
Indian Computer Emergency Response Team (CERT-In)

Step-1: Documentation Round:

Fresh applicant organizations are requested to submit the following documents and annexures,
duly signed and stamped by an authorised person:

1. Application Form for Empanelment of Information Security Auditing Organisations by CERT-In (As per format attached)

2. Annexure I: Background verification certificate from the organization (as per the Template)

3. Annexure II: Consent Form (as per the Template)

4. Annexure III: Undertaking by the organization on code of conduct (as per the Template)

5. Annexure A: Detailed information regarding last 5 information security audits carried out by
organization during the last 3 years (as per the template)

6. Copy of two detailed information security audit reports carried out in last 3 years.
(Organisation may sanitize financial information only from the Information Security Audit
Reports)

7. Self-signed /self-attested copy of CV and passport of technical personnel.

8. Self-attested supporting documentary evidences regarding the certifications /
qualifications in information security of technical personnel.

9. Statutory Declaration (As per format attached)

The organizations are required to submit the information form to CERT-In in an envelope, duly
superscribed “Application for empanelment of Information Security Auditing
Organisations”, to the address given below:

Empanelment Group,
Indian Computer Emergency Response Team (CERT-In),
Ministry of Electronics and Information Technology,
Electronics Niketan, 6 C.G.O Complex,
Lodhi Road, New Delhi -110003

Note: Any discrepancies/ False Information/ Manipulated data in application submission may lead
to disqualification and blacklisting of the organization from current and future participation in the
empanelment process.

Empanelment of Information Security Auditing Organisation: Documentation round Version 4.1, June, 2021

No. 3(15)/2004-CERT-In
Government of India
Ministry of Electronics & Information Technology
Indian Computer Emergency Response Team (CERT-In)
Electronics Niketan, CGO Complex, Lodhi Road, New Delhi 110003

Application Form for Empanelment of Information Security Auditing Organisations by CERT-In
Note:
• Strikeout whichever is not applicable.
• Kindly attach a separate sheet, if the space provided is insufficient.
• If the rows provided in the given tables are insufficient, the same may be increased as per
requirement.

1. Organisation's Name …………………………………….……................................................…


......................................................................................................................

2. Address
…………………………………………………………………………………………..………
………………….………………………………………………………………………..………
………………………………………………......
……..……………………..……………………... PIN

3. Telephone (with STD Code) 0

4. FAX (with STD Code) 0

5. Website URL : …………………………………………………………………

6. Contact Person’s Name: ..............................................................................................................

7. Designation: .................................................................................................................................

8. Cellular/Mobile Phone

9. E-mail Id: ......................................................................................................................................

10. Other Indian Localities, from where the organisation’s IT security related activities are being
carried out: ...................................................................................................................................
.......................................................................................................................................................
......................................................................................................................................................

11. Whether organization is subsidiary of multinational company/has Headquarters
or offices at overseas locations? If yes, please provide the details.
...................................................................................................................................................
...................................................................................................................................................

12. Whether organization has foreign tie-ups for services/ product offered by it?
If yes, please provide the details.
.....................................................................................................................................................................
.....................................................................................................................................................................

13. A Demand Draft / Pay Order No. …………… dated ……………. issued
by ……….....………….….. Bank ……………...…………. Branch, for Rs. 5000/-, in
favour of “PAO, MeitY, New Delhi”, payable at New Delhi is enclosed herewith as a fee
towards analysis, assessment and processing of the application and supporting
documents, submitted for empanelment by CERT-In as an Information Security Auditing
Organisation

14. Information security audit related activities, are being carried out continuously by our
organisation from (month, year):......................................................................................................

15. Information Security Audit Methodologies:

16. Details of audit conducted in last 12 months

S.No | Category (Govt./PSU/Private) | Brief Description of Scope of Work | Details of Contact Person at Auditee Organization (Name, email, website URL, Mobile, telephone, fax, etc) | Additional Info.

17. (a) No. of technical personnel involved in Information Security Auditing related activities:
……………………..

(b) Information regarding the technical personnel:

S. No. | Technical Personnel’s Name | Place of Posting | Working with the organisation since (month & year) | Information Security related qualifications (CISSP/ISMS LA / CISM/ CISA/ ISA etc., state as applicable) | Total experience in information security related activities (years) | Credentials verified by organization (Yes/No) | Self-signed copy of Passport (if any) (Yes/No) | Specify in Yes/No whether the person will be deployed for government and critical sector audits/projects
1.
2.
3.
4.
5.
6.


All the professionals deployed by the organisation must possess at least one of the
Information security related relevant qualifications or relevant information security
auditing experience. Out of these, preferably two personnel must possess either CISSP or
ISMS (Ex. BS7799/ISO17799/ISO27001) Lead Assessor certification or any other
information security qualifications. Please attach brief curriculum vitae / bio-data (1 page,
max.) of each of the personnel mentioned against clause 17 (b), along with the self-attested
supporting documentary evidences regarding their certifications and self-attested copy of
Indian passport. Please note that we are looking only for the information security related
certifications / qualifications, as given above.

18. Whether outsourcing the information security auditing work to the External Security Auditing
Experts or other Information security auditing organisations on contract basis for carrying out
the same on your organisation’s behalf ? : Not applicable / Yes

19. (a) Acceptance of the condition for background checks of all the technical personnel:
Agree / Disagree

(b) Background verification certificate from the organisation for the technical personnel
mentioned against clause 17(b) above (Annexure-I). Attached/ Not Attached

20. Consent form (Annexure-II): Attached/ Not Attached

21. (a) Detailed information regarding last 5 information security audits carried out by our
organisation during the last 3 years is attached (as per format given) at Annexure A:
Attached / Not Attached

(b) One copy each of the two information security audit reports for any of the two
Information Security Audits carried out, out of the 5 Information Security Audits
enlisted in clause 21 (a) above, along with the applicable relevant information /
documents are also attached. (Organisation may sanitize financial information only from
the Information Security Audit Reports. CERT-In, MeitY will provide undertaking for
non-disclosure of the acquired information from the information security audit reports, if
required (as per the Template-NDA Form)): Attached / Not Attached

Annexure-I

Background Verification Certificate

We, M/s ……………......… <Organization’s name, location and address > ………………………..,
certify that following technical employees are working with this organization and necessary
background checks have been made. We assure that, only following employees will be deployed
for government and critical sector related audit/projects. We also agree that any change in the
manpower, to be deployed for Government and Critical Sector, will be informed to CERT-In with
all the required details.

S. No. | Name of Employee | Employee code and Passport No. (If any) | Date of Joining the organization
1
2
3
4
5
6

Date: Signed for and on behalf of

M/s ……………………………………


Annexure-II

Empanelment of Information Security Auditing Organisations


Consent Form

We, M/s ……………......… < Organization’s name, location and address > ………………………..,
having submitted information as required by CERT-In, do hereby declare that:
1. We comply with all the applicable requirements and have submitted the latest and
accurate information for empanelment.
2. We possess necessary tools, skills and capabilities to carry out the following tasks (strike
out those not applicable):
• Information Security Testing
• Process Security Testing
• Internet Technology Security Testing
• Communications Security Testing
• Application security testing
• Wireless Security Testing
• Physical Access Controls & Security Testing
• Network Security Testing
• Software Vulnerability Assessment
• Penetration Testing
• ICS/SCADA Assessment
• Compliance Assessments
• Assessment against Cyber Security Audit Baseline Requirements
3. We agree to provide the Information Security Auditing Services in accordance with the
terms and conditions of empanelment, as issued by CERT-In.
4. We agree to share generic information related to Information Security Audits with
CERT-In, as and when required.
5. We hereby agree that we will inform CERT-In about any changes in manpower status
immediately.
6. We agree to abide by all the applicable terms and conditions of empanelment stipulated by
the CERT-In and auditee organizations for assigned projects. We also agree to provide an
undertaking with regard to the code of conduct.

Date: Signed for and on behalf of

M/s ……………………………………


Annexure-III

Empanelment of Information Security Auditing Organizations


Undertaking for Code of Conduct

I/We, on behalf of …………………….<Name of the auditing organization> herewith agree,
confirm and undertake that any information acquired by M/s <Name of the prospective information
security auditing organization> during the information security audit process from the
auditee organisation i.e. the entity that is being audited, shall be kept confidential. M/s <name of
the prospective information security auditing organization> and/or its employees, shall not
disclose any information from the information security audit reports in any form, full or any part, to
any third party and/or person, without the written consent of the auditee organisation or an express
order of court of law/ competent authority.

I/ We agree to enter into Non-Disclosure Agreement (NDA) with the auditee organization from
Government & critical sector organization before beginning of audit assignment for which we will
be engaged. We also confirm that NDA will have following features:-
• Will be legally enforceable.
• Will detail the obligations and responsibilities of the parties and what constitutes a breach
of the contract including maintenance of confidentiality of information received during
course of security audit.
• Will bring out the penalties that could be attracted in the event of breach of contractual
terms, such as termination of the contract, debarment from future engagement for a
stipulated period as well as compensation or liquidated damages for loss to the auditee
organization.
• Provision for sharing information with Government agencies mandated under the law
including CERT-In etc. if and when called upon to do so with prior written information to
the auditee organization.

We further undertake and agree that only manpower declared to CERT-In will be deployed for
government and critical sector organizations projects.

Signed for and on behalf of

M/s <name of the prospective information security auditing organization>

(signature)
(Prop./ Partner/ Director)
Seal of Organization


Annexure ‘A’
Details of an Information Security Audit carried out during the last 3 Years
(Please use five copies of this format for providing details of each of the five information
security audits)

Audit No. ………..


Information Security Audit was carried out during: From dd/mm/yyyy To dd/mm/yyyy

Customer / Auditee organisation’s Name & Address: ………………………..………………………


.....................…………………………………
…………….....................……………………
.....................…………………………………

URL of Auditee Organisation: ...........................................

Customer / Auditee organisation’s Contact Person’s Details – Name :…………………………………


e-mail :………..………………………
Telephone :……..………………………

Business domain of the customer / auditee organisation :……………………………………....…………

Scope of project (Full description):

Details of Projects (as applicable):

URL audited : ............................... Technologies : ...................................


Domain :.......................... Nos. of Computer Systems :..........................
Nos. of Servers :.................. Nos. of Routers :..........................
Nos. of Switches :................. Nos. of Firewalls :..........................
Nos. of IDS/IPS :........................

Major findings of Project / Vulnerabilities Identified (as applicable):

Whether Vulnerability Assessment was carried out for all the systems/servers and applications? :
Yes/ No

Whether Penetration Test was carried out? : Yes / No

Any specific information, you may like to mention:

(Signature)
Authorised Signatory’s Name:
Dated : Auditing organisation’s name with Seal


STATUTORY DECLARATION

We agree to provide the Information Security Auditing services in accordance with the commercial
contract, to be entered into with the auditee organisations and abide by all the terms and conditions
of the empanelment as well as service delivery. Further, it is also certified that we meet all the
stipulated terms and conditions, as stated in the “Guidelines for empanelment of Information
Security Auditing Organisations” document. The information stated herein as well as in the
annexed documents is true to the best of our knowledge & belief and nothing has been concealed
or falsely stated. We understand that in case any information is found to be wrong or falsely
stated at any time, our empanelment status will be withdrawn with immediate effect without any
further consideration in this regard.

Place: Signature of Authorised Signatory


Dated:
With Organisation’s Seal

List of Enclosure (s): 1.


2.
3.
4.


Date :

UNDERTAKING by CERT-In for NON-DISCLOSURE of INFORMATION

Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics &
Information Technology, Government of India, having its office at “Electronics Niketan, 6, CGO
Complex, Lodhi Road, New Delhi - 110003”, hereinafter called “CERT-In”, is empanelling
Information Security Auditing Organisations for providing Information Security Auditing services
to various organisations of the Government, critical infrastructure organisations, and other
sectors of the Indian economy.

In this connection, CERT-In has asked the respondent, M/s...................................................,
having its registered office at “................................ ”, to submit copy of information security audit
reports of two recently carried out information security audits by them to CERT-In for
consideration of their application for empanelment as an information security auditing
organisation. Since the information security audit reports may contain sensitive and confidential
information, M/s.............................................................. has requested for Non-disclosure of
information from CERT-In in the interest of auditing as well as auditee organisation.

As required by M/s.............................................................., CERT-In herewith agree,
confirm and undertake that any information, acquired by CERT-In, through the above mentioned
information security audit reports, including the information that CERT-In may receive during the
evaluation process from M/s.............................................................. shall be kept confidential and
shall be used for the sole and limited purpose of evaluation of their suitability for empanelment as
an Information Security Auditing Organisation. CERT-In, and/or its employees, shall not disclose
any information from the said copy of submitted information security audit reports in any form,
full or any part, to any third party and/or person.

CERT-In will destroy the Information Security Audit Reports submitted by
M/s....................................................................or return the same, if so asked, after completion of
the evaluation process.

For and on behalf of ‘CERT-In’
