerabilities assessments and assess the risks in NIC’s Information Technology
Resources with the use of the proposed VA tool. This will include identifying existing threats if any
and suggest remedial solutions and recommendations of the same to mitigate all identified risks, with
the objective of enhancing the security of Information Systems.
The frequency for conducting VAPT should be half-yearly. The VA should be done through the
solution at least once in 6 months. However, NIC at its own discretion can change the frequency. The
Bidder should use the services of an Auditor empanelled with CERT-In for conducting the Penetration
Testing for internet facing assets. The Auditor is required to perform Black Box Testing for
devices/applications. The Auditor shall be rotated by the Bidder every three years.
Auditor is required to close all the gaps/issues identified and also coordinate with the existing vendors
of NIC in order to close all the gaps identified in VAPT Reports as per the timelines and submit the
status report of all the identified gaps in the VAPT Report on weekly basis.
J. User Training:
Implementation
Integrate with NIC Active Directory
Enabling the modules and rolling out for 100 users
Configuring the Phishing Campaign and rollout of 100 users
Operations
Periodic Reporting on the awareness training for 12000 users
Creating the campaign based on NIC requirement
Security Information and Event Manager: <Bidder to mention Product Name>
Sl. No. | Technical Specifications | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The SIEM platform should be based on a Hardened Operating System Based solution with a clear physical separation of the collection engine, the logging engine and the co-relation engine. The solution should have a scalable architecture, catering multi-tier support and distributed deployment.
2 The solution should support log collection, correlation and alerts for the number of devices mentioned in scope.
3 The solution should be able to conduct agent less collection of logs except for those which cannot publish native audit logs
4 The solution should have connectors to support the listed devices/ applications and additional, if any required, the bidder should develop customized connectors for these at no extra cost
5 The proposed solution must ensure all the system components continue to operate when any other part of the system fails or loses connectivity.
6 The proposed solution should be able to cater to 10000 sustained EPS while being scalable to 20000 sustained EPS, storage for 1 year
7 The capacity for event correlation engine that is being proposed should be properly sized for the specified EPS.
8 The proposed system/solution should have the ability to correlate all the fields in a log
9 The proposed solution should be able to parse and correlate multi-line logs
10 The proposed solution must employ advanced analytics and machine learning techniques
11 The UEBA must be offered fully integrated within the proposed solution
12 The UEBA must be able to detect and respond to insider threats, compromised account, privileged account abuse, data exfiltration etc.
13 The UEBA must correlate log information to single identities to know the actors behind the actions impacting the environment with Identity Inference, which attributes identities to anonymous log messages, streamlining forensic investigations
14 The UEBA must create a heuristic baseline of user activity by analyzing behavior, so it must perform multidimensional baselining, enabling the modeling of a broad set of user behaviors. Baselines are used to detect anomalous behavior via machine learning and other statistical analysis techniques
15 The UEBA must use the heuristic baseline to detect unusual behaviors in real time, so it must continuously analyze current activity against baselines established for each identity and peer group. Detect behavioral deviations from user and peer group baselines
16 The UEBA must collect machine data from across NIC environment and fill in forensic gaps with endpoint and network monitoring
17 Log security in terms of integrity and availability should be ensured
18 All logs should be Authenticated (time-stamped) and encrypted before transmission to the correlation/normalization engine. This may be achieved by encrypting the logs or the communication channel between the aforementioned components.
19 The solution should be able to continue to collect log data during database backup, de-fragmentation and other management scenarios, without any disruption to service
20 The solution should have the capability to collect and analyse logs from various log sources which include operational Events / Logs of Security devices including IPS, Firewalls, Anti-virus and other such devices, Logs / Events from the servers such as Web server, Mail server, DNS Server, Application Servers, Operating systems (Windows, Unix, Linux, AIX, Solaris etc), Virtualization platforms, Databases (Oracle, SQL, DB2 etc.), Storage systems, etc. as deemed to be important for the purpose of Security. The system should support, not restricted to, the following log and event collection methods:
21 - Syslog – UDP (as detailed in RFC 3164) TCP (as detailed in RFC 3195)
22 - Flat file logs such as from DNS, DHCP, Mail servers, web servers etc.
23 - Windows events logs – Agent-based or agent-less
24 - FTP, S/FTP, SNMP, ODBC, CP-LEA, SDEE, WMI, JDBC, etc.
25 In case the connectivity with SIEM management system is lost, the collector should be able to store the data in its own repository for a minimum period of 7 days. The retention, deletion, synchronization with SIEM data store should be automatic but it should be possible to control the same manually.
26 The Log collector should support filtering of log data.
27 All logs should be automatically categorized into categories like usernames, event categories, actions, event id’s and other meta data fields
28 The solution shall automatically tag the logs with geo location, IP address, data center category defined, source asset, application name etc.
29 Solution should provide threat intelligence feeds for botnet C&C servers, malware domains, proxy networks, known bad IP’s and hosts, traffic to APT domains etc. Proposed solution should support STIX/TAXII based threat intelligence feed for correlation.
30 Solution should be able to perform the following correlations (but not limited to) based on analysis rules mapped to various threat categories and provided with criticality information.
The various threat categories to be covered include:
1) Vulnerability based
2) Statistical based
3) Historical based
4) Heuristics based
5) Behavior based on source entity, applications etc.
6) Information Leak
7) Unauthorized Access
8) Denial of Service
9) Service Unavailable
10) Phishing attack
11) Pattern based rules
12) Profiling
13) Whitelist/Blacklist/Reference List
31 The solution should provide out of box rules for alerting on threats found in log or network data.
31.1 E.g. failed logins, account changes, expirations, port scans, suspicious file names, default usernames, default passwords, security tools, AV signature updates, successful authentications, bandwidth by IP, email senders, failed privilege escalations, VPN failed logins, group management system configuration changes, traffic to nonstandard ports, URL blocked, accounts deleted, accounts disabled, top intrusions etc.
32 The solution should allow creating correlation rules on any meta fields
33 The solution shall allow sending alerts to external systems e.g.- syslog, email etc.
34 The solution shall allow export of specific logs from the correlated event.
35 The solution should be capable for performing application monitoring.
36 The proposed solution should provide the ability to monitoring and alerting on non-compliance events in real-time and provide necessary reports and dashboards.
37 The solution should allow creating standard reports from the rules configured in the system. The solution should also allow customizing reports in accordance with the organization’s requirements from time to time.
38 The solution should provide out of box templates for reports on ISO 27001 standards at no additional cost.
39 The solution should provide both tabular and graphical reports
40 The dashboard should be in the form of a unified portal that can show correlated alerts/ events from multiple disparate sources such as security devices, network devices, enterprise management systems, servers, applications, databases, etc.
41 Events should be presented in a manner that is independent of device specific syntax and easy to understand for all users
42 The solution should provide event playback for forensic analysis.
43 All artefacts/forensic evidence for each incident should be maintained
44 Should generate e-mail and SMS notifications for all critical/high risk alerts triggered from SIEM
45 The system should allow scheduling reports
46 The system should provide a calendar view. Clicking on a date should show all reports generated on the selected date
47 Reports should be available in the formats including but not limited pdf, csv, etc.
48 The solution must provide a flexible dashboard with chart and summary displays for a complete view of real-time captured data.
49 The solution must provide fully customizable queries and report library to define report and alert combinations.
50 Dashboard should support different views relevant for different stake holders including top management, operations team, Information Security Department
51 Dashboard views should be customizable as per user rights and access to individual components of the application.
52 The system should permit setting up geographical maps or location wise real time dashboards to identify impacted areas and sources of alerts.
53 Solution should have the ability to perform free text searches for events, incidents, rules and other parameters.
54 The proposed solution should have inbuilt case management and should have options for integrating with external ticketing solution
55 The system should allow centralized management and reporting for various components from central site.
56 The solution should support creation of incident management workflows to track incident from creation to closure, provide reports on pending incidents, permit upload of related evidences such as screenshots etc.
57 The system should allow centralized system updates for application
58 The system should have interface to monitor health of the various components of solution and provide details like CPU usage, interface usage, disk status etc.
59 The system should receive feeds from a threat intelligence repository maintained by the OEM and from leading global intelligence sources. The solution should support external threat intelligence which could be used to identify incidents based on knowledge of global security research, to supplement its own threat feed.
60 The system should audit all changes made to the system
61 The solution should support role based access control and user based access control and have out of box dashboards for various roles like incident analyst, incident coordinator, SOC lead etc.
62 The solution shall have intuitive dashboards for other stake holders
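Items 14 and 15 of the SIEM specifications ask for baselines per identity and per peer group. The sketch below is an added illustration, not vendor or RFP code: it scores one behaviour dimension (outbound data volume) against both baselines with a median/MAD modified z-score. The user names, peer groups, volumes, the 3.5 threshold and the verdict labels are all constructed assumptions.

```python
from statistics import median

THRESHOLD = 3.5  # assumed cut-off for the modified z-score

# Constructed data: identity -> (peer group, outbound MB per day over the baseline window).
BASELINE = {
    "asha":  ("claims", [40, 42, 38, 45, 41, 39, 44, 43, 40, 42]),
    "ravi":  ("claims", [35, 37, 36, 40, 38, 34, 39, 36, 37, 35]),
    "meena": ("claims", [50, 48, 52, 47, 51, 49, 53, 50, 48, 52]),
    "dba01": ("dba", [900, 950, 920, 880, 940, 910, 930, 960, 905, 925]),
    "dba02": ("dba", [870, 890, 860, 900, 880, 875, 895, 885, 865, 890]),
    "kiran": ("dba", [60, 55, 65, 58, 62, 57, 63, 59, 61, 60]),  # recently moved into the group
}
# Constructed observations for the day being assessed.
TODAY = {"asha": 46, "ravi": 410, "meena": 51, "dba01": 955, "dba02": 882, "kiran": 890}


def robust_z(value, history):
    """Distance of value from the history's median, in MAD-based standard units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else 1.0  # flat history: fall back to raw distance
    return (value - med) / scale


def peer_history(user):
    """Pool the baseline windows of everyone else in the user's peer group."""
    group = BASELINE[user][0]
    return [v for u, (g, hist) in BASELINE.items() if g == group and u != user for v in hist]


def assess(user, value):
    """Compare today's value with the identity baseline, then with the peer baseline."""
    z_self = robust_z(value, BASELINE[user][1])
    peers = peer_history(user)
    z_peer = robust_z(value, peers) if peers else z_self
    if abs(z_self) <= THRESHOLD:
        verdict = "normal"
    elif abs(z_peer) > THRESHOLD:
        verdict = "anomalous"            # unusual for the user and for the peer group
    else:
        verdict = "own_baseline_only"    # new for the user, ordinary for the peer group
    return {"user": user, "z_self": round(z_self, 2), "z_peer": round(z_peer, 2),
            "verdict": verdict}


def assess_all():
    return [assess(user, value) for user, value in TODAY.items()]


if __name__ == "__main__":
    for row in assess_all():
        print(row)
```

Here `ravi` deviates from both baselines and is flagged, while `kiran` deviates only from his own history and matches the DBA peer group, which is the kind of case the peer baseline lets an analyst rank lower.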
Network Forensic Analysis Tool
1 The packet appliance should support collection of full network traffic based on all/desired protocols
2 The Packet capture appliance should have a throughput of as mentioned in the sizing annexure
3 Should support filtering of desired traffic on filtering conditions using OSI Layers 2-7 like BPF filters, ports, protocols, applications and meta data conditions (Ex- truncate when destination zone is DMZ)
4 The solution should perform threat detection using
- Threat intelligence (Inbuilt feeds)
- STIX Support for external feed integration
- Community based threat intelligence
- Should support custom watch lists and feeds using CSV
- Correlation rules on packet data (Ex- PDF download followed by SSH connection)
- Should have native correlation rules for network traffic and support custom rules
- Simple alerts like, destination country is “Russia”
- The solution should support Easy-to-use dashboards for analysts for hunting and investigation
5 The solution should be able to provide complete packet-by-packet details pertaining to one or more session of interest including, web pages, FTP, Email, image views, artifact & raw packet extractions
6 Should support on demand enrichment (Right click on asset and add more context) with feeds based on Hashes, IP, incidents etc
7 Support session exports and remember recent queries
8 Support customization of analyst layouts to show specific meta data (Ex- show only source/destination IP address, usernames, files names etc. in the view)
9 Support multiple such layouts for each analyst and capability to share layouts within various analysts
10 Should have native incident management workflows with features to support
11 Support sending of notifications on syslog, emails
12 Dashboard support to reflect desired parameters as charts and reports
13 Support Incident Management and workflows view based on user ID/role
14 Native Incident reports and related metric like trends, by Status, by Category etc.
15 Evidence attachment in incident, Incident creation on rules or manually during investigation process
16 Integration with third party helpdesk if required and integration with GRC tool for incident management which NIC may have in future
17 Should have dedicated health and wellness page for monitoring logical and physical condition of appliances
18 Support custom application and protocol parsers by analyst team
19 Support STIG based hardening and REST based API
20 The solution should perform searches across all network data. The solution shall search attachment file names
21 The proposed solution must detect and alert when inappropriate or blacklisted applications are used
Security Orchestration, Automation & Response
1 The solution should provide integration with most prevalent IT and cyber
security systems like SIEM, IPS, Anti-APT, Firewalls, LDAP/AD, End point
protection, NAC, Vulnerability scanners, patch management etc. to consume
alert data, perform investigative and remediation actions.
2 The solution should support integrating custom sources in case product OEM is
not supported by default.
3 The solution should integrate with partner products using any of the standard
protocols and interfaces including REST API, SOAP, SSH/CLI interface, and
custom APIs
4 Solution shall have the capability of providing independent threat intelligence
for local and external threats
5 The solution must support the ability to correlate against 3rd party security data
feeds (i.e. geographic mapping, known botnet channels, known hostile
networks, etc.)
6 The solution should provide a simple, comprehensive, fully automated approach
to detect and stop the threats that matter, for on premise deployments from
internal & external attacks
7 The solution should support both human and machine based automation for
various tasks related to security investigations
8 The proposed solution must offer the playbook functions embedded in the
platform at no additional cost.
9 Solution should provide capability to execute desired playbooks (collection of
actions/commands) based on manual analysis.
10 Solution should do automatic remediation in real-time without any manual
intervention.
11 Solution should auto-remediate the problem without causing a huge impact to
the organization. Some examples of such remediation could be:
· Push policies to prevent an external IP
· Isolate an internal desktop/server
· Disabling user accounts used for malicious purposes
· Patch automation in case tool finds vulnerability
12 The solution must provide a mechanism to capture all relevant aspects of a
security incident in a single logical view. This view must include relevant
events, network activity data, correlated alerts, vulnerability data, etc.
13 Solution should provide necessary integration with the IT/cybersecurity systems
for keeping the forensics artefacts from the integrated sources of the incident
before taking remedial actions.
14 Solution should support email or text notifications, along with functionality to
email comprehensive periodic reports and dashboards.
15 Solution should provide content for threat descriptions as well as remediation
advice
16 Solution should be configured with the use cases with automation for response
to the minimum basic threats like
· Blacklisted IP Communication
· Possible Penetration Testing Activity
· Connection to Known Malicious Actor in Published Host List
· DDOS Attack
· Vulnerability scan detection
· Phishing detection
· Brute force attack
· Malware activity
· Ransomware
· Endpoint Quarantine
· Suspend Users
Apart from the above use cases there should be provision for configuring new
use cases as well as compliances as per future requirements.
17 The solution should provide complete incident management capabilities to
provide end to end capabilities from alert collection to closure.
18 The solution must provide a playbook for each type of incident raised by the
solution. The playbook should specify what activities are to be performed by
L1/L2/L3 personnel and what investigation/action are to be taken by each
personnel.
19 The solution should allow attaching multiple playbooks to any incident.
20 The solution should be able to find related incidents from historical data based
on assets like IPs or user involved in incident
21 The SOAR solution must not have any limit on the number of SOC analysts or
playbook templates that can be used
22 The proposed solution must allow customers to add their own automated
remediation.
23 The proposed solution's automated remediation must provide a built-in
hierarchy approval workflow
24 The proposed solution must calculate the mean time to detect and mean time to
respond automatically and show that on the dashboard for the analysts
Deception
1 The solution must have the ability to visually replay past events on an interactive
fluid dashboard that show all decoy elements and attacker details.
2 Solution must use a numeric risk score for an attacker based on dynamic analysis
of attacker behavior. Solution should not just use basic critical / high / medium
/ low buckets.
3 The system must have the ability to save and share custom views filtered based
on time and any event metadata for analyzing specific events. Results of saved
queries must be exportable.
4 The solution must have the ability to reconstruct raw attack data into plain
English attack analysis. It must also provide attacker / APT group attribution,
mitigation recommendations, MITRE mapping within the user interface for the
analyst.
5 The solution should have a central management console to manage the
deployment and event notifications. All other components should be controlled
and configured through the central management console only.
6 Both physical and virtual instances should each support a minimum of 50 VLANs
and a minimum of 250 network decoys per appliance.
7 The solution should offer the option for both physical and virtual instances of
the solution components. The virtual instances must support VMware.
8 The solution should have capabilities to scan the surrounding environment, and
automatically deploy authentic deception that mimic not only the hostnames of
the surrounding systems but MAC addresses and services as well. The solution
must be able to choose the ratio between blend-in and stand-out decoys.
9 Ability to ‘agentless’ embed lures on real endpoints in the form of unique
dummy credentials that lead attackers on to decoy systems
10 Deception platform must be capable of creating file decoys that are deployed on
real systems and ‘agentless’ trigger alerts when opened, copied, modified or
deleted
11 The solution should have the ability to capture commands executed for
high-interaction SSH connections on Linux decoys
12 Linux high-interaction decoys should not be emulated, but should be complete
distributions that are externally instrumented (no internally running agent /
process).
13 For authenticity, Linux high-interaction decoys should be one-to-one (the
solution should not re-use a single internal VM for multiple decoys).
14 The solution should be able to deploy built-in application decoys that look like
webmail portals, VPN login portals, network printer, PIM login, HRMS etc.
15 Decoy web-applications should include the ability to easily upload templates for
high-interaction (login / browsing of the decoy application).
16 All Windows high interaction activity should be logged, not just code execution
attempts. High-interaction should not involve transfer of malicious code to a
separate analysis VM, but should provide full interactive access to the attacker.
17 The solution must support geolocation of external threats.
18 The solution should have the ability to detect network scans in all VLANs in the
enterprise network including remote offices without the need for any complex
network changes like GRE tunnels or additional appliances in each branch
19 The solution should be able to create spear-phishing decoys to detect targeted
spear phishing attempts.
20 Decoys created must be individually unique, not just a variation of a few virtual
machines.
21 The solution should have an inbuilt feature to allow automatic isolation of an
attacking source system based on preset or custom rules
22 When an event occurs, the solution should have built in orchestration to take
specific actions based on preset or user specified rules that can be specified on
any event meta-data. The rule engine should support multiple Boolean and
logical conditions to appropriately orchestrate the response.
23 Decoys should be integrated with the real Active Directory domain and should
not use a domain trust relationship between a dummy Active Directory and the
real Active Directory domain that hackers can easily discover.
24 Decoy services like SSH, HTTP / HTTPS, FTP, SMB, MySQL, telnet should
be individually unique services and not just a few VMs offering the same service
on multiple IP addresses
25 Solution should include high-interaction Windows decoys that are accessible
over the following channels: WMI, RDP, WinRM, RPC-DCOM.
27 Solution should have the ability to create Internet facing decoys with low false
positives, not just running internal network decoys on the Internet. The Internet
facing decoys should consume backscatter threat intelligence from platforms
like MISP, Greynoise, Shodan etc.
28 Deception platform should automatically fill network decoys with realistic auto-
generated enticing content pertaining to specific business verticals like Finance,
Legal, HR, IT etc. Please list the specific types of “auto-generatable” files /
content etc.
29 The solution must support deep protocol inspection of network traffic such as
DCE/RPC / SSL-JA3 for detection of exploits, reconnaissance and zero-days
pre-engagement in the virtual machine.
30 Linux decoys must not contain a monitoring agent that could identify the OEM
vendor of deception solution.
31 Deception platform must be capable of real-time telephonic alerts based on
preset or custom notification rules
32 The solution should have a built in incident response capability that allows live
forensics of the attacking source system. This includes live memory analysis.
33 For security, the base operating platform (host operating platform on which the
decoys run) of the deception appliance must be hardened and capable of being
patched against any future vulnerability.
34 Solution must allow visual dissection of the PCAP traffic and preserve all
network traffic to and from the decoys while having the ability to export PCAPs
based on a time filter.
35 Solution must support Suricata signature detection for 'known bad' events and
must be updated with the latest emerging threat signatures.
36 The proposed solution must be listed by Gartner in the Magic Quadrant or as a
Cool Vendor
37 Detect MITM attacks like NBNS, LLMNR, MDNS, ARP, DHCP in every
VLAN of the enterprise
38 Deception solution provider (OEM) should offer professional services for
customization of decoys, deception strategy planning, and incident response
69.6 Minimum Technical Specifications and Compliance of RFP for Vulnerability Assessment
Solution
Vulnerability Assessment Solution: < Bidder to mention Product Name>
Sl.No. | Technical Specification | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The proposed solution should have minimal impact on traffic, server
performance, networks etc. during deployment and operation
2 The system should work in any network topology
3 The proposed solution should maintain an updated database for latest
vulnerabilities
4 The proposed solution should provide flexible deployment of VAS solution
and capability for tuning the scanning configurations for optimal performance
of NIC's infrastructure
5 The proposed solution should provide pre-built integrations with other security
solutions
6 The proposed solution should perform a targeted scan (i.e. check for a specific
set of vulnerabilities or IP Addresses).
7 The proposed solution should support application scanning, mobile device
scanning
8 The proposed solution should support centralized management of scan
operations, reporting and administration.
9 The proposed solution should automatically discover and categorize assets
based on multiple attributes and not just the IP addresses
10 The proposed solution should be able to identify applications running on
non-standard ports.
11 The proposed solution should track hosts over time in a dynamic IP
environment (DHCP)
12 The vulnerability signature database should include breakdown of types of
signatures (i.e. CGI, RPC, etc.) and number of signatures that map directly to
CVE IDs.
13 The proposed solution should be able to conduct vulnerability assessment for
all operating systems and their versions including but not limited to: Windows,
AIX, Unix, Linux, Solaris servers etc.
14 The proposed solution should provide mechanism to upload IP lists of devices
through XLS format
15 The proposed solution should provide configurable Vulnerability assessment
policy and individual tests
16 The proposed solution should be able to scan workstations, servers, network and
security equipment and other devices such as printers, mobiles, webcams,
tablets etc.
17 The proposed solution should be able to run scans on network segments as well
as entire network.
18 The proposed solution should be able to perform authenticated and
unauthenticated scans and manage credentials centrally for authenticated
scans.
19 The proposed solution should be able to scan application databases for
vulnerabilities
20 The proposed solution should be able to detect weak passwords for databases
and point out accounts with simple, weak and shared passwords.
21 The proposed solution should be able to identify out-of-date software versions,
applicable patches and system upgrades.
22 The system should be able to identify configuration deviations/defects as per
NIC baselines, CIS, SCAP, OVAL baseline/ Standards /leading practices for the
various devices in scope
23 The proposed solution should include vulnerability rating methodology
configurable to NIC's requirement
24 The proposed solution should provide remediation information in the reports
including links to patches etc.
25 The proposed solution should produce a report listing all applications on a host
or network, regardless of whether the application is vulnerable
27 The proposed solution should be able to support “scan windows”, scan
scheduling, and automatic/manual pausing/stopping/restarting of scans.
28 The proposed solution should support users to modify existing rules or create
their own rules
29 The proposed solution should include a library of potential vulnerabilities and
rules which should cover SANS top 20. This library should be customizable by
the administrator and changes to the same should be traceable.
30 The proposed solution should produce reports in the following formats: XLS,
PDF, CSV, XML etc.
31 The proposed solution vendor should assist NIC in reducing the number of
false positives identified by the solution
32 The proposed solution should be able to prioritize vulnerabilities on the basis
of severity levels defined by the NIC
33 The proposed solution should be able to track the closure of all vulnerabilities
identified and should include parameters such as responsible person, date of
closure, action taken etc.
34 The proposed solution vendor should provide configuration review services as
a part of the solution
35 The proposed solution should generate reports on trends in vulnerabilities on a
particular asset.
36 The proposed solution should be able to integrate with other security solutions
(i.e. Security Information/Event Management, Patch Management, IPS, etc.)
37 The proposed Solution should have an Application Programming Interface
(API) to integrate with other systems
39 The proposed solution should support integration with threat feeds, allowing
vulnerabilities to be correlated against real-time threat information.
40 The proposed solution should be able to detect both wireless and rogue devices
41 The proposed solution should support all kinds of standard platforms like
Solaris, Linux, Mac OS and Windows etc.
42 The proposed solution should maintain history of scan and provide comparison
between two scans and differential reports of the scans
43 The proposed solution should support discoveries of vulnerabilities caused by
absence of update for OS, Database, Application, etc.
44 The proposed solution should support scanning of virtualization and terminal
platforms like vSphere, Hyper-V, XenApp, etc.
45 The proposed solution should provide both pre-configured and fully
customizable report templates for various stakeholders across organization.
46 The proposed solution should provide built-in reports that include but are not
limited to audit, baseline comparison, executive summary, PCI, policy
compliance, remediation planning, top remediation, SANS Top 20,
vulnerability verification report etc.
47 The proposed solution should support automatic, manual and offline
application updates
48 The proposed solution should allow NIC to schedule the VA of selected assets
for a pre-defined date and time. The proposed solution should also be able to
schedule scans based on asset ratings and asset types.
49 The bidder should assist in building of scan templates as per NIC's
requirements such as types of applications to be scanned, protocols to be used,
ports to be scanned etc.
69.7 Minimum Technical Specifications and Compliance of RFP for Data Classification and
Information Rights Management
Data Classification and Information Rights Management: < Bidder to mention Product Name>
Sl.No. | Technical Specification | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The solution should evaluate content, context, identity and other attributes of
unstructured data to make classification and policy decisions.
2 The solution should have a simple and a flexible policy engine to support
creation of rules - For example, upon an Event where the user clicks ‘Send’
on an email, under the Condition that one of the email recipients has a certain
specific email domain, to take an Action to block the email from being sent.
3 The solution should support policy conditionality based on data attributes like
content, classification, recipients, sender, author, filename, path, IP address,
MAC address, modification date, file type, and location.
4 The solution should enable administrators to define policies with or without
classification as part of the policy.
5 The solution should support policy nesting/hierarchy to control the flow of
policy execution, making it easier to support more advanced use cases for
classification and policy enforcement.
6 The solution should provide context-sensitive help throughout the user
interface to support security training and help users select the correct
classification and policy remediation options.
Data Classification and Identification Requirements
7 The solution should support automated, suggested, and user-driven
classification.
8 The solution should enable the classification of Word, Excel and PowerPoint
documents from within Microsoft Office.
9 The solution should enable the classification of any custom file type.
10 The solution should support the ability to classify on Send, Save/Save As,
Print, New Email, Close/Open Document, and other email and document
events.
11 The solution should support unlimited number of classification fields.
12 The solution should support users to enforce data retention and disposition
tags, including date fields while classifying information especially sensitive
information which can result in increased liability if stored longer
13 The solution should support hierarchical and conditional classification fields,
so that the appearance of a sub-field is conditional on the value selected in the
higher-level field. For example, when a user selects “Restricted,” a sub-field
is presented with a list of departments including “HR Only.”
14 The solution should support dynamic/tailored classification selections based
on the user's Active Directory attributes or groups.
15 The solution should support the mapping of classification schemas across the
organization.
16 The solution should support the mapping of old classification values to new
ones, and seamlessly update previously classified information if required.
17 The solution should enable users to assign classification values via a one click
classification user interface.
18 The solution should enable users to assign classification values to any file type
by right-clicking in File Explorer and selecting one or more files.
19 The solution should enable users to assign classification values to
non-classified email in their inbox.
20 The solution should enable users to set their most frequently used
classifications as “Favorites.”
21 The solution should enable users to save type-in fields as Favorites so that the
information needs to be typed in only once.
22 The solution should provide tooltips, classification descriptions, and help page
links to assist users with classification policy.
23 The solution should support the use of automated classification for any
classification field. These classification values can be assigned based on
content, context, and/or user identity (e.g. user role).
24 The solution should support dynamic population of classification fields from
sources other than the pre-configured classification schema. For example,
metadata values can come from document attributes (e.g. author),
environmental variables (e.g. IP or MAC address), and/or Active Directory
(e.g. group, department).
25 The solution should support the ability to set the classification automatically
based on a series of questions presented to the user via the classification
dialog.
26 The solution should support the ability to ask users to confirm an automated
classification value (also called “suggested classification”).
27 The solution should support the ability to prompt users to change the default
classification(s) if the default is inappropriate for the content, context, or other
attributes of the email or document.
28 The solution should support the ability to prompt users to classify in some
cases, and use automated classification in others. For example, a default
classification may be used for internal email, but users are prompted to
classify for external email. Or users may be prompted to classify email only
when there is an attachment.
29 The solution should support the ability to scan for certain keywords and
regular expressions and set the classification accordingly.
30 The solution should support creating custom conditions within a policy. For
example, the solution should allow creating a custom condition to ensure a
particular software is installed on the system before allowing email to be sent,
query time of day to ensure an activity takes place during regular business
hours.
31 The solution should support creating custom actions within a policy. For
example, the solution should have provision to write a custom action to send
an email notification when a user performs an action denied by a policy, send
an email notification to an administrator when a user attempts to print or
distribute content classified as Restricted.
32 The solution should generate metadata for all file types, including persistent,
embedded metadata for many non-Office files, including PDF, TXT, Visio,
Project, images, and multimedia files.
33 The solution should support metadata remediation and prioritization when
multiple sources of metadata are available on a file. For example, a
user-applied classification may be most critical and trustworthy, while in other
cases, a DLP solution’s tag is treated as a preferred value.
34 The solution should support the creation of custom metadata for
interoperability, including custom X-headers.
35 The solution should support customizable visual markings in email and
documents (e.g. font, size, color, and content).
36 The solution should support customizable visual markings for HTML, RTF
and plaintext email.
37 The solution should support the ability to evaluate multiple email and
document attributes to determine the appropriate markings.
38 The solution should support different visual markings for the same
classification, depending on context. For example, a “Confidential” email
going to internal recipients may have different markings than a “Confidential”
email going to external recipients.
39 The solution should support different visual markings for different
applications, for instance, adding a header or footer for all documents but only
metadata into emails
41 The solution should support automatic classification of files when they are
downloaded and saved to specific folders (e.g. Downloads, My Documents)
and the classification should be based on file content for files that can be read
by a text processor and based on file type or file size or file name or file path
for other file types
42 The solution should support Machine Learning Categorization to help predict
different categories of documents, providing classification suggestion or
automation on unknown content in documents and email
43 The solution should have the ability to classify email message with the same
classification label as files attached to it
44 The solution should have the ability to automatically classify email and
calendar events as 'Internal' based on the sender and recipient in the same
email domain
45 The solution should have the ability to enforce obtaining consent from end
users while handling sensitive information and capture the same in the
metadata
46 The solution should provide the ability to allow user to manually classify file
attachment(s) directly within MS Outlook when composing an email without
the need to open the attachment and without classifying the original source
file.
Data Discovery Requirements
48 The solution should support the discovery and identification of large volumes
of data, stored both on premise and in the cloud. This includes the scanning of
network file shares, as well as Cloud storage providers.
49 The solution should provide the ability to run scheduled scans to automatically
classify files based on several factors, including the file properties/attributes,
content, and/or metadata.
50 The solution should support the ability to encrypt files by integrating with
third party encryption solutions. This additional layer of protection can be
added based on the details of the file itself, or its location.
51 The solution should support the ability to collect file information during scans,
including file properties, classification (pre- and post-scan), and access
controls. This data inventory identifies what the data is, where it is, and who
has access to it.
52 The solution should provide the ability to analyze scanning results via a
built-in dashboard or third-party analytics tools to minimize data at risk, monitor
classification activities, and optimize data identification policies and data
storage solutions.
53 The solution should support the ability to quarantine files stored
inappropriately, flag files for follow-up, or take action based on results of the
scan. This may include updating security policies, or re-educating users on
the treatment of sensitive data.
54 The solution should have the ability to scan Windows file shares, and enforce
classification based on content, file attributes, file location
55 The solution should support Machine Learning Categorization to help predict
different categories of documents at rest, providing classification suggestion
or automation on unknown documents at rest
Information Protection Requirements
56 The solution should provide interactive warning messages that include
remediation options and URL links for additional help and information.
57 The solution should consolidate all policy warnings in the same policy dialog.
58 The solution should enable administrators to control whether users can
override policy warnings.
59 The solution should support the use of task panel alerts, which can be applied
at all times or only under certain conditions. For example, the task panel can
be configured to appear when handling an Excel spreadsheet containing PII.
60 The solution should support the ability for users to opt-in or opt-out of any
policies that the administrator defines as optional. For example, an
administrator may want to allow users to opt out of using default
classifications, or allow them to opt out of email and document scanning.
61 The solution should allow users to click a button to run a policy check before
sending an email or continuing to compose or save a document. This enables
the user to run a content scan without having to do a scan on every Save.
62 The solution should provide the ability to warn/prevent users from
downgrading, upgrading, or changing a classification.
63 The solution should provide the ability to save the name of the original
classifier in metadata, and to enforce policy so that only the original classifier
can change the classification.
64 The solution should provide the ability to warn users when opening sensitive
Office documents.
65 The solution should provide the ability to highlight sensitive information
within an email and redact the sensitive content so that users can remediate
any policy violations before the email leaves the desktop.
66 The solution should provide the ability to automatically invoke the Microsoft
Office Document Inspector to remove hidden or sensitive information, such
as comments, revisions, and document properties – without impacting
classification-related visual markings or properties.
67 The solution should provide the ability to evaluate the number of instances of
sensitive data within an email or document, and then apply the appropriate
policy. For example, users may be allowed to send an internal email with one
credit card number, but if there is more than one credit card number, the
message requires a restricted classification and will be encrypted.
68 The solution should provide advanced control over email attachments via
policies that evaluate content, recipients, sender, classification, filename, file
size, and other attributes.
69 The solution should provide the ability to restrict users from sending
non-classified email attachments (i.e. attachments that have no classification).
70 The solution should provide the ability to present the user with a checklist of
blocked attachments when a policy violation occurs, and allow the user to
manually select the attachments that are allowed to bypass the policy
violation. For example, the user can be shown all “Confidential” attachments
and asked to confirm individual attachments before sending the email.
71 The solution should support the scanning of zip file attachments, including the
ability to evaluate individual file properties such as metadata, filename, and
path (e.g. when a file is within a folder within the zip file).
72 The solution should support the ability to prompt the user to enter the password
used for sending a password protected file over email. The password entered
should be appended to the email header after encryption with the key generated
during tool installation
73 The solution should support the ability to check external recipient policies via
an LDAP directory instead of the corporate Active Directory.
74 The solution should provide the ability to present the user with a checklist of
blocked recipients when a policy violation occurs, and allow the user to
manually select the recipients that are allowed to bypass the policy violation.
For example, the user can be shown all external recipients and asked to
confirm individual recipients before sending the email.
75 The solution should support the ability to automatically BCC a specified
mailbox when an email triggers a policy.
76 The solution should prevent users from downgrading classification to lower
levels on files and emails
77 The solution should allow only the file owner defined in file attribute to
downgrade file classification.
78 The solution should allow only a specific AD user group for downgrading or
changing classification
79 The solution should allow authorized users to enter a justification before
downgrading classification.
Auditing and Reporting Requirements
80 The solution should log user activity while users are handling email,
documents, and files.
81 The solution should provide flexibility to send user logs to SIEM, syslog
server, text file, and Windows event logs as per the need.
82 The solution should provide a reporting collector that can collect events
written to the Windows event logs and record them in a central reporting
database.
83 The solution should provide built-in reports and dashboards to analyze user
behavior and system health.
84 The solution should provide a built-in dashboard for reviewing data discovery
scanning results for user activity, deployment, data storage trends, and data
inventory.
Mobile Security Requirement
85 The solution should support classification of emails on the following mobile
devices without additional license. In case additional hardware is required for
the same, Bidder shall provide
Apple iPhone and iPad with iOS 9 or later.
Android phones with Android platform version 4.4 or above
86 The solution should support the ability to add classification label as a
customizable body tag within the email message.
87 The solution should provide clear display of the documents’ classification
when opened.
Configuration and Deployment Requirements
88 The solution should provide a centralized, web-based Administration Console
for classification configuration and policy management.
89 The solution should support the ability to save configurations in a single
configuration file.
90 The solution should enable clients to retrieve configurations from file shares
or web servers (HTTP or HTTPS).
91 The solution should have the ability to integrate with AD natively and enforce
policies based on AD groups and enable administrators to tailor configurations
to individual users or groups of users
92 The solution should cache configurations on endpoints locally for offline use.
93 The solution should provide the ability to deploy in silent mode either natively
or using third party software distribution tools so that software can be
deployed and enabled in different phases.
94 The solution should enable administrators to customize all user interface text
strings to support different languages and terminology. This includes
classification fields and values, and policy warning messages.
95 The solution should work with Microsoft Office 2010 (32 and 64 bit), 2013
(32-bit and 64-bit), 2016 (32-bit and 64-bit) and 2019 (32 and 64 bit)
96 The solution should work on Windows 7, 8.1, and 10; and Windows Server
2008 R2 (SP1) and 2012 R2 and Windows Server 2016
97 The solution should work within virtual machine environments including
Citrix XenDesktop, VMware and other virtual desktops.
98 The solution should include installation and configuration, professional
services to plan, configure, and deploy the solution on-site and transfer
knowledge to the organization’s personnel in order to ensure continuous
operation.
99 Solution should have the ability to extend classification of emails and
documents seamlessly for Mac OS
Integration and Interoperability Requirements
100 The solution should provide the ability to attach metadata to information
objects, which can be leveraged by e-discovery solutions.
101 The solution should provide the ability to attach metadata to information
objects, which can be leveraged by third-party data loss prevention (DLP)
solutions and should work even when emails and documents are protected.
102 Solution should support enforcing policies like encrypt all documents which
have PCI information by integrating with IRM solutions
103 The solution should provide the ability to trigger encryption based on
metadata. For example, if a specific keyword or pattern is found in a message,
the solution can add a MAPI property with the Boolean value of “True”. The
encryption solution can use the “True” MAPI property to initiate the required
response.
104 The solution should integrate with Fileserver with the ability to scan. For
example, when the user uploads the document to fileserver
105 The solution should quickly identify where sensitive information is available
and who is touching it. It should also help prioritize risk and remediation and
should be capable of locking down the data without interrupting business.
106 The solution should have the ability to integrate with archival solutions and
take actions on archival based on classification label
Storage
1 Storage Quality Certification - The Storage OEM should be established in the
Gartner General Purpose storage arrays. Leader Quadrant 2018 or above
2 Storage Controller - The Storage system must have at least two controllers
running in an active-active mode with automatic failover to each other in case
one controller fails for both NAS and SAN. The storage solution should
be a true unified architecture with support for all the protocols FC, iSCSI,
CIFS, NFS, FCoE, SMB, HTTP, pNFS natively. Single storage OS should
support all protocols without adding additional hardware. All necessary
software and hardware required to meet the requirement should be supplied
by OEM.
3 Storage Scalability - The Storage system should be scalable to a minimum of
8 controllers in the same cluster in active-active configuration
4 System Cache required - The system should support minimum 64 GB
memory across the two controllers. Proposed system should have ability to
protect data on cache if there is a controller failure or power outage. The cache
on the storage should have 72hrs or more battery backup (OR) should have
De-staging capability to either flash/disk.
5 Extended cache for enhanced performance - The system must provide
capability to use SSD/Flash as an extended/secondary cache. The system must
be supplied with at least 7.5 TB of SSD and/or NVMe Flash for this purpose.
6 Drive Support - The system must support intermixing of SSD, SAS and SATA
drives to meet the capacity and performance requirements of the applications.
The system must support a minimum of 144 disks for scalability purpose
with 2 controllers. The scale out architecture should support minimum 1700
drives scalable with up to 10 PB
7 Protocols - The storage should be configured with FCP, iSCSI, NFS (NFSv3,
NFSv4, NFSv4.1) SMB (SMB2 & SMB3), pNFS protocols for use with
different applications. Any hardware/software required for this functionality
shall be supplied for the entire supported capacity in No Single Point Of
Failure mode.
8 RAID configuration - Should support various RAID levels (1/5/6) or
equivalent
9 Storage Performance - The storage model should support 5 GB CIFS or NFS
shares for each of 15000 users across 100 branches
OEM should mention a bandwidth requirement from branches to storage
location
10 Storage Capacity - The usable capacity required for storage from day 1 is
75TB on SAS disk and additional SSD cache for performance. Max scalable
capacity should be 1.2 PB using SAS/NLSAS/SSD with two controllers
11 Front-End and Backend connectivity - The proposed storage system should
have minimum 8 numbers of 10GbE frontend ports and 12Gb backend
SAS ports
12 Rack Mountable - The storage should be supplied with rack mount kit. All the
necessary patch cords (Ethernet and Fiber) shall be provided and installed by
the vendor.
The Proposed solution should not exceed 16 Rack Units.
13 Storage Scalability - The proposed system should be field upgradeable to a
higher or same model with NAS scale-out: 1–24 nodes (12 HA pairs)
14 Storage functionality - The storage shall have the ability to expand
LUNS/Volumes on the storage online and instantly.
14.1 The storage shall have the ability to create logical volumes without physical
capacity being available or in other words system should allow
over-provisioning of the capacity. The license required for the same shall be
supplied for the maximum supported capacity of the offered storage model.
14.2 The storage should be configured with Quality of Service feature.
14.3 The storage shall support logical partitioning of controllers in future such that
each partition appears as a separate Virtual storage in itself.
14.4 The proposed storage system should be configured to provide data protection
against two simultaneous drive failures.
14.5 The required number of hard disks for parity & spares should be provided
exclusively of the usable capacity mentioned.
14.6 The proposed storage should support integration with Active Directory for
user and group account access to data
14.7 System should have redundant hot swappable components like controllers,
disks, power supplies, fans etc.
15 Point-in-time images - The storage should have the requisite licenses to
create point-in-time snapshots. The storage should support minimum 250
snapshots per volume/LUN. The license proposed should be for the complete
supported capacity of the system.
15.1 Point-in-time images - The system should support instant creation of clones
of active data, with near zero performance impact.
16 Management - Easy to use GUI based and web enabled administration
interface for configuration, storage management and performance analysis
tools
17 OS support - Support for industry-leading Operating System platforms
including: LINUX, Microsoft Windows, HP-UX, SUN Solaris, IBM-AIX,
VMware, etc. Any Multi-pathing software required for the solution must be
supplied for unlimited host connectivity
18 De-Duplication and Compression - Proposed storage should support block
level data de-duplication and compression for all kinds of data (structured &
unstructured); should support both NAS and SAN.
19 Warranty & SLA - The Hardware and software quoted should have 5 years
support along with upgrade and updates.
Information Rights Management – Optional Procurement
1 The solution should be capable to provide security of documents on desktop,
laptops and fileservers
2 The solution should be capable to provide security of documents in emails.
Lotus iNotes either through client or clientless
3 The solution should have the capability to restrict access/use of files by users,
groups & devices
4 The solution should have the capability to revoke access to the
documents/files to users at any time even after delivery
5 The solution should have the capability to protect documents and emails text
during storage, transmission and while it is being used
6 The solution should be capable to enable external users to access protected
documents, including agentless access (i.e. no installation of agent required to
view and edit the MS Office files even without the native application)
7 The solution should allow the user to view the documents after initial
authentication and authorization without using passwords after successful first
authentication
8 The solution should be capable to provide a mechanism to manage external
users separately from the internal users via a different user repository
9 The solution should be capable to share protected documents with external
users by applying pre-created IRM template
10 The solution should support dominant MS Office formats and Open Office
formats
11 The solution should support older versions of MS Office e.g. 2010 especially
when sharing with external user
12 The solution should support most commonly used file formats like PDF, text
and text based formats, and dominant image formats
13 The solution should have the capability to protect any file format being used
by NIC
14 The solution should support all dominant versions of Windows, Linux & Mac
operating systems, dominant browser technologies, native app support for
mobile devices like Android and iOS
15 The solution should support dominant databases like Microsoft SQL and
Oracle, MySQL
16 The solution should support virtualized environments for deployment of
server components as well as for creating and accessing protected
documents/emails
17 The solution should have the capability to provide integration with existing
user management systems e.g. Active Directory and have built-in identity
management capabilities. Such integration should only be part of on premise
configuration only
18 The solution should support automatic deletion/disabling of internal/external
users based on changes in Identity Sources
19 The solution should support integration with Single Sign On systems, external
authentication systems (like Google etc.)
20 The solution should support highly granular rights: viewing, editing, printing,
copying, forwarding, screen capture prevention (even when file opens in
native application), time based expiry, and restrict access on mobile devices
21 The solution should be capable to allow copying of content from a protected
document to a protected document only and not to an unprotected document.
It should ensure that copied data does not lose the associated rights to that
information.
22 The solution should have the capability to lock access to a particular
machine/s, and ability to restrict access based on the location (IP address) i.e.
ability to restrict access of protected content inside NIC's premise only.
23 The solution should have the capability to allow document creators to assign
different rights for each user or group in the same window
24 The solution should have the capability to provide off-line use of protected
documents; can also control the period for which the user can have offline use
25 The solution should have the capability to allow enforced watermarked
viewing of protected files
26 The solution should be capable enough to enforce protection even when the
file formats are changed (e.g. word file saved as pdf)
27 The solution should allow display of a dynamic watermark based on the
classification applied in the file
28 The solution should be such that there is no single point of unprotecting the
documents other than the document owner
29 The solution should be capable to retain rights regardless of where files are
stored, transmitted, used and archived. The rights and policies on the
document must apply irrespective of how the document is shared i.e. copied
to USB, FTP, shared via G-drive, Dropbox etc. and should be independent of
the collaboration platforms
30 The assigned rights should be dynamic; one can grant and withdraw the rights
for a specific user or group for the protected document at any time without the
need to recall or resend the document
31 The system administrator should be able to define and control which users are
allowed to define policies and can monitor these policies for compliance to
NIC's security standards. Admin/Owner of the document should also be able
to transfer document ownership
32 The solution should be capable to provide web-based activity searching and
reporting of user activities and admin activities
33 The solution should be capable to assign specific roles that can monitor the
usage of all documents within the defined hierarchy
34 The audit trail should capture the person who has used the document, what
has been done (un/authorized), the time, and the location. Activities can be
exported to be consumed by other monitoring systems.
36 Basic access to protected information (for view and edit) must be available on
desktops without any client installation or any required application software
like Word for MS office files
37 The desktop client/agent should be easy to install and should provide for
offline access to protected documents
38 If a user forwards a protected file to other users, there must be a system driven
workflow (and not just an email) for other users to ask for permissions/rights
from the owner of the file
39 The solution must be easy to use and must support existing enterprise
applications
40 The solution should support automation of protection including prompting
users to protect content
41 The Solution should be capable to transfer access related policy changes to
affected documents in short span of time.
42 The solution should have reusable rights templates to remove requirement of
repeated rights setting by end users. It must also provide control over which
user has access to custom and predefined templates
43 The solution should provide search-and-browse capabilities for documents,
activities, and rights templates for end users and administrators
44 The solution must not require a change in user behavior.
For example, the desktop file protection must happen at the endpoint and not by
uploading the file to a central location, and an external user must receive an email
attachment that is protected and not a link, etc.
45 The solution should provide a framework for integration with Network File
server and provide generic APIs for custom application integration
46 The solution should have readymade connector for integration with multiple
storage devices (e.g. Neap, SanDisk, Hitachi etc.)
47 The solution should provide connectors for integration with Data Loss
Prevention (DLP) systems to apply protection based on file classification and
/ or specific keywords identified within the document. NIC currently has
McAfee DLP and the solution should have integration with the same
48 The solution should be capable to allow for automated folder-based protection
for NIC's central file server. Folders are mapped to user’s machines as local
drive e.g. G:\. All files existing and newly dropped in this folder must be
automatically protected with predefined policies. The user's view must not be
replaced with some custom or application specific view
49 The Solution should have integration with Microsoft AD for user
authentication / rights management. It should also support withdrawal of
access rights if employee / onsite vendor staff left the organization / transfers.
51 The solution should be capable to support delegation of duties and
administrative functions for efficient management
52 The solution should support installation of desktop client via standard
desktop/infrastructure management tools like RADIA-CAE, Desktop Central
etc.
53 The solution should provide basic in-app troubleshooting capabilities that can
be easily run by end users themselves
54 The solution should have minimal to no dependency on other proprietary
hardware/software on the desktop or server
55 The solution should not cause conflicts with other security systems like anti-
virus, anti-malware systems
56 The solution should support segregation of duties (defining end users, system
administrators, policy administrators)
57 The solution should have capability to create and apply custom FRM (File
Right Management) Rules at organization level, department level, Group level
or user level as per requirements.
58 The solution should have the capability to keep keys and content separate at
all times
59 The solution should establish communication within the system as well as
with external systems over secured communication protocols like https
60 The solution should be capable to provide two-factor authentication or
integrate with third party authentication mechanism
61 The solution should not require additional licenses for recipients of documents
within or outside of the enterprise
62 The solution should be capable to provide security of information irrespective
of vendor's computing environment (Storage, Network Connectivity). This
will be a fully offline environment
63 The solution should have the provision to lock the information to a specific
device on first access
69.8 Minimum Technical Specifications and Compliance of RFP for Mobile Threat Protection
Mobile Threat Protection: < Bidder to mention Product Name>
Columns: Sl.No.; Technical Specification; Compliance (Yes/No); Reference Document name, page number, with highlighted paragraph
1 Solution must have Proactive defense against zero-day malicious repackaged
apps
2 Solution must have Incremental app analysis based on signature,
static/dynamic analysis, behavior, structure, permissions, source and more
3 Solution must have a Real-time response and protection against various known,
unknown and targeted malware attacks
4 Solution should include an effective shield against malicious Wi-Fi networks
5 Must have Detection, blocking and remediation of malicious iOS profiles
6 Should have Active Honeypot technology to identify Man-in-the-Middle, SSL
downgrading and content manipulation attacks without violating privacy
7 Should have capability to Monitor devices for unpatched known vulnerabilities
8 Should educate users and notify security staff
9 Should help in Uncovering zero-day vulnerabilities in apps and operating
systems while informing vendors
10 Should detect unknown and known vulnerabilities such as Stagefright and
Accessibility Clickjacking
11 The MTP solution should integrate with existing AirWatch MDM solutions
12 The solution must have a capability to Remote wipe in case a device is lost or
compromised
13 The solution must have a capability to Passcode lock to protect corporate
information
14 The solution must have a capability to generate comprehensive reporting on
devices, users and groups
15 Should have Deep static and dynamic analysis that includes behavior analysis based
on machine learning
16 Should Constantly monitor and evaluate severity of open vulnerabilities
17 Solution should feed Intelligence to other enterprise systems (i.e. EMM,
SIEM)
18 Should have Catalog characteristics of both good and bad apps and networks
19 Should Evaluate OS versions and device types to determine upgradability
20 Should help identify zero-day detection of repackaged apps and other malware
types
21 Solution should be Easy to deploy, adopt, maintain and update
22 Should have Zero impact on productivity
23 Should have Real-time protection from certain suspicious apps and networks
24 Should automate corporate asset protection when under attack
69.9 Minimum Technical Specifications for User Training (Optional Procurement)
User Training: < Bidder to mention Product Name>
Columns: Sl.No.; Technical Specifications; Compliance (Yes/No); Reference Document name, page number, with highlighted paragraph
1 The training should be a web-based platform\virtual learning environment (VLE)
hosted by the bidder/OEM
2 The bidder must provide licenses for up to 12,000 users
3 The bidder/OEM must have at least one experience in providing security
awareness training in BFSI in India. Please provide names and examples of one
or more for whom security training has been provided
4 The solution must be available 24x7x365 days with 99.7% availability.
5 If provided as a VLE, it must allow bulk uploading of users and addition of single
users
6 VLE login page must use strong encryption (AES 256 or stronger)
7 VLE should integrate with NIC Active Directory and users should be able to
login with domain credentials
8 Security awareness training must require that users interact with the training
session, meaning user either answers questions during/throughout a session or
completes a quiz/assessment at the end of the training session
9 Security awareness training must provide users with a certificate of completion
upon successful conclusion of the training
10 VLE should allow multiple users to complete the training simultaneously
without degradation of service
11 VLE should be compatible with Windows and Mac platforms and Internet
Explorer, Safari, Firefox and Chrome browsers without the need for installation
of browser add-ons.
12 The solution must allow users to take training multiple times
13 The solution must notify users via e-mail that they have an outstanding
obligation to complete a lesson.
14 Security awareness training should be innovative, engaging and highly
interactive requiring the user to click on items, mouse over items, play a game
or answer questions during the training
15 Security awareness training content should be innovative, engaging and highly
interactive and updated at least annually
16 Security Training should have the ability to be taken all at once or staggered
into smaller parts and offered throughout the year
17 Security awareness training topics should be short (each topic under 20 minutes
in length).
18 Security awareness training content may include but is not limited to the
following topics
Security essentials
Security Beyond office
Safer Web Browsing
Mobile Apps
Securing your Email Series
URL Training
Social Engineering\Phishing
Safe Social Networking
Physical Security
Data Storage and Destruction
Mobile Device Security
USB Device Safety
Protecting Against Ransomware
Email Security
19 Security Awareness training should be able to initiate phishing simulation and
thereby assign phishing related training and awareness to employees of NIC.
20 Phishing tests should show results for each participant (Fail = Clicked on the
link in the email, Pass = Did not click on link in the email)
21 Phishing test results should show
21.1 Recipient’s Name and email address
21.2 Date email was sent
21.3 Whether recipient clicked on the link
22 Remedial phishing training is provided to users that fail a phishing test
23 Security awareness training status reports should be easily exported (pdf, csv,
xls)
24 Executive level summary reports should be provided
25 Security awareness training status reports should show total
enrollment\completion and enrollment\completion by organization
26 Security awareness training reports should include:
26.1 Name
26.2 Email Address
26.3 Date training was assigned
26.4 Date training was completed
26.5 Modules completed
69.10 Minimum Technical Specifications and Compliance of RFP for Anti-Phishing (Optional
Procurement)
69.11 Minimum Technical Specifications and Compliance of RFP for DNS Security (Optional
Procurement)
DNS Security: < Bidder to mention Product Name>
Columns: Sl.No.; Technical Specification; Compliance (Yes/No); Reference Document name, page number, with highlighted paragraph
1 The proposed solution must be based mandatorily on recursive DNS analysis
and should support 18000 systems from day one
2 The solution must have a minimal impact with the existing DNS infrastructure
3 The threat intelligence must be consumed from the OEM facilities that serve
the recursive DNS requests.
4 The solution must offer several deployment options: either via an internal
virtual forwarder, or pointing the forwarder of the existing authoritative DNS
to the recursive service, or pointing the DNS configured on the Internal Proxy
to the recursive service, without any additional physical hardware.
5 The recursive DNS security must be:
Easily deployable, simply changing the forwarders to the OEM recursive DNS.
Delivered directly from the OEM’s global network.
Easy to manage and operate
6 The solution must be applicable simultaneously to corporate users connecting
from wired and wireless networks, with the possibility to define different
policies based on different public IPs, and or internal networks, or Active
Directory attributes (in case an internal virtual forwarder is necessary).
7 Security Requirements
8 The solution must be able to detect and block advanced malware regardless of
the specific ports or protocols used by the malware.
9 The solution must be able to detect and block malware using protocols different
from HTTP/HTTPS.
10 The solution must be able to detect and block advanced malware used for both
opportunistic attacks and attacks targeted at this specific
organization.
11 The solution must be able to protect at least from the following categories of
malware: botnets, exploit kits, drive-by, and phishing.
12 The solution must be able to detect and block suspicious DNS requests
returning RFC1918 compliant IP addresses not allowed to be routed on the
Internet, or directed to Dynamic DNS services.
13 The solution must be able to prevent infections, blocking the DNS requests
towards malware distribution domains or drive-by domains, and contain the
pre-existing infections, blocking the DNS requests towards command and
control infrastructures.
14 The solution must leverage predictive intelligence and not use static signatures
or blacklists
15 The predictive intelligence must be created via the DNS traffic analysis on a
global scale, via a network of at least 20 distributed datacenters hosting the
resolvers.
16 The analysis algorithms must enforce predictive detectors able to identify in
real time where attacks are staged and consequently predict and prevent the
next move of attackers.
17 In order to allow the malware detection on a global scale, the network utilized
to build the threat intelligence must process at least 80 billion DNS
requests/day coming from at least 60 million daily users.
18 The solution must have a proven efficacy, being able to block at least 80 million
daily DNS requests.
19 The analysis algorithms must make use of multi-layer predictive detectors. As a
mere example, these include (but are not limited to):
Analysis of DNS co-occurrences,
Analysis of Domains based on Natural Language Processing algorithms.
Detection of DGA via perplexity and entropy.
Detection of DNS traffic peaks
Soundwave analysis applied to DNS traffic
BGP anomalies detection.
20 Solutions using blacklists are not admitted.
21 The threat intelligence must be automatically updated in less than 15 minutes
after the discovery of a new threat without any manual update operations.
22 The solution should support transparent intelligent proxy configurable inside
each security policy and able to analyze both HTTP and HTTPS traffic.
23 Supported transparent proxy capability must be enforced without any explicit
mechanism such as a proxy PAC file or an adapter inside the network device.
24 The solution should support the ability to enforce Web filtering policies, based on
62 categories. It must be possible to enforce the Web filtering policy
independently from the security policy.
25 The supported web filtering and security policies should allow the
creation of global exceptions for several domains, via custom whitelists or
blacklists.
26 For each domain detected as malicious, the solution must allow to visualize the
IOCs and the features of this domain inside a dedicated investigation
dashboard.
27 The investigation dashboard must also allow the manual submission of
domains, IPs, email addresses, ASNs and hashes.
28 For each malicious domain, the investigation dashboard must show, if
available, the hash of the associated malware samples directly from the report,
without connecting to external services.
29 The solution must have ability to calculate risk score of apps which is compiled
from 3 elements i.e. Business, Usage, and Vendor Compliance.
30 The solution must have the ability to showcase App Details; it should allow
checking information including its risk score, type, category, users that have used
it and detection date
31 The solution must have ability to show Workflow management via labeling of
un-reviewed and recently discovered apps to facilitate healthy cloud adoption.
32 The solution must have ability to block over 200 apps and automatically enable
app settings and policy configuration.
33 The solution must have the ability to show DNS Requests by App Risk and assign
a risk score to apps, based on a number of factors. The DNS requests made by
a high-risk app should be considered more problematic than the same number
of requests made by an app with a lower risk score.
34 The solution shall provide the capability for the administrator to classify public
SaaS applications as Corporate Sanctioned official ones or personal instances
and block them if need be
35 The solution must have Chromebook client support to provide DNS-layer
protection for Chromebook users whether they are connected to your networks
or remotely, no matter which Chromebook device they use
36 The solution must have ability to Protect against phishing threats automatically
leveraging global network data and predictive intelligence to discover internet
infrastructure used to host phishing sites.
37 The solution must have the ability to Enforce policies to block inappropriate
content
38 Management & Integration Requirements
39 The management interface must be web-based. It must allow to create
different user profiles with different level of permissions. As an example the
roles must include:
Administrator
Reporting User
Read-Only Users
40 The policy editor must allow the creation of security policies based on identities
such as networks, users, and computers.
41 The policy editor must have a test function to verify the identities matching a
security policy prior to its deployment in production.
42 It must be possible to customize the blocking page for each policy entry. The
customization must include the ability to define a custom message, insert a
custom logo, or an administrator email address.
43 The policy editor must allow to define a different blocking page for each
identity and category of events (for instance a blocking page for security-
related events, a blocking page for web filtering blocks, etc.)
44 The policy editor must allow the blocked connection to be forwarded to an
internal URL.
45 The policy editor must allow to create users, on a local database, with the ability
to bypass the blocking page.
46 The policy editor must allow to create special codes that allow to bypass the
block pages for the users who have them.
47 The events related to all the DNS queries analyzed must appear in real time,
with the ability to configure filters based on identity, destination, source IP,
response type and date.
48 The events related to the DNS queries associated to security events must appear
in real time, with the ability to configure filters based on identity, destination,
source IP and date.
49 All the filters must be applicable defining a custom time (filter by date).
50 The dashboard must allow to reclassify a domain related to a security event,
directly from the event record, via a link allowing to open a ticket towards the
security OEM research team.
51 The management platform must have advanced reporting capabilities to
identify cloud services or Shadow IT devices, in order to determine which
services are used inside the organization by traditional or embedded devices
and eventually detect anomalies in their usage.
52 The management platform must allow to generate the following reports:
Total requests
Activity volume
Top Domains
Top Categories
Top Identities.
53 All the reports must be exported in csv format or scheduled to be sent via
email.
54 All the activities made by administrators must be logged inside an Admin Audit
Log Report.
55 The solution must include a set of enforcement RESTful API able to import
domains from external sources and enforce them globally for the organization
via DNS.
56 The connector must use the EDNS0 protocol (RFC6891).
57 The solution must be able to extend the protection off the network through the
installation of a lightweight roaming agent on the Windows and OSX devices.
58 The roaming agent must be able to apply an additional level of enforcement
based on the analysis of the connections trying to connect directly to an IP
without generating any DNS queries (IP Layer Enforcement).
59 It must be possible to selectively enable the IP Layer Enforcement inside each
security policy.
60 The network used to deliver the DNS security service must use Anycast.
61 The network used to deliver the DNS security service must have experienced
an uptime of at least 99.9% over the last 10 years.
62 The management interface must support 2 Factor Authentication mechanisms
for the administrators, such as, for instance text messages or Google
Authenticator.
63 As an additional authentication mechanism for the administrators, the
management interface must support the SAML integration with a SSO
provider.
69.12 Sizing
Solution: Sizing
SIEM:
- High availability at DC
- Collectors at DC, DR & HO in HA
- EPS - 10000 scalable to 20000
- 3 months online storage
- 9 months offline storage
- UEBA - This should be integrated with SIEM. 14000 users, additional prices for 10,000 slabs each
- SOAR - This tool may be a part of SIEM or a separate tool, integrated with SIEM. 30 Analysts.
- Packet Forensics - Standalone at DC, DR & HO. This tool may be a part of SIEM or a separate tool but should be integrated with SIEM to provide single view of alerts
  1 Gbps throughput at DC & DR
  500 Mbps at HO
  Storage 15 day raw logs, 30 days Meta
  This tool may be a part of SIEM or a separate tool, integrated with SIEM.
- Deception - Standalone in DC & DR. 10 Vlans. This tool may be a part of SIEM or a separate tool but should be integrated with SIEM to provide single view of alerts
DAM: Standalone in DC, Existing license 25 instance. Augmenting existing license with addition 25 new license
Data Classification: Standalone in DC. Discovery module for 100 TB, 14000 users
IRM: Standalone in DC for 14000 users
Vulnerability Management Solution: Total Devices – 1000 IP Addresses
MDM: Standalone in DC, 6500 Mobile devices
MTP: Standalone in DC, 6500 Mobile devices
User Training: 12000 users for 1 year.
Central Storage solution: 100 TB usable storage with RAID
Penetration Testing: Two /24 IP Pools at DMZ
Sl. No. | Minimum Manpower Requirements | Compliance (Yes/No) | Remarks
A Monitoring team
1 Level 1 resources: with minimum 3 plus years’ experience in enterprise
information security environment. Having good understanding of
fundamentals of TCP/IP, DNS, Networking (Routing/Switching),
Operating Systems (Windows/Linux), Enterprise Anti-Virus. CCNA
certification is mandatory.
2 Two consoles 24x7
- Night Shift to be carried out from Data Centre
- Bidder to Quote for Two (2) Seats at the Data Centre and 1 seat
at DR in the Commercial Bid.
- Minimum 6 +1 Resources to be provided
- Additionally require Minimum 1 resource at DR
3 Trained on SIEM solution
B Security Management Team
1 Minimum Level 3 resources: with minimum 6 plus years’ experience in
enterprise core Information Security environment.
Experience on Information Security technologies viz. 2FA, AV, IPS, Mail
Gateways, Proxy, DLP, Stateful and Stateless Firewalls, NAC, Packet
Analyzer, SIEM with product certifications. Deep knowledge and hands-
on experience on Core Routers and Core and Server Farm Switches, Load
Balancers at DC/DR is mandatory.
2 Minimum 6 People in the Major Shift only
- Out of which One will do Switch Management
- And One will be doing SIEM Management
3 Amongst these, One resource will be L4/L5 who will act as Technical
Team Lead
C Tools Management Team
1 Minimum Level 2 resources
2 Minimum 6 People in Major shift only
3 Experience: 4 years in Tools/services proposed in this RFP
D Compliance Management Resource – Minimum Level 3 Resource
E All the manpower should be on direct payroll of the Bidder and the
salary should be commensurate with best industry standards applicable
for experienced Information Security professionals.
F The Bidder shall be responsible for compliance of all laws, rules,
regulations and ordinances applicable in respect of its manpower
(including but not limited to Minimum Wages Act, Provident Fund laws,
Workmen Compensation Act etc.). The Bidder shall establish and maintain
all proper records including but not limited to accounting records required
by any law, code, practice or corporate policy applicable to their line of
activity from time to time, including records and returns as applicable
under labor legislations. The Bidder shall indemnify NIC against any
claims made by any statutory authorities regarding the non-compliance of
any of the related laws from time to time.
G The Bidder shall obtain license from the Competent Authority (Central)
for hiring on engagement of person or persons for the specific purpose for
which the RFP is floated and shall pay minimum wages and other
allowances and benefits such as insurance, gratuity, provident fund,
pension, bonus etc. to the persons so hired as per the legislations in force
such as but not limited to Contract Labor (Regulation and Abolition) Act,
Minimum Wages Act, Payment of Wages Act and other legislations for
the time being in force. Minimum Salary per month for Monitoring Team, Tools
Management Team, Security Management Team personnel, Technical
Team Lead and Compliance Management Resource is Rupees
Thirty Thousand, Rupees Forty Five Thousand, Rupees Seventy
Thousand, Rupees Seventy Five Thousand and Rupees Fifty Thousand
respectively. YoY Increment at minimum 5%. Salary Sheets have to be
submitted to justify payment of minimum salary, prior to quarterly release
of arrears for manpower. Bidder is free to pay salary over and above
minimum.
H Major shift will mean timings from 09:00 Hrs to 20:00 Hrs.
Days will include all Working days of NIC from Monday to Friday and
also on Saturday. The Teams as specified in the table above will follow
NIC’s Holiday List.
I The Bidder should not replace resources without prior permission of
NIC. Also, the bidder should give at least one month prior notice to
NIC in case of resource replacement. It is the duty of the bidder that
the replacement provided should be equally or more qualified and
Experienced than the existing resource. Also, the existing resource
should provide the complete handover to the new resource.
Service Level: The SLA specifies the expected levels of service to be provided by the Bidder to NIC.
This expected level is also called the baseline. Any degradation in the performance of the solution and
services is subject to levying of penalties.
Payments to the Bidder are linked to the compliance with the SLA metrics. During the contract period, it
is envisaged that there could be changes to the SLAs, in terms of addition, alteration or deletion of
certain parameters, based on mutual consent of both the parties i.e. NIC and Bidder.
The Bidder shall monitor and maintain the stated service levels to provide quality service. The Bidder
is to use automated tools (limited to the SLA Management of this RFP) to provide the SLA Reports. The
proposed solutions are to be integrated with the tool. The Bidder is to provide access to NIC or its
designated personnel to the tools used for SLA monitoring.
Definitions:
1. “Availability” means the time for which the services and facilities are available for
conducting operations on the NIC system including application and associated infrastructure.
Availability is defined as (%) = ((Operation Hours – Downtime) / (Operation Hours)) * 100%
2. The business hours are 24*7 on any calendar day the NIC is
operational.
3. All the infrastructure of Data Center, Disaster Recovery site, HO will be supported on
24x7 basis.
4. The “Operation Hours” for a given time frame are calculated after deducting the
planned downtime from “Operation Hours”. The Operation Hours will be taken on 24x7
basis, for the purpose of meeting the Service Level requirements i.e. availability and
performance measurements both.
5. “Downtime” is the actual duration for which the system was not able to service NIC
or the Clients of NIC, due to System or Infrastructure failure as defined by NIC and
agreed by the Bidder.
6. “Scheduled Maintenance Time” shall mean the time that the System is not in service due
to a scheduled activity as defined in this SLA. The scheduled maintenance time would not
be during business hours. Further, scheduled maintenance time is planned downtime with
the prior permission of NIC.
7. “Incident” refers to any event / abnormalities in the functioning of any of IT Equipment /
Services that may lead to disruption in normal operations of the Data Centre, System or
Application services.
8. Total Maintenance Cost refers to Sum of FM Manpower Cost and AMC, ATS & others
Cost for the entire contract duration.
Level Classification:
Level | Function/Technologies
Critical
i. Such class of errors will include problems, which prevent all users from
making Operational use of solution pan-NIC.
ii. Security Incidents affecting multiple locations
iii. No work-around or manual process available
iv. Financial impact on NIC
High Priority
i. Any incident which is not classified as “Critical” but which requires a
change to solve the problem and that change has not been implemented
in time and has pan-NIC impact
ii. Any problem due to which the infrastructure of the proposed solution is
not available to multiple NIC users or does not perform according to the
defined performance and query processing parameters required as per
the RFP or;
iii. Multiple Users/User Groups across various locations face severe
functional restrictions with the RFP solutions irrespective of the cause.
Medium Priority
i. Moderate functional restrictions related to problems in the implemented
solutions irrespective of the cause.
Low Priority
i. A service request raised for any new installation, creation, addition,
deletion, removal.
ii. Any incident which is not classified as “Critical/High/Medium Priority”
but hampers the productivity of user; a problem or Incident that causes
work delay of user.
S. No. | Service Area | Expected Service Level | Penalty
1 | Incident Response
Expected Service Level:
24x7 monitoring of all in-scope devices
Categorization of events into Critical, High, Medium and Low priority shall be carried out
in consultation with the NIC during the contracting phase.
Example for calculation of percentage of incidents:
10 Incidents are logged of which 8 are responded within the specified time and 2 have
been delayed. This means 8/10*100 = 80% have been responded within the specified
timelines and correspondingly the penalty will be applied based on the event/incident
categorization.
Penalty:
All Critical, High and Medium priority incident should be logged as incident tickets and
responded as per below SLAs:
Incident along with action plan/mitigation steps should be provided to designated NIC
personnel as per the below SLA:
- Critical incidents within 15 minutes of the incident identification. Update should be
provided every 15 minutes till the closure of the incident.
- High priority incidents within 30 minutes of the incidents identification. Update should
be provided every 1 hour till the closure of the incident
- Medium priority incidents within 60 minutes of the incidents identification. Update
should be provided every 4 hours till the closure of the incident.
Penalty:
Any violation in meeting the SLA requirements which leads to Critical incident, NIC shall
impose a penalty 10% of the Quarterly Maintenance Cost for each 30 minutes delay up to
2 hours, beyond 2 hours penalty would be 10% of the overall Quarterly Maintenance Cost
for each 20 minutes delay.
Any violation in meeting the SLA requirements which leads to High or Medium incident,
NIC shall impose a penalty of 5% of the Quarterly Maintenance Cost for each 45 minutes
delay up to 3 hours, beyond 3 hours penalty would be 10% of the overall Quarterly
Maintenance Cost for each 30 minutes delay.
3 | Report and Dashboard
Expected Service Level:
Periodic reports to be provided to NIC
Penalty:
Daily Reports: Critical reports should be submitted as and when required.
Timings will be mutually decided.
Penalty
Delay in reporting for daily report for more than 6 hour shall incur a penalty of
INR 2,500 for each default
Resource availability
Attendance for support personnel. (covers all the locations)
Minimum attendance level during any shift is 100% of agreed deployment.
No of shift below minimum attendance level
Penalty shall be INR 5,000 for every 2% default or part thereof below the agreed
threshold
Manual
Penalty:
NIC expects the Bidder to complete the scope of the project as mentioned in Section
- 69 scope of work of this document within the timeframe specified. Inability of the
Bidder either to provide the requirements as per the scope or to meet the timelines
as specified would be treated as breach of contract and would invoke the penalty
/LD clause.
Inability of the Bidder to provide services at the service levels defined would result
in breach of contract and would invoke the penalty clause.
Notwithstanding anything contained above, no such penalty will be chargeable on
the Bidder for the inability occasioned, if such inability is due to reasons entirely
attributable to the NIC.
Bidder needs to deploy the same resources or resources with equivalent/higher skill
sets as per the terms and conditions of the RFP. For Each Default, NIC may levy
the penalty of Rs. 1,00,000 quarterly till the Bidder deploys the required resources.
The Bidder is required to provide and implement the regular
updates/upgrades/patches released by the OEM within the timelines as mentioned.
NIC will levy the penalty of Rs. 20,000 per week or part thereof for not adhering to the
schedules.
If during the contract period, any equipment has a hardware failure on three or
more occasions in a quarter, it shall be replaced by equivalent or higher new
equipment by the bidder at no additional cost to NIC.
The right to levy the penalty is in addition to and without prejudice to other rights
/ remedies available to the NIC such as termination of contract, invoking
performance guarantee and recovery of amount paid etc.
The NIC reserves the right to recover the penalty from any payment to be
made under this contract.
The penalty would be deducted from the quarterly payouts and the cap on any
penalty due during the Warranty period will be adjusted against the payments
made for bills/invoices provided by the bidder. Quarterly penalty will be 20% of
the quarterly payout. For the purpose of this RFP, the total of penalties as per
SLA and the Liquidated damages will be subject to a maximum of 5% of the
overall contract value.
Also refer Section - 27, 28
Exception
NIC shall not hold the Successful Bidder responsible for a failure to meet any
Service Level if it is directly attributable to:
Execution of the disaster recovery plan/business continuity plan for an
NIC declared disaster situation;
Any established inability of other third party vendor or service
provider of NIC, to fulfill the requirements as per the contract.
Any established inability or delay from NIC to fulfill the requirements
as per the contract.
69.16 Intentionally Left Blank
69.17 Intentionally Left Blank
To,
Chief Manager - IT,
IT Department
National Insurance Company Ltd.
3 Middleton Street, 4th floor,
Kolkata - 700 071
Phone No: 2283-0795 Fax No: 2283-1740
Email: rs.raman@nic.co.in
Sir,
We hereby declare
1. We/our principals are equipped with adequate manpower / machinery / technology for
providing the Products and Services as per the parameters laid down in the Master
Document and ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, (Scope of
Work, as in Volume-II) and we are prepared for live/technical demonstration of our
capability and preparedness before the representatives of NIC. We/our principals are
also equipped with adequate maintenance and service facilities within India for
supporting the offered document.
2. We hereby offer to provide the Products and Services at the prices and rates mentioned
in the Commercial Bid at Section -73.1.
3. We do hereby undertake that, in the event of acceptance of our bid, the Products and
Services shall be provided as stipulated in the schedule to the RFP 01_Volume-II and
that we shall perform all the incidental services.
4. We enclose herewith the complete Technical Bid as required by you. This includes:
a. Technical Bid Letter Section - 70
b. Technical Bid Particulars Section- 70.1
c. Technical Compliance, in respect of components of the solution, Sections -
69.1 to 69.17
d. Unpriced Bill of Materials (BoM).
e. Statement of Deviation from RFP Terms and Conditions Section-72, if any
f. Details of the proposed solution, proposed methodology and timeline (in a
separate sheet)
g. A CD containing the soft copy of the Technical Bid in pdf and xls format
We agree to abide by our offer for a period of one year from the date fixed for opening
of the Commercial Bid and that we shall remain bound by a communication of
acceptance within that time.
We have carefully read and understood the terms and conditions of the Master
Document and ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 and the
conditions of the Contract applicable to the bid and we do hereby undertake to provide
services as per these terms and conditions. The deviations from the technical
specification(s) are only those mentioned in the deviations in Section-72.
We do hereby undertake, that, until a formal contract is prepared and executed, this bid,
together with your written acceptance thereof or placement of letter of intent awarding
the contract, shall constitute a binding contract between us.
6. Name and Address of the officer to whom all references shall be made regarding
the bid: …………………………………………………
Telephone: …………………………
Fax: …………………………
E-mail: …………………………
7. Name and Address of the Single Point of Contact for all communications
(including issue resolution and support):
………………………………………………
Telephone: …………………………
Fax: …………………………
E-mail: …………………………
Bidder:
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of: ……………………
(Name and Address of Company)
Company Seal:
Signature: …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:
Note: The Pre-Qualification Bid, Section - 71, to be submitted along with Financial
Information, Section -71.1, and Citations, Section - 71.2.
Proof of transfer of Bid Security (Earnest Money) for an amount equal to Rs. 50,00,000.00
(Rupees Fifty Lakhs Only) should be enclosed in the appropriate envelope.
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:
71.2 Annexure 5 (Vol-II) – Citations
Note:
1. The Citations should be given in the above format. A separate copy of this format should
be used for each citation and the Bidder is to provide citations in respect of all such
implementations.
2. Submit photocopies of client engagement letters or certificates on the client letterhead,
duly signed and stamped by the client’s authorized signatory.
To,
Chief Manager - IT,
IT Department
National Insurance Company Ltd.
3 Middleton Street, 4th floor,
Kolkata - 700 071
Phone No: 2283-0795 Fax No: 2283-1740
Email: rs.raman@nic.co.in
Dear Sir,
Following are the deviations and variations from the Terms and Conditions of the
Master Document and ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
These deviations and variations are exhaustive. Except these deviations and
variations, the entire implementation can be performed as per your specifications in
the ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:
73 Annexure 8 (Vol-II) – Commercial Bid Letter
Sir,
We hereby declare
1. We hereby offer to provide the Products and Services at the prices and rates mentioned
in the Commercial Bid at Section-73.1.
2. We do hereby undertake that, in the event of acceptance of our bid, the Products and
Services shall be provided as stipulated in the Master Document and NIC/IT/RFP/Enterprise
Info-Sec Solution/RFP/07/2019 and that we shall perform all the incidental services.
3. We enclose herewith the complete Commercial Bid as required by you. This includes:
a. Commercial Bid Letter Section-73
b. Commercial Bid Particulars Section- 73.2
c. Commercial Bid Section-73.1.
d. A CD containing the soft copy of the Commercial Bid in pdf and xls format
We agree to abide by our offer for a period of one year from the date of opening of the
Commercial Bid and that we shall remain bound by a communication of acceptance within that
time.
We have carefully read and understood the terms and conditions of the Master Document and
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 and the conditions of the Contract
applicable to the bid and we do hereby undertake to provide services as per these terms and
conditions.
We do hereby undertake, that, until a formal contract is prepared and executed, this bid,
together with your written acceptance thereof or placement of letter of intent awarding the
contract, shall constitute a binding contract between us.
Commercial Bid
A. Product Cost (Inclusive of 5 Years On-Site Comprehensive Warranty)
Sl. No. | Compulsory Items | Make and Model | Qty. | Unit Price | Amount | Tax (%) | ***ERV Clause (% of Product, which is imported)
1 | Security Incident and Event Management Tool (SIEM) in cluster with UEBA, SOAR & packet forensics in DC. (UEBA, SOAR, Correlation Engine, Analytics collector/receiver in DC). The DC, DR, HO to only have collector/receivers to collect remote logs and packet forensics.) – Price to be quoted separately for each module | 1
2 | Vulnerability Management Solution at DC 1000 IPs; no limitation of number of times IPs can be scanned | 1000
3 | Deception at DC & DR | 1
4 | Mobile Threat Protection | 6500
5 | Data classification tool – in DC | 14000
6 | Central Storage at DC | 100 TB
7 | 24 port 10G Switch C1-WSC3850-24XS-S - with Cisco Prime Infra License for Existing Prime NMS | 10
8 | Sub-Total (A)
B. Renewal
1 | McAfee Database Activity Monitoring Tool – in DC | 25 Renewal + 25 Upgrade
2 | McAfee Data Leak Prevention Tool – Host DLP licenses will be 15,000; Network DLP in DC, DR, HO Internet Gateways
2.1 | Buyback of existing DLP equipment’s as-is-where-is basis
3 | Cisco - Network Admission Control | 25000 Endpoint, 17000 users
4 | Forcepoint Web Security licenses renewal (6500) along-with refresh of hardware in at DC, DR and HO | 6500 licenses, 1+1+1 Hardware
4.1 | Buyback of existing Web Security equipment’s as-is-where-is basis | Quantity, Device Details | As per the details in scope
5 | AirWatch - Mobile Device Management licenses renewal (6500) along-with hardware refresh | 6500
6 | McAfee Endpoint Encryption | 2000
7 | Fortigate Firewall at HO, with IPS Blades and SSL inspection – NGFW throughput of 2 Gbps | 1+1 in HA
7.1 | Buyback of existing Firewall equipment’s as-is-where-is basis in case of end of support needs to replaced
8 | Fort-Analyzer at DR | 1 (Required for Cluster configuration)
9 | TrendMicro Enterprise Security Suite - IMSVA License and Scanmail for Domino License | 4500 licenses for 2 years
10 | SQL DB 2016 Standard edition | 2 + 1 (each with 22 Core)
11 | Citrix 10G/1G Dual Mode SR | 16+16
12 | Sub-Total (B)
C. Services
1 | Implementation Cost
2 | Two Seats at DC, Kolkata (24 x 7 one seat and 8x5 another seat) Operation for 5 years | 2
3 | One Seat at DR, Bangalore for 8x5 Operation for 5 years | 1
4 | IS Management - Monitoring Team | Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14
5 | IS Management - Security Management Team | Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14
6 | IS Management - Tools Management Team | Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14
7 | Compliance Management Resource | 1 Resource at HO | Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14
8 | Yearly PT through CERT-IN Auditor | Quote Price for contract period
9 | Sub-Total (C)
Sl. No. | Item Description (optional) | Make and Model | Qty. | Unit Price | Amount | Tax (%) | ***ERV Clause (% of Product, which is imported)
1 | Information Rights Management | 14000
2 | SIEM License for additional EPS in slabs of 10,000. In case additional hardware required to scale to 20,000 EPS mention the cost as separate line item | 10000
3 | Anti-Phishing solution Take down per year | 50
4 | Microsoft Service | 450 hours
5 | Data Recovery and Data Erasure Solution | 1000 instances each. For every additional erasure/recovery, unit price will be used.
6 | AirWatch – Mobile Device Management (additional slabs of licenses, for use when required) | 1000
7 | DNS Security | 4000
8 | UEBA – additional slabs | 10,000
9 | Cisco 40G SFP : QSFP-40G-SR-BD | 8 | 8
10 | Fortinet Transceiver | 12+12
11 | Cisco GLC - T (20+20) | 20+20
12 | User Training per year | 12,000
13 | SMI-52 MRO-TEK with v.35/E1 Interface and G.703 | 50 pair
14 | Sub-Total (D)
Note:
1. The Commercial Bid should be given in the above format. All the Tables should be
filled-in by the bidder.
2. All the prices of this document should flow correctly from the respective sheets.
3. The total cost (Grand Total Price (without Tax)) should flow from the respective
Amount’s (Total of A+B+C).
4. Bidder should strictly follow the format given in Table.
5. The above-mentioned quotations should be valid for minimum 1 (one) year from the
date of opening of Commercial Bid.
6. Above prices should include all transport, insurance, installation, etc. as applicable at
implementation sites.
7. NIC reserves the right to change the quantity of items quoted above at the time of
placing order. In such case the value of the order will be the cost of items finally opted
by NIC.
8. The Bidder is responsible for all the arithmetic computation & price flows. NIC is not
responsible for any errors.
9. Optional Price (Sub-Total – D) will not be part of L1 Calculation. However, L1 Bidder
has to match the lowest quoted price in Optional Item.
10. A separate table should be provided mentioning unit price (INR) and applicable tax
(mentioning individual HSN/SAC Code) in separate columns of all the
components/services that make up each of the components. The lowest price would be
decided on the basis of “Grand Total Price (without Tax) - TCO for Project Period”
11. The price quoted by the bidder shall be inclusive of all taxes, levies, duties and cess like
GST, CGST, and IGST etc., which will be paid as per the rate prescribed by
Government time to time.
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:
5. Name and Address of the officer to whom all references shall be made regarding
the bid: …………………………………………………
Telephone: …………………………
Fax: …………………………
E-mail: …………………………
6. Name and Address of the Single Point of Contact for all communications
(including issue resolution and support):
………………………………………………
Telephone: …………………………
Fax: …………………………
E-mail: …………………………
Bidder:
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:
74 Annexure – 11 (Vol-II) Format for Queries from Bidders – Bidders have to provide
their queries on scope of work, terms & conditions etc. in the below format in excel file only
(xls/xlsx). Bidders should provide a reference of the page number, state the clarification point
and the queries/suggestion/modification that they propose as shown below
A. E Tendering Pre-Requisite:
• P.C. connected with internet.
• Computer System with good configuration (Min PIV, 1 GB RAM,
Windows 7 or above)
• Microsoft Internet Explorer 6.0 or above
• Digital Certificate(s)
• Registration with Service provider portal www.tenderwizard.com/NICL
• The vendor should possess a Class III Digital Signature certificate (Mandatory).
• (Bids will not be recorded without Digital Signature Certificate.)
• In case of any clarification please contact ITI Ltd., before the schedule time of the
e-Procurement.
Contact Helpdesk:-
HELPDESK NO. 9073677150/151,152, E-mail: helplinetenderwizard@gmail.com
for more detail please click on ‘Contact Us’ link
a) For registration, Submission procedure and method of correspondence etc. Please visit
our website: www.tenderwizard.com/NICL and click on the link “User Manual
(Download)” on home page
In order to submit the Bid, the bidders have to get themselves registered
online on the e-Procurement portal of NICL with valid Digital Signature Certificate (DSC)
issued from any agency authorized by CCA and which can be traced up to the chain of
trust to the Root Certificate of CCA. The registration should be in the name of bidder,
whereas DSC holder may be either bidder himself or his duly authorized person.
The bidders will have to accept unconditionally the online user portal agreement which
contains the acceptance of all the Terms and Conditions of NIT including
Commercial and General Terms & Conditions and other conditions, if any, along
with on-line undertaking in support of the authenticity of the declarations regarding the
facts, figures, information and documents furnished by the Bidder on-line in order to
become an eligible bidder. No conditional bid shall be allowed/accepted.
The bidder will have to give an undertaking online that if the
information/declaration/scanned documents furnished in support of the same in respect
of eligibility criteria is found to be wrong or misleading at any stage, they will be
liable to punitive action.
The detailed method for participating in the e-procurement is available on the website
www.tenderwizard.com/NICL. The bidders have to log on to NICL’s tendering web site
and then click on the specified links to start participating in the e-tendering process.
Bidders are also free to communicate with the contact person of the service provider to get
all clarifications regarding the mode of the e-procurement process.
N.B. :
( I ) As such, bidders are requested to see the website once again before due date of
tender opening to ensure that they have not missed any corrigendum uploaded against
the said tender after downloading the tender document. The responsibility of
downloading the related corrigendum, if any, will be that of the bidders.
(II) No separate intimation in respect of corrigendum to this Notice Inviting Tender (NIT)
(if any) will be sent to bidders. Bidders are requested to follow the NIC website and the
e-tendering website.
e) The offer should be submitted (uploaded) as per the terms and conditions and
procedures laid down in the website of M/s ITI Ltd www.tenderwizard.com/NICL tender
document failing which the offer is liable for rejection.
Bidders should download the complete NIT including the Annexure and read carefully
before filling the details and uploading the documents.
f) The bidder must upload all the documents required as per the terms of NIT. Any other
document uploaded which is not required as per the terms of the NIT shall not be
considered.
The bidder shall authenticate the bid with his Digital Certificate for submitting the bid
electronically on e-Procurement platform and the bids not authenticated by digital
certificate of the bidder will not be accepted on the e-Procurement platform. All the
bidders who do not have Digital Certificate need to obtain Digital Certificate. Bidders
may contact Help Desk of ITI.
After submission of the bid online, the bidders are requested to submit the demand
drafts / Bank Guarantee towards tender fees and EMD in a separately sealed envelope
mentioning the RFP No. along with other documents in a separate envelope as
required, latest by the due date. All the bidders are requested to submit the hard copy
of complete bid documents (Pre-qualification, Technical & Commercial Bids) in
proper sealed condition as mentioned in the RFP. The Technical Bid & Commercial
Bid should be similar in both the cases. The Company calling for tenders shall not be
responsible for any claims / problems arising out of this.
a. The user should complete all the processes and steps required for bid submission.
Successful bid submission can be ascertained once acknowledgement is given by
the system through a bid submission number after completing all the processes and
steps. NIC and ITI will not be responsible for incomplete bid submission by users.
Users may also note that incomplete bids will not be saved by the system and will not
be available to the Tender Inviting Authority for processing.
a. Before uploading scanned documents, the bidders shall sign on all the statements,
documents, certificates uploaded by him, owning responsibility for correctness
/authenticity.
Neither NIC Ltd. nor the service provider (ITI) is responsible for any failure of submission
of bids due to failure of internet or other connectivity problems or reasons thereof. The
company reserves the right to accept or reject any or all offers. Bids of any Tenderer may
be rejected if a conflict of interest between the Tenderer and the company is detected at
any stage. Incomplete offers are liable to be summarily rejected.
Registration
2- Only one registration shall be retained after completion of this tender for future
bidding in NIC’s e-Tenders. The other registration(s) will be de-activated.
3- Annual registration fee of Rs. 3,000/- plus Taxes shall be payable by the bidder to
Tenderwizard.
4- Vendor has to pay the E-tender processing fee of Rs. 3000/- plus taxes for
participating (Download the Bid, Submission of bid) in each tender.
Offline Submissions:
The bidder is requested to submit the following documents offline to the under mentioned
address before the start of Public Online Tender Opening Event in a Sealed Envelope
without fail:
The envelope shall bear the RFP Number, Due Date and the wording “DO NOT OPEN
BEFORE ….-…-20_” and contain the following documents:
Note: The Bidder should also upload the scanned copies of all the above mentioned
original documents as Bid-Annexures during Online Bid-Submission.
F. Other Instructions
For further instructions, the vendor should visit the home page of the portal.
HELPDESK NO. 9073677150/151,152, E-mail: helplinetenderwizard@gmail.com
For more details, please click on the ‘Contact Us’ link.