
REQUEST FOR PROPOSAL

FOR

IT / CYBER SECURITY AUDIT OF

PFRDA IT INFRASTRUCTURE

Page 1 of 29
Table of Contents
SECTION-1: INTRODUCTION ............................................................................................ 5
SECTION-II- INSTRUCTIONS TO BIDDERS ................................................................... 6
SECTION-III: BROAD SCOPE OF AUDIT ........................................................................ 9
SECTION-IV: PRE-QUALIFICATION CRITERIA ........................................................ 14
SECTION-V: CHECKLIST OF DOCUMENTS TO BE SUBMITTED ALONG WITH
THIS BID: ............................................................................................................................... 15
SECTION-VI: OTHER TERMS AND CONDITIONS ...................................................... 16
ANNEXURE-1: BIDDER’S PROFILE ................................................................................ 17
ANNEXURE-2: BIDDER’S AUTHORIZATION CERTIFICATE .................................. 18
ANNEXURE-3: SELF – DECLARATION – NON-BLACKLISTING............................. 19
ANNEXURE-4: PAST EXPERIENCE DETAILS ............................................................. 21
ANNEXURE-5: LETTER OF UNDERTAKING-ACCEPTANCE OF TERMS AND
CONDITIONS ........................................................................................................................ 22
ANNEXURE-6: MODEL NON-DISCLOSURE AGREEMENT ...................................... 24
DISCLAIMER

a. The information contained in this RFP or information provided subsequently
to Bidder(s) in documentary form/email by or on behalf of PFRDA, shall be
deemed to be part of this RFP.

b. The purpose of this RFP is to provide the interested and eligible Bidder(s)
with information to assist them in the preparation of their Bid proposals. This
RFP does not claim to contain all the information each Bidder may require. Each
Bidder should conduct its own investigations and analysis and should check
the accuracy, reliability and completeness of the information contained in
this RFP and, where necessary, obtain independent advice/clarifications.
PFRDA may in its absolute discretion, but without being under any obligation
to do so, update, amend or supplement the information in this RFP to get the
best proposal.

c. PFRDA makes no representation or warranty and shall have no liability to any
person, including any Bidder, under any law, statute, rules or regulations or
tort, principles of restitution or unjust enrichment or otherwise for any loss,
damages, cost or expense which may arise from or be incurred or suffered on
account of anything contained in this RFP or otherwise, including the
accuracy, adequacy, correctness, completeness or reliability of the RFP and
any assessment, assumption, statement or information contained therein or
deemed to form or arising in any way from participation in this bidding process
by bidders.

d. PFRDA also accepts no liability of any nature, whether resulting from
negligence or otherwise, howsoever caused, arising from reliance of any
Bidder upon the statements contained in this RFP.

e. The Bidder is presumed to have examined all instructions, forms, terms and
specifications in this RFP along with the eligibility conditions as on the date
of submission of its bid. Failure to furnish all information required under this
RFP or to submit a Bid not substantially responsive to this RFP in all respects
will be at the Bidder's risk and may result in rejection of the Bid.

f. This RFP is not an offer by PFRDA but an invitation to receive proposals/ bids
from interested and eligible bidders for engagement of CERT-In empaneled
IT Audit firm for conducting cybersecurity audit of IT Infrastructure of PFRDA.

g. No contractual obligation whatsoever shall arise from the RFP process unless
and until a formal contract is executed between PFRDA and the successful
bidder. PFRDA reserves the right to cancel the selection process at any stage,
prior to the engagement of the IT Audit firm, without any liability owed to any
party.

h. This RFP is being issued with no financial commitment and PFRDA reserves
the right to withdraw the RFP and change or vary any part thereof or
foreclose the same at any stage.

i. This RFP document shall not be transferred, reproduced or otherwise used
for any purpose other than that for which it is specifically issued.

SECTION-1: INTRODUCTION

1. Pension Fund Regulatory and Development Authority (PFRDA) (hereinafter
referred to as the "Authority") has been established under the Pension Fund
Regulatory & Development Authority Act 2013, notified on 1st February,
2014. The Authority inter alia regulates the National Pension System (NPS),
subscribed to by employees of the Government of India, State Governments and by
certain other employees of private institutions/organizations and the
unorganized sector. The Authority strives to ensure the orderly growth and
development of the pension sector. The National Pension System (NPS), regulated
by the Authority, is a defined contribution system which is now being offered
on a voluntary basis to all citizens of India and is mandatory for all new
recruits (except armed forces) of the Central Government with effect from 1st
January, 2004. The majority of the State governments and Union territories have
also opted for NPS for their new recruits.
2. The Authority with its Head Office located at B-14/A, Chhatrapati Shivaji
Bhawan, Qutab Institutional Area, Katwaria Sarai, New Delhi-110016, invites
bids on GeM portal from CERT-In empaneled IT Auditor firms for conducting
Cyber security Audit of IT Infrastructure of Pension Fund Regulatory and
Development Authority. Prospective bidders are advised to check the
prequalification criteria before applying for bids.

3. The crucial dates relating to the "Tender for conducting Cyber security
Audit of IT Infrastructure of Pension Fund Regulatory and Development
Authority" are as under:

Tender Number                                  PFRDA/ICS/2023-24/RFP/01
Date of Issue                                  26-Dec-2023
Last Date for seeking Clarifications, if any   03-Jan-2024 18:00 hours
Pre-Bid Clarification Date and Time            04-Jan-2024 15:00 hours
Last Date and time for submission of
Tender Document                                17-Jan-2024 15:00 hours
Date and time for opening of Technical Bids    17-Jan-2024 15:30 hours
Date and time for opening of Financial Bids    Eligible bidders shall be notified
                                               through the GeM portal post evaluation
Name of the contact person for any             Ms. Sanchita Jaiswal, Assistant Manager
clarification                                  Email: dept-cybersecurity@pfrda.org.in

SECTION-II- INSTRUCTIONS TO BIDDERS

1. Bidder(s) shall submit their bid (comprising "Technical" and "Financial"
bids) online on the GeM Portal. Bidders shall visit the GeM portal
(http://gem.gov.in/), select the appropriate GeM bid number, upload the duly
filled and signed technical bid documents and defined forms as scanned PDF
files, and click the final submission link to submit their encrypted bid.

2. Aspiring Bidders/Suppliers who have not enrolled/registered on the GeM portal
should enroll/register before participating, through the website
www.gem.gov.in.

3. Online submission of bids: Online bids will have to be submitted within the
time specified on the website https://gem.gov.in/ in the following manner:

 Technical Bid: Scanned Copies to be uploaded (.pdf):
The technical information should be prepared very carefully and as
indicated in the tender document, since it will form the basis for
pre-qualification of bidder(s). Only relevant and to-the-point information/
documents should be uploaded. Failure to provide any required
information may lead to the rejection of the offer. Bidder(s) must read
the tender document very carefully before signing it. Bids in which the
financial quotation is submitted along with the technical documents will be
summarily rejected without further consideration.

 Financial Bid: (.xls): Bidder(s) must read the terms and condition as
mentioned in this tender document and submit the form accordingly.
Bidder(s) are required to check the prices / amount carefully before
uploading financial bid.

4. Submission of more than one bid is not allowed and shall result in
disqualification of the bidder.

5. Validity of bids: Bid submitted by the Bidder(s) shall remain valid for
acceptance for a minimum period of Ninety (90) days from the last date of
submission of bid (Technical and Financial), including extensions, if any.

6. PFRDA reserves the right to reject any or all the bids without assigning any
reasons thereof.

7. Hard copies of the bid documents will not be accepted, and any such offer, if
received by PFRDA, will be rejected outright.

8. Corrigendum/Addendum to the Tender Notice, if any, shall be issued/made
available online on the GeM Portal/CPPP and the PFRDA website only.
Prospective bidders are requested to view the website/GeM portal regularly.

9. The Bidders must fully comply with all the terms and conditions given in the
Tender document. It is clarified that in case any of the stipulated terms and
conditions are not fulfilled by a Bidder, or incomplete or incorrect
information is submitted by the Bidder, the bid may be treated as ineligible,
the Bidder may be technically disqualified and the Price Bid shall not be opened.

10. Further it is also intimated that GeM Portal is used only as a platform for
procurement/tendering. All the terms and conditions contained in this Tender
shall be applicable during the whole tender process.

11. Evaluation of Bid:

The bidders will be evaluated in two parts by an evaluation cum selection
committee. The first part would be evaluation towards fulfillment of the
eligibility criteria. The second part would be a commercial/financial evaluation.
The details of the evaluation criteria are explained below:

a. Technical Evaluation Against Qualification Criteria:

The first stage of evaluation would involve examination of the bid
documents of each of the bidders by the evaluation cum selection committee
against the qualification criteria set out under the RFP.

The Authority may ask bidder(s) to provide additional information to the
evaluation cum selection committee, and may arrange discussions with their
professional and technical staff to verify claims made in the bid
documentation. The bidders are expected to respond/provide the
information/clarifications within the stipulated time. Failure to
provide the information may lead to disqualification of the bidder.

The results of the technical evaluation will be uploaded on the GeM
Portal. In case there are technically disqualified bidders, the reasons
for disqualification will be uploaded, and the price bids of the technically
qualified bidders shall be opened. Intimation of Price bid opening will be
provided through GeM only.

Please note that the technical proposal must NOT contain any pricing
information.

b. Financial Evaluation
The financial bids will be opened for only those bidders who are
declared technically qualified by the evaluation cum selection
committee. The financial evaluation will take into account the
information supplied by the Bidders in the financial proposal, and the
same shall be evaluated in accordance with the evaluation criteria
specified in this RFP.

The financial evaluation would be based on the L1 criterion, i.e. the bidder
with the lowest financial quote shall be eligible for award of the contract
for IT audit.

At no point of time will any deviation from the quoted rate be
entertained by the Authority. Where the fee quoted in the financial
bid is zero, such bids shall be treated as non-responsive and rejected.

Please note that the financial bid should not be conditional and no
technical information should be provided along with the financial
proposal.

SECTION-III: BROAD SCOPE OF AUDIT

1. The main objective of this project is to engage CERT-In empaneled Auditors
to audit the security implementation across PFRDA IT Infrastructure, including
its web-based applications. The agency will also assist PFRDA in the
identification of vulnerabilities during the assessment and provide
recommendations to address the vulnerabilities encountered. The broad scope
of work includes the following:

a. Conduct a Cybersecurity Audit of PFRDA IT Infrastructure in
conformance with the Information and Cyber Security Policy of PFRDA and the
latest version of "Cyber Security Audit Baseline Requirements" by the
National Security Council Secretariat followed by CERT-In, and
ascertain ISO 27001 and ISMS readiness.

b. The scope of Audit shall broadly cover the following areas:

 Current IT infrastructure of PFRDA
 Information security policies
 Human resource security
 Asset management
 Access control
 Physical and environmental security
 Operations security
 Communications/Network security
 Vendor/Service provider relationships
 Information security incident management
 Information security aspects of business continuity management

c. Conduct Vulnerability Assessment / Penetration Test for PFRDA's
IT setup, Website and network, wherever necessary. Based on the
findings, suggest corrective actions/redressals/mitigation of risks/Non-
Conformities (NCs), with the objective of enhancing the security posture
of the information systems.

d. Review PFRDA's existing IT and cybersecurity policies and procedures
and recommend suitable measures for adopting best practices in line
with ISO 27001 and ISMS readiness.

e. Recommend a suitable Cyber Crisis Management Plan (CCMP) for PFRDA IT
facilities, for consideration of the Authority, which will contain the strategy
to be followed in case of a cyber-attack or threat.

2. Security Audit: PFRDA would like to have the audit performed in a phased
manner, wherein Phase-1 (Security Audit) needs to be commenced within
10 business days of issue of the Work Order. This needs to be carried out at
PFRDA Headquarters situated at New Delhi.

3. The selected agency shall audit the IT Infrastructure Cyber Security at
PFRDA, in compliance with the Information and Cyber Security Policy of
PFRDA, the latest version of "Cyber Security Audit Baseline Requirements"
by the National Security Council Secretariat followed by CERT-In, and ISO 27001.
A report of Cyber Security gaps along with recommendations needs to
be provided by the Bidder; based on this gap analysis, remedial
action would be taken at PFRDA's end. The compliance report shall be
submitted to PFRDA by the Selected Agency within 30 days of
commencement of the Audit.

4. After the first Phase of the Cyber Security Audit and reporting thereof by
the selected agency, PFRDA would take a reasonable time to rectify, as far as
possible, the gaps pointed out. After the gap-bridging exercise by PFRDA has
been completed, the Bidder would be informed accordingly by the concerned
PFRDA representative, and thereafter the Bidder should commence the Second
Phase of the Cyber Security Audit exercise. The time taken by PFRDA for
bridging the Cyber Security gaps will not affect the Bidder in any way, as the
Bidder will not be held responsible for any delay in the same.

5. Post Audit Compliance Verification: Phase-2 of the Cyber Security
Audit needs to be completed within 20 business days after PFRDA gives the
go-ahead for the Second Phase, i.e., the Phase-2 Cybersecurity Audit exercise.
The purpose of the Second Phase Audit exercise would be to review and ensure
that remediation action has been taken against all the observation
points/gaps. The Second Phase audit exercise should also result in a
Detailed Report and Analysis, to be submitted on the current Cyber Security
status of PFRDA.

6. The bidder shall review and recommend IT and Cyber Security policies
(internal) for PFRDA. The policies shall include the themes mentioned in the
deliverables and any additional theme identified in the Audit report and
not included in the scope. The selected agency shall recommend a suitable
Cyber Crisis Management Plan (CCMP) for PFRDA IT facilities, for
consideration of the Authority, which will contain the strategy to be followed
in case of a cyber-attack or threat in PFRDA.

7. Certify the Web applications / websites tested as "Safe for Hosting".

8. The selected bidder should provide the below-mentioned details at the
start of the Cyber Security Audit exercise:

a. Methodology in which the Cyber Security Audit activity is to be done;
this will include the time frame of each activity so as to organize the
cyber audit activity for better control and monitoring.
b. Standards of Security and Quality that are to be followed during the
Cyber Security Audit activity.
c. Tools and Software that may be used for the cyber security audit
activity. All tools and software used by the bidder need to be
licensed.

9. Reports required by PFRDA, during and at the end of the Cyber Security
Audit exercise:
a. Audit Plan and proposed and actual progress in the Cyber Audit exercise
on a weekly basis.
b. Summary of Cyber Audit findings, including identification tests and the
results of the tests need to be shared with concerned PFRDA officials on
a weekly basis and as and when required by PFRDA.
c. Analysis of vulnerabilities and issues of concern of Cyber Security needs
to be reported on a weekly basis.

10. Deliverables:
a. Compliance Assessment Report (after Phase-1), along with
recommendations for corrective actions/redressals/mitigation of
risks/Non-Conformities (NCs).
b. Vulnerability Assessment Report
c. Detailed Audit Report (after Phase-2)
d. IT and Cyber Security Policies, as required, and Draft Cyber Crisis
Management Plan
e. Audit Certificate

11. Any additional and mandatory standards of Cyber Audit regulation, as
required for CERT-In Audit, should be made available and applied by
the Auditor.

12. Presentation on the Cyber Security Audit Report, its findings, conclusions,
and recommendations for Gap Analysis and Plugging, as per CERT-In
guidelines, need to be made to the management of PFRDA as required.
Recommendations should also be given for Quality Standard ISO 27001, as
this is also a prime objective of the Cyber Security Audit Output.

13. Details of the Authorized Contact person for the Cyber Security Audit
Exercise need to be provided by the Bidder, designated for PFRDA, to be
the single point of contact for the Bidder.

14. SCOPE OF IT INFRASTRUCTURE TO BE AUDITED:

Organization locations              Pension Fund Regulatory and Development
                                    Authority, B-14/A, Chhatrapati Shivaji Bhawan,
                                    Qutab Institutional Area, Katwaria Sarai,
                                    New Delhi-110016
Inter Connectivity between          Two point-to-point leased lines of Powergrid
PFRDA and NIC locations             and MTNL connecting NIC and PFRDA, of
                                    capacity 68 Mbps, and Internet Leased Lines
                                    from Power Grid of 50 Mbps.
No. of end user stations            Approx. 200 Nos.
under Scope
DR site                             NIC's Cloud Server is used.
No. of Servers                      None
Operating Systems                   Windows/Mac OS
No. of Routers                      7
No. of L2 Switches/Access           4
Switches
Information Security policy         Reviewing the existing IT security policy and
                                    recommending updated policies, processes and
                                    procedures to be put in place is part of the
                                    scope of the audit exercise.
Software Application                Tally ERP
Web enabled applications            E-Office (NIC)
                                    Freshdesk ITSM portal
                                    eViews Software
Websites                            PFRDA Corporate Website
                                    PFRDA Financial Literacy Website
                                    Retirement Planner portal
                                    PFRDA's Website with Content Management
                                    System is hosted at NIC Cloud.
Email                               NIC Email System
Endpoint Security                   Seqrite Endpoint Security System
Others                              Biometrics based access controls, CCTV Network
                                    System, EPABX System

15. DELIVERABLES: The Auditors shall complete the task of audit within 50
business days.

16. Audit Approach and Audit Considerations:

i. The independent IT/Cyber security audit will be undertaken through
an evaluation of risk management by assessing the total chain process of
the IT environment for operational integrity and operational management.

ii. The agency shall sign a Confidentiality Agreement before starting
the assignment, which will ensure the confidentiality and integrity
of the content, data, applications, logic, structure, designs and
other property of the Client which will be shared with, given access to,
and used by the agency during the execution of the assignment.

17. The selected agency should take care of the following considerations and
details at the beginning of the IT/Cyber Security Audit exercise:

a. Approach and Methodology in which the IT/Cyber Security Audit
activity is to be done; this will include the time frame of each
activity so as to organize the IT/Cyber audit activity for better
control and monitoring.
b. Standards of Security and Quality that are to be followed during the
IT/Cyber Security Audit activity.
c. Tools and Software that may be used for the IT/Cyber security audit
activity. All tools and software used by the bidder need to be
licensed.
d. Any additional and mandatory standards of Cyber Audit regulation,
as required for CERT-In Audit, should be made available and applied
by the Auditor.

SECTION-IV: PRE-QUALIFICATION CRITERIA

Sl. No. 1
Criteria: The Bidder may be a partnership firm or a limited liability
company or a company registered under the Companies Act, 2013, in India.
Documents to be submitted: Year of establishment and constitution. Certified
copy of "Partnership Deed" or "Certificate of Incorporation" should be
submitted, as the case may be.

Sl. No. 2
Criteria: The Bidder must have completed IT audit of at least 3 Government
Organizations or Scheduled Commercial Banks or Insurance Companies in the
last 5 years.
i. For the purpose of calculation of the last 05 years, the preceding 05
financial years shall be considered, including the present financial year
till the last date of original bid submission.
Documents to be submitted: Self-attested copies of relevant contracts to be
submitted along with the bid in support of having completed the IT Audit in
the last 5 years. The above documents should be submitted in the format as
per Annexure-4 in ATC.

Sl. No. 3
Criteria: The Bidder must have at least 3 Professionals on Payroll/Partners
with relevant industry-recognized certifications: CISA/CISM/GSNA/CISSP/CEH.
Documents to be submitted: Self-Declaration on the Letter Head of the firm.

Sl. No. 4
Criteria: The Bidder should be empanelled with CERT-In on the date of bid
submission.
Documents to be submitted: Copy of Empanelment with CERT-In.

Sl. No. 5
Criteria: The Bidder should not be blacklisted/barred by the Government of
India or any regulatory body in India in the last five years.
Documents to be submitted: Self-Declaration as per Annexure-3 in ATC.

Sl. No. 6
Criteria: The entity should have a registered Permanent Account Number (PAN)
and GST registration.
Documents to be submitted: Copy of PAN Card and GST Registration Certificate.

Sl. No. 7
Criteria: Acceptance of Terms & Conditions.
Documents to be submitted: The Bidder has to submit an acceptance certificate
as per the format specified at Annexure-5 in the ATC document, along with the
copy of the GeM bid document and ATC duly signed on all pages.

Note: All the eligibility criteria have to be duly satisfied on the date of
submission of the bid and not later.

SECTION-V: CHECKLIST OF DOCUMENTS TO BE SUBMITTED ALONG WITH THIS BID:

1. Bidder's Profile as per the format at Annexure-1;
2. Certificate of Incorporation/Partnership deed of the bidder, as applicable;
3. Self-attested copy of PAN Card;
4. Self-attested copy of GST Certificate;
5. Authorization Certificate as per the format at Annexure-2;
6. Self-attested copies of Work Orders supporting the pre-qualification criteria,
enclosed along with the format as per Annexure-4;
7. Self-Declaration regarding Qualified Manpower supporting the pre-qualification
criteria;
8. Self-attested copy of valid CERT-In empanelment certificate supporting the
pre-qualification criteria;
9. Acceptance Certificate as per the format specified at Annexure-5 in the ATC
document, along with the copy of the GeM bid document and ATC duly signed on
all pages;
10. 'Non-Blacklisting Certificate' as per the format specified at Annexure-3.

SECTION-VI: OTHER TERMS AND CONDITIONS

1. Confidentiality
All documents, information and reports relating to the assignment would be
handled and kept strictly confidential and not shared/published/supplied or
disseminated in any manner by the Auditor. The selected agency has to sign a
Non-Disclosure Agreement with PFRDA before commencing the audit. The NDA
shall be as per the format at Annexure-6.

2. Payment Terms
100% Payment shall be made only after completion of both the phases of Audit
and submission of all deliverables.

3. Indemnity
The successful bidder shall exercise reasonable skill, care and diligence in the
performance of the assignment and indemnify and keep the Authority, its
members, officers, or any employee indemnified in respect of any loss, damage
or claim howsoever arising out of or related to breach of contract, statutory duty
or negligence by the firm or by its staff, agents or sub- contractors in relation to
the performance or otherwise of the Services to be provided under the Contract.

4. Assigning to Others
The successful bidder shall not, without the prior written consent of the
Authority, assign or transfer or cause to be assigned or transferred, whether
actually or as the result of takeover, merger or other change of identity or
character of the Consultants, any of its rights or obligations under the Contract
or any part, share or interest therein. Upon any such assignment or transfer,
this engagement may forthwith be terminated by the Authority.

5. PFRDA reserves its right to add some additional area of audit work or
delete/ modify existing area of audit work apart from whatever is mentioned
in this document.

ANNEXURE-1: BIDDER’S PROFILE
(To be submitted on the letter head of the firm)

Sr. No.  Particulars                                                   Details
1.       Registered Name of the entity/firm
2.       Complete Address of Registered Office
3.       Constitution (Proprietary / Partnership / Private / Public etc.)
         Please enclose self-certified copy of certificate of incorporation
4.       Date and Country of Incorporation
5.       a. Permanent Account Number (PAN)
         b. GST No.
         c. Website
6.       AUTHORISED SIGNATORY DETAILS
         a) Name of the Authorised Signatory
         b) Designation
         c) Contact Details: Mobile #, Landline #, E-Mail ID
7.       Manpower (Nos.):
         A) Qualified Professionals:
            (i) Partners
            (ii) Others

Authorized Signatory of the bidder

Name:
Designation:
Date:
Place:

Seal of the company

ANNEXURE-2: BIDDER’S AUTHORIZATION CERTIFICATE
(To be submitted on the letter head of the Bidder)

To
General Manager (I & CS),
Pension Fund Regulatory and Development Authority,
B-14/A, Chhatrapati Shivaji Bhawan, Qutab Institutional Area,
Katwaria Sarai, New Delhi-110016

<Bidder’s Name>
______________________________<Designation>_________________
________________ is hereby authorized to sign relevant documents on behalf of
the Proprietorship/ Partnership firm/ Company in dealing with GEM Bid No.
________ _______________________. He is also authorized to submit technical &
commercial information as may be required by you in the course of processing
above said RFP.

Yours Sincerely,

Signatory of the bidder

Name:
Designation:
Date:
Place:

Seal of the company

ANNEXURE-3: SELF – DECLARATION – NON-BLACKLISTING

To
The General Manager,
Information & Cybersecurity Department,
Pension Fund Regulatory and Development Authority,
B-14/A, Chhatrapati Shivaji Bhavan,
Qutab Institutional Area , Katwaria Sarai
New Delhi, Delhi 110016

Sir,

Non-Blacklisting Certificate

In response to the GEM/2023/B/4345910 dated 26.12.2023, I/We
hereby declare that presently our Company/firm has an unblemished
record and is not declared ineligible for corrupt and fraudulent practices,
either indefinitely or for a particular period of time, by any State/Central
Government/PSU/Autonomous Body.

I/We hereby declare that our firm does not have any pecuniary
liability or any claim/disciplinary/legal proceeding pending against us/
our director(s) or partner(s) or employees or any other cause which could
hamper our ability to render the services as envisaged. We also declare
that our firm has not been banned /blacklisted or declared ineligible for
corrupt and fraudulent practices and does not have any disciplinary
proceedings pending against it or any of the partners by the Govt. of India
/ State Governments /PSUs/RBI/SEBI/IRDAI/ ICAI /C&AG /Autonomous
bodies.

If the aforesaid representation/declaration or information in the
annexures is found to be incorrect, we agree that PFRDA shall be
entitled to terminate the agreement, if executed, and/or initiate suitable
action as deemed fit and appropriate by PFRDA, without reference to
us. We or our affiliates have, during the last three years, neither failed to
perform any agreement, as evidenced by imposition of a penalty by an
arbitral or a judicial pronouncement or arbitration award against us or
our affiliates, nor have we been expelled from any project, nor had any
contract with us terminated for breach by us or our affiliates of any
obligations therein.

Thanking you,

Yours faithfully,

Signature of Authorized Signatory………………………………

Name of the Authorized Signatory………………………………

Designation:…………………………….

Seal of the Organization……………………………

Place
Date

ANNEXURE-4: PAST EXPERIENCE DETAILS
To be submitted on the Company/Firm’s Letter Head duly signed by Authorised Signatory

Past Experience details

S. No. | Financial Year of supply | Name of the Client | Description of Work | Proof of completion of Contract uploaded (Invoice No / CRAC No / Completion Certificate)
1
2

Signature of Authorized Signatory………………………………

Name of the Authorized Signatory………………………………

Designation.………………………….

Seal of the Organization……………………………

Place
Date

ANNEXURE-5: LETTER OF UNDERTAKING-ACCEPTANCE OF TERMS AND
CONDITIONS
<To be submitted on the Company/Firm’s Letter Head duly signed by Authorised Signatory>

To
The General Manager,
Information & Cybersecurity Department,
Pension Fund Regulatory and Development Authority,
B-14/A, Chhatrapati Shivaji Bhavan,
Qutab Institutional Area , Katwaria Sarai
New Delhi, Delhi 110016

Bid No: - GEM/2023/B/4345910 dated 26.12.2023

Dear Sir/Ma’am,

Sub: LETTER OF UNDERTAKING-ACCEPTANCE OF TERMS AND CONDITIONS

With reference to the GEM/2023/B/4345910 dated 26.12.2023,
I/We have read and understood the instructions and the terms and conditions
contained in the GeM bid document.
I/We accordingly accept all terms and conditions of the GeM bid document,
including the GTC and ATC documents.

I/We do hereby declare that the information furnished/uploaded is correct to
the best of my/our knowledge and belief.

I/We also hereby certify that if at any time the information furnished by us is
proved to be false or incorrect, I am/we are liable for any action as deemed
fit by the purchaser, in addition to forfeiture of the earnest money.

Yours faithfully,

Signature of Authorized Signatory………………………………

Name of the Authorized Signatory………………………………

Designation:…………………………….

Seal of the Organization……………………………
Place
Date

ANNEXURE-6: MODEL NON-DISCLOSURE AGREEMENT

(Between CERT-In empanelled Auditor & Auditee)

THIS NON-DISCLOSURE AGREEMENT is made on this …….. day (date) of
………… (Year)

By and between

# In case of Central Government Ministry/Departments/State Government
Departments
President of India/Governor of (name of state) acting through
……………………………. (Name, Designation) of …………………….. (Name of Ministry/
Department), address …………………… (hereinafter referred to
as "Auditee", which expression shall unless repugnant to the context or meaning
thereof include its successors and assigns) of the first part.

# In case of Autonomous Societies/Not-for-profit companies/Public sector
Undertakings/Private sector

……………………………. (Name of Company/Society) incorporated/registered under the
Companies Act, 1956/2013/the Societies Registration Act, 1860, having its
registered/corporate office at …………………… (hereinafter referred to as
"Auditee", which expression shall unless repugnant to the context or meaning thereof
include its successors, administrators and permitted assigns) of the first part.

And

Name incorporated/registered under the….….. Name of the Act having its
registered/corporate office at ……………… (herein referred to as “Auditor” which
expression shall unless repugnant to the context or meaning thereof, includes its
successors, assigns, administrators, liquidators and receivers) of the second part

WHEREAS

A. Auditor is a services organization empanelled by the Indian Computer Emergency
Response Team (hereinafter CERT-IN) under Department of Electronics & IT, for
auditing, including vulnerability assessment and penetration testing of computer
systems, networks, computer resources & applications of various agencies or
departments of the Government, critical infrastructure organizations and those in other
sectors of Indian economy vide communication No…………dated…….

B. Auditor as an empanelled Information Security Auditing organization has agreed to
fully comply with the “Guidelines for CERT-In Empanelled Information Security Auditing
Organizations, Terms & conditions of empanelment and Policy guidelines for handling
audit related data” while conducting audits.

C. Auditee is also aware of the aforesaid Guidelines along with guidelines for Auditee
Organizations published by CERT-In.

D. Both Auditor and Auditee have given their irrevocable consent to fully comply
with the aforesaid Guidelines and any amendments thereof without any reservations.

NOW, THEREFORE, in consideration of the foregoing and the covenants and
agreements contained herein, the parties agree as follows:

1. Definitions:

(a) The term “Confidential Information” shall include, without limitation, all
information and materials, furnished by either Party to the other in
connection with Auditee products and services including information transmitted
in writing, orally, visually, (e.g. video terminal display) or on magnetic media,
and including all proprietary information, customer & prospect lists, trade
secrets, trade names or proposed trade names, methods and procedures of
operation, business or marketing plans, licensed document know-how, ideas,
concepts, designs, drawings, flow charts, diagrams, quality manuals, checklists,
guidelines, processes, formulae, source code materials, specifications,
programs, software packages, codes and other intellectual property relating to
Auditee products and services. Results of any information security audits, tests,
analysis, extracts or usages carried out by the Auditor in connection with the
Auditee’s products and/or services, IT infrastructure, etc. shall also be
considered Confidential Information.

(b) The term “Auditee products” shall include all such products, goods, services,
deliverables, which are subject to audit by the empanelled auditor under the
Agreement.

2. Protection of Confidential Information. With respect to any Confidential
Information disclosed to it or to which it has access, Auditor affirms that it shall:

(a) Use the Confidential Information as necessary only in connection with
scope of audit and in accordance with the terms and conditions contained
herein;
(b) Maintain the Confidential Information in strict confidence and take all
reasonable steps to enforce the confidentiality obligations imposed
hereunder, but in no event take less care with the Confidential
Information than the parties take to protect the confidentiality of their own
proprietary and confidential information and that of their other clients;

(c) Not to make or retain copy of any details of products and/or services,
prototypes, business or marketing plans, Client lists, Proposals developed by
or originating from Auditee or any of the prospective clients of Auditee.
(d) Not to make or retain copy of any details of results of any information security
audits, tests, analysis, extracts or usages carried out by the Auditor in
connection with the Auditee’s products and/or services, IT infrastructure, etc.
without the express written consent of Auditee.
(e) Not disclose or in any way assist or permit the disclosure of any Confidential
Information to any other person or entity without the express written consent
of the auditee; and
(f) Return to the auditee, or destroy, at auditee’s discretion, any and all
Confidential Information disclosed in a printed form or other permanent
record, or in any other tangible form (including without limitation, all copies,
notes, extracts, analyses, studies, summaries, records and reproductions
thereof) immediately on (i) expiration or termination of this agreement, or (ii)
the request of Auditee therefor.
(g) Not to send Auditee’s audit information or data and/or any such Confidential
Information at any time outside India for the purpose of storage, processing,
analysis or handling without the express written consent of the Auditee.
(h) The auditor shall use only the best possible secure methodology to avoid
confidentiality breach, while handling audit related data for the purpose of
storage, processing, transit or analysis including sharing of information with
auditee.
(i) Not to engage or appoint any non-resident/foreigner to undertake any activity
related to Information Security Audit. In case of information security audits
for Government/ critical sector organization, only the manpower declared to
CERT-In shall be deployed to carry out such audit related activities.
(j) Not to discuss with any member of public, media, press, or any other
person about the nature of arrangement entered between the Auditor and the
Auditee or the nature of services to be provided by Auditor to the Auditee.
(k) Make sure that all the employees and/or consultants engaged to undertake
any audit on its behalf have signed the mandatory non-disclosure agreement.

3. Onus: Auditor shall have the burden of proving that any disclosure or use inconsistent
with the terms and conditions hereof falls within any of the foregoing exceptions.

4. Permitted disclosure of audit related information:

The auditor may share audit information with CERT-In or similar Government entities
mandated under the law as and when called upon to do so by such agencies with
prior written information to the auditee.

5. Exceptions. The Confidentiality obligations as enumerated in Article 2 of this
Agreement shall not apply in following cases:

a. Which is independently developed by Auditor or lawfully received from
another source free of restriction and without breach of this Agreement; or
b. After it has become generally available to the public without breach of this
Agreement by Auditor; or
c. Which at the time of disclosure to Auditor was known to such party free of
restriction and evidenced by documents in the possession of such party; or
d. Which Auditee agrees in writing is free of such restrictions.
e. Which is received from a third party not subject to the obligation of
confidentiality with respect to such Information;

6. Remedies:
Auditor acknowledges that any actual or threatened disclosure or use of the
Confidential Information by Auditor would be a breach of this agreement and may cause
immediate and irreparable harm to Auditee or to its clients; Auditor affirms that
damages from such disclosure or use by it may be impossible to measure accurately; and
injury sustained by Auditee / its clients may be impossible to calculate and compensate
fully. Therefore, Auditor acknowledges that in the event of such a breach, Auditee shall
be entitled to specific performance by Auditor of its obligations contained in this
Agreement. In addition Auditor shall compensate the Auditee for the loss or damages
caused to the auditee actual and liquidated damages which may be demanded by
Auditee. Liquidated damages not to exceed the Contract value. Moreover, Auditee shall
be entitled to recover all costs of litigation including reasonable attorneys’ fees which
it or they may incur in connection with defending its interests and enforcement of
contractual rights arising due to a breach of this agreement by Auditor. All rights and
remedies hereunder are cumulative and in addition to any other rights or remedies
under any applicable law, at equity, or under this Agreement, subject only to any
limitations stated herein.

7. Need to Know. Auditor shall restrict disclosure of such Confidential Information to its
employees and/or consultants with a need to know (and advise such employees and/or
consultants of the obligations assumed herein), shall use the Confidential Information
only for the purposes set forth in the Agreement, and shall not disclose such
Confidential Information to any affiliates, subsidiaries, associates and/or third party
without prior written approval of the Auditee. No information relating to auditee
shall be hosted or taken outside the country in any circumstances.

8. Intellectual Property Rights Protection. No license to a party, under any trademark,
patent, copyright, design right, mask work protection right, or any other intellectual
property right is either granted or implied by the conveying of Confidential Information
to such party.

9. No Conflict. The parties represent and warrant that the performance of its obligations
hereunder do not and shall not conflict with any other agreement or obligation of the
respective parties to which they are a party or by which the respective parties are
bound.

10. Authority. The parties represent and warrant that they have all necessary authority
and power to enter into this Agreement and perform their obligations hereunder.

11. Governing Law. This Agreement shall be interpreted in accordance with and governed
by the substantive and procedural laws of India and the parties hereby consent to the
jurisdiction of Courts and/or Forums situated at < Name of the city>

12. Entire Agreement. This Agreement constitutes the entire understanding and
agreement between the parties, and supersedes all previous or contemporaneous
agreement or communications, both oral and written, representations and
understandings among the parties with respect to the subject matter hereof.

13. Amendments. No amendment, modification and/or discharge of this Agreement shall
be valid or binding on the parties unless made in writing and signed on behalf of
each of the parties by their respective duly authorized officers or representatives.

14. Binding Agreement. This Agreement shall be binding upon and inure to the benefit of
the parties hereto and their respective successors and permitted assigns.

15. Severability. It is the intent of the parties that in case any one or more of the provisions
contained in this Agreement shall be held to be invalid or unenforceable in any respect,
such provision shall be modified to the extent necessary to render it, as modified, valid
and enforceable under applicable laws, and such invalidity or unenforceability shall
not affect the other provisions of this Agreement.

16. Waiver. Waiver by either party of a breach of any provision of this Agreement shall
not be deemed to be waiver of any preceding or succeeding breach of the same or any
other provision hereof.

17. Survival. Both parties agree that all of their obligations undertaken herein with respect
to Confidential Information received pursuant to this Agreement shall survive till
perpetuity even after expiration or termination of this Agreement.

18. Non-solicitation. During the term of this Agreement and thereafter for a further
period of two (2) years Auditor shall not solicit or attempt to solicit Auditee’s
employees and/or consultants, for the purpose of hiring/contract or to proceed to
conduct business similar to Auditee with any employee and/or consultant of the
Auditee who has knowledge of the Confidential Information, without the prior
written consent of Auditee.

19. This Agreement is governed by and shall be construed in accordance with the laws of
India. In the event a dispute arises between the parties in connection with the validity,
interpretation, implementation or alleged breach of any provision of this Agreement,
the parties shall attempt to resolve the dispute in good faith by senior level
negotiations. In case any such difference or dispute is not amicably resolved within
forty five (45) days of such referral for negotiations, it shall be resolved through
arbitration process, wherein both the parties will appoint one arbitrator each and the
third one will be appointed by the two arbitrators in accordance with the Arbitration
and Conciliation Act, 1996. The venue of arbitration in India shall be (please choose
the venue of dispute resolution as the city) or where the services are provided. The
proceedings of arbitration shall be conducted in English language and the arbitration
award shall be substantiated in writing and binding on the parties. The arbitration
proceedings shall be completed within a period of one hundred and eighty (180) days
from the date of reference of the dispute to arbitration.

20. Term. This Agreement shall come into force on the date of its signing by both the
parties and shall be valid up to ……… year.

IN WITNESS HEREOF, and intending to be legally bound, the parties have executed this
Agreement to make it effective from the date and year first written above.

# In case of auditee being Central Government Ministry/ Departments #

For & on behalf of President of India

(Name and designation of authorized signatory)
……………………………
<Name of Central Govt. Ministry/Department>
Or

# In case of auditee being State Government Department #

For & on behalf of Governor of ……. < State name>

………………………..

(Name and designation of authorized signatory)

<Name of State Department>

Or

# In case of Autonomous Societies/Not-for-profit-company/Public sector undertaking /Private Sector #

for <Name of organization>,

<Name and designation of authorized signatory> duly authorized by rules & regulations /
of <Name of society>/ vide resolution no. …. dated
……. of Board of Directors of ......... <Name of organization>.

(AUDITEE) (AUDITOR)

WITNESSES:

1.

**********************************************************************************************************
