
NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019

RFP for Enterprise Information Security Solution

Volumes I, II

NATIONAL INSURANCE COMPANY LIMITED

Registered and Head Office: 3, Middleton Street, Kolkata – 700 071


Phone No: 2283-1728 / 39 Fax No: 2283-1740

https://nationalinsurance.nic.co.in

This document is the property of National Insurance Company Limited. It may not be copied,
distributed or recorded on any medium, electronic or otherwise, without written permission
therefor. The use of the contents of this document, even by the authorized personnel / agencies for
any purpose other than the purpose specified herein, is strictly prohibited and shall amount to
copyright violation and thus, shall be punishable under the Indian Law.
Volume - I
Important Dates and Information
Bid Reference: Master Document with RFP Number: NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019
Date of Commencement of Bid: 21-Aug-2019 11.30 AM
Date and Time for request for clarification of Bids: 30-Aug-2019 up to 02:00 PM
Date and Time for Pre-Bid Meeting: 30-Aug-2019 up to 03:00 PM
Date and Time for publication of clarification, if required: On or before 09-Sep-2019 at www.nationalinsuranceindia.com and www.tenderwizard.com/NICL
Date and Time for Receipt of Bids: 24-Sep-2019 up to 03:00 PM
Time and Date of Opening of PART-I (Bid Security) i.r.o. Bids for Volume-II: 24-Sep-2019 at 04:00 PM
Time and Date of Opening of PART-II (Technical Bid) and Part-III (Commercial Bid) i.r.o. Bids for Volume-II: To be intimated later to Participating Bidders
Place of Opening of both PARTs of the Bids for Volume-II:
    IT Department
    National Insurance Company Ltd.
    3 Middleton Street, 4th floor, Kolkata - 700 071
    Phone No: 2283-0795 Fax No: 2283-1740
    Email: rs.raman@nic.co.in
Date till which the Bid is valid i.r.o. Bids for Volume-II: 1 (one) year from the date of opening of the Commercial Bids
Address for all Communication, including request for clarification, if required:
    Dy. General Manager - IT,
    IT Department
    National Insurance Company Ltd.
    3 Middleton Street, 4th floor, Kolkata - 700 071
    Phone No: 2283-0795 Fax No: 2283-1740
    Email: rs.raman@nic.co.in
    CC: abhijit.bhattacharya@nic.co.in, utkarsh2.gupta@nic.co.in
Bank Details of NIC Head Office
Name as per Bank Account : National Insurance Company Limited
Bank Account Number : 417953111
Type of Account : Current Account
Name of the Bank : Indian Bank
Name of the Branch : Russell Street, Kolkata – 900071
MICR Number of the Branch : 900019018
IFSC No. of the Branch : IDIB000R024

1 Volume – I: Overview
1.1 About National Insurance Company Ltd.

National Insurance Company Limited (hereinafter referred to as NIC), with its registered office
in Kolkata, is one of the leading public sector insurance companies of India. It was incorporated in
1906 and nationalized in 1972, before operating as a Government of India undertaking from 2002.
National Insurance Company Ltd (NIC) is one of the leading public sector insurance companies
of India, carrying out non-life insurance business. Headquartered in Kolkata, NIC's network of
about 1000 offices, manned by more than 16,000 skilled personnel, is spread over the length and
breadth of the country covering remote rural areas, townships and metropolitan cities. NIC's
foreign operations are carried out from its branch offices in Nepal.

NIC transacts general insurance business of Fire, Marine and Miscellaneous insurance.
Befittingly, the product range of more than 200 policies offered by NIC caters to the diverse
insurance requirements of its 14 million policyholders. Innovative and customized policies ensure
that even specialized insurance requirements are fully taken care of.

1.2 Background

In order to cater to the newer dimensions of insurance and matching customer expectations, NIC
took up transformation of its business processes using IT as the key enabler for its day to day
operations. NIC completed the re-design of its core business processes and is in the process of
implementation of the “Enterprise Architecture Solution for Insurance” (hereinafter referred to as
EASI).

EASI is a centralized application suite consisting of more than 20 applications. Contrary to the
earlier application, which was decentralized, EASI requires uninterrupted connection to the
centralized servers hosted at NIC’s Data Centre (DC), Disaster Recovery Site (DR) and Near Site
(NR).

Currently the complete IT Infrastructure is co-located in a Tier III+ Data Centre and DR Site,
located in geographically distinct seismic zones.

1.3 Objectives of the RFP

NIC through this RFP therefore invites bids from reputed System Integrators to refresh the
existing security technologies and add new security solutions to enhance the information security
posture and SOC of NIC. The Scope includes procurement, installation, implementation,
integration, maintenance and support of the solutions with all the relevant applications and
infrastructure during the contract period of five years.

1.4 RFP Documents

As such, this Master Document has been segregated into two volumes. Whereas Volume II
contains specific details for preparation of Bid in respect of the RFP for Enterprise Information
Security Solution, Volume I contains general details, terms, conditions, Format of Contract etc.
concerning the RFP, which are required for preparation of the Bid.

The RFP is governed by the general details, Terms, Conditions, Format of Contract etc. as laid
down in the Master Document.

Volumes and Sections of this Master Document:


A. Volume I
1. the Overview
2. General Terms and Conditions (GT&C) for the RFP
B. Volume II - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019
1. the Instruction to Bidders for ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019
2. the Scope of Work
3. the Roles and Responsibilities
4. the Annexures

1.5 GT&C – Instructions to Bidders:


A Intending Bidders who satisfy the eligibility criteria laid down under the Volumes II of this
document can bid for the RFP as in the mentioned Volume. Intending Bidders may also
download this document from the company’s website https://nationalinsurance.nic.co.in or
the E-Tendering portal (www.Tenderwizard.com/NICL) between dates (refer – Section
Important Dates and Information) and the Bidder has to submit a non-refundable RFP
Document Fee of Rs. 25,000/- only (Rupees Twenty Five Thousand only) to National
Insurance Company Limited payable through NEFT/RTGS only prior to Pre-Bid Meeting
Date.

Non-furnishing of RFP Document Fee/s, till the time of submission of the bid will disqualify
the bidder.

A copy of proof of payment of non-refundable RFP Fee has to be emailed to the following
ids: rs.raman@nic.co.in, CC: abhijit.bhattacharya@nic.co.in
B Intending Bidders who wish to participate in the Pre-Bid Meeting shall submit the proof of
payment of non-refundable RFP Document Fee of Rs. 25,000/- only (Rupees Twenty Five
Thousand only) to National Insurance Company Limited payable through NEFT/RTGS only,
prior to the Pre-Bid Meeting Date. Only authorized representative of Bidder is allowed to
participate in the pre-Bid meeting. Documentary proof of payment of the RFP Document Fee
by intending bidders by mail/hard copy, is a pre-requirement for participation in the Meeting.
C The Bidder should be agreeable to hold the price and configuration for a period of at least one
year from the date of opening of Commercial Bid in respect of his bid under the RFP, and in
case there occurs any change in the specifications on account of the Solution offered/ordered
for being phased out from the market, should be able to supply solution and systems of higher
configuration at the same prices agreed to, in respect of the bid under the RFP as in Volume-
II.
D The Bidder can submit only one bid offering only one combination of solution and products
in respect of the RFP. If any Bidder quotes multiple offers under each item, his bid will be
summarily rejected.
E Intending Bidders are required to quote for all the items quoted for in respect of the Volume.
Failure to quote for any one or more items or not mentioning the prices of each item separately
in the Commercial Bid will disqualify the Bidder.
F Each Bid under RFP must be accompanied with an Earnest Money Deposit (EMD) of value
of Rs. 50,00,000.00 (Rupees Fifty Lakhs Only) by way of BG/DD/NEFT/RTGS in favour of
National Insurance Company Limited, refer NIC Bank details mentioned above. Non-
furnishing of EMD will disqualify the bidder.

The EMD would be returned without any interest to the unsuccessful Bidders on receipt of
written application, within 90 days of award of Purchase Order to the Successful Bidder.

The EMD will be refunded/returned to the successful Bidder on production of a performance
guarantee.

The EMD will be forfeited if the successful Bidder refuses to accept purchase order or having
accepted purchase order fails to carry out his obligations set out in the terms under the final
Contract. Additionally, such bidder will be blacklisted and barred from participating in any
future RFPs’ of NIC.

No interest on EMD will be paid to either Successful or Unsuccessful Bidder.


G The company reserves the right to accept / reject any / all offers without assigning any reason
whatsoever. The decision of the Company in selecting the bidder would be final and
conclusive.
H The consultants of NIC or their sister concerns will not be permitted to participate in these
bid/s.
I RFP Document/s is/are not Transferable.
J The RFP will be in three Parts, viz., Pre-Qualification, Technical and Commercial bid and in
online format.

Bidders have to submit their Bid online, on or before the last date and time mentioned
in RFP.

Details of the procedure to be followed for online, is available in Annexure-12 (Volume-II).
Bidders have to abide by the same.
K NIC shall evaluate Pre-qualification Bid first and shortlist the bidders who qualify for further
evaluation.

The Technical Bid shall be evaluated only for those responses that have qualified in the Pre-
Qualification Bid.

Commercial bids of only those bidders who qualify in the Technical Bid shall be opened at a
later date. NIC will notify the date and time of opening of the Commercial bids to the
technically qualified bidders.
NIC reserves the right to change or relax the eligibility criteria to ensure inclusivity. No further
discussion/ interface will be granted to bidders whose bids have been disqualified.

The evaluation by NIC will be undertaken by a committee and its decision is final.
L The Pre-qualification Bid of the Bidder should be submitted online. Along with the online
submission, the following should be submitted in separate sealed cover super-scribed
“Original”.

A CD containing soft copy of the Pre-qualification bid and Pre-Qualification Bid and
supporting documents in hard copy should be enclosed in one cover and sealed. This cover
should be super-scribed with the wording “DO NOT OPEN BEFORE ____” and “Pre-
Qualification bid for NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019”.

Supporting documents have to be indexed and page numbers, paragraph numbers
referenced with the prescribed format of the PQ Bid.

The Bidder should put the proof of transfer of EMD of requisite value in the appropriate
envelope for “Original” Pre-Qualification Bid for NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019.

Prices must not be indicated in the Pre-Qualification Bid.

Only one representative of the bidder can be present for the opening of the Pre-Qualification
Bid. If the representative of the bidder is not present at the venue on the scheduled date and
time, NIC will proceed with opening of the Bid.
M The Technical Bid of the Bidder should be submitted online. Along with the online
submission, the following should be submitted in separate sealed cover super-scribed
“Original”.

A CD containing soft copy of the Technical bid and Technical Bid and supporting
documents in hard copy should be enclosed in one cover and sealed. This cover should be
super-scribed with the wording “DO NOT OPEN BEFORE __________” and “Technical bid
for NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019”.

The Technical Bid must be submitted in an organized and structured manner.

Supporting documents have to be indexed and page numbers, paragraph numbers
referenced with the prescribed format of the Technical Bid. Unpriced BoQ to be
provided.

It is mandatory to submit the technical details in the prescribed formats duly filled in. NIC,
at its discretion, may not evaluate a Technical Bid in case of non-submission or partial
submission of technical details.

The corrections or alterations, if any, should be authenticated. In case the
corrections/alterations are not properly authenticated, the offer will be rejected.
Technical details must be completely filled up containing correct technical information of the
product being offered. Filling up of the forms using terms such as “OK”, “accepted”, “noted”,
“as given in brochure/manual” are not acceptable to NIC. Offers not adhering to these
guidelines may not be accepted by NIC.

No brochures/leaflets etc. should be submitted in loose form.

Prices must not be indicated in the Technical Bid.

Only one representative of the bidder can be present for the opening of the Technical Bid on
the specified date and time. If the representative of the bidder is not present at the venue on
the scheduled date and time, NIC will proceed with opening of the Bid.

Technically qualified bids will be taken up for further processing and the Commercial Bids
of qualified bidders will be opened in the presence of the technically qualified bidders’
representative on separate date and time which will be notified separately. If the representative
of the bidder is not present at the venue on the scheduled date and time, NIC will proceed
with opening of the Bid.
N The Commercial Bid of the Bidder should be submitted online. Along with the online
submission, the following should be submitted in separate sealed cover super-scribed
“Original”.

A CD containing soft copy of the Commercial bid and Commercial Bid in hard copy should
be enclosed in one cover and sealed. This cover should be super-scribed with the wording
“DO NOT OPEN BEFORE __________” and “Commercial bid for NIC/IT/RFP/Enterprise
Info-Sec Solution/RFP/07/2019”.

The price quoted should be in Indian rupees only. The prices offered shall be on a fixed price
basis and should not be linked to the Foreign exchange.

Prices are to be indicated only in the prescribed format in Commercial Bid. No information
should be kept blank and no options should be quoted. Offer should be in strict
conformity with the prescribed format.

In case of deviation, the bid is liable to be disqualified.


O All the covers namely Pre-Qualification Bid, Technical Bids and Commercial Bids
prepared as above are to be put in a single sealed cover super scribed with the wordings
“RFP No: NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019”, Due Date and the
wordings “DO NOT OPEN BEFORE __________”.
P All the covers thus prepared should also indicate clearly the name and address of the Bidder.
Contents of each of the innermost envelopes must be bound properly.
Q The Bidder shall bear all costs associated with the preparation and submission of its bid, and
the Purchaser will in no case be responsible or liable for those costs, regardless of the conduct
or outcome of the Bidding process
R Address for all communication is given in Table, Important Dates and Information. In
case of deviation, the bid is liable to be disqualified.
2 GT&C - Common Definitions for the RFP: In this Master Document the following terms shall
be interpreted as indicated below:
A ‘NIC’ means National Insurance Company Limited.
B The ‘Purchaser’ means National Insurance Company Limited.
C The term “this document” means this “Master Document”, containing Volume-I (Overview
and GT&C), Volume-II (RFP No: NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019), and Annexures, if any.

“RFPs’” means this Request for Proposal (“RFP No: NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019”) which is a detailed notification seeking a set of service (s),
product(s), materials and/or any combination of them in respect of Volume-II and as governed
by the GT&C (Volume-I) of the Master Document and respective Volume.

The term Volume-II or (RFP No: NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019) or ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 are
interchangeable.
D The term ‘Contract’ or ‘Agreement’ are interchangeable and means the respective Contract
or Agreement to be signed by the Successful Bidder and NIC in respect of RFP
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 and as recorded in the Contract
Form signed by the Purchaser and the Supplier, including all attachments and Annexure
thereto and all documents incorporated by reference therein. The contract also covers the
General Terms and Conditions and other points mentioned in this document including the
accepted deviations (if any).

Specimen of the Contract has been given in Volume-I.


E The terms ‘Service Provider/System Integrator/Authorised Channel
Partner/Partner/Supplier/Contractor/System Integrator/SI’ are interchangeable and means the
person or the firm or the company with whom the order for the Supply, Migrate, Installation,
Configuration, Commissioning, Integration, Demonstration, Management, Maintenance,
Monitoring of Enterprise Information Security Solution (where applicable) is placed in respect
of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, and shall be deemed to include
the Partner’s successors, representatives (approved by the Purchaser), heirs, executors,
administrators and permitted assigns, as the case may be unless excluded by the terms of the
contract.
F The term ‘Bidder’ means ‘Service Provider/System Integrator/Authorised Channel Partner
/Partner/Supplier/ System Integrator/SI’ and is interchangeable.
The term ‘Supplier’ also includes Original Equipment Manufacturer (OEM) wherever
applicable.
At the time of issuance of Purchase Order and signing of Contract in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, the successful Bidder may be
termed as ‘Supplier’ or ‘Vendor’.
The Bidder who has signed the bid in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 should clearly indicate the capacity in which he / she has signed
the bid and the company or firm shall be bound by his / her signature.
G The “Authorized Representative” shall mean any person/agency authorized by either of the
parties.
H The ‘Bid Price/Contract Price/Contract Value’ means the ‘Grand Total Price (without Tax)’
payable to the successful Bidder/Supplier/Authorized Partner net of discount (if any),
liquidated damages (if any) under the contract in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 and these presents for the full and proper performance of the
contractual obligations of the Supplier/Authorized Partner
I The ‘Contract Value’ means the real cost in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 including all related Services, Software, Hardware and other
accessories (as applicable) to be supplied and installed for successful Supply, Migrate,
Installation, Configuration, Commissioning, Integration, Demonstration, Management,
Maintenance, Monitoring of Enterprise Information Security Solution (where applicable) by
Supplier and acceptance by NIC
J “Rates/Prices” means prices of supply of items quoted by the Bidder in the Commercial Bid
submitted by him in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 and/or mentioned in the Contract
K “LOI” means issuing of Letter of Intent which shall constitute the intention of the Purchaser
to place the purchase order with the successful bidder in respect of ENTERPRISE INFO-
SEC SOLUTION/RFP/07/2019.
L The ‘Order’ means the Purchase Order issued in favour of the Supplier in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
M The term ‘Goods/Solution/Items’ are interchangeable and means all the deliverables
complying with technical requirements specified in this document and as applicable under
Scope of Work in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, which
the Supplier is required to Supply, Migrate, Installation, Configuration, Commissioning,
Integration, Demonstration, Management, Maintenance, Monitoring of Enterprise
Information Security Solution (where applicable) of the Supplier under the order/contract in
respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.

The term ‘Solution’ shall also include ‘Service’ such as successful Supply, Migrate,
Installation, Configuration, Commissioning, Integration, Demonstration, Management,
Maintenance, Monitoring of Enterprise Information Security Solution (where applicable) and
such obligations of the Supplier covered under the order/contract including services ancillary
to the supply of the Goods, such as transportation and insurance, and any other incidental
services, and are complying with requirements specified in this document, within defined
timelines and as per defined matrices, and as applicable under Scope of Work in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
N ‘Integration’ means seamless combination of existing infrastructure without any gap as
applicable under Scope of Work and Minimum Technical Specifications in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
O “Site” shall mean the location(s) for which the Contract has been issued in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 and where the service shall be
provided as per Contract/Agreement. Site shall where applicable also mean, the area (s) or
space (s) (including any full cabinets, Cage (Server Room)s, suites, rooms) contracted by NIC
as per terms of the RFP
P The term “DC” or “DR” means specific Caged area/quadrant protected by multi-tier physical
and logical security against physical hazards, co-located in a hosting facility of Service
Provider exclusively used by NIC, for running its Information Technology operations. The
term “DC” or “DR” shall also mean the term “Site” or “Colocation Space” and “Additional
Facilities”, where applicable. The term “NR” means the NR Site hosted in a location by NIC,
for the purpose of data replication and business continuity. The term “HO” means the Head
Office of NIC.
Q The term “Equipment” means all equipment or wiring (including cabling), or other tangible
items at that time installed, stored or located in the Colocation Space or “Additional
Facilities” including DC, DR, NR, HO by or on behalf of NIC. The term shall also include
any equipment or wiring provisioned by the Supplier at any of the locations as mentioned for
the purpose of successful Supply, Migrate, Installation, Configuration, Commissioning,
Integration, Demonstration, Management, Maintenance, and Monitoring of Enterprise
Information Security Solution.
R “Documentary evidence” means any matter expressed or described upon any substance by
means of letters, figures or marks intended to be used for the recording of that matter and
produced before a court.
S NIC reserves the right to extend the last date/time for submission of bids or modify / relax
the conditions stipulated in this document through email and/or website information update.
3 GT&C - Price Schedule:
A All quotes are to conform to the format as per Price Schedule also referred as Commercial
Bid in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
B All Inclusive Price of the Solution in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 will comprise of all Services, Hardware and accessories,
software, OS, other licenses, Comprehensive Warranty as applicable, for project period
as per terms of the RFP. It should take into account price/charges as specified in the
Commercial Bid, in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
C The ‘Grand Total Price (without Tax)’ as specified in Price Schedule or Commercial Bid
in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 must take into
consideration all the components required in respect of Volume-II.
D Any other taxes / levies such as Octroi / entry tax etc., payable at the place of delivery
will be reimbursed on actual basis (wherever applicable at the place of delivery) subject
to production of original document / receipt issued by appropriate authority. In case any
waybill or road permit is to be obtained, the Supplier shall make necessary arrangements
for obtaining the same.
E The Supplier is required to submit their bids after carefully examining the
documents/conditions in respect of either or all the Volumes. The Supplier must obtain
for himself on his own responsibility and at his own expenses all the information
necessary to enable him to prepare and submit a proper quotation.
F It will be the responsibility of the Supplier to take care of all formalities, if any, necessary
as per orders of any government/non-government authority in force at the point of time
of delivery.
G The Selection of Supplier would be through the process as laid down in Section - 5
H The detailed breakup of price quotes is to be furnished along with the Price Schedule by
the Bidder in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
I The Supplier shall agree to maintain the price and configuration of all the components
supplied in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 under
this document for one (1) year from the date of opening of the Commercial Bid.
However, should there be a fall in the prices between the date of submission of bid and
the date of delivery of the Solution ordered for in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019, on account of revision in prices in Services, Hardware /
Software and any other components or on account of revision in duties and taxes or for
any other reason whatsoever, the benefit shall be passed on to NIC.
J Repeat order of any of the components of the Solution in respect of ENTERPRISE
INFO-SEC SOLUTION/RFP/07/2019, may be placed with the Supplier throughout the
term of project period of 5 years.

4 GT&C – Bidder to Note:


A The Bidder/Supplier would maintain appropriate and adequate stand-by equipment and
spares for maintenance of the items during the entire project period wherever applicable
in respect of the RFP.
B Arithmetical errors may be rectified on the following basis:

a. If there is a discrepancy between the unit price and total price, whichever is
lower will be taken into account at the time of commercial bid evaluation.
b. If there is discrepancy between words and figures, the lower-most figure will
prevail.

c. Where only total price has been provided, NIC will derive unit price based on
division of the total price by the number of units.

d. If tax amount does not corroborate with the tax percentage mentioned in the
price Bid, the tax percentage prevails and amount shall be corrected up to two decimals.

If the Bidder does not accept this procedure, the bid may be rejected.

A bid determined not substantially responsive will be rejected by the purchaser and
cannot be made subsequently responsive.
C No consideration will be given to a bid in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 received after the date and time stipulated by ‘NIC’ and no
extension of time will normally be permitted for submission of bids.
D Overwriting without proper authentication is not permitted in filling up the bids and
may entail rejection of the bids. No price variation/adjustment or any other escalation
will be otherwise entertained, unless as per terms of Section - 7.
E The Bidder undertakes that in competing for the RFP and if the award is made to
the Bidder in executing the contract, the Bidder will strictly observe the laws
against fraud and corruption in force in India namely “Prevention of Corruption
Act 1988”.
F Canvassing in connection with bids is strictly prohibited and bids submitted by Bidders
who resort to canvassing are liable to be rejected.

Any effort by a Bidder to influence NIC in the bid evaluation, bid comparison or
contract award decisions may result in the rejection of the Bidder’s bid and
blacklisting from participation in future RFPs’.
G Bidder has to sign an Integrity Pact as provided in the RFP document, in original
and the same should be submitted along with Technical bid as per the format
provided in Section - 59
H NATIONAL INSURANCE CO. LTD. DOES NOT BIND ITSELF TO ACCEPT
ANY QUOTATION/BID AND RESERVES THE RIGHT TO ACCEPT/REJECT
ANY QUOTATION/BID WITHOUT ASSIGNING ANY REASONS THEREFOR.

5 GT&C – Selection of Supplier: Supplier will be selected by following the steps given as under:
A The RFP will be in three stages, viz., Pre-Qualification, Technical and Commercial bid.
NIC will evaluate the bidder based on their eligibility criteria as laid down in Pre-
Qualification
B The Bidders who qualify in the Pre-Qualification stage will be intimated of their
selection and their Technical bids shall be opened at a date and time to be specified
later.
C.1 The Technical bids submitted by the bidders will be evaluated. This process will consist
of:
C.2 Evaluation of the Technical Bid submitted along-with compliance to the Minimum
Technical Specifications mentioned for each of the products/solutions, as applicable in
Volumes-II. Wherever details have been asked for, specific responses should be
provided by the bidder.
C.3 Presentation by the bidders on their solution and understanding of the Project, if
required by NIC.
C.4 Demonstration of functionalities as per NIC’s requirements, if required by NIC.
C.5 Visit to bidders and/or Customer Locations, if required by NIC. Any cost associated
with the visit to bidder’s and/or Customer Locations by NIC Officials will be borne by
NIC.

However, in case the site is not ready and NIC Officials are required to make subsequent
visits, then the cost for the same is required to be borne by the bidder.
C.6 NIC will shortlist the bidder(s) based on technical evaluation as mentioned above. In
case, the bidders are not able to comply with all technical specifications,
functionalities during the technical evaluation, the proposal will not be considered by
NIC for commercial evaluation, ultimately disqualifying the bidder who doesn’t comply
with technical evaluation.

The Bidders who qualify in the Technical stage will be intimated of their selection and
their Financial bids shall be opened at a date and time to be specified later.
D Selection of Supplier who offers the lowest price and meets the commercial
qualification requirements from the technically qualified list.

The Commercial Bid will be evaluated based on the Cost proposed by the Bidder in the
Commercial Bid and the L1 Bidder shall automatically qualify for becoming Selected
Bidder and for award of contract by NIC.

NIC will notify the name of the Selected Bidder, through publication in company
website.
E Any/all Minimum Criteria specified in RFP needs to be fulfilled by the bidder to
proceed to the next stage of evaluation/selection.
F NIC reserves the right to accept/reject any deviation in the Technical and Commercial
Bids of any Bidder.

6 GT&C – Deadline for submission of Bids:

A Bids must be received by NIC at the specified address not later than the time and date
specified in the Section -Important Dates and Information. In the event of the
specified date for the submission of Bids being declared a holiday for NIC, the bids
will be received up to the appointed time on the next working day.
B NIC may, at its discretion, extend this dead-line for the submission of Bids, in which
case all rights and obligations of NIC and Bidders previously subject to the deadline
will thereafter be subject to the deadline as extended.
C Late Bids
Any bid received by NIC after the deadline for submission of bids prescribed by
NIC will be rejected and returned unopened to the Bidder.
7 GT&C – Modification of Bids:
A The Bidder may modify its bid after the bid’s submission, provided that written notice of
the modification including substitution of the Bids is received by NIC prior to the deadline
prescribed for submission of bids.
B The Bidder’s request for modification may be submitted by e-mail but followed by a
signed confirmation copy, postmarked no later than the deadline for submission of bids.
C No bid may be modified subsequent to the deadline for submission of Bids.

8 GT&C – Delivery Schedule:


Activity Schedule - Enterprise Information Security Solution. Also Refer Section - 27

Solution; Delivery (from PO Date); Installation & Integration (From PO Date)
Central Location and 70% of all location; Remaining 20%

SIEM including SOAR, Packet Forensics, Deception: 24 weeks
DAM: 8 weeks
Data Classification: 24 weeks
Information Rights Management (Since it is optional): 24 Weeks – from go-ahead
DNS Security (Since it is optional): 24 Weeks – from go-ahead
Anti-Phishing (Since it is optional): 8 weeks; 24 Weeks – from go-ahead
Vulnerability Management Solution: 12 weeks
MDM: 20 weeks; 18 weeks
MTP: 20 weeks; 18 weeks
DLP: 8 weeks
Central Storage: 16 weeks
NAC: 24 weeks; 18 weeks
Proxy: 12 weeks

Downtime provisioning will be done by NIC.

Also refer Scope of Work

Note 1: Installation is deemed to be complete viz. “Commissioned” when:

a) All the items (where applicable) as specified in the Purchase Order become fully
functional, after delivery, within the scheduled date of installation.
b) The Supplier shall be responsible for installing, configuring and testing of all the
items and all other accessory software where applicable.
d) In case of failure on the part of the Supplier to adhere to the time schedule, the
Liquidated Damages condition shall be invoked by ‘NIC’.
e) Delivery, installation and commissioning should be under the supervision and
guidance of ‘NIC’ officials.

An authorized official of ‘NIC’ should acknowledge commissioning of the items.

9 GT&C – Place of Delivery and Installation:


Place of Delivery and Installation – As per Scope of Work

10 GT&C - Delivery of documents: The Supplier shall furnish the following documents to ‘NIC’.
Original copies of:

A Invoice showing NIC’s purchase order reference, services/goods description, quantity,
unit price and total amount.
B Delivery Challans.
C Installation Certificates authenticated by ‘NIC’ officials
D Software licenses for utility/system software, where applicable
E Format of Warranty, where applicable
F Manuals, media (e.g. OEM Recovery CD etc.) and all relevant accessories, where
applicable

11 GT&C - Terms of Payment: Payment will be made by the Head Office (HO), pertaining to the
Solution delivered in respect of Volume-II.
A a) Performance Bank Guarantee (PBG) of 10% of ‘Contract Value’ should be
submitted by the successful Bidder, (as per format given in Volume-I within 15 working
days of issue of Purchase Order). PBG to be valid for the project period of five years.

Failure to submit the PBG within the mentioned period may result in the cancellation of
the Purchase Order and forfeiture of the EMD.

Once this PBG i.e. 10% of ‘Contract Value’, in the form of Bank Guarantee is received by
NIC, the EMD as Bid Security in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 will be returned to the successful Bidder.

NIC wants to avail Cenvat Credit. Hence, all necessary documents regarding the same are
required to be submitted to NIC by the Supplier.
B Payment in full shall be released by HO against submission of the following:

b) A PBG of 10% of ‘Contract Value’ in the form of BG valid for the project period
of five years.
c) Successful Delivery, Installation and Commissioning of the Solution in respect of
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 at each of the locations within the
scheduled installation period.
d) Receipt of Installation Certificate duly signed and stamped by the Supplier as well
as by ‘NIC’ officials.
e) In case where installation is put on hold because of NIC requirements (which might
include delay due to site not being ready or inability to provide downtime), the items may
be tested by NIC in conjunction with the Service Provider. However, Supplier is responsible
for final installation, commissioning as specified by NIC at a future date at no additional
cost.
C No advance payment will be made by ‘NIC’.
D An Agreement/Contract between NIC, and the Supplier (as per format given in Volume-
I) shall be executed within 15 working days of issuance of Purchase Order.

Submission of Contract in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 is a pre-requisite to be complied with, prior to release of
payment.
E All bids are to be submitted in Indian Rupees. NIC will make all payments in Indian
Rupees Only.
F All payments to the Supplier will be made by NIC through NEFT/RTGS Only.

12 GT&C - Payment will be made in the following Manner:


A Payment in respect of procurement in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 will be as follows:
B Activities: Payment Terms
B.1 Manpower: Quarterly in arrears
C Enterprise Information Security Solution:
100% Cost of all Software licenses on Delivery
70% Cost of all Hardware, inbuilt (software) and all other accessories, on Delivery.
25 % Cost, associated (software, licenses) and all other accessories on
Installation, Configuration, and Commissioning of Hardware after
completion of 70%, refer Section - 8. Implementation charges will be
released along with release of this payment.
Remaining 5% Cost will be released on completion of 30%, refer Section - 8
Payment will be released on completion of individual solution
implementation.
Also Refer, Section - 14, 15, 17
D Also refer, Section -73.1

13 GT&C - Documents to be produced for the release of payment:


The successful Supplier’s request for payment in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019, should be made to ‘NIC’ HO IT Department in writing accompanied
by the following documents in ORIGINAL:
a) Execution of Contract between NIC and Successful Supplier in respect of ENTERPRISE
INFO-SEC SOLUTION/RFP/07/2019, which will remain valid for the project period of
five years.
b) A PBG of 10% of ‘Contract Value’ in the form of BG valid for the project period.
c) Letter from OEM where applicable in their Letter Head confirming that the Supplier has
purchased On-Site Comprehensive Warranty from them and has extended the same to NIC.
d) Letter from Supplier where applicable in letter head mentioning all the information
related to OEM’s Part Code for the entire warranty period for the entire product procured.
e) Delivery Challans
f) Installation Certificates, counter-signed by NIC Official
g) Invoice pertaining to the Solution delivered in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019.
h) Proof of Payment of Taxes / Octroi / Levies, if any.
i) Software licenses for Utility / System Software and / or any other licenses, where
applicable.
j) Supply of Manuals, media, etc. with accessories where applicable.

14 GT&C - Availability of Service / Product:


A The items should be available during the validity of the for the project period of five years.
B Solution details should be enclosed in technical documents.
C Spares and OEM support for the product offered should be available for at least 5 years
from date of Delivery. OEM’s declaration to the effect to be produced by Supplier
before release of 70% payment.
D However, in case the product/configuration/solution offered is discontinued (within the
project period), and the product/configuration is suffering some malfunction (by which it is
not able to provide the full features/functions being sought as per Technical Specification),
the Supplier should provide free-of-cost replacement with new model with better
configuration.

15 GT&C – Warranty:
A The Supplier should also guarantee that the Goods (equipment and its accessories) supplied
are new, unused and conform to technical specifications of design, materials and
workmanship as mentioned in the bid offer. The Supplier should also guarantee that the
Goods should perform satisfactorily (i.e. provide the full features/functions) as per
requirements mentioned in the Technical Specification of the RFP. The devices, solution
quoted in this RFP, should not be declared end-of-support within 5 years by OEM.
Also refer Minimum Technical Specifications and Commercial Bid.
B The Supplier should also guarantee that all the software, including Operating System,
firmware etc. and as applicable, supplied by the Supplier is licensed and legally obtained.
C The warranty for all practical purposes in respect of devices would mean On-Site
Comprehensive Warranty free of charge, shall start and remain valid for 5 years, unless
otherwise specified, after the goods have been delivered, installed, commissioned and
accepted. Such On-Site Comprehensive Warranty shall also include free of cost
transportation and replacement of malfunctioning parts of the
product/configuration/solution. Comprehensive On-Site Warranty for 5 years as
applicable, includes but not limited to OS upgrade, 24 x 7 x 365 access, registered access to
OEM portal.
D If any particular product/configuration/solution is suffering some malfunction (by which it
is not able to provide the full features/functions being sought as per Technical Specification
in such subsequent procurement/s for more than twice in a year, NIC may ask the Supplier
to replace the product/configuration/solution and the Supplier shall replace the same with
another brand new item of same/higher configuration at no extra cost to NIC.
E Warranty should not become void if NIC buys any other supplementary hardware from a
third party and installs it with this equipment. However, the warranty will not apply to such
hardware items installed.
F In case of replacement of devices covered under Warranty, where the product
(software/hardware as applicable) has been declared vide end-of-support notification, they
should be replaced with product with next higher specification
G In case of repeat order within the ambit of item quoted in the RFP, where the product has
been declared vide end-of-sale notification, should be replaced with product with next
higher specification
H Bidders have to quote product with five years warranty, which need to be back-lined
with respective OEM. Bidder needs to submit the direct OEM confirmation in this regard
confirming the same to NIC. 70 % payment will be released based on the above
confirmation only. Refer, Section - 62

16 GT&C - Guarantee: The guarantee shall cover the following, where applicable:
a) Quality, strength and performance of the materials and equipment supplied, where
applicable, for successful commissioning of the items.
b) Safe electrical and mechanical stresses, on all parts of such equipment under all
conditions of operation.
c) Prompt service during maintenance period for repairs and breakdown.

17 GT&C - Maintenance during Warranty Period:


A The On-Site Comprehensive Warranty, will be for a period of 5 years. OEM Part Code
details for Warranty, should be specified in the bid.
B The Supplier shall ensure Support services for the Solution under ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019, are as per details in the RFP.
C If Supplier fails in replacement of the defects within the defined time frame as mentioned
above, from the date of attending the call, then the Purchaser has the right to encash the
Performance Bank Guarantee without endangering any provisions of warranty written or
otherwise expressed and the concerned warranty will remain in full force.
D Also refer Scope of Work, Minimum Technical Specifications, Commercial Bid and
Annexures

18 GT&C - Copyright violations and Patent Rights:


A The Supplier shall indemnify ‘NIC’ in respect of all suits, action claims or damages arising
out of violation of any Patents or Copyrights, for any and all components of the Solution
supplied by the Supplier in respect of the ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019.
B The Supplier shall indemnify ‘NIC’ against all third party claims of infringement of patent,
trademark or industrial design rights arising from use of the goods and services, software
package or any other part thereof in India.

19 GT&C - Standards:
The Goods/Solution/Services (where applicable) supplied under contract shall conform to the
standards mentioned in the technical specifications and when no applicable standard is
mentioned, it will be mutually agreed between the Supplier and NIC.

20 GT&C - Satisfactory Performance:


The Supplier shall guarantee satisfactory performance as per the specifications in the Purchase
Order and further undertake to reimburse the Purchaser in respect of all payments made in
pursuance of this Purchase Order and such other cost as may be decided by mutual consent or
by arbitrator, if Supplier does not perform to committed standards thus materially affecting
performance of the systems.
21 GT&C - Manuals and Media:
The Supplier shall provide original driver CDs, software etc., manuals of the Hardware &
Software, where applicable at the time of delivery with every installation, if applicable, in
respect of items supplied under ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.

22 GT&C - Transportation and Insurance till delivery of the equipment:


The Supplier is required to deliver the items at various locations of ‘NIC’ across the country.
Transportation and insurance (on Inland Transit All Risk Class A plus SRCC) of goods, where
applicable, required for successful commissioning of the items shall be arranged and paid for
by the Supplier.

23 GT&C - Change of Purchase Order:


‘NIC’ may at any time, by written order to the Supplier through a change control procedure as
agreed mutually make changes within the general scope of the Purchase Order. NIC will be free
to either reduce or increase the quantity/configuration/specifications of the items to be
purchased/change place of delivery or installation, on the same terms and conditions. NIC also
reserves the right to place repeat orders for up to 25% quantity on any item, subject to Section-33,
within 24 months of the date of the Purchase Order.

24 GT&C - Performance Security:


A Performance Bank Guarantee (PBG) of 10% of ‘Contract Value’ in respect of ENTERPRISE
INFO-SEC SOLUTION/RFP/07/2019 in the form of BG valid for the project period of
five years from the scheduled last date of installation should be submitted by the successful
Bidder in favour of ‘NIC’ along with the signed Contract (as per format given in Volume-I)
within 15 working days of issue of Purchase Order to Head Office of ‘NIC’.

Failure to submit the PBG within the period may result in the cancellation of the Purchase
Order and forfeiture of the EMD.
B In case of violation of any of the conditions during the Contract Period in respect of the
Contract under ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, the Performance
Bank Guarantee as aforesaid may be invoked by ‘NIC’.

25 GT&C - Cancellation Clause:


If the items are not delivered, installed, integrated within the scheduled time period as mentioned
in Purchase Order, National Insurance Company Limited reserves the right to invoke the PBG
furnished by the Supplier favoring ‘NIC’ and cancel the contract thereafter.

26 GT&C - Delays in the Supplier’s performance:


A Delivery of the items and performance of the services shall be made by the Supplier in
accordance with the time schedule mentioned in the Purchase Order.
B Any delay by the Supplier in the performance of its delivery obligations, other than the
delay which occurs due to reasons beyond the Supplier’s control, shall render the Supplier
liable for imposition of liquidated damages, and/or termination of the Contract for default,
besides encashment of the PBG.
C If at any time during the performance of the Contract, the Supplier should encounter the
conditions impeding the timely performance of the services, the Supplier shall promptly
notify the Purchaser in writing of the fact of the delay, its likely duration and its cause(s).
As soon as practicable after receipt of the Supplier’s notice, the Purchaser shall evaluate
the situation and may at its discretion extend the Supplier’s time for performance in which
case the extension shall be recorded by the parties.
D Any delay by the Supplier in the performance of its service obligations, other than the
delay which occurs due to reasons beyond the Supplier’s control, shall render the Supplier
liable for termination of the contracts for default. Any incidental taxes and levies on
account of delay in performance caused by Supplier shall be on the Supplier’s account.

27 GT&C - Liquidated Damages:

Sl.No.: 1
Service Level: For All The Solutions deployed in DC, DR, HO
Response Time: Within 1 hour
Resolution Time: Within 24 hours

Downtime Clause

• The downtime will be calculated post schedule restoration time which is mentioned in the
Table -1 to be the time when solution is up and running with all configuration and with
full functionality as mentioned in the respective Minimum Technical Specifications.

Penalty Clause

• Non-compliance of the SLA as per the Table No-1, Sl.No.1, penalty would be Rs.
10,000/- per day for each day or part thereof, for solution not functioning as per
specifications (all days of the week). The overall penalty cap would be 5% of the cost
of the Enterprise Information Security Solution. After the cap is reached, NIC may
cancel the contract.
• In case of the intermittent failures and repetitive problems (problems repeating three or
more times in a quarter) due to improper diagnostics and repair/replacement the system
would be treated as continuously down.
• En-cashing the Performance Bank Guarantee shall not endanger any provisions of
warranty/AMC written or otherwise expressed and the concerned warranty/AMC will
remain in full force. In case of the intermittent failures and repetitive problems (problems
repeating three or more times in a quarter) due to improper diagnostics and
repair/replacement the system would be treated as continuously down.
• Once this amount reaches 5% of the Contract Value, NIC may cancel the contract, and
en-cash the PBG. En-cashing the Performance Bank Guarantee shall not endanger any
provisions of warranty/AMC written or otherwise expressed and the concerned
warranty/AMC will remain in full force.
• The aggregate of all penalties and liquidated damages under this Contract shall not
exceed 5% of the Contract Price.
• Also Refer Section - 69.15, Service Level Agreement

Other Conditions:
A In case Services are not fully completed within stipulated period, Liquidated Damage
condition shall be invoked if such delay is not attributable to “Force Majeure”.
B If the Supplier fails to Deliver within scheduled period, ‘NIC’ shall deduct from the contract
price, as liquidated damages, a sum equivalent to 0.50% of the price of the delayed goods
for each week (7 days) or part thereof of delay until actual delivery, up to a maximum
deduction of 5% of the value of the delayed goods. Once such delay crosses the maximum
limit, ‘NIC’ may consider termination of the contract either full and/or, in part, and
annulment of order, either full and/or, in part.
C If the Supplier fails to Install, Integrate and Commission the solution (the solution running
live and with full functionality as per Technical Specifications in production environment)
within defined weeks (Section - 8) from issuance of Purchase Order, ‘NIC’ shall deduct
from the contract price, as liquidated damages, a sum equivalent to 0.50% of the price of
the solution to be installed, for each week (7 days) or part thereof of delay until actual
installation, integration and commissioning, up to a maximum deduction of 5% of the value
of the delayed solution. Once such delay crosses
the maximum limit, ‘NIC’ may consider termination of the contract either full and/or, in
part, and annulment of order, either full and/or, in part.
B In the case of delay in the rectification of the defects falling under warranty of the Supplier,
‘NIC’ is entitled to deduct liquidated damages as mentioned above, Section-27, Section-28.
C NIC reserves the right to extend the Time Period, where the delay is due to NIC
responsibility.

28 GT&C – Resort to Liquidated Damages:


In the event the Purchaser terminates the Contract in whole or in part, the Purchaser shall:
A Encash the PBG/not refund the performance security amount.
B Deduct Liquidated damages as specified in respective Clause/s
C May procure, upon such terms and in such manner as it deems appropriate, services similar
to those undelivered and/or not performed, and the Supplier shall be liable to the Purchaser,
for any excess costs in getting the balance work done up to a maximum of 5% of the
Contract Value, for such similar Services. However, the Bidder shall continue performance
of the Contract to the extent not terminated.

29 GT&C - Termination on Insolvency: The agreement can be terminated by giving written notice
to the Supplier, without compensation to them if:
A The Supplier becomes bankrupt or is otherwise declared insolvent;
B The Supplier being a company is wound up voluntarily or by the order of a court or a
receiver, or manager is appointed on behalf of the debenture holders or circumstances
occur entitling the court or debenture holders to appoint a receiver or a manager, provided
that such termination will not prejudice or affect any right of action or remedy accrued or
that might accrue thereafter to the Purchaser.
C Purchaser shall however pay the Supplier for all products and services provided up to the
effective date of termination.
30 GT&C – Termination for Defaults: The Purchaser may, without prejudice to any other remedy
for Breach of the Contract, by written notice of 90 days of default to the Bidder, terminate the
Contract in respect of Volume-II in whole or in part;
A If the Supplier fails to render services within the time period(s) specified in the Contract
or any extension period thereof granted by the Purchaser, or
B If the Supplier fails to perform any other obligations under the Contract
C All payments due to the Supplier till the effective date of termination shall be made by
NIC within 60 days of such written notice of termination, subject to applicable penalties,
Section-27, Section-28, Section - 69.15.

31 GT&C – Income/Corporate Taxes:


A The Supplier shall be liable to pay all the Corporate Taxes, and the Income Tax, that shall
be levied according to the laws and regulations applicable from time to time in India.
B Wherever the laws and regulations require deduction of such taxes at the source of
payments, the Purchaser shall effect such deductions from the payment due to the Supplier.
The remittance of amounts as deducted and issuance of Certificate for such deductions
shall be made by the Purchaser as per the regulations in force. Nothing in the Contract
shall relieve the Supplier from their responsibility to pay any tax that may be levied in
India on income and profits made by the Bidder in respect of the Contract.
C The relevant deduction certificate shall be provided to the Supplier within 90 days of
deduction at source.

32 GT&C - Taxes and Duties:


A Supplier will be entirely responsible for making the payments in respect of all taxes, stamp
duties, fees, etc. in connection with delivery of service at site/s including taxes and levies
to be charged in connection with incidental services etc. For procurement of way-bill,
necessary arrangement shall be made by bidder. Service Taxes will be payable as per rules
prevalent at the time of submission of bid response.
B However, only Octroi and Entry tax, if any, payable at the place of delivery will be
reimbursed by NIC subject to production of original receipt.

33 GT&C - ERV Clause:


Purchase of any additional component/item after one year from placement of first Purchase
Order, would be linked to the ERV Clause. The conversion rate of US Dollar to Indian Rupees
as on close of date of bid submission would be considered as the base rate. Any fluctuation (+
or -) 2% in the conversion rate as on the date of placement of additional purchase order, will
be taken into account and benefit thereof will be passed on to either Supplier or NIC. Any effect
of such fluctuation, on Taxes will also be considered.

34 GT&C - Contract with NIC:


The successful Bidder will have to enter into a contract with National Insurance Company Ltd.
within 15 working days of issue of Purchase Order in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019. The format of the Contract is attached in Volume-I. Failure to enter
into Contract may result in cancellation of the Purchase Order/s and forfeiture of EMD/PBG.

35 GT&C – Contract Amendment: No variation in the satisfaction of the terms of the Contract
shall be made except by the written amendment agreed and signed by the parties.
A If the Supplier fails to render services within the time period(s) specified in the Contract
or any extension period thereof granted by the Purchaser, or
B If the Supplier fails to perform any other obligations under the Contract

36 GT&C – Limitation of Liability:


Supplier’s aggregate liability for actual direct damages shall be limited to a maximum of the
Contract Value, provided that this limit shall not apply to (1) the infringement indemnity; or
(2) bodily injury (including death) and damage to real property and tangible personal property
caused by Supplier’s negligence. Supplier shall not in any event be liable for any indirect or
consequential damages, or for loss of profit, business, revenue, goodwill, anticipated savings
or data, or third party claims except with respect to bodily injury (including death) and damage
to real and tangible personal property for which Supplier is legally liable. For the purposes of
this Section, “Contract Value” at any given point in time, means the aggregate value of
purchase orders placed by NIC on the Bidder under this project.

37 GT&C - Governing Language:


The bid prepared by the Bidder and all correspondence and documents relating to the bids
exchanged by the Bidder and the Purchaser, shall be written in the English language, provided
that any printed literature furnished by the Bidder may be in any other language so long as the
same is accompanied by an English translation in which case, for purposes of interpretation of
the bid, the English translation shall govern.

38 GT&C - Applicable Law:


This Agreement shall be construed, interpreted and applied in accordance with and shall be
governed by the laws applicable in India including applicable export and import laws. The
courts at Kolkata shall have the exclusive jurisdiction to entertain any dispute or proceeding
arising out of or in relation to this Agreement.

39 GT&C - Notices:
Any notice by one party to the other pursuant to the Contract shall be sent in written format by
fax/email and confirmed in writing to the address specified for that purpose in the Contract.

40 GT&C – Indemnity:
A The Supplier shall, at its own expense, defend and indemnify NIC against all third party
claims for infringement of patent, trademark, design or copyright arising from use of
products or any part thereof supplied by Supplier. Supplier will provide infringement
remedies and indemnities for third party products, on a pass through basis. The Supplier
shall expeditiously extinguish any such claims and shall have full rights to defend it there
from. If NIC is required to pay compensation to a third party resulting from such
infringement, the Supplier shall be fully responsible to pay such compensation along with
all costs, damages and attorney’s fees and other expenses that a court may finally award,
in the event of the matter being adjudicated by a court or that be included in a Supplier
approved settlement. NIC will issue notice to the Supplier of any such claim without delay
and provide reasonable assistance to the Supplier in disposal of such claim, and shall at no
time admit to any liability for, or express any intent, to settle the claim. The Supplier shall
also reimburse all incidental costs, which NIC incurs in this regard. In the event of the
Supplier not fulfilling its obligations under this clause within the period specified in the
notice issued by NIC, NIC has the right to recover the amounts due to it under this provision
from any amount payable to the Supplier under this project. The indemnities under this
clause are in addition to and without prejudice to the indemnities given elsewhere in this
agreement.
B In the event of the Supplier not fulfilling its obligations under this clause within the period
specified in the notice issued by NIC, NIC has the right to recover the amounts due to it
under this provision from any amount payable to the Supplier under this project.
C The indemnities under this clause are in addition to and without prejudice to the
indemnities given elsewhere in this agreement.

41 GT&C - Right of Selection, Product, Service and Quantity:


NIC reserves the right to place Order for the entire, less or more quantity of the products and/or
services to be procured through the RFP. NIC also reserves the right to place order for only
selected products and/or services as specified in ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019.

42 GT&C - Assignment:
The Supplier shall not assign in whole or in part, the obligations to perform under the contract
in respect of ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, except with Purchaser’s
prior written consent.

43 GT&C - Sub-contractor:
The Supplier shall obtain prior consent of the Purchaser in writing of all Sub-Contracts
(if any) to be awarded under the Contract in respect of ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019. Such consent, shall not relieve the Supplier from any liability
or obligation under the Contract.

44 GT&C - Force Majeure:


A Notwithstanding the provisions contained herein the Supplier shall not be liable for
liquidated damages or termination for default, if and to the extent that its delay in
performance or other failure to perform its obligations under the Contract is the result of
an event of Force Majeure.
B For the purpose of this clause “Force Majeure” means an event beyond the control of the
Supplier and not involving the Supplier’s fault or negligence and not foreseeable. Such
events may include, but are not restricted to, acts of the purchaser, in the contractual
capacity, wars or revolution, fires, floods, epidemic, quarantine restrictions and freight
embargoes.
C If a Force Majeure situation arises, the Supplier shall promptly notify the Purchaser in
writing of such condition and the cause thereof. Unless otherwise directed by the Purchaser
in writing the Supplier shall continue to perform their obligations under the Contract as
far as reasonably practical, and shall adopt all reasonable alternative means for
performance not prevented by Force Majeure clause.

45 GT&C - Termination for Convenience:


A The Purchaser may by written notice of 180 days sent to the Supplier terminate the
Contract, in whole or in part, any time for its convenience. The notice of termination shall
specify that termination is for the Purchaser’s convenience, the extent to which
performance of work under the Contract is terminated and the date on which such
termination becomes effective.
B All payments due to the Supplier till the effective date of termination shall be made by
NIC within 60 days of such written notice for termination.

46 GT&C - Obligation:
The entire responsibility of the Supply, Migrate, Installation, Configuration, Commissioning,
Integration, Demonstration, Management, Maintenance, Monitoring of Enterprise Information
Security Solution (where applicable) and all related activities in respect of ENTERPRISE
INFO-SEC SOLUTION/RFP/07/2019 lies with the Supplier on whom the Purchase Order is
placed and with whom the Contract is signed. The Supplier would be responsible and bear the
additional cost (if any), incurred by the Purchaser on account of the above-mentioned
obligations.

47 GT&C – Compliance with Terms and Conditions:


The Bidder will comply with all the terms and conditions given in this Master Document and
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 subject to deviations and response
thereof.

48 GT&C – Acceptance of Terms:


The Bidder will, by responding to ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, be
deemed to have accepted the terms of the ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019 and the Master Document subject to the deviations and further
mutually agreed terms.

49 GT&C - No Legal Relationship:


No binding legal relationship will exist between any of the Bidders and NIC, until execution
of Contract.

50 GT&C – Personnel: Supplier shall, at all times, be solely responsible for the acts/omissions of
its employees, agents, and representatives, deputed by the Supplier to provide Services under this
Agreement and/or any Scope of Work (collectively referred to as “Personnel”). Supplier shall
ensure that Personnel who visit or are deputed at the office/location of NIC to provide the
Services:

i. are at all times at their best behavior and adhere to the policies and procedures
of NIC and the relevant authority;
ii. should at all times carry on his/her person, a valid identity card, which shall be
issued by the Supplier; and
iii. should conduct themselves in the most orderly manner, maintain perfect
discipline and shall not in any manner cause any interference, annoyance, nuisance,
obstruction or any difficulty to the Purchaser or its employees at the office/location of
NIC or elsewhere.
Supplier hereby agrees that in case NIC and/or any authority raise any objection to any
Personnel; then the Supplier shall immediately remove such Personnel from the
office/location of NIC, as the case may be, and replace such Personnel by other
Personnel suitable to NIC. Similarly, in case any Personnel is unavailable to perform
the Services, for any reason whatsoever, the Supplier shall forthwith or in any event
provide a replacement with the required qualifications within timelines mutually agreed
upon between the Parties, in writing, on a case to case basis. In both cases, the Supplier
shall ensure that NIC does not face any disruption or stoppage of work due to
unavailability of any replacement.
Supplier shall ensure that Personnel do not indulge in unlawful activities, including but
not limited to theft and/or any unauthorized use of any property or information or data
of NIC and/or any third party and shall not tamper with such information/data. In case
of any loss/damage caused to NIC, due to any unlawful activity of the Supplier and/or
its Personnel; then without prejudice to any rights and remedies available to NIC, under
this Agreement and/or any applicable law, the Supplier shall be liable to make good
such loss/damage to NIC.
Supplier shall, at all times, be solely liable and responsible for the safety of its Personnel
and NIC shall have no liability or responsibility towards the same.
Supplier agrees that Personnel shall be subject to and shall at all times conform to NIC’s
and the relevant authority’s requirements and policies, in order to protect the
office(s)/location(s), servers, equipment and/or the operating system of NIC. Any
violations and disregard to these requirements shall be a cause of denial of access to
such Personnel into NIC office/location, even for providing the Services. Supplier shall
ensure that its Personnel exercise due care and diligence to prevent any injury to person
or damage to the property while on NIC’s office/location and it shall be fully
responsible and liable to NIC for any damages caused by its Personnel. Supplier shall
ensure that the facilities, if any, provided by NIC for use by the Personnel are utilized
with an appropriate degree of care and attention.
Supplier shall, whenever NIC instructs so in writing, promptly, without demur or
protest, handover and return any material, documents and equipment that NIC may have
provided to it. NIC shall not be required to assign any reason for any such instructions.
In the event the said materials are found to be damaged, the Supplier shall make good
the loss so suffered by NIC due to the damage caused to the materials/equipment.
Supplier shall at all times carry and provide for adequate and sufficient insurance cover
against all legal liability for loss or damage to material property or bodily injury or
death to the Personnel arising out of or in consequence of performance of its obligations
under this Agreement and against all actions, claims, demands, costs and expenses in
relation thereto.
Supplier shall ensure that only those Personnel are deployed to provide Services who
have cleared the background checks, especially in case where such Personnel are
required to be deployed at the NIC premises /locations. Further, the Supplier hereby
expressly undertakes that the Supplier shall be solely liable, accountable and
responsible for:
I. making good any loss or damage that NIC may suffer on account of or in
relation with any act or omission of the Supplier and/or its Personnel; and/or
II. Any action/sanction/penalty imposed by any relevant authority on NIC for any reason
attributable to the Supplier and/or its Personnel.

51 GT&C – Compliance with NIC’s Information Security Policy/s:


Prior to Supplier deploying any of its Personnel or engaging any person to perform Services for
NIC; the Supplier shall, at a minimum, with respect to each such Personnel comply with NIC’s
Information security policy/s (ISP/s), as may be amended from time to time, to a reasonably
possible extent. Supplier hereby acknowledges that it has received a copy of the current ISP/s
simultaneously with the execution of this Agreement. Supplier shall not assign any Personnel
to perform the Services under this Agreement who does not comply with the provisions of the
ISP/s. NIC shall have the right to audit Supplier’s books and records/facilities / location / places
prepared or kept in connection with the Services at all reasonable times and places to ensure
compliance with the ISP/s, to the extent applicable.

52 GT&C - Risk Assessment:


The Supplier acknowledges and understands the value of information and agrees that NIC may
undertake a Risk Assessment to consider the value (either quantitative or qualitative) of
information and risks associated prior to providing the access to the Supplier. Security
requirements and controls identified from said risk assessment will form part of the agreement,
even if such requirements and controls are identified at a later date and time. NIC may conduct
an annual Risk Assessment of the Supplier either by internal auditors or its Risk Assessment
partner/consultant or, ask the Supplier to have the assessment done by a CERT-IN empaneled
auditor and submit the report of the assessment along-with controls as implemented to mitigate
the risks as identified, to NIC. NIC may cancel the contract with the Supplier in case the
controls as identified are not implemented, in time.

53 GT&C – Inspection and Audit by NIC (IRDAI Outsourcing Regulations 2017 Clause # 13):
The Supplier acknowledges and understands that NIC shall conduct periodic inspection or audit
on the Supplier either by internal auditors or by Chartered Accountant firms appointed by NIC
to examine the compliance of the outsourcing agreement while carrying out the activities
outsourced. The Supplier further represents and warrants that it is fully compliant with Clause
13 of IRDAI Outsourcing Regulations 2017. The outsourcing committee of NIC may decide
on the periodicity taking into account the risks associated with the activity outsourced.
Measures shall be taken to arrest the deficiencies noticed if any in the inspection or audit report.

54 GT&C - Inspection and Audit by IRDAI (IRDAI Outsourcing Regulations 2017 Clause #
18):

The Supplier acknowledges and understands that authorized representatives of the IRDAI have
the right to: -
i. Examine the books, records, information, systems and the internal control environment
in the Supplier (or sub-contractor as applicable), to the extent that they relate to the service
being performed for NIC and,
ii. Access any internal audit reports or external audit findings of the Supplier that concern
the service being performed for NIC.
Both the Supplier and NIC acknowledge and understand that wherefore in pursuance of the
contract and respective Scope of Work, the Supplier is provided access to policyholder records,
both the parties shall ensure that all original policyholder records continue to be maintained in
India.

55 GT&C – Risk Title:


The Risk, Title, Ownership of the products matching the Technical Specifications as in
Volume-II and delivered by the Supplier following issuance of Purchase Order, shall be
transferred to NIC upon delivery by Supplier, receipt by authorized official of NIC and
subsequent payment of all the amounts due to Supplier by NIC. Supplier should ensure that
such Receipt is signed, stamped and dated, at respective location of delivery.

56 GT&C - Confidentiality and Non-Disclosure:


Supplier and the Purchaser shall each, when acting in the capacity of a Receiving Party: (i)
keep confidential, all Confidential Information disclosed by the Disclosing Party, during the
Term of this Agreement and for a 10 year period following the termination of this Agreement;
(ii) use the Confidential Information disclosed by the Disclosing Party solely in connection
with performing its obligations or exercising its rights and not otherwise for its own benefit or
the benefit of any third party; and (iii) not disclose the Confidential Information disclosed by
the Disclosing Party to any person, other than a director, officer, employee or professional
advisor of a Party, Supplier Group Company, or Purchaser Group Company to any authority,
statutory or otherwise to whom disclosure of Confidential Information is necessary for
performance of obligations or exercise of rights in connection with this Agreement.
Receiving Party shall ensure that each person to whom it discloses Confidential Information
complies with confidentiality provisions no less onerous than those contained in this section,
and will remain liable for any disclosure of Confidential Information by each such person as if
it makes such disclosure.

Receiving Party shall, on the Disclosing Party’s request, destroy, erase or deliver to the
Disclosing Party all of the Disclosing Party’s Confidential Information, save where the
retention of such Confidential Information is necessary to comply with Applicable Law or
otherwise for the other Party to exercise its rights or receive benefits due under this Agreement.

Supplier and the Purchaser both agree that the provisions shall not apply to any information
which the Receiving Party can prove: (i) is or becomes public knowledge other than by breach
of this section; (ii) was in the possession of Receiving Party without restriction in relation to
disclosure before the date of receipt from Disclosing Party; (iii) is received from a third party
who lawfully acquired it and who was under no obligation restricting its disclosure; or (iv) was
independently developed, without access to any Confidential Information disclosed by the
Disclosing Party.

Supplier and the Purchaser both agree that these provisions shall not apply so as to prevent
disclosure of Confidential Information by the Receiving Party to the extent that such disclosure
is required to be made by any authority of competent jurisdiction or by any Applicable Law,
provided that the Receiving Party: (i) gives the Disclosing Party reasonable formal written
notice (provided that this is not in contravention of Applicable Law), prior to such disclosure
to allow the Disclosing Party a reasonable opportunity to seek a protective order; and (ii) uses
reasonable endeavours to obtain prior to the disclosures, written assurance from the applicable
entity that it will keep the Confidential Information confidential.

57 GT&C - Arbitration Clause:


If any dispute or difference shall arise, such difference shall independently of all other
questions be referred to the decision of a sole arbitrator to be appointed in writing by the parties
or if they cannot agree upon a single arbitrator within 30 days of any party invoking arbitration,
the appointment shall be made upon request by a party, by the Chief Justice of the High Court
at Calcutta, or any person or institution designated by him in accordance with the provisions of
the Arbitration and Conciliation Act, 1996 as amended or re-enacted from time to time. It shall
be a condition precedent to any right of action or suit upon the Contract that award by such
arbitrator/arbitrators of the amount of the loss or damage shall be first obtained. The seat of
such arbitration shall be at Kolkata.

58 GT&C - Format of Contract between successful Supplier and National Insurance Company
Limited (NIC) *****
FORMAT FOR CONTRACT BETWEEN SUPPLIER AND NATIONAL INSURANCE
COMPANY LIMITED (NIC)

THIS Memorandum of Understanding/Agreement is made on this _____day of ______, 20__


BETWEEN M/s. _________ and carrying on business at __________ (hereinafter referred to as
“SUPPLIER” and shall include its heirs, successors or permitted assigns) of the First Part and
NATIONAL INSURANCE COMPANY LIMITED, a Company registered under the
Companies Act, 1956 having its registered Head Office at 3, Middleton Street, Calcutta – 700
071 (hereinafter referred to as “PURCHASER” and shall include its heirs, successors or
permitted assigns) of the Second Part.

WHEREAS the Vendor is in the business of a) Supply, Migrate, Installation, Configuration,
Commissioning, Integration, Demonstration, Management, Maintenance, Monitoring of
Enterprise Information Security Solution (where applicable), being party of the Second Part
herein.

AND WHEREAS the Purchaser intends to Procure a) Supply, Migrate, Installation,
Configuration, Commissioning, Integration, Demonstration, Management, Maintenance,
Monitoring of Enterprise Information Security Solution (where applicable) and has
explained to the Supplier the purposes and uses for which the procurement is being made.

AND WHEREAS the Supplier has assured that the Solution in respect of a and b as mentioned
above which they would supply would be fit for the purposes of the Purchaser and has been
agreed to relieve the “PURCHASER” from the Principle of “CAVEAT EMPTOR” being the
Purchaser is a mere consumer hereby it is better to rely on SUPPLIER as to the fulfilment of the
purpose/s of the purchase/procurement and/or installation and maintenance.

AND WHEREAS the Purchaser invited bids from Bidders for submitting bids for supply of all
the mentioned in the Purchaser’s Invitation in the Master Document and in RFP No.
NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019, containing broad terms and
conditions, for the supply, installation, commissioning, maintenance etc. as detailed in the RFP
document.

AND WHEREAS the Supplier submitted a bid and bids were submitted by some other Bidders.

AND WHEREAS out of the several bids when opened the Purchaser found the price quoted by
the Supplier for NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 to be eligible to be
awarded the contract.

AND WHEREAS the Purchaser would place orders on the Supplier for the purchase as
mentioned in the Master Document, RFP No. NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019 and in the bid/offer Papers on the terms, conditions and specifications
mentioned therein and in the Purchase Order issued on ________ 20__.
AND WHEREAS the parties herein intend to set out the terms and conditions for such purchase
and maintenance and matters connected therewith and to define the mutual rights and obligations
of the parties herein.
NOW THESE PRESENTS WITNESSETH and the parties herein agree as follows:
1. Scope:
The Master Document, RFP No. NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019,
and the bid/offer documents will form part of and shall be deemed to have been incorporated in
these presents but in case of any conflict between any term in the said documents and in these
presents the term of these presents will have overriding effect and the said documents have to
be read and will have effect subject to these presents.
2. Resolution of Disputes: Insert Section - 57

3. Prevention of Corruption: Each Party shall comply with all Applicable Laws relating to
bribery and corruption and shall not do, or omit to do, any act that will cause the other Party to
be in breach of any such Applicable Law, and in doing so: (i) shall not give or receive any bribes,
including in relation to any public official; and (ii) shall maintain an effective anti-bribery
compliance regime, that monitors compliance and detects violations.
4. Notices:
For the purpose of all notices, the address of the Supplier and the Purchaser shall be those
given in the beginning of these presents.
As the Purchaser’s Registered Head Office is situated within the Jurisdiction of the High Court
at Calcutta all disputes and differences are subject to the Jurisdiction of The Calcutta High
Court.
5. Compliance with Terms and Conditions:
The Supplier will comply with all the Terms and Conditions given in this Master Document,
RFP No. NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 and bid Offer.
IN WITNESS WHEREOF the parties hereto have executed these presents on the day, month
and year first above written.
SIGNED SEALED AND DELIVERED FOR _______________________
By the hands of Shri/Smt._______________________________________
In presence of Shri/Smt.________________________________________
In presence of Shri/Smt.________________________________________

SIGNED SEALED AND DELIVERED FOR ‘NIC’


By the hands of Shri/Smt._______________________________________
In presence of Shri/Smt.________________________________________
In presence of Shri/Smt.________________________________________
59 GT&C - Format for Integrity Pact
INTEGRITY PACT BETWEEN
National Insurance Company Limited (NIC) hereinafter referred to as “PURCHASER” (which
expression, unless repugnant to the context thereof, shall mean and include its legal
representatives, heirs and assigns)
AND
………………………………………………… hereinafter referred to as “The
Bidder/Contractor” (which expression, unless repugnant to the context thereof, shall mean and
include its legal representatives, heirs and assigns)

Preamble

The PURCHASER intends to award, under laid down organizational procedures, contract for
Procurement under NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 (hereinafter
referred to as the ‘Project’). The PURCHASER necessarily requires full compliance with all
relevant laws of the land, rules, regulations, economic use of resources and of
fairness/transparency in its relations with its Bidder(s) and/or Contractor(s).

In order to achieve these goals, the PURCHASER may appoint an Independent External
Monitor (IEM), who will monitor the tender process and the execution of the contract for
compliance with the Integrity Pact by all parties concerned, for all works covered in the Project.

Section 1 – Commitments of the PURCHASER

(1) The PURCHASER commits itself to take all measures necessary to prevent corruption and
to observe the following principles:-

a) No employee of the PURCHASER, personally or through family members or through
any other channel, will in connection with the tender for or the execution of a contract,
demand, take a promise for or accept, for self or third person, any material or immaterial
benefit, which the person is not legally entitled to.

b) The PURCHASER will, during the tender process treat all Contractor(s)/Bidder(s) with
equity and reason. The PURCHASER will in particular, before and during the tender
process, provide to all Contractor(s)/Bidder(s) the same information and will not provide
to any Contractor(s)/Bidder(s), confidential/additional information through which the
Contractor(s)/Bidder(s) could obtain an advantage in relation to the tender process or the
contract execution.

c) The PURCHASER will exclude from the process all known prejudiced persons. The
PURCHASER shall obtain bids from only those parties who have been short-listed or
pre-qualified or through a process of open advertisement/web publishing or any combination
thereof.

(2) If the PURCHASER obtains information on the conduct of any of its employees,
Contractor(s) and/or Bidder(s), which is a criminal offence under the IPC/PC Act, or if there
be a substantive suspicion in this regard, the PURCHASER will inform the Chief Vigilance
Officer and subject to its discretion, can additionally initiate disciplinary actions.
(3) The PURCHASER will enter into agreements with identical conditions with all
Contractor(s)/Bidder(s), in the different Work Packages in the aforesaid Project/s.

(4) The PURCHASER will disqualify from the tender process all Contractor(s)/Bidder(s), who
do not sign this Pact or violate its provisions.

Section 2 – Commitments of the Bidder(s) / Contractor(s)

(1) The Bidder(s) / Contractor(s) commit(s) itself/themselves to take all measures necessary to
prevent corruption. He commits himself to observe the following principles during his
participation in the tender process and during the contract execution:

(a) The Bidder(s) / Contractor(s) will not, directly or through any other person or firm offer,
promise or give to any of the PURCHASER’s employees involved in the tender process or
the execution of the contract any material or other benefit which he/she is not legally entitled
to, in order to obtain in exchange any advantage, of any kind whatsoever, during the tender
process or during the execution of the contract.

(b) The Bidder(s)/Contractor(s) will not enter with other Bidders into any undisclosed
agreement or understanding, whether formal or informal. This applies in particular to prices,
specification, certifications, subsidiary contracts, submission or non-submission of bids or
any other actions to restrict competitiveness or to introduce cartelization in the bidding
process.

(c) The Bidder(s)/Contractor(s) will not use improperly, for purpose of competition or
personal gain, or pass on to others, any information or document provided by the
PURCHASER as part of the business relationship, regarding plans, technical proposals and
business details, including information contained or transmitted electronically.

(d) The Bidder(s) / Contractor(s) of foreign origin shall disclose the name and address of the
Agents/representatives in India, if any. Similarly the Bidder(s)/Contractor(s) of Indian
Nationality shall furnish the name and address of the foreign PURCHASERs, if any. Further
details as mentioned in the “Guidelines on Indian Agents of Foreign Suppliers” shall be
disclosed by the Bidder(s) / Contractor(s). Further, as mentioned in the Guidelines all the
payments made to the Indian agent/representative have to be in Indian Rupees only.

(e) The bidder(s) / Contractor(s) will, when submitting his bid, disclose any and all payments
he has made, is committed to or intends to make to agents, brokers or any other
intermediaries in connection with the award of the contract.
(2) The Bidder(s) / Contractor(s) will not instigate third persons to commit offences outlined
above or be an accessory to such offences.

Section 3: Disqualification from tender process and/or exclusion from future contracts.

(1) If the Bidder(s) / Contractor(s), before awarding the Project or during execution has
committed a transgression by violating Section 2 above or in any other form so as to put his
reliability or credibility in question, the PURCHASER, at its sole discretion, is entitled to
disqualify the Bidder(s) / Contractor(s) from the tender process or terminate the Contract, if
already awarded, for that reason, without prejudice to any other legal rights or remedies
available to the PURCHASER under the relevant clauses of the tender/contract.

(2) If the Contractor(s)/Bidder(s) has committed a transgression through a violation of any of
the terms under Section 2 above or in any other form such as to put his reliability or credibility
into question, the PURCHASER will also be entitled to exclude such Contractor(s)/Bidder(s)
from future tenders/contract award processes. The imposition and duration of the exclusion will
be determined by the PURCHASER, keeping in view the severity of the transgression. The
severity will be determined by the circumstances of the case, in particular, the number of
transgressions and/or the amount of the damage.

(3) If it is observed after payment of final bill but before the expiry of validity of Integrity Pact
that the contractor has committed a transgression, through a violation of any of the terms under
Section 2 above or any other term(s) of this Pact, during the execution of contract, the
PURCHASER will be entitled to exclude the contractor from further tender/contract award
processes.

(4) The exclusion will be imposed for a minimum period of six (6) months and a maximum
period of three (3) years.

(5) If the Contractor(s)/Bidder(s) can prove that he has restored/recouped the damage to the
PURCHASER caused by him and has installed a suitable corruption prevention system, the
PURCHASER may, at its sole discretion, revoke or reduce the exclusion period before the
expiry of the period of such exclusion.

Section 4: Compensation for Damages

(1) If the PURCHASER has disqualified the Bidder(s)/Contractor(s) from the tender process
prior to the awarding of the Project according to Section 3, the Earnest Money Deposit (EMD)/
Bid Security furnished, if any, along with the offer, as per terms of the Invitation of Tender,
shall also be forfeited. The Bidder(s)/Contractor(s) understands and agrees that this will be in
addition to the disqualification and exclusion of the Contractor(s)/Bidder(s) as may be imposed
by the PURCHASER, in terms of Section 3 above.

(2) If, at any time after the awarding of the Project, the PURCHASER has terminated the
contract according to Section 3, or if the PURCHASER is entitled to terminate the contract
according to Section 3, the security Deposit/Performance Bank Guarantee furnished by the
Contractor, if any, as per the terms of the Contract shall be forfeited without prejudice to any
other legal rights and remedies available to the PURCHASER under the relevant clauses of
General/Special Conditions of Contract. The Contractor(s)/Bidder(s) understands and agrees
that this will be in addition to the disqualification and exclusion of the Bidder(s)/Contractor(s),
as may be imposed by the PURCHASER in terms of Section 3 above.

Section 5: Previous transgression

(1) The Bidder(s)/Contractor(s) herein declares that it has committed no transgressions in the
last 3 years with any other Company in any country conforming to the anti-corruption approach
as detailed herein or with government/ any other Public Sector Enterprise in India that could
justify its exclusion from the tender process.
(2) If at any point of time during the tender process or after the awarding of the Contract, it is
found that the Bidder(s)/Contractor(s) has made an incorrect statement on this subject, he can
be disqualified from the tender process or if, as the case may be, that the Contract, is already
awarded, it will be terminated for such and the Bidder(s)/Contractor(s) can be black listed in
terms of Section 3 above.

Section 6: Independent External Monitor / Monitors

(1) The PURCHASER shall, in case where the Project Value is in excess of Rs One Crore and
above, may appoint competent and credible Independent External Monitor(s) with clearance
from Central Vigilance Commission. The Monitor shall review independently, the cases
referred to it to assess whether and to what extent the parties concerned comply with the
obligations under this Integrity Pact.

(2) In case of non-compliance of the provisions of the Integrity Pact, the complaint/non-
compliance is to be lodged by the aggrieved party with the Nodal Officer only, as shall be
appointed by the CMD, NIC. The Nodal Officer shall refer the complaint/non-compliance so
received by him to the aforesaid Monitor.

(3) The Monitor will not be subject to any instructions by the representatives of the parties and
will perform its functions neutrally and independently. The Monitor shall report to the
Chairman-cum-Managing Director, NIC.

(4) The Bidder(s) / Contractor(s) accepts that the Monitor shall have the right to access, without
restriction, all Project documentation of the PURCHASER including that provided by the
Contractor. The Contractor will also grant the Monitor, upon his/her request and demonstration
of a valid interest, unrestricted and unconditional access to its project documentation. The
Monitor is under contractual obligation to treat the information and documents of the Bidder(s)
/ Contractor(s) with confidentiality.

(5) The PURCHASER will provide to the Monitor, sufficient information about all meetings
among the parties related to the Project, provided such meetings could have an impact on the
contractual relations between the PURCHASER and the Contractor.

(6) As soon as the Monitor notes, or believes to note, a violation of this Pact, he will so inform
the PURCHASER and request the PURCHASER to discontinue and/or take corrective action,
or to take other relevant action(s). The Monitor can in this regard submit non-binding
recommendations. However, beyond this, the Monitor has no right to demand from the parties
that they act in a specific manner and/or refrain from action and/or tolerate action.

(7) The Monitor will submit a written report to the CMD, NIC within 4 to 6 weeks from the
date of reference or intimation to it and, should the occasion arise, submit proposals for
corrective actions for the violation or the breaches of the provisions of the agreement noticed
by the Monitor.

(8) If the Monitor has reported to the CMD, NIC, of a substantiated suspicion of an offence
under relevant IPC/PC Act, and the CMD, NIC, has not, within the reasonable time, taken
visible action to proceed against such offence or reported it to the Chief Vigilance Officer, the
Monitor may also transmit this information directly to the Chief Vigilance Officer, NIC.

(9) The word ‘Monitor’ means Independent External Monitor and includes both singular and
plural forms.

Section 7: Criminal charges against violating Bidder(s) / Contractor(s) / Subcontractor(s)

If the PURCHASER obtains knowledge of conduct of a Bidder/Contractor or any employee or
a representative or an associate of a Bidder/Contractor, which constitutes a criminal offence
under the IPC/PC Act, or if the PURCHASER has substantive suspicion in this regard, the
PURCHASER will forthwith inform the same to the Chief Vigilance Officer, NIC.

Section 8: Duration of the Integrity Pact.

The Pact shall come into force when both parties have legally signed it. The Pact shall expire,
in case of the Contractor(s), 3 (three) months after the last payment under the Contract is made
and in case of the unsuccessful Bidder(s), 2 (two) months after the contract for the project has
been awarded. If any claim is made / lodged during this time, the same shall be binding and
continue to be valid despite the lapse of this pact as specified above, unless it is
discharged/determined by CMD of NIC. The Bidder(s)/Contractor(s), however, understands
and agrees that even upon the completion of the Project and/or the last payment under the
Contract having been made, if any transgression/violation of the terms of this Pact comes/is
brought to the notice of the PURCHASER, it may, subject to its discretion, blacklist and/or
exclude such Bidder(s)/Contractor(s) as provided for in Section 3, without prejudice to any
other legal right or remedy so available to the PURCHASER.
Section 9: Other Provisions

(1) This agreement is subject to Indian Law. Place of performance and jurisdiction is the
Registered Office of the PURCHASER, i.e. Kolkata.

(2) Changes and supplements as well as termination notice need to be made in writing.

(3) If the Bidder/Contractor is a partnership or a consortium, this agreement must be signed by
all partners or consortium members.

(4) Should one or several provisions of this agreement turn out to be invalid, the remainder of
this agreement shall remain valid and binding. In such a case, the parties will strive to come to
an agreement in accordance with their original intentions.

(5) Wherever he or his is indicated in the above sections, the same may be read as he/she or
his/her, as the case may be.

______________________________ ________________________
(For & On behalf of the PURCHASER) (For & On behalf of Bidder/Contractor)
(Office Seal) (Office Seal)
Place____________
Date_____________

60 GT&C – Sample Manufacturer’s Authorization Form (MAF)


SAMPLE FORMAT FOR MANUFACTURER’S AUTHORIZATION FORM

To
NATIONAL INSURANCE COMPANY LIMITED
Head Office: 3, Middleton Street,
Kolkata – 700 071.

Dear Sir,

Sub.: NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019

We ……………… who are established and reputable manufacturers of …………….. having
factories at ………………………. do hereby authorize M/s. …………………… (Name and
Address of Supplier/Authorized Partner) to bid, negotiate and conclude the contract with NIC
against RFP No.__________ for the above goods manufactured by us.

We hereby extend our full guarantee and warranty as per respective Clauses in the General
Terms & Conditions of the Master Document and the RFP No. ____________ for the goods
offered for supply against this invitation for bid by the above firm.

We hereby further confirm that the solution quoted by our partner including on-site warranty as
applicable under terms of the Master Document and RFP No. ____________, has been
examined and vetted by us. We also confirm that all the Part Codes (product and warranty)
quoted by our partner are OK and the solution quoted by our partner will work as per
requirements specified by NIC.

Yours faithfully,

(Name)
For and on behalf of
M/s. …………………………………..

Signature of Manufacturer
Dated:
Place:
Sd. /-Seal

Note: This letter of authority should be on the letterhead/certificate form issued by the
manufacturing concern and should be signed by a person competent and having the power of
Attorney to bind the manufacturer.

61 GT&C – Sample Format of Warranty


Sample FORMAT OF WARRANTY (For each item quoted)
This free of charge warranty shall start and shall remain valid for 5 Years for Devices supplied
against RFP No. NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 from the last date
of installation of the equipment that has been delivered and installed, commissioned, tested and
accepted.

We warrant that everything to be supplied by us hereunder shall be free from all encumbrances,
defects and faults in material, workmanship and manufacture and shall be of the highest grade
and quality and consistent with the established and generally accepted standards for items of the
type ordered and shall be in full conformity with the specifications, drawings of samples, if any, and
shall operate properly. We shall be fully responsible for its efficient and effective operation.
This warranty shall survive inspection of and payment for, and acceptance of the items, but shall
expire on completion of the 5 years after their successful installation and acceptance by the
purchaser.

The obligations under the warranty expressed above shall include all costs relating to labour,
spares, maintenance (preventive and unscheduled), at site of the items which under proper use
by the Purchaser and under normal care and maintenance of Supplier proves defective in design,
material or workmanship or fails to operate effectively and efficiently or conform to the
specifications and for which notice is promptly given by the Purchaser to the Supplier.

The Supplier warrants and undertakes that in case any defect be found within the defined project
period, the Supplier will attend to the problem within the defined time period (also refer
Sections - 27, 28, 69) of lodging of the complaint by the Purchaser either by Letter, over the
telephone, by fax, email or by other modes of communications. Wherever it is required to
replace any part, the Supplier undertakes to replace the part within the defined time period, refer
Sections - 27, 28, 69, of attending the call. In case of failure from supplier’s side the Purchaser
has the right to encash the Performance Bank Guarantee.

Moreover we agree to warranty clauses as per respective Clauses in the General Terms &
Conditions of the Master Document and RFP No. NIC/IT/RFP/Enterprise Info-Sec
Solution/RFP/07/2019.

Signature of Bidder
Dated :
Place :
Seal :

62 GT&C - Undertaking for Back-lining

RFP No: NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


To
NATIONAL INSURANCE COMPANY LIMITED
Head Office: 3, Middleton Street,
Kolkata – 700 071.
Dear Sir,

This is to confirm that we M/S………………………………………………. who is bidding in
your RFP will backline the support for Security Solution and Equipment for complete
Contract duration with M/s _________________________Original Equipment Manufacturer
(OEM) of ____________________ as per the terms of the RFP within 30 days of issuance of
Purchase Order from NIC.
Signature

(Name)
For and on behalf of
M/s. …………………………………..

Signature of Manufacturer
Dated:
Place:
Sd. /-Seal

63 GT&C – OEM Certified Part Numbers including for Warranty, AMC


Sample format for OEM Certified Part Numbers and the description of the components
against those Part Numbers (Hardware, Software, Warranty etc.)

Sl.No. | OEM Part No. | Description of the components against respective Part No. (Certificate from OEM should be attached)

Note: None of the hardware or software quoted in this Section should be out of support from
the OEM for at least a period of 5 years from the date of this Certificate.

Signature of Bidder:
Dated:
Place:
Seal:

64 GT&C – Format for EMD/Bid Security


To
NATIONAL INSURANCE COMPANY LIMITED
Head Office: 3, Middleton Street,
Kolkata – 700 071.

Dear Sir,

Whereas ________________________________________ (hereinafter called ‘the Bidder’)
has submitted its bid dated ________________ for the _______________________________
(hereinafter called “the Bid”).

KNOW ALL MEN by these presents that WE ________________ having our registered office
at ____________________________ (hereinafter called “the Bank”) are bound unto The
National Insurance Company Limited (hereinafter called “the Purchaser”) in the sum of
Rupees ___________________________ for which payment well and truly to be made to the
said Purchaser, the Bank binds itself, its successors and assigns by these presents. Sealed with
the Common Seal of the said Bank this ___________ day of ________________ 201_.

The Conditions of this obligation are:

If the Bidder withdraws his bid during the period of bid validity specified by the bidder in the
bid; or

If the Bidder, having been notified of the acceptance of its bid by the Purchaser during the
period of bid validity
i. fails or refuses to execute the Contract Form, if required; or

ii. fails or refuses to furnish the Performance Security, in accordance with
the instructions to Bidder.

We undertake to pay to the Purchaser up to the above amount upon receipt of its first
written demand, without the Purchaser having to substantiate its demand, provided that in
its demand the Purchaser will note that the amount claimed by it is due to it owing to the
occurrence of one or both of the two conditions, specifying the occurred condition or
conditions.

This guarantee will remain in force up to and including 45 days after the period of bid
validity, and any demand in respect thereof should reach the Bank not later than the above
date.

Dated this.................day of............

Place: __________________________

Date: Seal and signature of the vendor

65 GT&C - Performance Bank Guarantee


FORMAT FOR PERFORMANCE BANK GUARANTEE

BANK GUARANTEE FOR PAYMENT (TO BE SUBMITTED IN NON-JUDICIAL
STAMP PAPER OF APPROPRIATE VALUE PURCHASED IN THE NAME OF THE
ISSUING BANK)

To
National Insurance Company Ltd.
Head Office
3, Middleton Street
Calcutta-700 071

Dear Sirs,

RFP No.: -NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


In consideration of your having placed Purchase Order for purchase of items as per RFP:
NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019 with …………… and your agreeing
to pay the aforesaid M/s. …………………………(hereinafter referred to as ‘The Supplier’ and
shall include his heirs, successors and permitted assigns) a sum of Rs……………………
(Rupees………………………….) as and by way of payment in terms of the Contract/Supply
Order/Purchase Order No/s. ………………….. Dated …………. with you (hereinafter referred
to as ‘PO’) on your agreeing to furnish to you with our guarantee in the manner hereinafter
contained, we …….…….. (Bankers Name) located at …………………..with registered office
at ……………………

DO HEREBY COVENANT AND AGREE AS FOLLOWS:

We, Bank Ltd. having our office located at …………do hereby undertake to indemnify
National Insurance Company Limited or their heirs, successors or permitted assigns (hereinafter
referred to as ‘NIC’) and keep indemnified to the extent of the sum of Rs …………… (Rupees
……………) from and against all losses and damages that may be caused to NIC in relation to
the payment to be made by NIC to the Supplier as aforesaid by reason of any default or defaults
on the part of the Supplier in the due supply of plant / machinery / equipment / spares / services
for carrying out any work or discharging supplier’s obligation as per the said contract in the
observance and performance of any of the terms and conditions relating thereto in accordance
with the true intent and meaning thereof and in the event of any default or defaults on the part
of the Supplier as aforesaid we shall forthwith on demand and without demur pay to NIC any
sum not exceeding in the total the said sum of Rs. …………….. (Rupees ………..) as may be
claimed by NIC to be due from the Supplier by way of refund of such payment or any portion
or otherwise as NIC’s losses and / or damages, costs charges or expenses incurred by reason of
such default or defaults on the part of the Supplier as aforesaid.

Notwithstanding anything to the contrary, NIC’s decision as to whether the Supplier has made
any such default or defaults and the amount or amounts to which NIC is entitled by reasons
thereof will be binding on us and we shall not be entitled to ask NIC to establish their claim or
claims under this guarantee, but will pay the same forthwith on NIC’s demand without any
protest or demur.

This guarantee shall continue and hold good until it is released by NIC on the applications by
the Supplier after completion of delivery of goods / services / terms and conditions at site
provided always this guarantee shall in no event remain in force after the day of ……………..
without prejudice to NIC’s claim or claims arisen and demanded from or otherwise notified to
us in writing on or before the seventh day after the said date of expiry of the guarantee which
will be enforceable against us notwithstanding that the same is or is not enforced after the said
date.

Should it be necessary to extend this guarantee on account of any reason whatsoever, we
undertake to extend the period of this agreement till such time with the Supplier’s consent on the
request by NIC, provided the terms and conditions relating to the extension of the Guarantee
are satisfied.

NIC will have the fullest liberty without affecting this guarantee, either to vary, or to modify
and to revoke any of the terms and conditions of the said PO or to extend the time of
performance of the Supplier or to postpone for any time or from time to time any of NIC’s
rights or powers against the Supplier and either to enforce or to forbear to enforce any of the
terms and conditions of the said PO and we shall not be released from our liability under this
guarantee by the exercise of NIC’s liberty. With reference to matters aforesaid or by reason of
any time being given to the Supplier, or any other forbearance, act or omission on NIC’s part
or any indulgence by NIC to the Supplier or by any variation or modification of the said PO or
any other act, matter or things whatsoever, which under the law relating to sureties, would but
for the provisions hereof, have the effect of so releasing us from our liability hereunder provided
always nothing herein contained will enlarge our liability hereunder beyond the limit of Rs.
……………. (Rupees……………………………..) as aforesaid or extend the period of the
guarantee beyond the said day of …………….. unless expressly agreed to by us in writing.

This guarantee shall not in any way be affected by NIC’s taking or varying or giving up any
securities from the Supplier or any other person, firm or company on their behalf or by winding
up, dissolution, insolvency or death as the case may be of the Supplier or his company/firm.

In order to give full effect to the guarantee herein contained, NIC shall be entitled to act as if
we were your principal debtors in respect of all NIC’s claims against the Supplier hereby
guaranteed by us as aforesaid.

Subject to the maximum limit of our liability as aforesaid, this guarantee will cover all NIC’s
claim or claims against the Supplier from time to time arising out of or in relation to the said
PO and in respect of which NIC’s claim in writing is lodged on us on or before the seventh day
after expiry of this guarantee.

Any notice by way of demand or otherwise hereunder may be sent by special courier, telex,
fax, email or registered post to our local address as aforesaid and if sent by post, it shall be
deemed to have been lodged / given / submitted when the same is posted.

This guarantee and the powers and provisions herein contained, are in addition to and not by
way of limitation of or substitution for any other guarantee or guarantees hereto before given
to NIC by us and now existing un-cancelled and that this guarantee is not intended to and shall
not revoke or limit such guarantee or guarantees.

This guarantee shall not be affected by any change in the constitution of the Supplier or us nor
shall it be affected by any change in your constitution or by amalgamation or absorption thereof
or therewith but will enure to the benefit of and be available to and enforceable by the
absorbing or amalgamated company or concern.

This guarantee shall come into force on ____________ and shall not be revoked by us whether
before its coming into force or any time during its currency without NIC’s prior consent in
writing.

We further agree and undertake to pay to NIC the amount demanded by NIC in writing
irrespective of any dispute or controversy between NIC and the Supplier.

Notwithstanding anything contained hereinabove our liability under this agreement is restricted
to Rs …… (Rupees ……………………………..). Unless a written claim is lodged on us for
payment under this guarantee within seven days of the date of expiry of this guarantee i.e. on
or before …………….. all NIC’s rights under this guarantee shall be forfeited and we shall be
deemed to have been released and discharged from all liabilities thereunder, irrespective of
whether or not the original guarantee is returned to us, discharged.

We have power to issue this guarantee in NIC’s favour under the Memorandum and Articles of
Association of our Bank and the undersigned has full power to execute this guarantee under the
Power of Attorney granted to him by the Bank.

SIGNED AND DELIVERED ON THE DAY OF …… FOR & ON BEHALF OF
THE ………..BANK LTD.

FOR & ON BEHALF OF
(BANKER’S NAME)

Branch Manager

(Banker’s seal)
Address………………………………
………………………………
P.S.: The amount referred to above will be as per the terms of payment specified

66 GT&C - Clarification of Bids:


1. To assist in the examination, evaluation and comparison of bids the Purchaser may, at their
discretion, ask the Bidder for clarification of the bid.
2. Bidder should send their queries, if any, through e-mail to rs.raman@nic.co.in, CC to
abhijit.bhattacharya@nic.co.in on or before the stipulated date and time. Bidders
should submit the queries only in the format given in the RFP and in xls/xlsx format.
Queries which are not in the specified format will be ignored. Bid is liable
for disqualification in case of deviation. Clarifications are entirely at the discretion of
NIC and no disputes will be entertained on the same. No query / suggestions will be
entertained after the opening of Commercial offer.
3. Clarifications will be published only in NIC’s Corporate Website
https://nationalinsurance.nic.co.in and E Tendering portal - www.Tenderwizard.com/NICL.
No other modes of communication will be used.

67 Volume-II: NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


This is Volume-II of the Master Document.

Instruction to Bidders

The Bidder is expected to examine all instructions, forms, terms, specifications, and other
information in Volume-I of the Master Document and the RFP No. NIC/IT/RFP/Enterprise
Info-Sec Solution/RFP/07/2019, Volume-II. Failure to furnish all information required by any of
these documents or to submit a Bid not substantially responsive to these documents in every
respect will be at Bidder’s risk and may result in the rejection of its Bid.
Bidders are advised to study the mentioned documents carefully before participating. It shall be
deemed that submission of bid by the bidder has been done after their careful study and
examination of the mentioned documents with full understanding to its implications. Any lack of
information shall not in any way relieve the bidder of his responsibility to fulfil his obligations
under the Bid.

In the event of default by the Bidder with respect to this RFP or the Master Document, NIC
may debar the Bidder from participating in any future RFPs floated by NIC for any
purpose.

68 Eligible Bidders: The following are the conditions, which are to be necessarily fulfilled, to be
eligible for technical evaluation of the Bid. Non-compliance with any of the criteria will entail summary
rejection of the bid offer. Photocopies of relevant documents / certificates should be submitted as
proof in support of the claims made along with tender. NIC also reserves the right to verify /
evaluate the claims made by the vendor independently. Only those interested bidders who
satisfy the following eligibility criteria should respond to ENTERPRISE INFO-SEC
SOLUTION/RFP/07/2019: Refer Sections - 68, 71

A Minimum Qualifications of the Bidder:
1 The Bidder should be a Registered Company in India under the Companies Act, 1956
(photocopy of certificate of registration to be provided)
2 The Bidder should be an established Information Technology company and in operation
for at least 5 years in India as at 31.03.2017
3 The Bidder should be ISO 9000/9001, ISO 20000 and ISO/IEC 27001 certified, with
certifications valid at the time of bid submission. (photocopies of certificates to be
provided)
4 The Bidder should have implemented minimum three out of four solutions (SIEM,
packet forensics, Vulnerability Management, APT) out of the new solutions in at least 1
(one) of PSU / BFSI. For the rest either Bidder / OEM references shall be given.
Completion Certificates to be provided from Customer
5 The Bidder should have at least 2 (Two) Information Security Orders of their National
Customers, each having an order value of at least Rs. 20 Crore
within the last 5 years – Or,
4 (Two) Information Security Orders of their National Customers, each having an order
value of at least Rs. 10 Crore within the last 5 years.
Completion Certificates to be provided from Customer
6 The Bidder should have implemented and maintained captive SOC for any one
PSU/BFSI/Government customers (with at least 1000 locations) in India within last 5
years. SOC solution should have at least 3 out of the following components like SIEM,
WAF, DAM, PIM, NBA, Anti-APT solutions/Anti-Phishing, DLP, MDM. Completion
Certificates to be provided from Customer
7 The Bidder should have manpower with certifications in Information Security
Operations. The Bidder should have at least 20 certified security professionals on their
payroll with minimum two CISA/CISM/CISSP certifications
8 The Bidder should have an annual turnover of at least Rs. 750 Crores (Seven Hundred
Fifty Crores) for each of the last 3 (three) financial years 2015-16, 2016-17 and 2017-18
(audited balance sheet from last 3 financial years to be provided as per Section - 71.1).
AND,
Should have net profit after tax in the last 3 (three) financial years – 2015-16, 2016-17
and 2017-18 (audited balance sheet from last 3 financial years to be provided as per
Section - 71.1)
9 The Bidder should have support office in at least 4 (Four) Metro Locations [Kolkata,
Mumbai, New Delhi, Chennai] and in Bangalore, Hyderabad, Pune.
10 The Bidder should have Toll Free number for fault registration within India, operating
365x24x7 basis
11 The Bidder should not be blacklisted/debarred/denied bidding facilities by any
Government Department / Public Sector Undertaking as on the date of bid submission
12 The Bidder should not have filed for Bankruptcy in any country

68.1 Preparation of Bid


The RFP will be in three parts, viz., Pre-Qualification, Technical and Commercial bid.

Bidder has to meet the minimum eligibility criteria as mentioned in the Pre-Qualification Bid.

If, on evaluation of the Technical bids it is observed that any one or more items of the product
offered in the RFP do not meet the minimum requirements of Specifications, the Company
reserves the right to accept or reject the Bid.

The Commercial bids of only those Bidders will be opened who qualify at the Technical bid
evaluation stage and whose products are found to meet the specifications offered by them, at a
date and time to be specified later.

The Bidder shall prepare the bid in the following manner. Relevant documents, letters, forms,
supporting, etc. need to be attached to each part as given below:

The BID SECURITY. This would contain only the Bid Security (Earnest Money) amounting to
Rs. 50,00,000.00 (Rupees Fifty Lakhs Only) by way of BG/DD/NEFT/RTGS in favour of
National Insurance Company Limited, payable as per Bank Details mentioned in this document.
Non-furnishing of EMD will disqualify the bidder.

The EMD would be returned to the unsuccessful Bidder (without any interest) and on receipt of
application, within 90 days of award of Purchase Order to the Successful Bidder. For the
successful Bidder, the same would be retained as Security Deposit without any interest till a BG
of 10% of Contract Value is received by NIC, in the form of Performance Bank Guarantee
(PBG) as per format given in Section –64.

The Bid Security Deposit will be forfeited if:

The bidder withdraws his bid at any time before the LOI of PO or Advice for execution is issued
against the RFP.
OR

The Bidder fails or refuses to execute the work after having been identified L1 in the bid, before
or after LOI/PO/Advise for execution is issued
OR
Fails or refuses to furnish the Performance Bank Guarantee
OR
The Bidder fails or refuses to execute the Contract.

1 The PRE-QUALIFICATION BID. This would contain the proof of transfer of EMD,
Bidder Profile Section - 71, Financial Information Section - 71.1, Citations Section - 71.2.
Any other documents that are required in the process, like client engagement letters or
certificates, audited balance sheets, etc. and a CD containing the soft copy (both ‘PDF’ and
‘xls’ formats) of the Pre-Qualification Bid are also to be included herein.
2 The TECHNICAL BID. This would contain the Technical Bid Letter Section - 70,
Section- 70.1 Technical Bid Particulars, Format of Warranty, OEM Certified Part
Numbers, Technical Compliance, Unpriced Bill of Materials to be submitted with the
Technical Bid. Section-72 Statement of Deviation from RFP Terms and Conditions, if any,
and Details of the proposed solution, proposed methodology and timeline (in a separate
sheet). Any other documents that are required in the proposal process, like client
engagement letters or certificates, audited balance sheets, etc. and a CD containing the soft
copy (both ‘PDF’ and ‘xls’ formats) of the Technical Bid are also to be included
herein.
3 The COMMERCIAL BID. This would contain the Commercial Bid Letter Section - 73,
Section - 73.2 Commercial Bid Particulars, Section- 73.1 Commercial Bid. A CD
containing the soft copy (both ‘PDF’ and ‘xls’ formats) of the Commercial Bid is also to
be included herein.

Bidders have to submit their Bid online, on or before the last date and time mentioned
in RFP.

Details of the procedure to be followed for online submission are available in Annexure-12
(Volume-II). Bidders have to abide by the same.

69 Scope of Work

NIC currently has its DC co-hosted in Kolkata, and DR co-hosted in Bangalore. The IT
infrastructure currently co-hosted includes servers, storage, network, information security, backup
devices, etc. installed in racks. The Near Site is located at NIC Head Office, Kolkata.

NIC has over 15000 systems in the network comprising a mix of desktops and laptops with
Windows 7, Windows 8/8.1, Windows 10, Apple’s OS, etc. NIC has deployed a layered
security architecture from its Data Centre (DC) and Disaster Recovery Site (DR) to
protect its network and associated information resources. NIC has a SOC which manages its entire
Information Security architecture. Anti-virus is loaded in all end-points and managed centrally.
URL filtering solutions reduce the threat of malware from internet access made available at the
endpoint, and a secure mailing gateway reduces spam.

The objective of the RFP is to refresh the existing security technologies and add new security
solutions to enhance the information security posture of NIC. The Scope includes procurement,
installation, implementation, integration, maintenance and support of the solutions with all the
relevant applications and infrastructure during the contract period.

• Total Period of Contract under this RFP is 5 (Five) Years. All the products should carry a
warranty of 5 (Five) years from a common successful installation date mutually agreed by NIC
and the successful bidder. All products procured under this RFP should be with highest
support from OEM. All hardware to be fully populated with all ports (Fiber, Copper)
and transceivers. Transceivers should support 1G, 10G and multimode.
• Bidder has to provision all required hardware, software, licenses as part of solution
delivery.
• All the proposed Hardware should support all upgrades, versions, releases of the
software, licenses as and when released by OEM for the entire period of the project.
• Bidder should ensure dual power supply for all proposed hardware/appliances.
• Storage of Logs with archive for a period of one year for SIEM solution. Bidder should size
solution accordingly.
• Delivery of the necessary solutions and the corresponding hardware, software, database
required for implementing the solutions mentioned.
• Renewal / Upgrade of existing products, license.
• Implementation of the respective solutions at NIC including configuration, customization of
the products as per NIC’s requirement
• Providing the manpower support to meet the various compliance needs of NIC
• Bidder is required to provide the necessary personnel to manage the operations for the
solutions in scope and to ensure adherence to agreed Service Level
Agreements (SLA) and periodic monitoring and reporting of the same
• Continual improvement of the Security Operations as defined in the SLA
• Implementation of the specified solutions and necessary hardware as per the technical
requirement specified in the RFP is the responsibility of the bidder. Selected Bidder to ensure
that the proposed solution (hardware and software) complies with all the functional and
technical requirements as provided in Section – 67.5-67.12 Technical and Functional
Requirements & Sizing in Section - 67.13
• Bidder shall be responsible for timely compliance of all audits and Vulnerability Assessment
(VA) audit observations
• Post implementation, the bidder is responsible for integrating any additional logs that NIC
may wish to monitor with the SIEM solution at no additional cost to NIC. Logs need to be
integrated with the SIEM solution through automated or manual mode. Bidder is required to
provide the feasibility for both the modes of integration in coordination with the existing
vendors.
• Bidder is responsible for developing and implementing the security configuration, hardening
of all the devices and software that are procured for Security Operations. Also, they have to
periodically review the guidelines and configure.
• Development and implementation of processes for management and operation including (but
not limited to) the following processes:
o Configuration and Change Management
o Incident and Escalation management processes
o Daily standard operating procedures
o Reporting metrics and continuous improvement procedures
o Data retention and disposal procedures
o BCP and DR plan and procedures for Security Solutions
o Security Patch management procedure for procured items
• Bidder shall address all the errors/bugs/gaps in the functionality in the solution implemented
at no additional cost during the Project Period.
• Implement necessary security measures for ensuring the information security of the proposed
Solutions.
• All patches and upgrades (in Version) from OEMs shall be implemented by the Bidder
ensuring customization done in the solution as per the NIC’s requirements are applied.
Technical upgrade of the installation to the new version, as and when required, shall be done
by the Bidder. Any version upgrade (in Version) of the software / tool / appliance by Bidder
to be done after taking prior approval of NIC and after submitting impact assessment of such
upgrade at no additional cost to NIC.
• Any changes/upgrades (in Version) to the software performed during the support phase shall
be subject to comprehensive and integrated testing by the Bidder to ensure that the changes
implemented in the system meet the specified requirements and do not impact any other
function of the system. Release management for application software will also require NIC
approval. A detailed process in this regard will be finalized by Bidder in consultation with
NIC. Any Major Version Upgrade which requires re-sizing of the hardware and software
during the contract period will be taken separately on mutually agreed payment terms.
• Issue log for the errors and bugs identified in the solution and any change done in the solution
shall be maintained by the bidder and should be periodically submitted to the NIC team.
Bidder, at least on a monthly basis, will inform NIC about any new updates/upgrades available
for all software components of the solution along with a detailed action report. In case of
critical security patches/alerts, the bidder shall inform about the same immediately along with
his recommendations. The report shall contain bidder’s recommendations on update/upgrade,
benefits, impact analysis etc. The bidder shall need to execute updates/upgrades through a formal
change management process and update all documentations and Knowledge databases etc. For
updates and upgrades, Bidder will carry it out at no additional cost to NIC by following defined
process.
o Errors and bugs that persist for a long time, impact a wider range of users and are
difficult to resolve become problems. Bidder shall identify and resolve all the
problems in the identified solution (e.g. system malfunctions, performance problems
and data corruption etc.).
o Monthly report on problems identified and resolved would be submitted to NIC team
along with the recommended resolution.
• All planned or emergency changes to any component of the system shall be through the
approved Change Management process. The Bidder needs to follow all such processes (based
on industry ITSM framework). For any change, Bidder shall ensure:
o Detailed impact analysis
o Change plan with Roll back plans
o Appropriate communication on change required has taken place
o Proper approvals have been received
o Schedules have been adjusted to minimize impact on the production environment
o All associated documentations are updated post stabilization of the change
o Version control maintained for software changes. The bidder shall define the Software
Change Management and Version control process. For any changes to the solution,
Bidder has to prepare detailed documentation including proposed changes, impact to
the system in terms of functional outcomes/additional features added to the system etc.
Bidder shall ensure that software and hardware version control is done for entire
duration of Bidder’s contract.
• Bidder shall maintain version control and configuration information for application software
and any system documentation.
 Bidder shall maintain at least the following minimum documents with respect:
o The Bidder shall perform an in-depth analysis of the existing system and shall submit
a detailed plan for the implementation of this project, including but not limited to the
following:
 Project Plan detailing each task with target date and assigned resource
persons and installation of all supplied items and integration with
existing infrastructure at DC, DR and NIC Offices.
 Architecture Diagram
o Bidder shall submit this document to NIC for review and any suggestions by NIC will
be incorporated therein.
o HLD and LLD which will capture the configuration required to meet existing needs as
well as incorporating the minimum technical specifications of the RFP. Supplier
should coordinate with existing Security and Network Vendor, also in this regard.
o Any other explanatory notes about the system. Bidder shall also ensure that the
documentation of the software system is kept updated, ensuring that:
o SOPs are updated to reflect on-going changes/enhancements.
o All the technical documents (HLD, LLD, SOPs, Implementation Plan, Rules & Policy
documents etc.) submitted should be vetted by the OEMs of the respective components,
and the bidder needs to submit the OEM confirmation along with the documents. The
solution should be hardened as per periodic OEM recommendations. OEM to provide the
initial hardening document and configuration templates. Any change during the
project period has to be validated by the OEM.
o Bidder should ensure that all the required documentation is made available to NIC.
 The technical bid should include an overview of the processes mentioned above.
o Develop Escalation Matrix in order to handle Information Security Incidents
efficiently.
o Provide necessary documentation for the operation, integration, customization, of each
of the solutions in scope.
 During the Implementation Phase, bidder should propose at least: one Dedicated Project
Manager (100% onsite deployment at Head Office), one Solution Architect (onsite support to
the project team) and one Security Expert (onsite support to the project team).
 Bidder should take complete ownership of deploying the solutions seamlessly in the existing
infrastructure. If any upgrade/update or replacement is needed in the existing infrastructure
to deploy the solution, the bidder has to inform NIC of it during the requirement gathering
stage, with proper documentation.
 Unpriced Bill of Materials (BoM/BoQ) to be submitted with the Technical Bid

a. Support Back-lining:
 The bidder will remain responsible for overall implementation and maintenance of the
solution, and must backline hardware and software support with OEM for 100% of
equipment procured under this RFP.
 NIC should be able to login independently to OEM portal to view support contracts and
raise TAC/ RMA directly with OEM if required.
 NIC should be able to use a self-web log-in for self-help support through OEM’s online
knowledge base, resources and tools.
 Operating system (OS) software updates, including both minor and major releases within
licensed feature set should be available for download by NIC, directly if required.
 The contract should be back-lined with the OEM during the complete contract period as
mentioned in RFP Warranty Clause. The bidder will be required to provide a proof of
OEM support back-lining in writing in the form, Section - 62 from the OEM within
30 days from the date of release of the LoI (letter of intent)/first-PO (Purchase Order).
Until the proof of back-lining for the complete inventory support/warranty as per the RFP
is provided, no payment will be released for the products and services.
b. Warranty/AMC:
 Warranty/AMC contract for all the devices mentioned in this RFP will be on on-site &
comprehensive basis for the project period, as applicable, and subject to extension based
on NIC’s requirement, on pro-rata basis. OEM Supporting letter mentioning that Partner
has back lining support from OEM for the support as mentioned in Commercial Bid.
 All necessary on-site Technical troubleshooting & configuration management.
 SLA based service delivery.
 Improve Response & Resolution time.
 Quarterly preventive maintenance.
 Support as per Minimum Technical Specifications
 Defective equipment needs to be replaced by the Supplier as per the SLA terms mentioned
in the tender document.
 On-site resources at NIC HO, DC, DR as part of NIC SOC for doing all configuration,
management, monitoring, support, co-ordination for restoration.
c. Execution Overview:
 Supplier has to provide necessary on-site/off-site model to maintain the SLA.
 Single point of contact for all fault booking & service request update.
 Supplier should have Toll free number & mailing facility for the fault booking from
anywhere on 24X7 basis.
 Technical call Centre should be accessible 24 hours per day, 7 days per week to assist with
Product use, Configuration and troubleshooting issues and should have access to OEM
support portal.
 Quarterly review meeting for the service improvement plan.
 Work with existing Security, Network, Application Vendors of NIC
d. Supply, installation, configuration and commissioning of the items (necessary hardware and
software) at locations specified by NIC.
 Provide 24x7x365 basis post implementation comprehensive support.
 Supplier has to act as technical-advisor to NIC for the items under procurement by way of
evaluation, demonstration, etc. as and when required by NIC. Supplier has to submit
findings/reports to NIC and give suggestions/recommendations. Necessary resources
(including Level-3 support) have to be deployed by Supplier for technical assistance and
submit the detailed documentations etc. by NIC. No additional cost will be payable by NIC
for such things.
 In case there is a cost incurred to NIC due to the wrong BoM/Specification/feature-set of
items (equipment/device/appliance/software) at any location, the same will have to be
replaced by Supplier at no extra cost to NIC.
 Prepare test-plan, implementation plan, integration plans and rollback strategies
 Comprehensive monitoring and onsite support
 The successful bidder shall co-ordinate and co-operate with the other Suppliers of NIC so
that the work shall proceed smoothly without any delay and to the satisfaction of NIC.
 No extra claim shall be entertained on account of all/part of any job redone on account of
bidder’s negligence which results in damages/losses during execution of the job. Also,
any component(s) required to meet the functioning of items, after release of Purchase
Order shall have to be provided by the successful bidder. All such cost shall be borne by
the bidder.
 The Supplier has to provide complete escalation matrix which should be updated and sent
to NIC as and when there is a change.
 The Supplier has to specify the Name of the OEMs with the product name in the Technical
specification.
e. The hardware configuration has to be done by the Supplier. The hardware should not have any
single point of failure.
 Prepare HLD and LLD in consultation with OEM and NIC for rollout.
 Design and document a Project implementation plan with significant milestones marked
on it.
 The selected bidder needs to commission items in such a way to ensure the requirements
mentioned as per the technical specifications and uptime requirements as per the SLA
section.
 Selected Bidder needs to study existing deployment LAN, WAN, Application environment
(including DC/DR/NR) of NIC and provide for deployment of the proposed items.
 The installation will include proper mounting, labeling, tagging of all the equipment and
providing network and power connections.
 The selected bidder shall be responsible to provide within scope of work all facilities like
labor, transportation, tool kits, testing equipment, cables, connectors, power cords etc.
which is necessary for successful deployment of solution.
f. Transportation to & fro, lodging and boarding of manpower shall be in Supplier’s scope.
g. NIC expects the Supplier to submit a detailed plan for designing and implementation of the
project which should include the full scope of the project as mentioned in this document. On
acceptance of such plan by NIC, the Supplier is required to carry out the implementation
including supply, installation, commissioning and testing of equipment etc.
 Prepare the designs, architecture and implement the solution in line with best practices in
the industry, regulatory guidelines, IT Act 2000 (along with its amendments), standards as
modified from time to time or any other law of the land which may be applicable.
 Recommendation of best practices to implement and roll out the items under procurement.
 Supplier needs to prepare a detailed execution plan, including HLD and LLD. The
complete documented plan must be submitted to NIC with supported designs and drawings
(if any) within 4 weeks of placing the order. The actual execution will start only after
approval of plan by NIC officials. The plan shall include information related to integration
with existing setup (as applicable), required downtime, deployment schedule etc. The
installation of the equipment shall be done as a planned activity on a date & time of
approved deployment schedule.
 The Supplier is responsible for Onsite support for the operations and maintenance of the
components for a period of 5 years post-go live of all components of the solution.
 The Supplier shall be responsible for managing and supporting the implementation of
patches, updates and upgrades of the solutions and provide daily/weekly/monthly reports.
All upgrades to be done within reasonable time-lines to minimize threat, subject to NIC
go-ahead. The components of the proposed solution should provide support for any
future OS, as and when available, at no extra cost.
h. Documentation
 All the documents shall be supplied in properly bound volumes of A4 size sheets.
 Documents for high level design (HLD), detailed design (LLD), and configuration of
individual features set on various appliances, general testing, Standard Operating
Procedure, best practices etc. shall form the complete set for fulfilling the documentation
criteria.
 Supplier shall also submit Delivery and Installation Report, Warranty certificates, License
Copies for all the items supplied along with the supplies.
 Installation report should contain the part numbers of all the components supplied by the
selected bidder
i. Inspection and Acceptance Procedure
Physical Inspection and preliminary testing of the Enterprise Information Security Solution
shall be done by Supplier, in the presence of representatives of NIC
 The items supplied by the Supplier should meet the technical specifications envisaged in
this RFP document.
 Appliances will be considered to have been commissioned when services as described in
this tender document are able to run smoothly over the network.
 All documentations, but not limited to Design, Configuration etc. (HLD and LLD) must
be handed over to NIC after successful implementation, commissioning and before release
of final payment
j. Management (required only during implementation): The selected vendor will have to align
a Project Manager with minimum 6 years’ experience, immediately after the signing of the
Contract. The detail of PM should be conveyed in writing to NIC within 2 weeks of receipt of
purchase order. The responsibilities of the On-site Project Manager as a part of support are as
follows (indicative but not exhaustive):
 Act as a Single Point of Contact (SPOC) for the entire project
 Responsibility for the entire execution & management of the project after receipt of
purchase order. Overall monitoring of project
 Coordination for Installation/integration
 Call flow management, Quality Service Delivery
 On-site Team management
 SLA management and reporting
 Submission of periodical Reviews and reports required by NIC.
 Crisis management and Emergency response procedures.
 Preparation and submission of detailed Project documentation to NIC (Purchase Order
wise) and progress of initiatives taken by NIC.
 He should be placed at NIC premises during NIC’s office hours. However, the hours may
be extended whenever required.
The Supplier shall submit to NIC, the name and contact details, including address, telephone
number, mobile number, FAX number/email address of the nominated Project Manager.

It is mandatory for the concerned Project Manager to have structured meeting with NIC once
a week, preferably on Monday, during the implementation period from the date of receipt of
the first Purchase Order by the vendor. Weekly meetings should be held till the project is
entirely rolled out.
k. Onsite Support Services
24x7 Services: Management, Maintenance and Configuration of the existing Information
Security Infrastructure along-with the newly delivered systems for the entire contract period.
The support to be provided to NIC should be on a 24x7 Onsite basis. During the Business
hours, the support engineers will be working out of NIC’s Head Office and during the
non-business hours, the support should be provided from the Data Centre. The bidder is required
to quote for appropriate number of seats at Data Centre for carrying out the activities.
Resources allocated for any currently ongoing activities at the Data Centre cannot be combined
with this new operation.

The support will include, but is not limited to:
 Co-relation of Logs, provide alert and report all Information Security Incidents.
 Detect, analyze and report critical security alerts on a real-time basis.
 Vulnerability assessment of network and security services, servers and desktops and
remediation of the same.
 Periodic cross-checking of security policy compliance.
 Manage, Maintain, Upgrade and Upkeep of Microsoft Active Directory and DNS
Infrastructure already deployed at NIC.
 Ensure all antivirus and other information security agents across the network are always
updated with latest signatures files as and when released by the OEM.
 Assessing Information Security threat environment and implementing risk-mitigation
processes.
 Monitor and manage activities and mitigate Information Security incidents in endpoints
(approx. 18,000 in number), servers (over 1000) and over 3000 network switches and
routers installed in all Offices of NIC. The activities include, but are not limited to:
o Configuration of device drivers.
o Issues related to running of applications in the endpoints.
o Maintaining and updating documents required for installation, configuration and
operating procedures for all security devices and systems deployed in all offices in
NIC.
o Coordination of warranty repair or replacement service for Hardware and process
warranty claims, as applicable. If the equipment are required to be taken outside
NIC premises, the cost of transportation and other related costs will be borne by
the Bidder.
o Coordinating and scheduling maintenance activities with NIC (e.g. network
support, facilities support, etc.)
o Maintain accurate documentation on the current location and status of
Hardware and/or software in the process of being repaired
o Services including requirement analysis, assisting NIC in hardware and system
software platform acquisition, testing, verification, and installation. The Bidder
agrees that services provided include implementation and maintenance of the
hardware as well as installation & maintenance of the software.
o Hardware maintenance services including preventive Hardware support,
preventive maintenance, corrective maintenance to remedy a problem, and
scheduled maintenance required to maintain the Hardware in accordance with
manufacturers' specifications and warranties
o Provide maintenance data, as reasonably requested by NIC, to support replacement
/ refresh scheduling
o Provide a single-point-of-contact for the resolution of Hardware related problems
or to request an equipment upgrade or consultation. If the Hardware supplied by
the bidder is to be replaced permanently, then the Bidder shall replace the
equipment of same Make/Model/configuration or of higher configuration.
o Provide support and assistance, as required, to isolate complex network,
operational and software problems related to the proposed solutions
o Update, or provide the information required for the NIC to update the asset
management system with the NIC
o Track and report observed Mean Time Between Failures (MTBF) for Hardware
o Backup, remove, protect, and restore programs, data and removable storage
media in a machine prior to presenting the machine for service
o Bidder to take corrective actions in order to resolve any security related issue
including Malware attacks, Phishing attacks etc. occurring in NIC.
l. Role of Compliance Manpower
 Gap Analysis of existing Information Security Practice Document including IS Policy,
Procedural, Guideline Documents and Operational Manuals
 Provide inputs to NIC for update of the above-mentioned documents
 Ensure compliance of NIC with various regulatory guidelines as well as central/state
regulations on Information Security
m. NIC may choose to procure all or only certain number of any of the items or services specified
in this RFP. The quantity specified in the RFP may increase or decrease at the time of
placement of order based on the requirements of NIC at that point of time.
 Wherever equipment are on Buyback, buying back and removal of the same from
NIC’s premises is compulsory under all circumstances.
 NIC reserves the right to place order for additional amount up to 25 % of the Purchase
Order covered by this RFP within 2 (two) years of placing the first Purchase order.
n. Bidder is required to take over support from the Existing Vendors for the following security
solutions and IT Infrastructure, and to successfully complete the transition of the existing
solutions and IT Infrastructure without disruption. Bidder is required to perform
re-installation / re-deployment / reconfiguration and changes in parameter and attribute
settings in order to achieve leading industry-adopted practices and the guidelines of cyber
security regulations published by RBI:
 Perimeter / internet firewall
 Core Firewall
 Perimeter IPSs
 Core IPSs
o. Bidder to ensure connectivity as per NIC’s Design and specification standards for all the
solutions supplied as part of this RFP.
69.1 Existing Information Security Stack:
 Active Directory with extensive Group Policies for users and systems
 SIEM – McAfee SIEM as standalone mode in DC with collectors at DC, DR and HO.
 Forcepoint Web Security – Forcepoint web security is implemented with gateways at DC, DR
and HO with 6500 + 5500 user licenses. Forcepoint appliance V10000 is installed in
standalone mode in DC, DR & HO with separate policy server and log server running Version
8.4.

Server | Forcepoint Policy | Forcepoint Database
OS | Windows 2012 R2 Std. | Windows 2012 R2 Std.
Version | 6.3.9600 build 9600 | 6.3.9600 build 9600
Application Version | 8.4
Database | SQL 2014
Processor | Intel(R) CPU E5-2683 v4 @ 2.10GHz, 2097 MHz | Intel(R) Xeon(R) CPU X5460 @ 3.16GHz, 3167MHz
Core | 4 | 8
RAM | 40 GB | 16 GB
HDD | 1 TB | 1.2 TB

 Database Activity Monitoring – McAfee DAM solution is installed in standalone mode in DC
and 35+8 database instances have been integrated.

(Hardware columns: Container, CPU, RAM, HDD. Software columns: OS, APP, DB.)
Sl. No. | Appliance | Module | Location | Container | CPU | RAM | HDD | OS | APP | DB
1 | DAM | APP + DB | DC | Cisco UCSC-C220-M3S | XEON 2.40 GHz (4 Core) | 16 GB | 500 GB | 2008 R2 Ent 64 Bit | 4.6.3 Build 52930 | SQL 2008 R2 (SP3) x64
2 | DAM | APP + DB | DR | Fujitsu PRIMERGY RX2530 M1 | XEON 3.00 GHz (8 Core) | 16 GB | 1 TB | 2012 R2 Std 64 Bit | 4.6.3 Build 52930 | SQL 2014 (SP2) x64

 Data Leak Prevention – McAfee DLP has been implemented in standalone mode for web,
email and 15000 endpoints. The various components installed are:
o DLP Manager: DC-1, DR-1
o DLP Monitor: 1
o DLP Discover: 1
o DLP Prevent: DC-2, DR-2
 Mobile Device Management : AirWatch MDM solution has been implemented in standalone
mode for 10000 endpoints

(Hardware columns: Container, CPU, RAM, HDD. Software columns: OS, APP, DB.)
Sl. No. | Appliance | Module | Location | Container | CPU | RAM | HDD | OS | APP | DB
1 | Air-Watch Console | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
2 | Air-Watch Device | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
3 | Air-Watch Content | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
4 | Air-Watch Mail Gateway | APP | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | NA
5 | Air-Watch Database | DB | DC | Cisco UCSC-C220-M3S | Xeon® 2.30 (6 Core) | 16 GB | 500 GB | 2012 R2 Std 64 Bit | 6.2.9200 build 9200 | SQL 2014 x64

 Vulnerability Management Solution : McAfee Vulnerability Management solution has been
implemented for 500 IP addresses
 PIM - Cyberark PIM solution has been implemented at DC & DR
 DDoS – Arbor on premise DDOS solution has been implemented at DC & DR
 WAF – WAF has been implemented at DC & DR
 Network Behavior Analysis – Cisco Stealth-watch is in the process of being implemented at
DC & DR
 AV for end-points with EDR and APT – McAfee EDR solution has been implemented across
all endpoints
 Hardened Email Gateway and AV for Mailboxes – TrendMicro is implemented as Email
Gateway and antivirus for mailboxes with 4500+10500 user license.
 IPSs and Firewalls deployed at Multiple Layers
 NAC: Cisco ISE has been implemented for NAC solution as follows
o SNS 3495 – Admin Node: DC-1, DR-1
o SNS 3495 – Monitoring Node: DC-1, DR-1
o SNS 3495 – Policy Node: DC-2, DR-2
o SNS 3415 – TACACS Node: DC-1, DR-1

69.2 Implementation - New Scope of Work

Bidder has to comply with the Minimum Technical Specifications of the products in this RFP.
Bidder will get disqualified in case of Non-Compliance.
A. SIEM
• Appliances shall be implemented in High availability configuration at DC
• Logs and Flow Collectors at DC, DR & HO to be deployed.
• Log Volume: 10,000 EPS license scalable to 20,000 EPS by license upgrade.
• Appliance based solution to be proposed from OEM with the processing capacity of 20,000
EPS and Data indexing capacity of 30,000 EPS to cater for peaks or bursts handling. All the
appliances should be in HA or Cluster mode in full redundancy.
• Log Retention: 3 months of Online storage of Security events / Metadata and 9 months
Offline storage of raw log data.
UEBA:
• This should be integrated with SIEM and should be capable of handling 14000 users.
• Additional prices for 10,000 slabs each.
SOAR:
• This tool must have Security Case / incident Management, Orchestration, Playbook
Automation and remediation capabilities.
• This may be a part of SIEM or a separate tool which could be integrated with SIEM;
bidirectional integration is required if the SOAR is a separate tool from the SIEM.
• Minimum 30 Analysts shall access the SOAR simultaneously and should not restrict the
number of Analyst to be able to access the SOAR platform.
• No limitation should be there on the incident response capability / incident management
cases to be raised simultaneously and no limitation shall be there on the number of playbooks that
can be created on the platform.
Network Forensics:
• Dedicated PCAP & DPI capable appliances at DC, DR & HO.
• This tool must be integrated with SIEM to provide nested & correlated single view of alerts.
• 1 Gbps Network scanning throughput at DC, DR & HO. Total of 3 appliances.
• PCAP raw data for 15 days and meta data Storage up to 30 days.
Optional OEM Services to be Proposed:
OEM’s Analyst has to work with the SOC team on a weekly basis (at least one hour session per
week) to configure the platform and deployment throughout the tenure of the Support and
maintenance period of the project:
• Validate configuration of the entity structure and lists relevant to each module
• Configure Machine analytics rules, advanced behavior analytics, and incident response plug-ins
• Implement module-specific dashboards and reports to provide rapid access to the most
important information
• Expose previously unseen threats
• Prioritize threats in a precise way
• Drive down false positives through greater corroboration
During weekly meetings, OEM Analyst should align the platform with best practices, review and
tune content

Implementation:
 Implement SIEM solution only in cluster at DC with log collectors at DC,DR and HO
 Integrate the identified devices/application/operating systems/database with SIEM
 Integrate existing security solutions mentioned along with the new solution procured through
this RFP with SIEM
 Integrate Application Logs with SIEM.
 Developing custom parsers for non-standard logs for 50 event sources
 Implement correlation rules out of the box and standard use cases
 Implement packet forensic solution at DC,DR and HO
 Implement and configure user and entity behavior analysis rules
 Integrate SOAR with SIEM
 Create playbooks as per the requirements
 Implement UEBA as per the requirements
 Deception - Implement the solution across NIC's Datacenter and Disaster Recovery
center, which form the internet-facing landscape, and any other critical service as deemed by NIC
 Deception - Configure the Decoy (Honey Pot) rules and policies.
 Integrate Decoy (Honey Pot) with SIEM to generate alerts for any Decoy (Honey Pot)
violations and provide a correlated view of threats and vulnerabilities associated with them
along with remediation mechanism.
 Deception - Creating and applying policies after analyzing traffic pattern
 Configuring backup Schedule of the proposed solution
Monitoring:
 Improve the policies configured on an on-going basis to reduce the occurrence of false
Positives
 Monitor the SIEM alerts and suggest/take appropriate action
 Perform on-going optimization, performance tuning and maintenance, and configure additional
use cases
 Suggest improvements as a continuous improvement process, Trend Analysis etc.
 Install/re-install/reconfigure any component/system of the security equipment supplied
by the bidder in case of a crash of those components/systems due to a problem or
patch/upgrade etc.
 Root cause analysis of any event has to be done and proper corrective action has to be taken
with information to NIC officials. Based on that, the bidder should recommend for
improvement to policies, procedures, tools and other aspects
 Creating out of the box reports as per NIC requirement

The proposal should include OEM Professional Services for the successful implementation of SIEM
including UEBA, SOAR, Deception and Packet forensics. The OEM professional services shall
include, but are not limited to, solution architecture, design, installation, integration and
preparation of acceptance test plan & procedure with expected results.

B. Database Activity Monitoring


Implementation
 Update/Upgrade the existing solution to the latest version
 Creation of policies/rules for enforcing access control on databases
 Reporting of deviations to the policies and access control.
 Integrate the DAM with SIEM
 Monitor events from DAM and suggest/take appropriate action along with NIC officials

C. Network Admission Control - The existing NAC solution runs on Cisco SNS 3315. The ISE
solution also provides the TACACS management for the network and security devices
Implementation
 Update/Upgrade the existing NAC solution to the latest version
 Migrate the policies (NAC & TACACS)
 Verify the NAC functionalities
 Upgrade the NAC Agent
 Configure and Verify TACACS rules
Solution Integration
 Integrate Solution with SIEM to generate alerts for any violations.
 The Bidder needs to ensure the proposed solution is configured to generate events for
monitoring through SIEM.

D. Data leak prevention


Implementation
 Update/Upgrade the existing hardware/architecture
 Migrate the policies configured
 Verify the functionalities
 Integrate the solution to SIEM

E. Proxy
Implementation
 Update/Upgrade the existing hardware
 Upgrade the existing version if needed.
 Provide licenses as required.
 Migrate the policies configured
 Verify the functionalities
 Integrate with SIEM
 Any hardware upgrade needed for implementing the solution has to be provided by the
bidder.

F. MDM
Implementation
 Upgrade/migrate the existing hardware/architecture along with users to cloud solution with
99.9% SLA. Functionality wise there should not be any change in cloud solution.
 Provide the licenses.
 Migrate the users
 Verify the functionalities
 Bidder to equip NIC SOC Team with 4 Mobile Devices, two running Pure Android viz.
Google Pixel latest version and another two running iOS, Apple XS for periodic testing of
MDM policies. Devices are to be refreshed by Bidder as and when declared EOL by
respective OEM.
 Mobile Threat Prevention - Implement the solution across NIC
 Configure the Mobile Security Framework rules and policies.
 Integrate Mobile Security Framework with SIEM to generate alerts for any Mobile Security
Framework violations and provide a correlated view of threats and vulnerabilities associated
with them along with remediation mechanism.
 The proposed solution should be capable to work with existing VMware (AirWatch) MDM
solution
 Creating and applying policies after analyzing traffic pattern
 Configuring backup Schedule of the proposed solution
Solution Integration
 Integrate Solution with SIEM to generate alerts for any violations.
 The Bidder needs to ensure the proposed solution is configured to generate events for
monitoring through SIEM.

G. Anti-Phishing
Implementation
 Implement the solution across NIC's Datacenter and Disaster Recovery center, which form the
internet-facing landscape, and any other critical service as deemed by NIC
 Validate the Anti-Phishing alerts and take action in coordination with NIC

H. Data classification and Information Rights Management


Implementation
Data Classification -
 Implement the solution at DC
 Integration with Active Directory
 Integration with Centralized File server for Discovery
 Installation of Agents
 Consult different department to identify and classify information
 Integrate classification solution with DLP
 Integrate the solution with SIEM for log management
IRM
 Implement the solution across NIC
 Configure the IRM rules and policies.
 Integrate IRM with SIEM to generate alerts for any IRM violations and provide a correlated
view of threats and vulnerabilities associated with them along with remediation mechanism.
 Integrate the IRM solution with DLP
 Creating and applying policies after analyzing traffic pattern
 Configuring backup Schedule of the proposed solution
The proposal should include OEM Professional Services for the successful implementation of Data
classification and IRM. The OEM professional services shall include, but are not limited to, solution
architecture, design, installation, integration, preparation of acceptance test plan & procedure with
expected results and end user training.
Centralized Storage
Implementation
• Establish the uplink connectivity from the storage to the upstream network switches & ADS server farm switch.
• Creating RAID pool & assigning of capacity to controllers.
• Integrating with Active Directory
• Integration of NAS network with user base
• Integration of group policies
• Integrating CIFS with Active Directory service
• Creating 5 GB space for each user for 100 users as Shared folder in Desktop capacity used via centralized NAS & ADS as authentication
• UAT
• Rollout to 14000 users
• CIFS NAS home directories on a storage system creating only one share that resolves the location of all the users' home directories. Users are offered a dynamic share with their matching directory name
• Create Group policy to ensure users have access only to the shared storage on the endpoints

The purpose of the Centralized File server is to store data centrally at the DC. Currently, user-generated
data is stored on the end-user systems. Because the data is scattered across various locations, it is not
possible to identify or classify it, which leads to data leakage. Also, since no backup is available,
a failure at the system end leads to data loss. With the data held centrally, each user's system will have
a mapped drive so that data is stored only in the mapped drive. With the data classification
solution, the file server shall be scanned with built-in policies to identify known data elements such as
credit/debit card numbers, as well as with flexible pattern recognition to identify specific data, for example
the presence of personal information (e.g. Employee IDs, Aadhaar/PAN IDs, mobile phone numbers
that may relate to the Data Privacy Law) and non-personal information (e.g. IPR of NIC). The scans
shall be scheduled at regular configurable intervals to identify where sensitive data is stored and who
the owner is. The solution shall scan these repositories for existing sensitive data, and once identified
this data can be automatically classified at rest. The data classification solution shall automatically
and periodically monitor and scan the corporate file server, and then classify the files based on
sensitive keywords and data found in the contents, or file location, file types, and various other file
attributes. For example, the solution shall be able to scan a network shared folder every hour, and
classify any document stored inside as 'Restricted'. The scan results shall be immediately displayed
in the Dashboard to show where sensitive data resides in the various repositories across the
organization.
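The content- and location-based classification described above can be sketched as follows. This is an added example, not part of the RFP and not any vendor's product code; the label ladder below 'Restricted', the regular expressions, the "EMP" + 6 digits employee ID format, the share paths and the sample file contents are all assumptions constructed for illustration.

```python
import re

# Label ladder, lowest to highest. 'Restricted' is the label the text uses;
# the other names are assumed for this example.
LEVELS = ["Unclassified", "Internal", "Confidential", "Restricted"]

# Assumed share whose documents are classified by location alone.
RESTRICTED_DIRS = ("/shares/board/",)

def luhn_ok(digits):
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_valid(match_text):
    """Strip separators, then require a plausible length and a valid checksum."""
    digits = re.sub(r"\D", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

# (name, pattern, validator, label). The lookarounds stop a detector from firing
# on a slice of a longer digit run, e.g. 12 digits inside a 16-digit card number.
DETECTORS = [
    ("payment_card", re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
     card_valid, "Restricted"),
    ("pan", re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"), None, "Confidential"),
    ("aadhaar_like",
     re.compile(r"(?<![\d+])(?<!\d[ -])[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?![ -]?\d)"),
     None, "Confidential"),
    ("mobile_in", re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)"),
     None, "Internal"),
    ("employee_id", re.compile(r"\bEMP\d{6}\b"), None, "Internal"),  # assumed format
]

def find_sensitive(text):
    """Return {detector_name: count}. Only counts are kept, so the scan report
    does not itself become a second copy of the sensitive values."""
    hits = {}
    for name, pattern, validate, _label in DETECTORS:
        count = sum(1 for m in pattern.finditer(text)
                    if validate is None or validate(m.group()))
        if count:
            hits[name] = count
    return hits

def classify(path, text, restricted_dirs=RESTRICTED_DIRS):
    """Pick the highest label implied by file location or by content."""
    hits = find_sensitive(text)
    label, reasons = "Unclassified", []
    if path.startswith(tuple(restricted_dirs)):
        label, reasons = "Restricted", ["location"]
    for name, _pattern, _validate, det_label in DETECTORS:
        if name in hits:
            reasons.append(name)
            label = max(label, det_label, key=LEVELS.index)
    return {"path": path, "label": label, "hits": hits, "reasons": reasons}

def scan(files):
    """files: iterable of (path, owner, text). Returns dashboard rows,
    most sensitive first, each showing where the data is and who owns it."""
    rows = []
    for path, owner, text in files:
        row = classify(path, text)
        row["owner"] = owner
        rows.append(row)
    rows.sort(key=lambda r: LEVELS.index(r["label"]), reverse=True)
    return rows

# Constructed sample data (test card number, made-up identifiers).
SAMPLE_FILES = [
    ("/shares/finance/refunds.txt", "fin_user1",
     "Refund to card 4111 1111 1111 1111 approved. Ref 1234567890123456."),
    ("/shares/hr/onboarding.txt", "hr_user7",
     "Employee EMP004521, PAN ABCDE1234F, Aadhaar 2345 6789 0123, mobile +91 9876543210"),
    ("/shares/board/minutes-q2.txt", "cs_office",
     "Agenda and minutes of the quarterly meeting."),
    ("/shares/general/canteen-menu.txt", "admin_user2",
     "Monday: rice, dal. Tuesday: roti, paneer."),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_FILES):
        print(row["label"], row["path"], row["owner"], row["reasons"])
```

The 16-digit reference number in the first sample file fails the Luhn check and is not counted, which is the kind of false-positive control a pattern-only scan lacks.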

I. Vulnerability Assessment:
Vulnerability Assessment and Penetration Testing should cover NIC's Information System
Infrastructure, which includes networking systems, security devices, servers, databases,
application systems and websites maintained at NIC's premises. The Bidder should carry out a
threat and vulnerability assessment and assess the risks in NIC's Information Technology
resources with the use of the proposed VA tool. This will include identifying existing threats, if any,
and suggesting remedial solutions and recommendations to mitigate all identified risks, with
the objective of enhancing the security of Information Systems.

The frequency for conducting VAPT should be half-yearly. The VA should be done through the
solution at least once in 6 months. However, NIC at its own discretion can change the frequency. The
Bidder should use the services of an Auditor empanelled with CERT-In for conducting the Penetration
Testing of internet-facing assets. The Auditor is required to perform Black Box Testing for
devices/applications. The Auditor shall be rotated by the Bidder every three years.

The Auditor is required to close all the gaps/issues identified and also coordinate with the existing vendors
of NIC in order to close all the gaps identified in VAPT Reports as per the timelines, and submit the
status report of all the identified gaps in the VAPT Report on a weekly basis.

NIC requires an authenticated type but non-destructive VAPT to be carried out.


i. VA should be able to cover a broad range of systems like Operating systems (Windows,
Linux, AIX, etc), Databases (MS SQL Server, MySQL, Oracle, etc), Web servers
(Apache, Tomcat, IIS etc), Application servers, Network devices (Cisco etc.), Security
devices (Cisco, Fortinet, Citrix, McAfee, Forcepoint, Microsoft etc.).
ii. VA is to be conducted against the standard configuration document that NIC has created,
as also the latest global standards and industry best practices. In case, any new asset is
identified during project execution, Auditor is expected to develop the checklist and
conduct the assessment.
iii. The purpose of the VAPT is to discover all systems on the perimeter network and to assess
these systems for security vulnerabilities. VAPT shall attempt to determine
vulnerabilities that may enable unauthorized logical access to protected systems. The
VAPT should be conducted against network and security infrastructure components to
identify services in use and potential vulnerabilities present.
iv. Initially NIC proposes VAPT to be conducted for IT assets in Data Center & Disaster
Recovery Center & Offices/Branches. The VAPT exercise must cover the following IT
Infrastructure but not limited to:-
a. All the servers and applications in DC & DR.
b. All the Firewall Devices in DC & DR
c. PCs & Laptops at Offices
d. Routers installed at DC, DR & Offices.
e. L3, L2 network switches present in DC, DR & Offices
v. The assessment should check for various categories of threats including:
a. Unauthorized access into the network and extent of such access possible
b. Unauthorized modifications to the network and traffic flowing over network
c. Extent of information disclosure from the network
d. Spoofing of identity over the network
e. Possibility of denial of services
f. Possible threats from malicious codes (viruses, malware and worms etc.)
g. Possibility of traffic route poisoning
vi. Scope of work for Vulnerability Assessment
a. General aspects for all systems
• Access control and authentication
• Network settings
• General system configuration
• Logging and auditing
• Password and account policies
• Patches and updates
b. Specific requirements for Server/OS Configuration Audit
• File system security
• Account Policies
• Access Control
• Network Settings / Network Port / Network Access Details
• System Authentication
• Logging And Auditing
• Patches And Updates
• Unnecessary services
• Remote login settings
c. Configuration Audit of Networking & Security Devices
• Access Control
• System Authentication
• Auditing And Logging
• Insecure Dynamic Routing Configuration
• Insecure Service Configuration
• Insecure TCP/IP Parameters
• System Insecurities
• Unnecessary services
• Remote login settings
• Latest software version and patches
d. Database Configuration Audit
• Database Account Authentication
• Password Policy
• Database Account Privileges
• Database Auditing
• Database Logging And Tracing
• Database Network Access Mechanism
• Database Patching
• Database Files And Directories Permission
• Access control and authentication
• Unnecessary services
• Remote login settings
• Patches and updates
e. Security configuration of desktops, laptops, tablet phones and mobile devices that
are used by the business users can be performed on sampling basis as per NIC’s
requirements.
f. Annual IS Audits should also cover branches on sample basis, with focus on large
and medium branches, in critical areas like password controls, control of user ids,
operating system security, anti-malware controls, maker-checker controls,
Identity & Access management, physical security, review of exception
reports/audit trails, BCP policy and testing etc.
Penetration Testing: The objective of the assessment is to determine the effectiveness of the security
of NIC's infrastructure and its ability to withstand an intrusion attempt. This may be achieved by
conducting both reconnaissance and a comprehensive penetration test. This will provide good insight
into what an attacker can discover about the network and how this information can be used to further
leverage attacks. The security assessment should use industry-standard penetration test
methodologies (like Open Source Security Testing Methodology i.e. OSSTM) and scanning
techniques, and will focus on applications. The application tests should cover, but not be limited to, the latest
OWASP Top 10 attacks. Bidder shall perform application security testing to identify security
vulnerabilities in NIC's applications that may be exploited by a user to obtain unauthorized access.
This will also include identification of any configuration issues that may not have been possible to
identify using the vulnerability assessment tool. Bidder shall use automated and manual testing
techniques to exploit the weaknesses identified in the application logic, in areas like authentication,
authorization, information leakage, field variable control, session timeout & logout, cache control,
server side logic, client side logic, error handling, application administration and encryption. The
scope for penetration testing should include, but not be limited to, the list of internet-facing websites/
applications in the System Detail section. It is explicit that the penetration tester should conduct the
vulnerability assessment in consultation with the concerned personnel and with proper permission of NIC. Finally,
remediation and recommendations must be provided along with all findings. The following areas are
to be considered for penetration testing:
i. Network Security
a. Password Security Testing
b. Router Security Assessment
c. Anti-Virus System Security Assessment and Management Strategy
d. Internet User Security
ii. Host Security
a. Unix/Linux System Security Assessment
b. Windows System Security Assessment
c. Web Server Security Assessment
d. Other relevant/mapped application Security Assessment
iii. Database Security Assessment
iv. Scope of work for Penetration Testing
a. Tests for default passwords
b. Tests for DoS (Denial of Service) vulnerabilities
c. Test for directory Traversal
d. Test for insecure services such as SNMP
e. Check for vulnerabilities based on version of device/server
f. Test for SQL, XSS and other web application related vulnerabilities
g. Check for weak encryption
h. Check for SMTP related vulnerabilities such as open mail relay
i. Check for strong authentication scheme
j. Test for sample and default applications/pages
k. Check for DNS related vulnerabilities such as DNS cache poisoning and snooping
l. Test for information disclosure such as internal IP disclosure
m. Look for potential backdoors
n. Check for older vulnerable version
o. Remote code execution
p. Weak SSL Certificate and Ciphers
q. Missing patches and versions
r. This is a minimum indicative list, bidders are encouraged to check for more
settings in line with best practices including PCI, OSSTM etc
v. Review of System Security Plan. The Specific Objectives and Techniques are as
follows:-
a. Critical Element: System security plan to be documented for the system including
mapping of all interconnected systems.
b. Approved system security plan to be put in place.
c. The plan is to be in accordance with the existing guidelines and policies
promulgated in NIC
d. Implementation of corrective actions to be effectively ensured.
The Auditor has to do a reassessment after systems are patched.
The Auditor shall be rotated every three years.

J. User Training:
Implementation
• Integrate with NIC Active Directory
• Enabling the modules and rolling out for 100 users
• Configuring the Phishing Campaign and rollout of 100 users
Operations
• Periodic Reporting on the awareness training for 12000 users
• Creating the campaign based on NIC requirement

69.3 Summary – Overview of Products to be procured


The Products to be procured as part of the RFP: The New Products should be present in latest
available Gartner Leader's Magic Quadrant (where available) or, Forrester’s as on date of
this RFP Publication (Mandatory Requirement – Bidder will get disqualified in case of Non-
Compliance)
A Products
1 Security Incident and Event Management, including Packet Forensics, UEBA and Security Orchestration and Automation, Deception
2 Vulnerability Analysis and Penetration Testing
3 Data classification, Central storage
4 McAfee Data Leakage Prevention upgrade
5 Cisco Network Admission Control upgrade
6 Forcepoint Web Security upgrade
7 Airwatch Mobile Device Management upgrade and Threat Protection
8 Fortigate Firewall upgrade with IPS blade and SSL Inspection
9 McAfee Database Activity Monitoring upgrade – separate servers required for DB and App
10 McAfee Endpoint Encryption upgrade
11 TrendMicro Enterprise Security Suite - IMSVA and Scanmail for Domino upgrade
12 SQL 2016 license
13 User Training - Optional
14 Information Rights Management - Optional
15 Anti-Phishing – Optional
16 DNS Security – Optional
C Services
1 24 x 7 IS Services
2 Compliance Management
Also refer, Section - 73.1

69.4 Intentionally Left Blank


69.5 Minimum Technical Specifications and Compliance of RFP for Security Information and
Event Manager

Security Information and Event Manager: <Bidder to mention Product Name>
Sl. No. | Technical Specifications | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The SIEM platform should be based on a Hardened Operating System Based solution with a clear physical separation of the collection engine, the logging engine and the co-relation engine. The solution should have a scalable architecture, catering multi-tier support and distributed deployment.
2 The solution should support log collection, correlation and alerts for the number of devices mentioned in scope.
3 The solution should be able to conduct agent less collection of logs except for those which cannot publish native audit logs
4 The solution should have connectors to support the listed devices/ applications and additional, if any required, the bidder should develop customized connectors for these at no extra cost
5 The proposed solution must ensure all the system components continue to operate when any other part of the system fails or loses connectivity.
6 The proposed solution should be able to cater to 10000 sustained EPS while being scalable to 20000 sustained EPS, storage for 1 year
7 The capacity for event correlation engine that is being proposed should be properly sized for the specified EPS.
8 The proposed system/solution should have the ability to correlate all the fields in a log
9 The proposed solution should be able to parse and correlate multi-line logs
10 The proposed solution must employ advanced analytics and machine learning techniques
11 The UEBA must be offered fully integrated within the proposed solution
12 The UEBA must be able to detect and respond to insider threats, compromised account, privileged account abuse, data exfiltration etc.
13 The UEBA must correlate log information to single identities to know the actors behind the actions impacting the environment with Identity Inference, which attributes identities to anonymous log messages, streamlining forensic investigations
14 The UEBA must create a heuristic baseline of user activity by analyzing behavior, so it must perform multidimensional baselining, enabling the modeling of a broad set of user behaviors. Baselines are used to detect anomalous behavior via machine learning and other statistical analysis techniques
15 The UEBA must use the heuristic baseline to detect unusual behaviors in real time, so it must continuously analyze current activity against baselines established for each identity and peer group. Detect behavioral deviations from user and peer group baselines
16 The UEBA must collect machine data from across NIC environment and fill in forensic gaps with endpoint and network monitoring
17 Log security in terms of integrity and availability should be ensured
18 All logs should be Authenticated (time-stamped) and encrypted before transmission to the correlation/normalization engine. This may be achieved by encrypting the logs or the communication channel between the aforementioned components.
19 The solution should be able to continue to collect log data during database backup, de-fragmentation and other management scenarios, without any disruption to service
20 The solution should have the capability to collect and analyse logs from various log sources which include operational Events / Logs of Security devices including IPS, Firewalls, Anti-virus and other such devices, Logs / Events from the servers such as Web server, Mail server, DNS Server, Application Servers, Operating systems (Windows, Unix, Linux, AIX, Solaris etc), Virtualization platforms, Databases (Oracle, SQL, DB2 etc.), Storage systems, etc. as deemed to be important for the purpose of Security. The system should support, not restricted to, the following log and event collection methods:
21 - Syslog – UDP (as detailed in RFC 3164), TCP (as detailed in RFC 3195)
22 - Flat file logs such as from DNS, DHCP, Mail servers, web servers etc.
23 - Windows events logs – Agent-based or agent-less
24 - FTP, S/FTP, SNMP, ODBC, CP-LEA, SDEE, WMI, JDBC, etc.
25 In case the connectivity with SIEM management system is lost, the collector should be able to store the data in its own repository for a minimum period of 7 days. The retention, deletion, synchronization with SIEM data store should be automatic but it should be possible to control the same manually.
26 The Log collector should support filtering of log data.
27 All logs should be automatically categorized into categories like usernames, event categories, actions, event id’s and other meta data fields
28 The solution shall automatically tag the logs with geo location, IP address, data center category defined, source asset, application name etc.
29 Solution should provide threat intelligence feeds for botnet C&C servers, malware domains, proxy networks, known bad IP’s and hosts, traffic to APT domains etc. Proposed solution should support STIX/TAXII based threat intelligence feed for correlation.
30 Solution should be able to perform the following correlations (but not limited to) based on analysis rules mapped to various threat categories and provided with criticality information.
The various threat categories to be covered include:
1) Vulnerability based
2) Statistical based
3) Historical based
4) Heuristics based
5) Behavior based on source entity, applications etc.
6) Information Leak
7) Unauthorized Access
8) Denial of Service
9) Service Unavailable
10) Phishing attack
11) Pattern based rules
12) Profiling
13) Whitelist/Blacklist/Reference List
31 The solution should provide out of box rules for alerting on threats found in log or network data.
31.1 E.g. failed logins, account changes, expirations, port scans, suspicious file names, default usernames, default passwords, security tools, AV signature updates, successful authentications, bandwidth by IP, email senders, failed privilege escalations, VPN failed logins, group management system configuration changes, traffic to nonstandard ports, URL blocked, accounts deleted, accounts disabled, top intrusions etc.
32 The solution should allow creating correlation rules on any meta fields
33 The solution shall allow sending alerts to external systems e.g.- syslog, email etc.
34 The solution shall allow export of specific logs from the correlated event.
35 The solution should be capable for performing application monitoring.
36 The proposed solution should provide the ability to monitoring and alerting on non-compliance events in real-time and provide necessary reports and dashboards.
37 The solution should allow creating standard reports from the rules configured in the system. The solution should also allow customizing reports in accordance with the organization’s requirements from time to time.
38 The solution should provide out of box templates for reports on ISO 27001 standards at no additional cost.
39 The solution should provide both tabular and graphical reports
40 The dashboard should be in the form of a unified portal that can show correlated alerts/ events from multiple disparate sources such as security devices, network devices, enterprise management systems, servers, applications, databases, etc.
41 Events should be presented in a manner that is independent of device specific syntax and easy to understand for all users
42 The solution should provide event playback for forensic analysis.
43 All artefacts/forensic evidence for each incident should be maintained
44 Should generate e-mail and SMS notifications for all critical/high risk alerts triggered from SIEM
45 The system should allow scheduling reports
46 The system should provide a calendar view. Clicking on a date should show all reports generated on the selected date
47 Reports should be available in the formats including but not limited to pdf, csv, etc.
48 The solution must provide a flexible dashboard with chart and summary displays for a complete view of real-time captured data.
49 The solution must provide fully customizable queries and report library to define report and alert combinations.
50 Dashboard should support different views relevant for different stake holders including top management, operations team, Information Security Department
51 Dashboard views should be customizable as per user rights and access to individual components of the application.
52 The system should permit setting up geographical maps or location wise real time dashboards to identify impacted areas and sources of alerts.
53 Solution should have the ability to perform free text searches for events, incidents, rules and other parameters.
54 The proposed solution should have inbuilt case management and should have options for integrating with external ticketing solution
55 The system should allow centralized management and reporting for various components from central site.
56 The solution should support creation of incident management workflows to track incident from creation to closure, provide reports on pending incidents, permit upload of related evidences such as screenshots etc.
57 The system should allow centralized system updates for application
58 The system should have interface to monitor health of the various components of solution and provide details like CPU usage, interface usage, disk status etc.
59 The system should receive feeds from a threat intelligence repository maintained by the OEM and from leading global intelligence sources. The solution should support external threat intelligence which could be used to identify incidents based on knowledge of global security research, to supplement its own threat feed.
60 The system should audit all changes made to the system
61 The solution should support role based access control and user based access control and have out of box dashboards for various roles like incident analyst, incident coordinator, SOC lead etc.
62 The solution shall have intuitive dashboards for other stake holders
Network Forensic Analysis Tool
1 The packet appliance should support collection of full network traffic based on all/desired protocols
2 The Packet capture appliance should have a throughput of as mentioned in the sizing annexure
3 Should support filtering of desired traffic on filtering conditions using OSI Layers 2-7 like BPF filters, ports, protocols, applications and meta data conditions (Ex- truncate when destination zone is DMZ)
4 The solution should perform threat detection using
- Threat intelligence (Inbuilt feeds)
- STIX Support for external feed integration
- Community based threat intelligence
- Should support custom watch lists and feeds using CSV
- Correlation rules on packet data (Ex- PDF download followed by SSH connection)
- Should have native correlation rules for network traffic and support custom rules
- Simple alerts like, destination country is "Russia"
- The solution should support Easy-to-use dashboards for analysts for hunting and investigation
5 The solution should be able to provide complete packet-by-packet details pertaining to one or more session of interest including web pages, FTP, Email, image views, artifact & raw packet extractions
6 Should support on demand enrichment (Right click on asset and add more context) with feeds based on Hashes, IP, incidents etc
7 Support session exports and remember recent queries
8 Support customization of analyst layouts to show specific meta data (Ex- show only source/destination IP address, usernames, files names etc. in the view)
9 Support multiple such layouts for each analyst and capability to share layouts within various analysts
10 Should have native incident management workflows with features to support
11 Support sending of notifications on syslog, emails
12 Dashboard support to reflect desired parameters as charts and reports
13 Support Incident Management and workflows view based on user ID/role
14 Native Incident reports and related metric like trends, by Status, by Category etc.
15 Evidence attachment in incident, Incident creation on rules or manually during investigation process
16 Integration with third party helpdesk if required and integration with GRC tool for incident management which NIC may have in future
17 Should have dedicated health and wellness page for monitoring logical and physical condition of appliances
18 Support custom application and protocol parsers by analyst team
19 Support STIG based hardening and REST based API
20 The solution should perform searches across all network data. The solution shall search attachment file names
21 The proposed solution must detect and alert when inappropriate or blacklisted applications are used
Security Orchestration, Automation & Response
1 The solution should provide integration with most prevalent IT and cyber security systems like SIEM, IPS, Anti-APT, Firewalls, LDAP/AD, End point protection, NAC, Vulnerability scanners, patch management etc. to consume alert data, perform investigative and remediation actions.
2 The solution should support integrating custom sources in case product OEM is not supported by default.
3 The solution should integrate with partner products using any of the standard protocols and interfaces including REST API, SOAP, SSH/CLI interface, and custom APIs
4 Solution shall have the capability of providing independent threat intelligence for local and external threats
5 The solution must support the ability to correlate against 3rd party security data feeds (i.e. geographic mapping, known botnet channels, known hostile networks, etc.)
6 The solution should provide a simple, comprehensive, fully automated approach to detect and stop the threats that matter, for on premise deployments from internal & external attacks
7 The solution should support both human and machine based automation for various tasks related to security investigations
8 The proposed solution must offer the play book functions embedded in the platform at no additional cost.
9 Solution should provide capability to execute desired playbooks (collection of actions/commands) based on manual analysis.
10 Solution should do Automatic Remediation in real-time without any manual intervention.
11 Solution should auto remediate the problem without causing a huge impact to the organization. Some examples of such remediation could be:
· Push policies to prevent an external IP
· Isolate an internal desktop/Server
· Disabling user accounts used for malicious purposes
· Patch automation in case tool finds vulnerability
12 The solution must provide a mechanism to capture all relevant aspects of a security incident in a single logical view. This view must include relevant events, network activity data, correlated alerts, vulnerability data, etc.
13 Solution should provide necessary integration with the IT/cybersecurity systems for keeping the forensics artefacts from the integrated sources of the incident before taking remedial actions.
14 Solution should support email or text notifications, along with functionality to email comprehensive periodic reports and dashboards.
15 Solution should provide content for threat descriptions as well as remediation advice
16 Solution should be configured with the use cases with automation for response to the minimum basic threats like
· Blacklisted IP Communication
· Possible Penetration Testing Activity
· Connection to Known Malicious Actor in Published Host List
· DDOS Attack
· Vulnerability scan detection
· Phishing detection
· Brute force attack
· Malware activity
· Ransomware
· Endpoint Quarantine
· Suspend Users
Apart from the above use cases there should be provision for configuring new use cases as well as compliances as per future requirements.
17 The solution should provide complete incident management capabilities to provide end to end capabilities from alert collection to closure.
18 The solution must provide a playbook for each type of incident raised by the solution. The playbook should specify what activities are to be performed by L1/L2/L3 personnel and what investigation/action are to be taken by each personnel.
19 The solution should allow attaching multiple playbooks to any incident.
20 The solution should be able to find related incidents from historical data based on assets like IPs or user involved in incident
21 The SOAR solution must not have any limit on the number of SOC analysts or playbook templates that can be used
22 The proposed solution must allow the customers to add their own automated remediation.
23 The proposed solution's automated remediation must provide a built-in hierarchy approval workflow
24 The proposed solution must calculate the mean time to detect and mean time to respond automatically and show that on the dashboard for the analysts
Deception
1 The solution must have the ability to visually replay past events on an interactive
fluid dashboard that show all decoy elements and attacker details.
2 Solution must use a numeric risk score for an attacker based on dynamic analysis
of attacker behavior. Solution should not just use basic critical / high / medium
/ low buckets.
3 The system must have the ability to save and share custom views filtered based
on time and any event metadata for analyzing specific events. Results of saved
queries must be exportable.
4 The solution must have the ability to reconstruct raw attack data into plain
English attack analysis. It must also provide attacker / APT group attribution,
mitigation recommendations, MITRE mapping within the user interface for the
analyst.
5 The solution should have a central management console to manage the
deployment and event notifications. All other components should be controlled
and configured through the central management console only.
6 Both physical and virtual instances that can each support minimum 50 VLANs
and minimum 250 network decoys per appliance.
7 The solution should offer the option for both physical and virtual instances of
the solution components. The virtual instances must support VMware.
8 The solution should have capabilities to scan the surrounding environment, and
automatically deploy authentic deception that mimic not only the hostnames of
the surrounding systems but MAC addresses and services as well. The solution
must be able to choose the ratio between blend-in and stand-out decoys.
9 Ability to ‘agentless’ embed lures on real endpoints in the form of unique
dummy credentials that lead attackers on to decoy systems
10 Deception platform must be capable of creating file decoys that are deployed on
real systems and ‘agentless’ trigger alerts when opened, copied, modified or
deleted
11 The solution should have the ability to capture commands executed for hi-
interaction SSH connections on Linux decoys
12 Linux high-interaction decoys should not be emulated, but should be complete
distributions that are externally instrumented (no internally running agent /
process).
13 For authenticity, Linux high-interaction decoys should be one-to-one (the
solution should not re-use a single internal VM for multiple decoys).
14 The solution should be able to deploy built-in application decoys that look like
webmail portals, VPN login portals, network printer, PIM login, HRMS etc.
15 Decoy web-applications should include the ability to easily upload templates for
high-interaction (login / browsing of the decoy application).
16 All Windows high interaction activity should be logged, not just code execution
attempts. High-interaction should not involve transfer of malicious code to a
separate analysis VM, but should provide full interactive access to the attacker.
17 The solution must support geolocation of external threats.
18 The solution should have the ability to detect network scans in all VLANs in the
enterprise network including remote offices without the need for any complex
network changes like GRE tunnels or additional appliances in each branch
19 The solution should be able to create spear-phishing decoys to detect targeted
spear phishing attempts.
20 Decoys created must be individually unique, not just a variation of a few virtual
machines.
21 The solution should have an inbuilt feature to allow automatic isolation of an
attacking source system based on preset or custom rules
22 When an event occurs, the solution should have built in orchestration to take
specific actions based on preset or user specified rules that can be specified on
any event meta-data. The rule engine should support multiple Boolean and
logical conditions to appropriately orchestrate the response.
23 Decoys should be integrated with the real Active Directory domain and should
not use a domain trust relationship between a dummy Active Directory and the
real Active Directory domain that hackers can easily discover.
24 Decoy services like SSH, HTTP / HTTPS, FTP, SMB, MySQL, telnet should
be individually unique services and not just a few VMs offering the same service
on multiple IP addresses
25 Solution should include high-interaction Windows decoys that are accessible
over the following channels: WMI, RDP, WinRM, RPC-DCOM.
27 Solution should have the ability to create Internet facing decoys with low false
positives, not just running internal network decoys on the Internet. The Internet
facing decoys should consume backscatter threat intelligence from platforms
like MISP, Greynoise, Shodan etc.
28 Deception platform should automatically fill network decoys with realistic auto-
generated enticing content pertaining to specific business verticals like Finance,
Legal, HR, IT etc. Please list the specific types of “auto-generatable” files /
content etc.
29 The solution must support deep protocol inspection of network traffic such as
DCE/RPC / SSL-JA3 for detection of exploits, reconnaissance and zero-days
pre-engagement in the virtual machine.
30 Linux decoys must not contain a monitoring agent that could identify the OEM
vendor of deception solution.
31 Deception platform must be capable of real-time telephonic alerts based on
preset or custom notification rules
32 The solution should have a built in incident response capability that allows live
forensics of the attacking source system. This includes live memory analysis.
33 For security, the base operating platform (host operating platform on which the
decoys run) of the deception appliance must be hardened and capable of being
patched against any future vulnerability.
34 Solution must allow visual dissection of the PCAP traffic and preserve all
network traffic to and from the decoys while having the ability to export PCAPs
based on a time filter.
35 Solution must support Suricata signature detection for 'known bad' events and
must be updated with the latest emerging threat signatures.
36 The proposed solution must be listed by Gartner in the Magic Quadrant or as a
Cool Vendor
37 Detect MITM attacks like NBNS, LLMNR, MDNS, ARP, DHCP in every
VLAN of the enterprise
38 Deception solution provider (OEM) should offer professional services for
customization of decoys, deception strategy planning, and incident response

69.6 Minimum Technical Specifications and Compliance of RFP for Vulnerability Assessment
Solution
Vulnerability Assessment Solution: < Bidder to mention Product Name>

Sl.No. | Technical Specification | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The proposed solution should have minimal impact on traffic, server
performance, networks etc. during deployment and operation
2 The system should work in any network topology
3 The proposed solution should maintain an updated database for latest
vulnerabilities
4 The proposed solution should provide flexible deployment of VAS solution
and capability for tuning the scanning configurations for optimal performance
of NIC's infrastructure
5 The proposed solution should provide pre-built integrations with other security
solutions
6 The proposed solution should perform a targeted scan (i.e. check for a specific
set of vulnerabilities or IP Addresses).
7 The proposed solution should support application scanning, mobile device
scanning
8 The proposed solution should support centralized management of scan
operations, reporting and administration.
9 The proposed solution should automatically discover and categorize assets
based on multiple attributes and not just the IP addresses
10 The proposed solution should be able to identify applications running on
non-standard ports.
11 The proposed solution should track hosts over time in a dynamic IP
environment (DHCP)
12 The vulnerability signature database should include breakdown of types of
signatures (i.e. CGI, RPC, etc.) and number of signatures that map directly to
CVE IDs.
13 The proposed solution should be able to conduct vulnerability assessment for
all operating systems and their versions including but not limited to: Windows,
AIX, Unix, Linux, Solaris servers etc.
14 The proposed solution should provide mechanism to upload IP lists of devices
through XLS format
15 The proposed solution should provide configurable Vulnerability assessment
policy and individual tests
16 The proposed solution should be able to scan workstations, servers, network and
security equipment and other devices such as printers, mobiles, webcams,
tablets etc.
17 The proposed solution should be able to run scans on network segments as well
as entire network.
18 The proposed solution should be able to perform authenticated and
unauthenticated scans and manage credentials centrally for authenticated
scans.
19 The proposed solution should be able to scan application databases for
vulnerabilities
20 The proposed solution should be able to detect weak password for databases
and point out accounts with simple, weak and shared passwords.
21 The proposed solution should be able to identify out-of-date software versions,
applicable patches and system upgrades.
22 The system should be able to identify configuration deviations/defects as per
NIC baselines, CIS, SCAP, OVAL baseline / Standards / leading practices for the
various devices in scope
23 The proposed solution should include vulnerability rating methodology
configurable to NIC's requirement
24 The proposed solution should provide remediation information in the reports
including links to patches etc.
25 The proposed solution should produce a report listing all applications on a host
or network, regardless of whether the application is vulnerable
27 The proposed solution should be able to support “scan windows”, scan
scheduling, and automatic/manual pausing/stopping/restarting of scans.
28 The proposed solution should support users to modify existing rules or create
their own rules
29 The proposed solution should include a library of potential vulnerabilities and
rules which should cover SANS top 20. This library should be customizable by
the administrator and changes to the same should be traceable.
30 The proposed solution should produce reports in the following formats: XLS,
PDF, CSV, XML etc.
31 The proposed solution vendor should assist NIC in reducing the number of
false positives identified by the solution
32 The proposed solution should be able to prioritize vulnerabilities on the basis
of severity levels defined by the NIC
33 The proposed solution should be able to track the closure of all vulnerabilities
identified and should include parameters such as responsible person, date of
closure, action taken etc.
34 The proposed solution vendor should provide configuration review services as
a part of the solution
35 The proposed solution should generate reports on trends in vulnerabilities on a
particular asset.
36 The proposed solution should be able to integrate with other security solutions
(i.e. Security Information/Event Management, Patch Management, IPS, etc.)
37 The proposed Solution should have an Application Programming Interface
(API) to integrate with other systems
39 The proposed solution should support integration with threat feeds, allowing
vulnerabilities to be correlated against real-time threat information.
40 The proposed solution should be able to detect both wireless and rogue devices
41 The proposed solution should support all kind of standard platforms like
Solaris, Linux, MAC OS and Windows Etc.
42 The proposed solution should maintain history of scan and provide comparison
between two scans and differential reports of the scans
43 The proposed solution should support discoveries of vulnerabilities caused by
absence of update for OS, Database, Application, etc.
44 The proposed solution should support scanning of virtualization and terminal
platforms like vSphere, Hyper-V, XenApp, etc.
45 The proposed solution should provide both pre-configured and fully
customizable report templates for various stakeholders across organization.
46 The proposed solution should provide built-in reports that include but are not
limited to audit, baseline comparison, executive summary, PCI, policy
compliance, remediation planning, top remediation, SANS Top 20,
vulnerability verification report etc.
47 The proposed solution should support automatic, manual and offline
application updates
48 The proposed solution should allow NIC to schedule the VA of selected assets
for a pre-defined date and time. The proposed solution should also be able to
schedule scans based on asset ratings and asset types.
49 The bidder should assist in building of scan templates as per NIC's
requirements such as types of applications to be scanned, protocols to be used,
ports to be scanned etc.

69.7 Minimum Technical Specifications and Compliance of RFP for Data Classification and
Information Rights Management
Data Classification and Information Rights Management: < Bidder to mention Product Name>
Sl.No. | Technical Specification | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The solution should evaluate content, context, identity and other attributes of
unstructured data to make classification and policy decisions.
2 The solution should have a simple and flexible policy engine to support
creation of rules. For example, upon an Event where the user clicks ‘Send’
on an email, under the Condition that one of the email recipients has a certain
specific email domain, take an Action to block the email from being sent.
3 The solution should support policy conditionality based on data attributes like
content, classification, recipients, sender, author, filename, path, IP address,
MAC address, modification date, file type, and location.
4 The solution should enable administrators to define policies with or without
classification as part of the policy.
5 The solution should support policy nesting/hierarchy to control the flow of
policy execution, making it easier to support more advanced use cases for
classification and policy enforcement.
6 The solution should provide context-sensitive help throughout the user
interface to support security training and help users select the correct
classification and policy remediation options.
Data Classification and Identification Requirements
7 The solution should support automated, suggested, and user-driven
classification.
8 The solution should enable the classification of Word, Excel and PowerPoint
documents from within Microsoft Office.
9 The solution should enable the classification of any custom file type.
10 The solution should support the ability to classify on Send, Save/Save As,
Print, New Email, Close/Open Document, and other email and document
events.
11 The solution should support unlimited number of classification fields.
12 The solution should support users to enforce data retention and disposition
tags, including date fields while classifying information especially sensitive
information which can result in increased liability if stored longer
13 The solution should support hierarchical and conditional classification fields,
so that the appearance of a sub-field is conditional on the value selected in the
higher-level field. For example, when a user selects “Restricted,” a sub-field
is presented with a list of departments including “HR Only.”
14 The solution should support dynamic/tailored classification selections based
on the user's Active Directory attributes or groups.
15 The solution should support the mapping of classification schemas across the
organization.
16 The solution should support the mapping of old classification values to new
ones, and seamlessly update previously classified information if required.
17 The solution should enable users to assign classification values via a one click
classification user interface.
18 The solution should enable users to assign classification values to any file type
by right-clicking in File Explorer and selecting one or more files.
19 The solution should enable users to assign classification values to
non-classified email in their inbox.
20 The solution should enable users to set their most frequently used
classifications as “Favorites.”
21 The solution should enable users to save type-in fields as Favorites so that the
information needs to be typed in only once.
22 The solution should provide tooltips, classification descriptions, and help page
links to assist users with classification policy.
23 The solution should support the use of automated classification for any
classification field. These classification values can be assigned based on
content, context, and/or user identity (e.g. user role).
24 The solution should support dynamic population of classification fields from
sources other than the pre-configured classification schema. For example,
metadata values can come from document attributes (e.g. author),
environmental variables (e.g. IP or MAC address), and/or Active Directory
(e.g. group, department).
25 The solution should support the ability to set the classification automatically
based on a series of questions presented to the user via the classification
dialog.
26 The solution should support the ability to ask users to confirm an automated
classification value (also called “suggested classification”).
27 The solution should support the ability to prompt users to change the default
classification(s) if the default is inappropriate for the content, context, or other
attributes of the email or document.
28 The solution should support the ability to prompt users to classify in some
cases, and use automated classification in others. For example, a default
classification may be used for internal email, but users are prompted to
classify for external email. Or users may be prompted to classify email only
when there is an attachment.
29 The solution should support the ability to scan for certain keywords and
regular expressions and set the classification accordingly.
30 The solution should support creating custom conditions within a policy. For
example, the solution should allow creating a custom condition to ensure a
particular software is installed on the system before allowing email to be sent,
or to query the time of day to ensure an activity takes place during regular
business hours.
31 The solution should support creating custom actions within a policy. For
example, the solution should have provision to write a custom action to send
an email notification when a user performs an action denied by a policy, or to
send an email notification to an administrator when a user attempts to print or
distribute content classified as Restricted.
32 The solution should generate metadata for all file types, including persistent,
embedded metadata for many non-Office files, including PDF, TXT, Visio,
Project, images, and multimedia files.
33 The solution should support metadata remediation and prioritization when
multiple sources of metadata are available on a file. For example, a
user-applied classification may be most critical and trustworthy, while in other
cases, a DLP solution’s tag is treated as a preferred value.
34 The solution should support the creation of custom metadata for
interoperability, including custom X-headers.
35 The solution should support customizable visual markings in email and
documents (e.g. font, size, color, and content).
36 The solution should support customizable visual markings for HTML, RTF
and plaintext email.
37 The solution should support the ability to evaluate multiple email and
document attributes to determine the appropriate markings.
38 The solution should support different visual markings for the same
classification, depending on context. For example, a “Confidential” email
going to internal recipients may have different markings than a “Confidential”
email going to external recipients.
39 The solution should support different visual markings for different
applications, for instance, adding a header or footer for all documents but only
metadata in emails
41 The solution should support automatic classification of files when they are
downloaded and saved to specific folders (e.g. Downloads, My Documents),
and the classification should be based on file content for files that can be read
by a text processor and based on file type or file size or file name or file path
for other file types
42 The solution should support Machine Learning Categorization to help predict
different categories of documents, providing classification suggestion or
automation on unknown content in documents and email
43 The solution should have the ability to classify an email message with the same
classification label as files attached to it
44 The solution should have the ability to automatically classify email and
calendar events as 'Internal' based on the sender and recipient in the same
email domain
45 The solution should have the ability to enforce obtaining consent from end
users while handling sensitive information and capture the same in the
metadata
46 The solution should provide the ability to allow the user to manually classify file
attachment(s) directly within MS Outlook when composing an email without
the need to open the attachment and without classifying the original source
file.
Data Discovery Requirements
48 The solution should support the discovery and identification of large volumes
of data, stored both on premise and in the cloud. This includes the scanning of
network file shares, as well as Cloud storage providers.
49 The solution should provide the ability to run scheduled scans to automatically
classify files based on several factors, including the file properties/attributes,
content, and/or metadata.
50 The solution should support the ability to encrypt files by integrating with
third party encryption solutions. This additional layer of protection can be
added based on the details of the file itself, or its location.
51 The solution should support the ability to collect file information during scans,
including file properties, classification (pre- and post-scan), and access
controls. This data inventory identifies what the data is, where it is, and who
has access to it.
52 The solution should provide the ability to analyze scanning results via a
built-in dashboard or third-party analytics tools to minimize data at risk, monitor
classification activities, and optimize data identification policies and data
storage solutions.
53 The solution should support the ability to quarantine files stored
inappropriately, flag files for follow-up, or take action based on results of the
scan. This may include updating security policies, or re-educating users on
the treatment of sensitive data.
54 The solution should have the ability to scan Windows file shares, and enforce
classification based on content, file attributes, file location
55 The solution should support Machine Learning Categorization to help predict
different categories of documents at rest, providing classification suggestion
or automation on unknown documents at rest
Information Protection Requirements
56 The solution should provide interactive warning messages that include
remediation options and URL links for additional help and information.
57 The solution should consolidate all policy warnings in the same policy dialog.
58 The solution should enable administrators to control whether users can
override policy warnings.
59 The solution should support the use of task panel alerts, which can be applied
at all times or only under certain conditions. For example, the task panel can
be configured to appear when handling an Excel spreadsheet containing PII.
60 The solution should support the ability for users to opt-in or opt-out of any
policies that the administrator defines as optional. For example, an
administrator may want to allow users to opt out of using default
classifications, or allow them to opt out of email and document scanning.
61 The solution should allow users to click a button to run a policy check before
sending an email or continuing to compose or save a document. This enables
the user to run a content scan without having to do a scan on every Save.
62 The solution should provide the ability to warn/prevent users from
downgrading, upgrading, or changing a classification.
63 The solution should provide the ability to save the name of the original
classifier in metadata, and to enforce policy so that only the original classifier
can change the classification.
64 The solution should provide the ability to warn users when opening sensitive
Office documents.
65 The solution should provide the ability to highlight sensitive information
within an email and redact the sensitive content so that users can remediate
any policy violations before the email leaves the desktop.
66 The solution should provide the ability to automatically invoke the Microsoft
Office Document Inspector to remove hidden or sensitive information, such
as comments, revisions, and document properties – without impacting
classification-related visual markings or properties.
67 The solution should provide the ability to evaluate the number of instances of
sensitive data within an email or document, and then apply the appropriate
policy. For example, users may be allowed to send an internal email with one
credit card number, but if there is more than one credit card number, the
message requires a restricted classification and will be encrypted.
68 The solution should provide advanced control over email attachments via
policies that evaluate content, recipients, sender, classification, filename, file
size, and other attributes.
69 The solution should provide the ability to restrict users from sending
non-classified email attachments (i.e. attachments that have no classification).
70 The solution should provide the ability to present the user with a checklist of
blocked attachments when a policy violation occurs, and allow the user to
manually select the attachments that are allowed to bypass the policy
violation. For example, the user can be shown all “Confidential” attachments
and asked to confirm individual attachments before sending the email.
71 The solution should support the scanning of zip file attachments, including the
ability to evaluate individual file properties such as metadata, filename, and
path (e.g. when a file is within a folder within the zip file).
72 The solution should support the ability to prompt the user to enter the password
used for sending a password-protected file over email. The password entered
should be appended to the email header after encryption with the key generated
during tool installation
73 The solution should support the ability to check external recipient policies via
an LDAP directory instead of the corporate Active Directory.
74 The solution should provide the ability to present the user with a checklist of
blocked recipients when a policy violation occurs, and allow the user to
manually select the recipients that are allowed to bypass the policy violation.
For example, the user can be shown all external recipients and asked to
confirm individual recipients before sending the email.
75 The solution should support the ability to automatically BCC a specified
mailbox when an email triggers a policy.
76 The solution should prevent users from downgrading classification to lower
levels on files and emails
77 The solution should allow only the file owner defined in file attribute to
downgrade file classification.
78 The solution should allow only a specific AD user group for downgrading or
changing classification
79 The solution should allow authorized users to enter a justification before
downgrading classification.
Auditing and Reporting Requirements
80 The solution should log user activity while users are handling email,
documents, and files.
81 The solution should provide flexibility to send user logs to SIEM, syslog
server, text file, and Windows event logs as per the need.
82 The solution should provide a reporting collector that can collect events
written to the Windows event logs and record them in a central reporting
database.
83 The solution should provide built-in reports and dashboards to analyze user
behavior and system health.
84 The solution should provide a built-in dashboard for reviewing data discovery
scanning results for user activity, deployment, data storage trends, and data
inventory.
Mobile Security Requirement
85 The solution should support classification of emails on the following mobile
devices without additional license. In case additional hardware is required for
the same, Bidder shall provide
Apple iPhone and iPad with iOS 9 or later.
Android phones with Android platform version 4.4 or above
86 The solution should support the ability to add classification label as a
customizable body tag within the email message.
87 The solution should provide clear display of the documents’ classification
when opened.
Configuration and Deployment Requirements
88 The solution should provide a centralized, web-based Administration Console
for classification configuration and policy management.
89 The solution should support the ability to save configurations in a single
configuration file.
90 The solution should enable clients to retrieve configurations from file shares
or web servers (HTTP or HTTPS).
91 The solution should have the ability to integrate with AD natively and enforce
policies based on AD groups and enable administrators to tailor configurations
to individual users or groups of users
92 The solution should cache configurations on endpoints locally for offline use.
93 The solution should provide the ability to deploy in silent mode either natively
or using third party software distribution tools so that software can be
deployed and enabled in different phases.
94 The solution should enable administrators to customize all user interface text
strings to support different languages and terminology. This includes
classification fields and values, and policy warning messages.
95 The solution should work with Microsoft Office 2010 (32-bit and 64-bit), 2013
(32-bit and 64-bit), 2016 (32-bit and 64-bit) and 2019 (32-bit and 64-bit)
96 The solution should work on Windows 7, 8.1, and 10; and Windows Server
2008 R2 (SP1) and 2012 R2 and Windows Server 2016
97 The solution should work within virtual machine environments including
Citrix XenDesktop, VMWare and other virtual desktops.
98 The solution should include installation and configuration, professional
services to plan, configure, and deploy the solution on-site and transfer
knowledge to the organization’s personnel in order to ensure continuous
operation.
99 Solution should have the ability to extend classification of emails and
documents seamlessly for MAC OS
Integration and Interoperability Requirements
100 The solution should provide the ability to attach metadata to information
objects, which can be leveraged by e-discovery solutions.
101 The solution should provide the ability to attach metadata to information
objects, which can be leveraged by third-party data loss prevention (DLP)
solutions and should work even when emails and documents are protected.
102 Solution should support enforcing policies like encrypt all documents which
have PCI information by integrating with IRM solutions
103 The solution should provide the ability to trigger encryption based on
metadata. For example, if a specific keyword or pattern is found in a message,
the solution can add a MAPI property with the Boolean value of “True”. The
encryption solution can use the “True” MAPI property to initiate the required
response.
104 The solution should integrate with Fileserver with the ability to scan. For
example, when the user uploads the document to fileserver
105 The solution should quickly identify where sensitive information is available
and who is touching it. It should also help prioritize risk and remediation and
should be capable of locking down the data without interrupting business.
106 The solution should have the ability to integrate with archival solutions and
take actions on archival based on classification label
Storage
Storage Quality Certification - The Storage OEM should be established in the
1
Gartner General Purpose storage arrays. Leader Quadrant 2018 or above
Storage Controller - The Storage system must have at least two controllers
running in an active-active mode with automatic failover to each other in case
if one controller fails for both NAS and SAN. ; The storage solution should
be a true unified architecture with support for all the protocols FC, iSCSI,
2
CIFS, NFS, FCoE, SMB, HTTP, pNFS natively. Single storage OS should
support all protocol without adding additional hardware. All necessary
software and hardware required to meet the requirement should be supplied
by OEM.
3 Storage Scalability - The Storage system should be scalable to a minimum
of 8 controllers in the same cluster in active-active configuration
4 System Cache required - The system should support minimum 64 GB
memory across the two controllers. Proposed system should have ability to
protect data on cache if there is a controller failure or power outage. The cache
on the storage should have 72hrs or more battery backup (OR) should have
de-staging capability to either flash/disk.
5 Extended cache for enhanced performance - The system must provide
capability to use SSD/Flash as an extended/secondary cache. The system must
be supplied with at least 7.5 TB of SSD and/or NVMe Flash for this purpose.
6 Drive Support - The system must support intermixing of SSD, SAS and SATA
drives to meet the capacity and performance requirements of the applications.
The system must support a minimum of 144 disks for scalability purpose
with 2 controllers. The scale out architecture should support minimum 1700
drives scalable with up to 10 PB
7 Protocols - The storage should be configured with FCP, iSCSI, NFS (NFSv3,
NFSv4, NFSv4.1), SMB (SMB2 & SMB3), pNFS protocols for use with
different applications. Any hardware/software required for this functionality
shall be supplied for the entire supported capacity in No Single Point Of
Failure mode.
8 RAID configuration - Should support various RAID levels (1/5/6) or
equivalent
9 Storage Performance - The storage model should support a 5 GB CIFS or NFS
share for each of 15000 users across 100 branches.
OEM should mention a bandwidth requirement from branches to storage
location
10 Storage Capacity - The usable capacity required for storage from day 1
is 75TB on SAS disk and additional SSD cache for performance. Max scalable
capacity should be 1.2 PB using SAS/NLSAS/SSD with two controllers
11 Front-End and Backend connectivity - The proposed storage system should
have minimum 8 numbers of 10GbE frontend ports and 12Gb backend
SAS ports.
12 Rack Mountable - The storage should be supplied with rack mount kit. All the
necessary patch cords (Ethernet and Fiber) shall be provided and installed by
the vendor.
The Proposed solution should not exceed 16 Rack Units.
13 Storage Scalability - The proposed system should be field upgradeable to a
higher or same model with NAS scale-out: 1–24 nodes (12 HA pairs)
14 Storage functionality - The storage shall have the ability to expand
LUNS/Volumes on the storage online and instantly.
14.1 The storage shall have the ability to create logical volumes without physical
capacity being available or in other words system should allow
over-provisioning of the capacity. The license required for the same shall be
supplied for the maximum supported capacity of the offered storage model.
14.2 The storage should be configured with Quality of Service feature.
14.3 The storage shall support logical partitioning of controllers in future such that
each partition appears as a separate Virtual storage in itself.
14.4 The proposed storage system should be configured to provide data protection
against two simultaneous drive failures.
14.5 The required number of hard disks for parity & spares should be provided
exclusively of the usable capacity mentioned.
14.6 The proposed storage should support integration with Active Directory for
user and group account based data access
14.7 System should have redundant hot swappable components like controllers,
disks, power supplies, fans etc.
15 Point-in-time images - The storage should have the requisite licenses to
create point-in-time snapshots. The storage should support minimum 250
snapshots per volume/LUN. The license proposed should be for the complete
supported capacity of the system.
15.1 Point-in-time images - The system should support instant creation of clones
of active data, with near zero performance impact.
16 Management - Easy to use GUI based and web enabled administration
interface for configuration, storage management and performance analysis
tools
17 OS support - Support for industry-leading Operating System platforms
including: LINUX, Microsoft Windows, HP-UX, SUN Solaris, IBM-AIX,
VMware, etc. Any Multi-pathing software required for the solution must be
supplied for unlimited host connectivity
18 De-Duplication and Compression - Proposed storage should support block
level data de-duplication and compression for all kinds of data (structured &
unstructured); should support both NAS and SAN.
19 Warranty & SLA - The Hardware and software quoted should have 5 years
support along with upgrade and updates.
Information Rights Management – Optional Procurement
1 The solution should be capable to provide security of documents on desktop,
laptops and fileservers
2 The solution should be capable to provide security of documents in emails.
Lotus INotes either through client or clientless
3 The solution should have the capability to restrict access/use of files by users,
groups & devices
4 The solution should have the capability to revoke access to the
documents/files to users at any time even after delivery
5 The solution should have the capability to protect documents and emails text
during storage, transmission and while it is being used
6 The solution should be capable to enable external users to access protected
documents, including agentless access (i.e. no installation of agent required to
view and edit the MS Office files even without the native application)
7 The solution should allow the user to view the documents after initial
authentication and authorization without using passwords after successful first
authentication
8 The solution should be capable to provide a mechanism to manage external
users separately from the internal users via a different user repository
9 The solution should be capable to share protected documents with external
users by applying pre-created IRM template
10 The solution should support dominant MS Office formats and Open Office
formats
11 The solution should support older versions of MS Office e.g. 2010 especially
when sharing with external user
12 The solution should support most commonly used file formats like PDF, text
and text based formats, and dominant image formats
13 The solution should have the capability to protect any file format being used
by NIC
14 The solution should support all dominant versions of Windows, Linux & Mac
operating systems, dominant browser technologies, native app support for
mobile devices like Android and iOS
15 The solution should support dominant databases like Microsoft SQL and
Oracle, MySQL
16 The solution should support virtualized environments for deployment of
server components as well as for creating and accessing protected
documents/emails
17 The solution should have the capability to provide integration with existing
user management systems e.g. Active Directory and have built-in identity
management capabilities. Such integration should be part of the on-premise
configuration only
18 The solution should support automatic deletion/disabling of internal/external
users based on changes in Identity Sources
19 The solution should support integration with Single Sign On systems, external
authentication systems (like Google etc.)
20 The solution should support highly granular rights: viewing, editing, printing,
copying, forwarding, screen capture prevention (even when file opens in
native application), time based expiry, and restrict access on mobile devices
21 The solution should allow content to be copied from a protected
document to a protected document only and not to an unprotected document.
It should ensure that copied data does not lose the associated rights to that
information.
22 The solution should have the capability to lock access to a particular
machine/s, and ability to restrict access based on the location (IP address) i.e.
ability to restrict access of protected content inside NIC's premise only.
23 The solution should have the capability to allow document creators to assign
different rights for each user or group in the same window
24 The solution should have the capability to provide off-line use of protected
documents; can also control the period for which the user can have offline use
25 The solution should have the capability to allow enforced watermarked
viewing of protected files
26 The solution should be capable enough to enforce protection even when the
file formats are changed (e.g. word file saved as pdf)
27 The solution should allow display of a dynamic watermark based on the
classification applied to the file
28 The solution should be such that there is no single point of unprotecting the
documents other than the document owner
29 The solution should be capable to retain rights regardless of where files are
stored, transmitted, used and archived. The rights and policies on the
document must apply irrespective of how the document is shared i.e. copied
to USB, FTP, shared via G-drive, Dropbox etc. and should be independent of
the collaboration platforms
30 The assigned rights should be dynamic; one can grant and withdraw the rights
for a specific user or group for the protected document at any time without the
need to recall or resend the document
31 The system administrator should be able to define and control which users are
allowed to define policies and can monitor these policies for compliance to
NIC's security standards. Admin/Owner of the document should also be able
to transfer document ownership
32 The solution should be capable to provide web-based activity searching and
reporting of user activities and admin activities
33 The solution should be capable to assign specific roles that can monitor the
usage of all documents within the defined hierarchy
34 The audit trail should capture the person who has used the document, what
has been done (un/authorized), the time, and the location. Activities can be
exported to be consumed by other monitoring systems.
36 Basic access to protected information (for view and edit) must be available on
desktops without any client installation or any required application software
like Word for MS office files
37 The desktop client/agent should be easy to install and should provide for
offline access to protected documents
38 If a user forwards a protected file to other users, there must be a system driven
workflow (and not just an email) for other users to ask for permissions/rights
from the owner of the file
39 The solution must be easy to use and must support existing enterprise
applications
40 The solution should support automation of protection including prompting
users to protect content
41 The Solution should be capable to transfer access related policy changes to
affected documents in short span of time.
42 The solution should have reusable rights templates to remove requirement of
repeated rights setting by end users. It must also provide control over which
user has access to custom and predefined templates
43 The solution should provide search-and-browse capabilities for documents,
activities, and rights templates for end users and administrators
44 The solution must not require a change in user behavior.
For example, the desktop file protection must happen at the endpoint and not by
uploading the file to a central location, and an external user must receive an
email attachment that is protected and not a link.
45 The solution should provide a framework for integration with Network File
server and provide generic APIs for custom application integration
46 The solution should have readymade connector for integration with multiple
storage devices (e.g. Neap, SanDisk, Hitachi etc.)
47 The solution should provide connectors for integration with Data Loss
Prevention (DLP) systems to apply protection based on file classification and
/ or specific keywords identified within the document. NIC currently has
McAfee DLP and the solution should have integration with the same
48 The solution should be capable to allow for automated folder-based protection
for NIC's central file server. Folders are mapped to user’s machines as local
drive e.g. G:\. All files existing and newly dropped in this folder must be
automatically protected with predefined policies. The user's view must not be
replaced with some custom or application specific view
49 The Solution should have integration with Microsoft AD for user
authentication / rights management. It should also support withdrawal of
access rights if an employee / onsite vendor staff member leaves the
organization or is transferred.
51 The solution should be capable to support delegation of duties and
administrative functions for efficient management
52 The solution should support installation of desktop client via standard
desktop/infrastructure management tools like RADIA-CAE, Desktop Central
etc.
53 The solution should provide basic in-app troubleshooting capabilities that can
be easily run by end users themselves
54 The solution should have minimal to no dependency on other proprietary
hardware/software on the desktop or server
55 The solution should not cause conflicts with other security systems like anti-
virus, anti-malware systems
56 The solution should support segregation of duties (defining end users, system
administrators, policy administrators)
57 The solution should have capability to create and apply custom FRM (File
Right Management) Rules at organization level, department level, Group level
or user level as per requirements.
58 The solution should have the capability to keep keys and content separate at
all times
59 The solution should establish communication within the system as well as
with external systems over secured communication protocols like https
60 The solution should be capable to provide two-factor authentication or
integrate with third party authentication mechanism
61 The solution should not require additional licenses for recipients of documents
within or outside of the enterprise
62 The solution should be capable to provide security of information irrespective
of vendor's computing environment (Storage, Network Connectivity). This
will be a fully offline environment
63 The solution should have the provision to lock the information to a specific
device on first access

69.8 Minimum Technical Specifications and Compliance of RFP for Mobile Threat Protection
Mobile Threat Protection: < Bidder to mention Product Name>
Sl.No. | Technical Specification | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 Solution must have Proactive defense against zero-day malicious repackaged
apps
2 Solution must have Incremental app analysis based on signature,
static/dynamic analysis, behavior, structure, permissions, source and more
3 Solution must have a Real-time response and protection against various known,
unknown and targeted malware attacks
4 Solution should include an effective shield against malicious Wi-Fi networks
5 Must have Detection, blocking and remediation of malicious iOS profiles
6 Should have Active Honeypot technology to identify Man-in-the-Middle, SSL
downgrading and content manipulation attacks without violating privacy
7 Should have capability to Monitor devices for unpatched known vulnerabilities
8 Should educate users and notify security staff
9 Should help in Uncovering zero-day vulnerabilities in apps and operating
systems while informing vendors
10 Should detect unknown and known vulnerabilities such as Stagefright and
Accessibility Clickjacking
11 The MTP solution should integrate with existing AirWatch MDM solutions
12 The solution must have a capability to Remote wipe in case a device is lost or
compromised
13 The solution must have a capability to Passcode lock to protect corporate
information
14 The solution must have a capability to generate comprehensive reporting on
devices, users and groups
15 Should have Deep static and dynamic analysis, including behavior analysis based
on machine learning
16 Should Constantly monitor and evaluate severity of open vulnerabilities
17 Solution should feed Intelligence to other enterprise systems (e.g. EMM,
SIEM)
18 Should Catalog characteristics of both good and bad apps and networks
19 Should Evaluate OS versions and device types to determine upgradability
20 Should help with zero-day detection of repackaged apps and other malware
types
21 Solution should be Easy to deploy, adopt, maintain and update
22 Should have Zero impact on productivity
23 Should have Real-time protection from certain suspicious apps and networks
24 Should automate corporate asset protection when under attack
69.9 Minimum Technical Specifications for User Training (Optional Procurement)
User Training: < Bidder to mention Product Name>
Sl. No. | Technical Specifications | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The training should be a web-based platform\virtual learning environment (VLE)
hosted by the bidder/OEM
2 The bidder must provide licenses for up to 12,000 users
3 The bidder/OEM must have at least one experience in providing security
awareness training in BFSI in India. Please provide names and examples of one
or more for whom security training has been provided
4 The solution must be available 24x7x365 days with 99.7% availability.
5 If provided as a VLE, it must allow bulk uploading of users and addition of
single users
6 VLE login page must use strong encryption (AES 256 or stronger)
7 VLE should integrate with NIC Active Directory and users should be able to
login with domain credentials
8 Security awareness training must require that users interact with the training
session, meaning user either answers questions during/throughout a session or
completes a quiz/assessment at the end of the training session
9 Security awareness training must provide users with a certificate of completion
upon successful conclusion of the training
10 VLE should allow multiple users to complete the training simultaneously
without degradation of service
11 VLE should be compatible with Windows and Mac platforms and Internet
Explorer, Safari, Firefox and Chrome browsers without the need for installation
of browser add-ons.
12 The solution must allow users to take training multiple times
13 The solution must notify users via e-mail that they have an outstanding
obligation to complete a lesson.
14 Security awareness training should be innovative, engaging and highly
interactive requiring the user to click on items, mouse over items, play a game
or answer questions during the training
15 Security awareness training content should be innovative, engaging and highly
interactive and updated at least annually
16 Security Training should have the ability to be taken all at once or staggered
into smaller parts and offered throughout the year
17 Security awareness training topics should be short (each topic under 20 minutes
in length).
18 Security awareness training content may include but is not limited to the
following topics
Security essentials
Security Beyond office
Safer Web Browsing
Mobile Apps
Securing your Email Series
URL Training
Social Engineering\Phishing
Safe Social Networking
Physical Security
Data Storage and Destruction
Mobile Device Security
USB Device Safety
Protecting Against Ransomware
Email Security
19 Security Awareness training should be able to initiate phishing simulation and
thereby assign phishing related training and awareness to employees of NIC.
20 Phishing tests should show results for each participant (Fail = Clicked on the
link in the email, Pass = Did not click on link in the email)
21 Phishing test results should show
21.1 Recipient’s Name and email address
21.2 Date email was sent
21.3 Whether recipient clicked on the link
22 Remedial phishing training is provided to users that fail a phishing test
23 Security awareness training status reports should be easily exported (pdf, csv,
xls)
24 Executive level summary reports should be provided
25 Security awareness training status reports should show total
enrollment\completion and enrollment\completion by organization
26 Security awareness training reports should include:
26.1 Name
26.2 Email Address
26.3 Date training was assigned
26.4 Date training was completed
26.5 Modules completed

69.10 Minimum Technical Specifications and Compliance of RFP for Anti-Phishing (Optional
Procurement)

Anti-Phishing: < Bidder to mention Product Name>


Sl. No. | Technical Specification | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 24x365 proactive monitoring of World Wide Web etc. for Phishing, Brand
Abuse and any other threat or exploitation of vulnerabilities which lead to
compromising of credentials of the customers unknowingly directed against
the customers of the NIC.
2 Detecting the attacks proactively and blocking / shutting down of the attacks
anywhere in the world within the minimum possible time. For the purpose of
detection, service provider may use any technique or combination of
techniques.
3 Daily scanning of all the websites/apps of the NIC to detect any type of
blacklisted links, suspicious activities etc. Reporting to NIC the exact nature
and location of the infection for speedy removal of the infection / abnormality.
4 Proactive Monitoring of major Mobile App stores and blocking/Shutting down
of Malicious App/Trojan used for NIC.
5 Gathering the Forensic information such as IP address, exact URL, source of
attack, images, screen shots, email, account details, card details, compromised
data etc. from the attacks and sharing the same with the NIC.
6 Reporting to NIC in line with regulatory requirements about all the attacks and
providing detailed information through email & online dashboard
7 Take up and coordinate the cases with CERTs and / or other legal agencies of
any country in consultation with NIC.
8 Providing customized dashboard to the NIC's SOC Team.
9 Monthly and other ad hoc reports to be provided as per the requirement and
format provided by the NIC.
10 Additional Login ID for NIC is to be created which will be utilized for activities
like logging of incidents, ascertaining status of current/closed incident,
generating reports of the reported incidents etc. as per requirement of the NIC.
11 Service provider should provide feasibility for entering the details of
websites/apps of the NIC which need to be whitelisted so that these sites are
not taken down.
12 Establishing and maintaining contacts with service providers, browser
developers and other major agencies such as CERT, global security Working
Group / Data Security Council etc. to ensure effective closure of incidents.
13 Taking all necessary security aspects into account to ensure the confidentiality
and integrity of the data related to above service.
14 Ability to monitor incidents related to brand abuse
15 Ability to monitor all kinds of incidents given below:
· Phishing
· Pharming
· Trojan
· Brand Abuse
· Compromised Servers
· Domains (old / new) similar to the NIC, Rogue Mobile Apps
16 Ability to report incidents through email & online dashboard and sending list
of compromised accounts immediately on detection.
17 Ability to close any incident within the earliest possible time, take proper
counter measures wherever required, ensuring continuous monitoring for
repeated incidents and maintaining sufficient contacts with ISP/third parties to
act on behalf of the NIC for timely closure of incidents.
18 Support many international languages in which service provider is able to
communicate with the fraudsters.
19 Legal support in the form of communication with CERT/Cyber Crime (with
special permission from the NIC). Technical support should be provided on a
continuous basis.
20 Provision of Dashboard that should have all the following features:
· Display of high and low level reports
· Regular update of incidents
· Customized reports/ option to process adhoc queries
21 Forensics capability must ensure the following functionalities:
· Comprehensive analysis
· Extracting critical data
· Providing critical information to the customer as per the nature of the
incident.
· Ability to provide data for investigation purposes
22 Providing advisory services in the form of:
· Advisory for online threats
· Presentations in a quarter
· Review calls
· Intelligence alerts
· High and low level reports on a monthly basis
· Regular alerts on critical vulnerabilities
· Articles and white papers
· Tools and other methods used by the fraudster against the NIC
23 Contacts with Major leading browser developers, ISPs, countries there is a tie
up with ISPs, SI / OEM member of Anti-Phishing Work Group / Data Security
council.
24 The service provider/OEM should have experience in providing Anti-Phishing,
Anti-Pharming & Anti-Trojan services for a minimum of one year in India.
25 The service provider/OEM should have minimum number of one BFSI (Banks,
Insurance) customers using proposed / offered Anti Phishing service in India.
26 The service provider/OEM should provide the following additional services
as part of the overall scope:
i) Monitoring for NIC login domain.
ii) Webserver referral log monitoring
iii) Darknet / Darkweb Monitoring

69.11 Minimum Technical Specifications and Compliance of RFP for DNS Security (Optional
Procurement)
DNS Security: < Bidder to mention Product Name>
Sl. No. | Technical Specification | Compliance (Yes/No) | Reference Document name, page number, with highlighted paragraph
1 The proposed solution must be based mandatorily on recursive DNS analysis
and should support 18000 systems from day one
2 The solution must have a minimal impact with the existing DNS infrastructure
3 The threat intelligence must be consumed from the OEM facilities that serve
the recursive DNS requests.
4 The solution must offer several deployment options: either via an internal
virtual forwarder, or pointing the forwarder of the existing authoritative DNS
to the recursive service, or pointing the DNS configured on the Internal Proxy
to the recursive service, without any additional physical hardware.
5 The recursive DNS security must be:
Easily deployable, simply changing the forwarders to the OEM recursive DNS.
Delivered directly from the OEM’s global network.
Easy to manage and operate
6 The solution must be applicable simultaneously to corporate users connecting
from wired and wireless networks, with the possibility to define different
policies based on different public IPs, and/or internal networks, or Active
Directory attributes (in case an internal virtual forwarder is necessary).
7 Security Requirements
8 The solution must be able to detect and block advanced malware regardless of
the specific ports or protocols used by the malware.
9 The solution must be able to detect and block malware using protocols different
from HTTP/HTTPS.
10 The solution must be able to detect and block advanced malware used for both
opportunistic attacks and targeted attacks aimed at this specific
organization.
11 The solution must be able to protect at least from the following categories of
malware: botnets, exploit kits, drive-by, and phishing.
12 The solution must be able to detect and block suspicious DNS requests
returning RFC1918 compliant IP addresses not allowed to be routed on the
Internet, or directed to Dynamic DNS services.
13 The solution must be able to prevent infections, blocking the DNS requests
towards malware distribution domains or drive-by domains, and contain the
pre-existing infections, blocking the DNS requests towards command and
control infrastructures.
14 The solution must leverage predictive intelligence and not use static signatures
or blacklists
15 The predictive intelligence must be created via the DNS traffic analysis on a
global scale, via a network of at least 20 distributed datacenters hosting the
resolvers.
16 The analysis algorithms must enforce predictive detectors able to identify in
real time where attacks are staged and consequently predict and prevent the
next move of attackers.
17 In order to allow the malware detection on a global scale, the network utilized
to build the threat intelligence must process at least 80 billion DNS
requests/day coming from at least 60 million daily users.
18 The solution must have a proven efficacy, being able to block at least 80 million
daily DNS requests.
19 The analysis algorithms must make use of multi-layer predictive detectors. As a
mere example, these include (but are not limited to):
Analysis of DNS co-occurrences,
Analysis of Domains based on Natural Language Processing algorithms.
Detection of DGA via perplexity and entropy.
Detection of DNS traffic peaks
Soundwave analysis applied to DNS traffic
BGP anomalies detection.
20 Solutions using blacklists are not admitted.
21 The threat intelligence must be automatically updated in less than 15 minutes
after the discovery of a new threat without any manual update operations.
22 The solution should support transparent intelligent proxy configurable inside
each security policy and able to analyze both HTTP and HTTPS traffic.
23 Supported transparent proxy capability must be enforced without any explicit
mechanism such as a proxy PAC file or an adapter inside the network device.
24 The solution should support ability to enforce Web filtering policies, based on
62 categories. It must be possible to enforce the Web filtering policy
independently from the security policy.
25 The supported web filtering and security policies should allow the
creation of global exceptions for several domains, via custom whitelists or
blacklists.
26 For each domain detected as malicious, the solution must allow to visualize the
IOCs and the features of this domain inside a dedicated investigation
dashboard.
27 The investigation dashboard must also allow the manual submission of
domains, IPs, email addresses, ASNs and hashes.
28 For each malicious domain, the investigation dashboard must show, if
available, the hash of the associated malware samples directly from the report,
without connecting to external services.
29 The solution must have ability to calculate risk score of apps which is compiled
from 3 elements i.e. Business, Usage, and Vendor Compliance.
30 The solution must have ability to showcase App Details; it should allow
checking information including its risk score, type, category, users that have used
it and detection date
31 The solution must have ability to show Workflow management via labeling of
un-reviewed and recently discovered apps to facilitate healthy cloud adoption.
32 The solution must have ability to block over 200 apps and automatically enable
app settings and policy configuration.
33 The solution must have ability to show DNS Requests by App Risk and assign
a risk score to apps, based on a number of factors. The DNS requests made by
a high-risk app should be considered more problematic than the same number
of requests made by an app with a lower risk score.
34 The solution shall provide the capability for the administrator to classify public
SaaS applications as Corporate Sanctioned official ones or personal instances
and block them if need be
35 The solution must have Chromebook client support to provide DNS-layer
protection for Chromebook users whether they are connected to your networks
or remotely, no matter which Chromebook device they use
36 The solution must have ability to Protect against phishing threats automatically
leveraging global network data and predictive intelligence to discover internet
infrastructure used to host phishing sites.
37 The solution must have ability to Enforce policies to block inappropriate
content
38 Management & Integration Requirements
39 The management interface must be web-based. It must allow to create
different user profiles with different level of permissions. As an example the
roles must include:
Administrator
Reporting User
Read-Only Users
40 The policy editor must allow the creation of security policies based on identities
such as networks, users, and computers.
41 The policy editor must have a test function to verify the identities matching a
security policy prior to its deployment in production.
42 It must be possible to customize the blocking page for each policy entry. The
customization must include the ability to define a custom message, insert a
custom logo, or an administrator email address.
43 The policy editor must allow to define a different blocking page for each
identity and category of events (for instance a blocking page for security-
related events, a blocking page for web filtering blocks, etc.)
44 The policy editor must allow to forward the blocked connection to an internal
URL.
45 The policy editor must allow to create users, on a local database, with the ability
to bypass the blocking page.
46 The policy editor must allow to create special codes that allow to bypass the
block pages for the users who have them.
47 The events related to all the DNS queries analyzed must appear in real time,
with the ability to configure filters based on identity, destination, source IP,
response type and date.
48 The events related to the DNS queries associated to security events must appear
in real time, with the ability to configure filters based on identity, destination,
source IP and date.
49 All the filters must be applicable defining a custom time (filter by date).
50 The dashboard must allow to reclassify a domain related to a security event,
directly from the event record, via a link allowing to open a ticket towards the
security OEM research team.
51 The management platform must have advanced reporting capabilities to
identify cloud services or Shadow IT devices, in order to determine which
services are used inside the organization by traditional or embedded devices
and eventually detect anomalies in their usage.
52 The management platform must allow the following reports to be generated:
Total requests
Activity volume
Top Domains
Top Categories
Top Identities.
53 All the reports must be exported in csv format or scheduled to be sent via
email.
54 All the activities made by administrators must be logged inside an Admin Audit
Log Report.
55 The solution must include a set of enforcement RESTful APIs able to import
domains from external sources and enforce them globally for the organization
via DNS.
56 The connector must use the EDNS0 protocol (RFC6891).
57 The solution must be able to extend the protection off the network through the
installation of a lightweight roaming agent on the Windows and OSX devices.
58 The roaming agent must be able to apply an additional level of enforcement
based on the analysis of the connections trying to connect directly to an IP
without generating any DNS queries (IP Layer Enforcement).
59 It must be possible to selectively enable the IP Layer Enforcement inside each
security policy.
60 The network used to deliver the DNS security service must use Anycast.
61 The network used to deliver the DNS security service must have experienced
an uptime of at least 99.9% over the last 10 years.
62 The management interface must support 2 Factor Authentication mechanisms
for the administrators, such as, for instance text messages or Google
Authenticator.
63 As an additional authentication mechanism for the administrators, the
management interface must support SAML integration with an SSO
provider.

69.12 Sizing
Solution: Sizing

SIEM:
- High availability at DC
- Collectors at DC, DR & HO in HA
- EPS - 10000 scalable to 20000
- 3 months online storage
- 9 months offline storage
- UEBA - This should be integrated with SIEM. 14000 users, additional prices for 10,000 slabs each
- SOAR - This tool may be a part of SIEM or a separate tool, integrated with SIEM. 30 Analysts.
- Packet Forensics - Standalone at DC, DR & HO. This tool may be a part of SIEM or a separate tool but should be integrated with SIEM to provide single view of alerts
- 1 Gbps throughput at DC & DR
- 500 Mbps at HO
- Storage 15 day raw logs, 30 days Meta
- This tool may be a part of SIEM or a separate tool, integrated with SIEM.
- Deception - Standalone in DC & DR. 10 Vlans. This tool may be a part of SIEM or a separate tool but should be integrated with SIEM to provide single view of alerts

DAM:
- Standalone in DC, Existing license 25 instance
- Augmenting existing license with addition 25 new license

Data Classification:
- Standalone in DC
- Discovery module for 100 TB, 14000 users

IRM: Standalone in DC for 14000 users

Vulnerability Management Solution: Total Devices – 1000 IP Addresses

MDM:
- Standalone in DC,
- 6500 Mobile devices

MTP:
- Standalone in DC
- 6500 Mobile devices

User Training: 12000 users for 1 year.

Central Storage solution: 100 TB usable storage with RAID

Penetration Testing: Two /24 IP Pools at DMZ

69.13 Intentionally Left Blank


69.14 Minimum Manpower Requirements For Security Operations Center (SOC) Team

Sl. No.   Minimum Manpower Requirements   Compliance (Yes/No)   Remarks
A Monitoring team
1 Level 1 resources: with minimum 3 plus years’ experience in enterprise
information security environment. Having good understanding of
fundamentals of TCP/IP, DNS, Networking (Routing/Switching),
Operating Systems (Windows/Linux), Enterprise Anti-Virus. CCNA
certification is mandatory.
2 Two consoles 24x7
- Night Shift to be carried out from Data Centre
- Bidder to Quote for Two (2) Seats at the Data Centre and 1 seat
at DR in the Commercial Bid.
- Minimum 6 +1 Resources to be provided
- Additionally require Minimum 1 resource at DR
3 Trained on SIEM solution
B Security Management Team
1 Minimum Level 3 resources: with minimum 6 plus years’ experience in
enterprise core Information Security environment.
Experience on Information Security technologies viz. 2FA, AV, IPS, Mail
Gateways, Proxy, DLP, Stateful and Stateless Firewalls, NAC, Packet
Analyzer, SIEM with product certifications. Deep knowledge and hands-
on experience on Core Routers and Core and Server Farm Switches, Load
Balancers at DC/DR is mandatory.
2 Minimum 6 People in the Major Shift only
- Out of which One will do Switch Management
- And One will be doing SIEM Management
3 Amongst these, One resource will be L4/L5 who will act as Technical
Team Lead
C Tools Management Team
1 Minimum Level 2 resources
2 Minimum 6 People in Major shift only
3 Experience: 4 years in Tools/services proposed in this RFP
D Compliance Management Resource – Minimum Level 3 Resource
E All the manpower should be on direct payroll of the Bidder and the
salary should be commensurate with best industry standards applicable
for experienced Information Security professionals.
F The Bidder shall be responsible for compliance of all laws, rules,
regulations and ordinances applicable in respect of its manpower
(including but not limited to Minimum Wages Act, Provident Fund laws,
Workmen Compensation Act etc.). The Bidder shall establish and maintain
all proper records including but not limited to accounting records required
by any law, code, practice or corporate policy applicable to their line of
activity from time to time, including records and returns as applicable
under labor legislations. The Bidder shall indemnify NIC against any
claims made by any statutory authorities regarding the non-compliance of
any of the related laws from time to time.
G The Bidder shall obtain license from the Competent Authority (Central)
for hiring on engagement of person or persons for the specific purpose for
which the RFP is floated and shall pay minimum wages and other
allowances and benefits such as insurance, gratuity, provident fund,
pension, bonus etc. to the persons so hired as per the legislations in force
such as but not limited to Contract Labor (Regulation and Abolition) Act,
Minimum Wages Act, Payment of Wages Act and other legislations for
the time being in force. Minimum Salary for Monitoring Team, Tools
Management Team, Security Management Team personnel, Technical
Team Lead and Compliance Management Resource per month: Rupees
Thirty Thousand, Rupees Forty Five Thousand, Rupees Seventy
Thousand, Rupees Seventy Five Thousand and Rupees Fifty Thousand
respectively. YoY Increment at minimum 5 %. Salary Sheets have to be
submitted to justify payment of minimum salary, prior to quarterly release
of arrears for manpower. Bidder is free to pay salary over and above
minimum.
H Major shift will mean timings from 09:00 Hrs to 20:00 Hrs.
Days will include all Working days of NIC from Monday to Friday and
also on Saturday. The Teams as specified in the table above will follow
NIC’s Holiday List.
I The Bidder should not replace resources without prior permission of
NIC. Also, the bidder should give at least one month prior notice to
NIC in case of resource replacement. It is the duty of the bidder that
the replacement provided should be equally or more qualified and
Experienced than the existing resource. Also, the existing resource
should provide the complete handover to the new resource.

69.15 Service Level Agreement - Also Refer Section - 27, 28

Service Level: The SLA specifies the expected levels of service to be provided by the Bidder to NIC.
This expected level is also called the baseline. Any degradation in the performance of the solution and
services is subject to levying of penalties.

Payments to the Bidder are linked to the compliance with the SLA metrics. During the contract period, it
is envisaged that there could be changes to the SLAs, in terms of addition, alteration or deletion of
certain parameters, based on mutual consent of both the parties i.e. NIC and Bidder.

The Bidder shall monitor and maintain the stated service levels to provide quality service. Bidder
to use automated tools (limited to the SLA Management of this RFP) to provide the SLA Reports. The
proposed solutions to be integrated with tool. Bidder to provide access to NIC or its designated
personnel to the tools used for SLA monitoring.
Definitions:
1. “Availability” means the time for which the services and facilities are available for
conducting operations on the NIC system including application and associated infrastructure.
Availability is defined as (%) = ((Operation Hours – Downtime) / (Operation Hours)) * 100%
2. The business hours are 24*7 on any calendar day the NIC is
operational.
3. All the infrastructure of Data Center, Disaster Recovery site, HO will be supported on
24x7 basis.
4. The “Operation Hours” for a given time frame are calculated after deducting the
planned downtime from “Operation Hours”. The Operation Hours will be taken on 24x7
basis, for the purpose of meeting the Service Level requirements i.e. availability and
performance measurements both.
5. “Downtime” is the actual duration for which the system was not able to service NIC
or the Clients of NIC, due to System or Infrastructure failure as defined by NIC and
agreed by the Bidder.
6. “Scheduled Maintenance Time” shall mean the time that the System is not in service due
to a scheduled activity as defined in this SLA. The scheduled maintenance time would not
be during business hours. Further, scheduled maintenance time is planned downtime with
the prior permission of NIC.
7. “Incident” refers to any event / abnormalities in the functioning of any of IT Equipment /
Services that may lead to disruption in normal operations of the Data Centre, System or
Application services.
8. Total Maintenance Cost refers to Sum of FM Manpower Cost and AMC, ATS & others
Cost for the entire contract duration.

Interpretation & General Instructions:


1. Typical Resolution time will be applicable if systems/components are not available to the
NIC’s users.
2. The SLA parameters shall be monitored on a monthly basis for the entire contract
duration (including the warranty period) as per the individual SLA parameter
requirements. The Bidder is expected to provide the following service levels. In case
the service levels defined in the tables below cannot be achieved, it shall result in a
breach of contract and invoke the penalty clause.
3. A Service Level violation will occur if the Bidder fails to meet Minimum Service
Levels on a monthly basis for a particular Service Level.
4. Quarterly SLAs would be analyzed. However, there would be month wise SLAs and
all SLA targets have to be met on a monthly basis.
5. Overall Availability and Performance Measurements will be on a quarterly basis for the
purpose of Service Level reporting. Month wise “Availability and Performance Report”
will be provided by the Bidder for every quarter in the NIC suggested format
and a review shall be conducted based on this report. Availability and Performance
Report provided to NIC shall contain the summary of all incidents reported and
associated performance measurement for that period.

Service Level Criteria:


The SLA’s will be applicable post go-live of Solution at DC, DR, HO and other NIC Offices. During
the term of the contract, the bidder will maintain the equipment/components/ hardware/software in
perfect working order and condition and for this purpose bidder will provide the repairs and
maintenance services as required.

Level Classification:

Level Function/Technologies

Critical
i. Such class of errors will include problems, which prevent all users from
making Operational use of solution pan-NIC.
ii. Security Incidents affecting multiple locations
iii. No work-around or manual process available
iv. Financial impact on NIC

High Priority
i. Any incident which is not classified as “Critical” but which requires a
change to solve the problem and that change has not been implemented
in time and has pan-NIC impact
ii. Any problem due to which the infrastructure of the proposed solution is
not available to multiple NIC users or does not perform according to the
defined performance and query processing parameters required as per
the RFP or;
iii. Multiple Users/User Groups across various locations face severe
functional restrictions with the RFP solutions irrespective of the cause.

Medium Priority
i. Moderate functional restrictions related to problems in the implemented
solutions irrespective of the cause.

Low Priority
i. A service request raised for any new installation, creation, addition,
deletion, removal.
ii. Any incident which is not classified as “Critical/High/Medium Priority”
but hampers the productivity of user; a problem or Incident that causes
work delay of user.

S. No. Service Area Expected Service Level Penalty

1 [Service Area] Incident Response

[Expected Service Level]
24x7 monitoring of all in-scope devices.
Categorization of events into Critical, High, Medium and Low priority shall be carried out
in consultation with the NIC during the contracting phase.
Example for calculation of percentage of incidents: 10 Incidents are logged of which 8 are
responded within the specified time and 2 have been delayed. This means 8/10*100 = 80% have
been responded within the specified timelines and correspondingly the penalty will be applied
based on the event/incident categorization.

[Penalty]
All Critical, High and Medium priority incidents should be logged as incident tickets and
responded as per below SLAs:
Incident along with action plan/mitigation steps should be provided to designated NIC
personnel as per the below SLA:
- Critical incidents within 15 minutes of the incident identification. Update should be
provided every 15 minutes till the closure of the incident.
- High priority incidents within 30 minutes of the incident's identification. Update should be
provided every 1 hour till the closure of the incident.
- Medium priority incidents within 60 minutes of the incident's identification. Update should
be provided every 4 hours till the closure of the incident.

Quarterly Maintenance Cost = (Total Maintenance Cost (Including AMC & ATS Cost) for the
entire contract period) / (Contract Period * 4)

Penalty:
SLA is measured on a Quarterly basis and the penalty is as follows:
Critical Events:
- 95-99%: 10% of the Quarterly Maintenance (Including ATS & AMC) Cost
- 90-95%: 15% of the Quarterly Maintenance (Including ATS & AMC) Cost
- <90%: 20% of the Quarterly Maintenance (Including ATS & AMC) Cost
High Priority Events:
- 95-99%: 5% of the Quarterly Maintenance (Including ATS & AMC) Cost
- 90-95%: 10% of the Quarterly Maintenance (Including ATS & AMC) Cost
- <90%: 15% of the Quarterly Maintenance (Including ATS & AMC) Cost
Medium Priority Events:
- 95-99%: 0.5% of the Quarterly Maintenance (Including ATS & AMC) Cost
- 90-95%: 1% of the Quarterly Maintenance (Including ATS & AMC) Cost
- <90%: 2% of the Quarterly Maintenance (Including ATS & AMC) Cost
Low Priority/Operational Incidents need to be logged and maintained for reference.

2 [Service Area] Incident Resolution

[Expected Service Level]
Response and resolution of the identified incidents.
Managing the devices and fine-tuning them so as to avoid and prevent further attacks.

[Penalty]
The timelines required for resolution of Critical, High and Medium priority mentioned below:
- Disaster or Critical incidents within 60 minutes of the incident identification. Update
should be provided every 15 minutes till the closure of the incident.
- High priority incidents within 120 minutes of the event identification. Update should be
provided every 1 hour till the closure of the incident.
- Medium priority incidents within 240 minutes of the event identification. Update should be
provided every 4 hours till the closure of the incident.

Quarterly Maintenance Cost = (Total Maintenance Cost (Including AMC & ATS Cost) for the
entire contract period) / (Contract Period * 4)

Penalty:
Any violation in meeting the SLA requirements which leads to Critical incident, NIC shall
impose a penalty of 10% of the Quarterly Maintenance Cost for each 30 minutes delay up to
2 hours, beyond 2 hours penalty would be 10% of the overall Quarterly Maintenance Cost for
each 20 minutes delay.
Any violation in meeting the SLA requirements which leads to High or Medium incident, NIC
shall impose a penalty of 5% of the Quarterly Maintenance Cost for each 45 minutes delay up
to 3 hours, beyond 3 hours penalty would be 10% of the overall Quarterly Maintenance Cost
for each 30 minutes delay.
3 [Service Area] Report and Dashboard

[Expected Service Level]
Periodic reports to be provided to NIC

[Penalty]
Daily Reports: Critical reports should be submitted as and when required. Timings will be
mutually decided.
Penalty: Delay in reporting for daily report for more than 6 hours shall incur a penalty of
INR 2,500 for each default

Weekly Reports: Every Monday of the subsequent week
Penalty: Delay in reporting by more than 3 days for weekly reports shall incur a penalty
of INR 5,000 for each default

Monthly Reports: 5th of each month.
Penalty: Delay in reporting by more than 7 days for monthly reports shall incur a penalty
of INR 10,000 for each default

4 [Service Area] Vulnerability Assessment and Penetration Testing (External & Internal)

[Expected Service Level]
The Bidder is expected to provide Vulnerability Assessment Reports with remediation steps.
An incident needs to be logged for all vulnerabilities identified and the incident response
SLA shall apply for these.

[Penalty]
To be conducted for identified devices and/or applications and/or Solutions in coordination
with the NIC to ensure that business Operations are not impacted.
Ad-hoc scan to be conducted as and when required by the NIC

Quarterly Maintenance Cost = (Total Maintenance Cost (Including AMC & ATS Cost) for the
entire contract period) / (Contract Period * 4)

Penalty:
Delay in performing VAPT scan and providing final report by more than 7 days from the
specified timelines shall incur a penalty of 10% of Quarterly Maintenance Cost
5 [Service Area] Continual Improvement

[Expected Service Level]
The Bidder is expected to improve the operations on an on-going basis.
The Bidder is expected to provide a quarterly report of the new improvements suggested,
action plans, and the status of these Improvements to the NIC.
Improvement areas could include: process changes/training resulting in efficiency/SLA
improvement, new correlation rules to identify threat patterns etc.

[Penalty]
Quarterly reports need to be provided by the 5th day of each quarter beginning

Quarterly Maintenance Cost = (Total Maintenance Cost (Including AMC & ATS Cost) for the
entire contract period) / (Contract Period * 4)

Penalty:
Delay in providing quarterly reports shall lead to 2% of Quarterly Maintenance Cost
6 [Service Area] Periodic Review

[Expected Service Level]
The Service Delivery Manager from the Bidder is expected to conduct a monthly review meeting
with NIC officials resulting in a report covering details about current SLAs, status of
operations, key threats and new threats identified, issues and challenges etc.

[Penalty]
Monthly meeting for the entire contract period to be conducted on the 5th (tentatively) of
each month during the operations phase.

Quarterly Maintenance Cost = (Total Maintenance Cost (Including AMC & ATS Cost) for the
entire contract period) / (Contract Period * 4)

Penalty:
A delay of more than three days will incur a penalty of 1% of Quarterly Maintenance Cost.
7 [Service Area] Security Device Management and Administration

[Expected Service Level]
Bidder is expected to provide this service 24/7 basis. Management and administration of all
in-scope security devices and/or solutions

[Penalty]
Penalty:
For more than 1 hour delay (after NIC confirmation) for rule modification in any of the
security devices / solutions will incur a penalty of INR 10,000 for each default.
For wrong rule modification in any of the security solutions will incur a penalty of
INR 10,000 for each default.
For a wrong rule modification in any of the security solutions by which NIC incur any
service disturbance will incur a penalty of INR 20,000 for each default.

Resources Deployment SLA

Service Details   SLA Measurement   SLA   Penalty   Measurement Tools   Remarks

Service Details: Resource availability
SLA Measurement: No of shift below minimum attendance level
SLA: Attendance for support personnel. (covers all the locations) Minimum attendance level
during any shift is 100% of agreed deployment.
Penalty: Penalty shall be INR 5,000 for every 2% default or part thereof below the agreed
threshold
Measurement Tools: Manual

Penalty:
- NIC expects the Bidder to complete the scope of the project as mentioned in Section
- 69 scope of work of this document within the timeframe specified. Inability of the
Bidder either to provide the requirements as per the scope or to meet the timelines
as specified would be treated as breach of contract and would invoke the penalty
/LD clause.
- Inability of the Bidder to provide services at the service levels defined would result
in breach of contract and would invoke the penalty clause.
- Notwithstanding anything contained above, no such penalty will be chargeable on
the Bidder for the inability occasioned, if such inability is due to reasons entirely
attributable to the NIC.
- Bidder needs to deploy the same resources or resources with equivalent/higher skill
sets as per the terms and conditions of the RFP. For Each Default, NIC may levy
the penalty of Rs. 1,00,000 quarterly till the Bidder deploys the required resources.
- The Bidder is required to provide and implement the regular
updates/upgrades/patches released by the OEM within the timelines as mentioned;
NIC will levy the penalty of Rs. 20,000 per week or part thereof for not adhering to the
schedules.
- If during the contract period, any equipment has a hardware failure on three or
more occasions in a quarter, it shall be replaced by equivalent or higher new
equipment by the bidder at no additional cost to NIC.
- The right to levy the penalty is in addition to and without prejudice to other rights
/ remedies available to the NIC such as termination of contract, invoking
performance guarantee and recovery of amount paid etc.
- The NIC reserves the right to recover the penalty from any payment to be
made under this contract.
- The penalty would be deducted from the quarterly payouts and the cap on any
penalty due during the Warranty period will be adjusted against the payments
made for bills/invoices provided by the bidder. Quarterly penalty will be 20% of
the quarterly payout. For the purpose of this RFP, the total of penalties as per
SLA and the Liquidated damages will be subject to a maximum of 5% of the
overall contract value.
- Also refer Section - 27, 28

Exception
NIC shall not hold the Successful Bidder responsible for a failure to meet any
Service Level if it is directly attributable to:
- Execution of the disaster recovery plan/business continuity plan for an
NIC declared disaster situation;
- Any established inability of other third party vendor or service
provider of NIC, to fulfill the requirements as per the contract.
- Any established inability or delay from NIC to fulfill the requirements
as per the contract.
69.16 Intentionally Left Blank
69.17 Intentionally Left Blank

70 Annexure 1 (Vol-II) – Technical Bid Letter


Technical Bid Letter

To,
Chief Manager - IT,
IT Department
National Insurance Company Ltd.
3 Middleton Street, 4th floor,
Kolkata - 700 071
Phone No: 2283-0795 Fax No: 2283-1740
Email: rs.raman@nic.co.in

Ref.: RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ……………….

Sir,
We hereby declare

1. We/our principals are equipped with adequate manpower / machinery / technology for
providing the Products and Services as per the parameters laid down in the Master
Document and ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019, (Scope of
Work, as in Volume-II) and we are prepared for live/technical demonstration of our
capability and preparedness before the representatives of NIC. We/our principals are
also equipped with adequate maintenance and service facilities within India for
supporting the offered document.
2. We hereby offer to provide the Products and Services at the prices and rates mentioned
in the Commercial Bid at Section -73.1.
3. We do hereby undertake that, in the event of acceptance of our bid, the Products and
Services shall be provided as stipulated in the schedule to the RFP 01_Volume-II and
that we shall perform all the incidental services.
4. We enclose herewith the complete Technical Bid as required by you. This includes:
a. Technical Bid Letter Section - 70
b. Technical Bid Particulars Section- 70.1
c. Technical Compliance, in respect of components of the solution, Sections -
69.1 to 69.17
d. Unpriced Bill of Materials (BoM).
e. Statement of Deviation from RFP Terms and Conditions Section-72, if any
f. Details of the proposed solution, proposed methodology and timeline (in a
separate sheet)
g. A CD containing the soft copy of the Technical Bid in pdf and xls format

We agree to abide by our offer for a period of one year from the date fixed for opening
of the Commercial Bid and that we shall remain bound by a communication of
acceptance within that time.

We have carefully read and understood the terms and conditions of the Master
Document and ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 and the
conditions of the Contract applicable to the bid and we do hereby undertake to provide
services as per these terms and conditions. The deviations from the technical
specification(s) are only those mentioned in the deviations in Section-72.

We do hereby undertake, that, until a formal contract is prepared and executed, this bid,
together with your written acceptance thereof or placement of letter of intent awarding
the contract, shall constitute a binding contract between us.

Dated this, the ________ day of ________20__


Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:

70.1 Annexure 2 (Vol-II) – Technical Bid Particulars

Technical Bid Particulars

1. RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ……………….

2. Name of the Bidder: …………………………………………………

3. Full Address of the Bidder: …………………………………………………

4. Name of the actual signatory of the product(s)/service(s) offered:


…………………………………………………

5. Bidder’s proposal number and date:


…………………………………………………

6. Name and Address of the officer to whom all references shall be made regarding
the bid: …………………………………………………

Telephone: …………………………

Fax: …………………………

E-mail: …………………………
7. Name and Address of the Single Point of Contact for all communications
(including issue resolution and support):
………………………………………………

Telephone: …………………………

Fax: …………………………

E-mail: …………………………

Bidder:
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of: ……………………
(Name and Address of Company)
Company Seal:

71 Annexure 3 (Vol-II) – Bidder Profile

RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ………………..

Sl. No.   Required Particulars   Response along with page number of supporting document

1 Name of the Bidder
2 Bidder’s registered office address
Telephone number
Fax number
E-mail
3 Bidder’s Correspondence / contact address
4 Toll Free Number of the Bidder for Service Support, operating 365x24x7
5 Details of Bidder’s contact person (Name, designation, address etc.)
Telephone number
Fax number
e-mail
6 Is the Bidder a registered company under The Companies Act, 1956?
If yes,
o Submit photocopy of certificate of registration.
o Provide year and place of the establishment of the company.
(Should be an established Information Technology company and in operation for at
least 5 years in India)
7 Is the Bidder registered for service tax with Central Excise Department (Service Tax Cell)?
If yes, submit photocopy of valid service tax registration certificate.
8 Is the Bidder registered with sales tax department? If yes, submit photocopy of valid
sales tax registration certificate.
9 Submit receipt of latest Income Tax Return filed with Income Tax Department.
Submit photocopy of PAN card.
10 Is the Bidder registered with GSTN? Kindly provide relevant Photocopy of documents.
11 Is the Bidder blacklisted/debarred/denied by any Government department/Public Sector
undertaking as on date of bid submission?
If yes, give details.
12 Has the Bidder filed for Bankruptcy in any country? (Declaration in this regard to be
signed, stamped by Company Secretary/CFO/COO/CEO of the bidder)
13 Does the Bidder have valid ISO 9000 / 9001, ISO 20000 and ISO 27001 certification?
If yes, submit photocopies of certificates.
14 Does the Bidder have at least 20 certified security professionals on their payroll with
minimum two CISA/CISM/CISSP certifications
15 Has the bidder implemented minimum three out of four solutions (SIEM, packet forensics,
Vulnerability Management, APT) out of the new solutions in at least 1 (one) of PSU /
BFSI. Completion Certificates to be provided from Customer. For the rest either
Bidder/OEM references should be given
16 The Bidder should have at least 2 (Two) Information Security Orders of their National
Customers, each having an order value of at least Rs. 20 Crore
within the last 5 years – Or,
4 (Two) Information Security Orders of their National Customers, each having an order
value of at least Rs. 10 Crore within the last 5 years
Completion Certificates to be provided from Customer
17 The Bidder should have implemented and maintained captive SOC for any one
PSU/BFSI/Government customers (with at least 1000 locations) in India within last 5
years. SOC solution should have at least 3 out of the following components like SIEM, WAF,
DAM, PIM, NBA, Anti-APT solutions/Anti-Phishing, DLP, MDM. Completion Certificates
to be provided from Customer
18 Does the Bidder have an annual turnover of more than Rs. 750 Crores in each of the last 3
(Three) Financial Years 2015-16, 2016-17 and 2017-18?
Submit audited balance sheet highlighting the annual turnover from the financial years, along
with (Section- 71.1)
19 Does the Bidder have net profit after tax in the last 3 (Three) Financial Years - 2015-16,
2016-17 and 2017-18, as per audited accounts
Submit audited balance sheet highlighting the net profit from the financial years along-with
(Section-71.1)
20 Does the Bidder have support office in at least 4 (Four) Metro Locations [Kolkata, Mumbai,
New Delhi, Chennai] and in Bangalore, Hyderabad, Pune? Substantiate with documents.
21 Bidder to provide Power of Attorney, in favour of the authorized signatory of the Bid
22 Bidder to provide signed and stamped Integrity Pact

Signature: …………………………

Name of the authorized signatory …………………………

Designation …………………………

Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:

Note: The Pre-Qualification Bid, Section - 71, to be submitted along with Financial
Information, Section -71.1, and Citations, Section - 71.2.

Proof of transfer of Bid Security (Earnest Money) for an amount equal to Rs. 50,00,000.00
(Rupees Fifty Lakhs Only) should be enclosed in the appropriate envelope.

71.1 Annexure 4 (Vol-II) – Financial Information

Bidder’s Financial Information

RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ………………..

Name of the Bidder   Turn Over (Rs. Crore): 15-16, 16-17, 17-18   Net Profit (after tax) (Rs. Crore): 15-16, 16-17, 17-18

Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:
71.2 Annexure 5 (Vol-II) – Citations

RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ………………..

Sl. No.   Item   Guidelines   Details   Page number of supporting document

1 Number of Clients
2 Number of years/client
3 Client Details - Guidelines: Name, Address, Contact person’s Name and Phone No. for each client
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:

Note:
1. The Citations should be given in the above format. A separate copy of this format should
be used for each citation and Bidder to provide citations in respect of all such
implementations.
2. Submit photocopies of client engagement letters or certificates on the client letterhead,
duly signed and stamped by the client’s authorized signatory.

71.3 Annexure 6 (Vol-II) – Intentionally Left Blank


72 Annexure 7 (Vol-II) – Statement of Deviation from RFP Terms and Conditions

Statement of Deviation from RFP Terms and Conditions

To,
Chief Manager - IT,
IT Department
National Insurance Company Ltd.
3 Middleton Street, 4th floor,
Kolkata - 700 071
Phone No: 2283-0795 Fax No: 2283-1740
Email: rs.raman@nic.co.in

RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ………………..

Dear Sir,

Following are the deviations and variations from the Terms and Conditions of the
Master Document and ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.
These deviations and variations are exhaustive. Except these deviations and
variations, the entire implementation can be performed as per your specifications in
the ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019.

Sl. No. | Section No. | Deviation in the RFP Response | Brief Reason
1 | | |
2 | | |
3 | | |

Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:
73 Annexure 8 (Vol-II) – Commercial Bid Letter

Commercial Bid Letter


To,
Chief Manager - IT,
IT Department
National Insurance Company Ltd.
3 Middleton Street, 4th floor,
Kolkata - 700 071
Phone No: 2283-0795 Fax No: 2283-1740
Email: rs.raman@nic.co.in

RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ………………..

Sir,

We hereby declare
1. We hereby offer to provide the Products and Services at the prices and rates mentioned
in the Commercial Bid at Section-73.1.
2. We do hereby undertake that, in the event of acceptance of our bid, the Products and
Services shall be provided as stipulated in the Master Document and NIC/IT/RFP/Enterprise
Info-Sec Solution/RFP/07/2019 and that we shall perform all the incidental services.
3. We enclose herewith the complete Commercial Bid as required by you. This includes:
a. Commercial Bid Letter Section-73
b. Commercial Bid Particulars Section- 73.2
c. Commercial Bid Section-73.1.
d. A CD containing the soft copy of the Commercial Bid in pdf and xls format
We agree to abide by our offer for a period of one year from the date of opening of the
Commercial Bid and that we shall remain bound by a communication of acceptance within that
time.

We have carefully read and understood the terms and conditions of the Master Document and
ENTERPRISE INFO-SEC SOLUTION/RFP/07/2019 and the conditions of the Contract
applicable to the bid and we do hereby undertake to provide services as per these terms and
conditions.

We do hereby undertake, that, until a formal contract is prepared and executed, this bid,
together with your written acceptance thereof or placement of letter of intent awarding the
contract, shall constitute a binding contract between us.

Dated this, the ________ day of ________20__


Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of: …………………………
(Name and Address of Company)
Company Seal:

73.1 Annexure 10 (Vol-II) – Commercial Bid

Commercial Bid

RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ……………….

Commercial Bid for Volume-II:

Commercial Bid
A. Product Cost (Inclusive of 5 Years On-Site Comprehensive Warranty)

Sl. No. | Compulsory Items | Make and Model | Qty. | Unit Price | Amount | Tax (%) | ***ERV Clause (% of Product, which is imported)
1 | Security Incident and Event Management Tool (SIEM) in cluster with UEBA, SOAR & packet forensics in DC. (UEBA, SOAR, Correlation Engine, Analytics collector/receiver in DC). The DC, DR, HO to only have collector/receivers to collect remote logs and packet forensics.) – Price to be quoted separately for each module | | 1 | | | |
2 | Vulnerability Management Solution at DC 1000 IPs; no limitation of number of times IPs can be scanned | | 1000 | | | |
3 | Deception at DC & DR | | 1 | | | |
4 | Mobile Threat Protection | | 6500 | | | |
5 | Data classification tool – in DC | | 14000 | | | |
6 | Central Storage at DC | | 100 TB | | | |
7 | 24 port 10G Switch C1-WSC3850-24XS-S - with Cisco Prime Infra License for Existing Prime NMS | | 10 | | | |
8 | Sub-Total (A) | | | | | |

B. Renewal

1 | McAfee Database Activity Monitoring Tool – in DC | | 25 Renewal + 25 Upgrade | | | |
2 | McAfee Data Leak Prevention Tool – Host DLP licenses will be 15,000; Network DLP in DC, DR, HO Internet Gateways | | | | | |
2.1 | Buyback of existing DLP equipment’s as-is-where-is basis | | | | | |
3 | Cisco - Network Admission Control | | 25000 Endpoint, 17000 users | | | |
3.1 | Buyback of existing NAC equipment’s as-is-where-is basis | | Quantity, SNS 3495 - 8, SNS3415 - 2 | | | |
4 | Forcepoint Web Security licenses renewal (6500) along-with refresh of hardware in at DC, DR and HO | | 6500 licenses, 1+1+1 Hardware | | | |
4.1 | Buyback of existing Web Security equipment’s as-is-where-is basis | | Quantity, Device Details. As per the details in scope | | | |
5 | AirWatch - Mobile Device Management licenses renewal (6500) along-with hardware refresh | | 6500 | | | |
6 | McAfee Endpoint Encryption | | 2000 | | | |
7 | Fortigate Firewall at HO, with IPS Blades and SSL inspection – NGFW throughput of 2 Gbps | | 1+1 in HA | | | |
7.1 | Buyback of existing Firewall equipment’s as-is-where-is basis in case of end of support needs to replaced | | | | | |
8 | Fort-Analyzer at DR | | 1 (Required for Cluster configuration) | | | |
9 | TrendMicro Enterprise Security Suite - IMSVA License and Scanmail for Domino License | | 4500 licenses for 2 years | | | |
10 | SQL DB 2016 Standard edition | | 2 + 1 (each with 22 Core) | | | |
11 | Citrix 10G/1G Dual Mode SR | | 16+16 | | | |
12 | Sub-Total (B) | | | | | |

C. Services

1 | Implementation Cost | | | | | |
2 | Two Seats at DC, Kolkata (24 x 7 one seat and 8x5 another seat) Operation for 5 years | | 2 | | | |
3 | One Seat at DR, Bangalore for 8x5 Operation for 5 years | | 1 | | | |
4 | IS Management - Monitoring Team | | Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14 | | | |
5 | IS Management - Security Management Team | | Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14 | | | |
6 | IS Management - Tools Management Team | | Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14 | | | |
7 | Compliance Management Resource | | 1 Resource at HO. Bidder to mention quantity but should not be less than the minimum mentioned, Section - 69.14 | | | |
8 | Yearly PT through CERT-IN Auditor | | Quote Price for contract period | | | |
9 | Sub-Total (C) | | | | | |
10 | Grand Total Price (without Tax) (Total of Sl. Nos. A+B+C) | | | | | |

D. Optional Equipment Cost (Inclusive of 5 Years On-Site Comprehensive Warranty)

Sl. No. | Item Description (optional) | Make and Model | Qty. | Unit Price | Amount | Tax (%) | ***ERV Clause (% of Product, which is imported)
1 | Information Rights Management | | 14000 | | | |
2 | SIEM License for additional EPS in slabs of 10,000. In case additional hardware required to scale to 20,000 EPS mention the cost as separate line item | | 10000 | | | |
3 | Anti-Phishing solution Take down per year | | 50 | | | |
4 | Microsoft Service | | 450 hours | | | |
5 | Data Recovery and Data Erasure Solution | | 1000 instances each. For every additional erasure/recovery, unit price will be used. | | | |
6 | AirWatch – Mobile Device Management (additional slabs of licenses, for use when required) | | 1000 | | | |
7 | DNS Security | | 4000 | | | |
8 | UEBA – additional slabs | | 10,000 | | | |
9 | Cisco 40G SFP : QSFP-40G-SR-BD 8 | | 8 | | | |
10 | Fortinet Transceiver | | 12+12 | | | |
11 | Cisco GLC - T (20+20) | | 20+20 | | | |
12 | User Training per year | | 12,000 | | | |
13 | SMI-52 MRO-TEK with v.35/E1 Interface and G.703 | | 50 pair | | | |
14 | Sub-Total (D) | | | | | |

Note:

1. The Commercial Bid should be given in the above format. All the Tables should be
filled-in by the bidder.
2. All the prices of this document should flow correctly from the respective sheets.
3. The total cost (Grand Total Price (without Tax)) should flow from the respective
Amount’s (Total of A+B+C).
4. Bidder should strictly follow the format given in Table.
5. The above-mentioned quotations should be valid for minimum 1 (one) year from the
date of opening of Commercial Bid.
6. Above prices should include all transport, insurance, installation, etc. as applicable at
implementation sites.
7. NIC reserves the right to change the quantity of items quoted above at the time of
placing order. In such case the value of the order will be the cost of items finally opted
by NIC.
8. The Bidder is responsible for all the arithmetic computation & price flows. NIC is not
responsible for any errors.
9. Optional Price (Sub-Total – D) will not be part of L1 Calculation. However, L1 Bidder
has to match the lowest quoted price in Optional Item.
10. A separate table should be provided mentioning unit price (INR) and applicable tax
(mentioning individual HSN/SAC Code) in separate columns of all the
components/services that make up each of the components. The lowest price would be
decided on the basis of “Grand Total Price (without Tax) - TCO for Project Period”
11. The price quoted by the bidder shall be inclusive of all taxes, levies, duties and cess like
GST, CGST, and IGST etc., which will be paid as per the rate prescribed by
Government time to time.

Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:

73.2 Annexure 9 (Vol-II) – Commercial Bid Particulars

Commercial Bid Particulars

RFP Number - NIC/IT/RFP/Enterprise Info-Sec Solution/RFP/07/2019


Date: ………………..

1. Name of the Bidder: …………………………………………………

2. Full Address of the Bidder: …………………………………………………

3. Name of the actual signatory of the product(s) offered:


…………………………………………………

4. Bidder’s proposal number and date:


…………………………………………………

5. Name and Address of the officer to whom all references shall be made regarding
the bid: …………………………………………………

Telephone: …………………………

Fax: …………………………

E-mail: …………………………
6. Name and Address of the Single Point of Contact for all communications
(including issue resolution and support):
………………………………………………

Telephone: …………………………

Fax: …………………………

E-mail: …………………………

Bidder:
Signature: …………………………
Name of the authorized signatory …………………………
Designation …………………………
Duly authorized to sign the RFP Response for and on behalf of:
………………………… (Name and Address of Company)
Company Seal:

74 Annexure – 11 (Vol-II) Format for Queries from Bidders – Bidders have to provide
their queries on scope of work, terms & conditions etc. in the below format in excel file only
(xls/xlsx). Bidders should provide a reference of the page number, state the clarification point
and the queries/suggestion/modification that they propose as shown below

Sl. No. | Point/Section No # | Term as stated in the Master Document or the Volume-II | Bidder’s Query/Suggestion/Modification

75 Annexure -12 (Vol-II) – E-tendering Procedure

A. E Tendering Pre-Requisite:
• P.C. connected with internet.
   - Computer System with good configuration (Min PIV, 1 GB RAM, Windows 7 or above)
   - Microsoft Internet Explorer 6.0 or above
   - Digital Certificate(s)
• Registration with Service provider portal www.tenderwizard.com/NICL
• The vendor should possess a Class III Digital Signature certificate (Mandatory).
• (Bids will not be recorded without Digital Signature Certificate.)
• In case of any clarification please contact ITI Ltd., before the schedule time of the
e-Procurement.

Contact Helpdesk:-
HELPDESK NO. 9073677150/151,152, E-mail: helplinetenderwizard@gmail.com
for more detail please click on ‘Contact Us’ link

a) For registration, Submission procedure and method of correspondence etc. Please visit
our website: www.tenderwizard.com/NICL and click on the link “User Manual
(Download)” on home page

b) To view the RFP/Tender Documents please visit our website:
www.tenderwizard.com/NICL and click on “Live Tenders” link

c) Registration/Enrollment of Bidder on e-procurement Portal of NICL:

In order to submit the Bid, the bidders have to get themselves registered
online on the e-Procurement portal of NICL with valid Digital Signature Certificate (DSC)
issued from any agency authorized by CCA and which can be traced up to the chain of
trust to the Root Certificate of CCA. The registration should be in the name of bidder,
whereas DSC holder may be either bidder himself or his duly authorized person.
The bidders will have to accept unconditionally the online user portal agreement which
contains the acceptance of all the Terms and Conditions of NIT including
Commercial and General Terms & Conditions and other conditions, if any, along
with on-line undertaking in support of the authenticity of the declarations regarding the
facts, figures, information and documents furnished by the Bidder on-line in order to
become an eligible bidder. No conditional bid shall be allowed/accepted.
The bidder will have to give an undertaking online that if the
information/declaration/scanned documents furnished in support of the same in respect
of eligibility criteria is found to be wrong or misleading at any stage, they will be
liable to punitive action.

d) Help for participating in e-tender:

The detailed method for participating in the e-procurement is available in the website
www.tenderwizard.com/NICL . The bidders have to Log on to NICL’s tendering web site
and then click on the specified links to start participating in the e-tendering process.

Bidders are also free to communicate with the contact person of the service provider to get
all clarifications regarding the mode of the e-procurement process.

N.B. :
( I ) As such, bidders are requested to see the website once again before due date of
tender opening to ensure that they have not missed any corrigendum uploaded against
the said tender after downloading the tender document. The responsibility of
downloading the related corrigendum, if any, will be that of the bidders.

(II) No separate intimation in respect of corrigendum to this Notice Inviting Tender (NIT)
(if any) will be sent to bidders. Bidders are requested to follow NIC website and e-
tendering website.
e) The offer should be submitted (uploaded) as per the terms and conditions and
procedures laid down in the website of M/s ITI Ltd www.tenderwizard.com/NICL tender
document failing which the offer is liable for rejection.

Bidders should download the complete NIT including the Annexure and read carefully
before filling the details and uploading the documents.

f) The bidder must upload all the documents required as per the terms of NIT. Any other
document uploaded which is not required as per the terms of the NIT shall not be
considered.

B. Digital Certificate authentications

The bidder shall authenticate the bid with his Digital Certificate for submitting the bid
electronically on e-Procurement platform and the bids not authenticated by digital
certificate of the bidder will not be accepted on the e-Procurement platform. All the
bidders who do not have Digital Certificate need to obtain Digital Certificate. Bidders
may contact Help Desk of ITI.

C. Submission of Hard copies:

After submission of the bid online, the bidders are requested to submit the demand
drafts / Bank Guarantee towards tender fees and EMD in a separately sealed envelope
mentioning the RFP No. along with other documents in a separate envelope as
required, latest by the due date. All the bidders are requested to submit the hard copy
of complete bid documents (Pre-qualification, Technical & Commercial Bids) in
proper sealed condition as mentioned in the RFP. The Technical Bid & Commercial
Bid should be similar in both the cases. The Company calling for tenders shall not be
responsible for any claims / problems arising out of this.

D. Bid Submission Acknowledgement:

a. The user should complete all the processes and steps required for bid submission.
The successful bid submission can be ascertained once acknowledgement is given by
the system through bid submission number after completing all the processes and
steps. NIC and ITI will not be responsible for incomplete bid submission by users.
Users may also note that the incomplete bids will not be saved by the system and not
available for the Tender Inviting Authority for processing.
b. Before uploading scanned documents, the bidders shall sign on all the statements,
documents, certificates uploaded by him, owning responsibility for correctness
/authenticity.

Neither NIC Ltd. nor the service provider (ITI) is responsible for any failure of submission
of bids due to failure of internet or other connectivity problems or reasons thereof. The
company reserves the right to accept or reject any or all offers. Bids of any Tenderer may
be rejected if a conflict of interest between the Tenderer and the company is detected at
any stage. Incomplete offers are liable to be summarily rejected.

E. Special instructions to Bidders for e-Tendering


Digital Certificates
For integrity of data and authenticity/ non-repudiation of electronic records, and to be
compliant with IT Act 2000, it is necessary for each user to have a Digital Certificate (DC),
also referred to as Digital Signature Certificate (DSC), of Class III, issued by a Certifying
Authority (CA) licensed by Controller of Certifying Authorities (CCA) [refer
http://www.cca.gov.in].

Registration

1- Bidders are required to register themselves in Tender Wizard portal
(www.tenderwizard.com/NICL) of ITI under the category of buyer Specific (NIC
specific) Registration.

2- Only one registration shall be retained after completion of this tender for future
bidding in NIC’s e- Tenders. The other registration(s) will be de-activated.

3- Annual registration fee of Rs. 3,000/- plus Taxes shall be payable by the bidder to
Tenderwizard.

4- Vendor has to pay the E-tender processing fee of Rs. 3000/- plus taxes for
participating (Download the Bid, Submission of bid) in each tender.

In case any help is required on registration, contact below:

HELPDESK NO. 9073677150/151,152, E-mail: helplinetenderwizard@gmail.com
for more detail please click on ‘Contact Us’ link

Some Bidding related Information for this Tender (Sealed Bid)


The entire bid-submission would be online on ETS (unless specified for Offline
Submissions).
Broad outline of submissions are as follows:
-Parts/ Envelopes
-Part
-Part
-Part

information pertaining Bid Security/ Earnest Money Deposit (EMD).

Offline Submissions:
The bidder is requested to submit the following documents offline to the under mentioned
address before the start of Public Online Tender Opening Event in a Sealed Envelope
without fail:

Dy. General Manager - IT,
IT Department
National Insurance Company Ltd.
3 Middleton Street, 4th floor,
Kolkata - 700 071
Phone No: 2283-0795 Fax No: 2283-1740
Email: rs.raman@nic.co.in
CC: abhijit.bhattacharya@nic.co.in

The envelope shall bear RFP Number, Due Date and Wordings “DO NOT OPEN
BEFORE “….-…-20_” and contain the following documents:

1. Original copy of the Bid Security in the form of a Bank Guarantee.


2. Original copy of the letter of authorization shall be indicated by written power-of-
attorney.
3. Proof of NEFT/RTGS of Rs. 25,000/- in favour of National Insurance Company Limited
payable at Kolkata against payment of RFP fee.
4. Passphrase for relevant bid part (i.e. Pre-qualification, Technical & Commercial bid
parts)

Note: The Bidder should also upload the scanned copies of all the above mentioned
original documents as Bid-Annexures during Online Bid-Submission.

F. Other Instructions

For further instructions, the vendor should visit the home-page of the portal.
HELPDESK NO. 9073677150/151,152, E-mail: helplinetenderwizard@gmail.com
for more detail please click on ‘Contact Us’ link

The help information provided through ‘ETS User-Guidance Center’ is available in
three categories – Users intending to Register / First-Time Users, Logged-in users of
Buyer organizations, and Logged-in users of Supplier organizations. Various links
(including links for User Manuals) are provided under each of the three categories.

Important Note: It is strongly recommended that all authorized users of Supplier
organizations should thoroughly peruse the information provided under the relevant links,
and take appropriate action. This will prevent hiccups, and minimize teething problems
during the use of ETS.
