FOR
PFRDA IT INFRASTRUCTURE
Page 1 of 29
Table of Contents
SECTION-1: INTRODUCTION ... 5
SECTION-II: INSTRUCTIONS TO BIDDERS ... 6
SECTION-III: BROAD SCOPE OF AUDIT ... 9
SECTION-IV: PRE-QUALIFICATION CRITERIA ... 14
SECTION-V: CHECKLIST OF DOCUMENTS TO BE SUBMITTED ALONG WITH THIS BID ... 15
SECTION-VI: OTHER TERMS AND CONDITIONS ... 16
ANNEXURE-1: BIDDER’S PROFILE ... 17
ANNEXURE-2: BIDDER’S AUTHORIZATION CERTIFICATE ... 18
ANNEXURE-3: SELF-DECLARATION – NON-BLACKLISTING ... 19
ANNEXURE-4: PAST EXPERIENCE DETAILS ... 21
ANNEXURE-5: LETTER OF UNDERTAKING – ACCEPTANCE OF TERMS AND CONDITIONS ... 22
ANNEXURE-6: MODEL NON-DISCLOSURE AGREEMENT ... 24
DISCLAIMER
b. The purpose of this RFP is to provide the interested and eligible Bidder(s)
with information to assist them in the preparation of their Bid proposals. This RFP
does not claim to contain all the information each Bidder may require. Each
Bidder should conduct its own investigations and analysis and should check
the accuracy, reliability and completeness of the information contained in
this RFP and, where necessary, obtain independent advice/clarifications.
PFRDA may in its absolute discretion, but without being under any obligation
to do so, update, amend or supplement the information in this RFP to get the
best proposal.
e. The Bidder is presumed to have examined all instructions, forms, terms and
specifications in this RFP along with the eligibility conditions as on the date
of submission of its bid. Failure to furnish all information required under this
RFP, or to submit a Bid not substantially responsive to this RFP in all respects,
will be at the Bidder’s risk and may result in rejection of the Bid.
f. This RFP is not an offer by PFRDA but an invitation to receive proposals/ bids
from interested and eligible bidders for engagement of CERT-In empaneled
IT Audit firm for conducting cybersecurity audit of IT Infrastructure of PFRDA.
g. No contractual obligation whatsoever shall arise from the RFP process unless
and until a formal contract is executed between PFRDA and the successful
bidder. PFRDA reserves the right to cancel the selection process at any stage,
prior to the engagement of IT Audit firm without any liability owed to any
party.
h. This RFP is being issued with no financial commitment and PFRDA reserves
the right to withdraw the RFP and change or vary any part thereof or
foreclose the same at any stage.
SECTION-1: INTRODUCTION
3. The various crucial dates relating to the “Tender for conducting Cyber Security
Audit of IT Infrastructure of Pension Fund Regulatory and Development
Authority” are as under:
SECTION-II: INSTRUCTIONS TO BIDDERS
1. Bidder(s) shall submit their bid (comprising a “Technical” and a “Financial” bid)
online at the GeM Portal. Bidders shall have to visit the GeM portal
(http://gem.gov.in/), select the appropriate GeM bid number, upload the duly
filled and signed technical bid documents and defined forms electronically by
scanning them in PDF format, and then click on the final submission link to
submit their encrypted bid.
3. Online submission of bids: Online bids will have to be submitted within the
time specified on the website https://gem.gov.in/ in the following manner:
Financial Bid (.xls): Bidder(s) must read the terms and conditions as
mentioned in this tender document and submit the form accordingly.
Bidder(s) are required to check the prices/amount carefully before
uploading the financial bid.
4. Submission of more than one bid is not allowed and shall result in
disqualification of the bidder.
5. Validity of bids: Bid submitted by the Bidder(s) shall remain valid for
acceptance for a minimum period of Ninety (90) days from the last date of
submission of bid (Technical and Financial), including extensions, if any.
6. PFRDA reserves the right to reject any or all the bids without assigning any
reasons thereof.
7. Hard copies of the bid documents will not be accepted and any such offer, if
received by PFRDA, will be rejected outright.
9. The Bidders must fully comply with all the terms and conditions given in the
Tender document. It is clarified that in case any of the stipulated terms and
conditions are not fulfilled by the Bidder, or incomplete or incorrect
information is submitted by the Bidder, the bid may be treated as ineligible, the
Bidder may be technically disqualified and the Price Bid shall not be opened.
10. Further it is also intimated that GeM Portal is used only as a platform for
procurement/tendering. All the terms and conditions contained in this Tender
shall be applicable during the whole tender process.
Please note that the technical proposal must NOT contain any pricing
information.
b. Financial Evaluation
The financial bids will be opened for only those bidders who are
declared technically qualified by the evaluation cum selection
committee. The financial evaluation will take into account the
information supplied by the Bidders in the financial proposal, and the
same shall be evaluated in accordance with the evaluation criteria
specified in this RFP.
At no point of time will any deviation from the quoted rate be
entertained by the Authority. Where the fee quoted in the financial
bid is zero, such bids shall be treated as non-responsive and rejected.
Please note that the financial bid should not be conditional and no
technical information should be provided along with the financial
proposal.
SECTION-III: BROAD SCOPE OF AUDIT
2. Security Audit: PFRDA would like to have the audit performed in a phased
manner, wherein Phase-1 (Security Audit) needs to be commenced within
10 business days of issuing the Work Order. This needs to be carried out at
PFRDA Headquarters, situated at New Delhi.
3. The selected agency shall audit the IT Infrastructure Cyber Security at
PFRDA, in compliance with the Information and Cyber Security Policy of
PFRDA, the latest version of the “Cyber Security Audit Baseline Requirements”
by the National Security Council Secretariat as followed by CERT-In, and ISO 27001.
A report of Cyber Security gaps along with recommendations needs to
be provided by the Bidder, and based on the same, security gap analysis and
action would be taken at PFRDA’s end. The compliance report shall be
submitted to PFRDA by the Selected Agency within 30 days of
commencement of the Audit.
4. After the first Phase of the Cyber Security Audit and the Reporting thereof by
the selected agency, PFRDA would take some reasonable time to attempt to
rectify the gaps pointed out, as much as possible. After the
Gap bridging exercise by PFRDA has been completed, the Bidder would be
informed accordingly by the concerned PFRDA representative, and thereafter
the Bidder should commence the Second Phase of the Cyber Security Audit
exercise. The time taken by PFRDA for bridging the Cyber Security Gap will
not affect the Bidder in any way, as the Bidder will not be held responsible
for any delay in the same.
6. The bidder shall review and recommend IT and Cyber Security policies
(Internal) for PFRDA. The policies shall include the themes mentioned in the
deliverables and any additional theme identified in the Audit report and
not included in the scope. The selected agency shall recommend a suitable
Cyber Crisis Management Plan (CCMP) for PFRDA IT facilities, for the
consideration of the Authority, which will contain the strategy to be followed in
case of a cyber-attack or threat at PFRDA.
8. The selected bidder should provide the below mentioned details at the
starting of the Cyber Security Audit exercise:
9. Reports required by PFRDA, during and at the end of the Cyber Security
Audit exercise:
a. Audit Plan and proposed and actual progress in the Cyber Audit exercise
on a weekly basis.
b. Summary of Cyber Audit findings, including identification tests and the
results of the tests need to be shared with concerned PFRDA officials on
a weekly basis and as and when required by PFRDA.
c. Analysis of vulnerabilities and issues of concern of Cyber Security needs
to be reported on a weekly basis.
10. Deliverables:
a. Compliance Assessment Report (after Phase-1), along with
recommendations for corrective actions/redressals/mitigation of
risks/Non-Conformities (NCs).
b. Vulnerability Assessment Report
c. Detailed Audit Report (after Phase-2)
d. IT and Cyber Security Policies, as required and Draft Cyber Crisis
Management Plan
e. Audit Certificate
12. Presentation on the Cyber Security Audit Report, its findings, conclusions,
and recommendations for Gap Analysis and Plugging, as per CERT-In
guidelines, need to be made to the management of PFRDA as required.
Recommendations should also be given for Quality Standard ISO 27001, as
this is also a prime objective of the Cyber Security Audit Output.
13. Details of the Authorized Contact person for the Cyber Security Audit
Exercise need to be provided by the Bidder, designated for PFRDA, to be
the single point of contact for the Bidder.
DR site NIC’s Cloud Server is used.
15. DELIVERABLES: The Auditors shall complete the task of audit within 50
business days.
17. The selected agency should take care of the following considerations and
details at the beginning of the IT/Cyber Security Audit exercise:
control and monitoring.
b. Standards of Security and Quality that are to be followed during the
IT/Cyber Security Audit activity.
c. Tools and Software that may be used for the IT/Cyber security audit
activity. All tools and software used by the bidder need to be
licensed.
d. Any additional and mandatory standards of Cyber Audit regulation,
as required for a CERT-In Audit, should be made available and
applied by the Auditor.
SECTION-IV: PRE-QUALIFICATION CRITERIA
3. Criterion: The Bidder must have at least 3 Professionals on Payroll/Partners with
relevant industry-recognized certifications (CISA/CISM/GSNA/CISSP/CEH).
Supporting document: Self-Declaration on Letter Head of the firm.
4. Criterion: The Bidder should be empanelled with CERT-In on the date of bid
submission.
Supporting document: Copy of Empanelment with CERT-In.
6. Criterion: The entity should have a registered Permanent Account Number (PAN)
and GST registration.
Supporting document: Copy of PAN Card and GST Registration Certificate.
Note: All the eligibility criteria have to be duly satisfied on the date of submission of
the bid and not later.
SECTION-VI: OTHER TERMS AND CONDITIONS
1. Confidentiality
All documents, information and reports relating to the assignment would be
handled and kept strictly confidential and not shared/published/supplied or
disseminated in any manner by the Auditor. The selected agency shall sign a
Non-Disclosure Agreement with PFRDA before commencing the audit. The NDA
shall be as per the format at Annexure-6.
2. Payment Terms
100% Payment shall be made only after completion of both the phases of Audit
and submission of all deliverables.
3. Indemnity
The successful bidder shall exercise reasonable skill, care and diligence in the
performance of the assignment and indemnify and keep the Authority, its
members, officers, or any employee indemnified in respect of any loss, damage
or claim howsoever arising out of or related to breach of contract, statutory duty
or negligence by the firm or by its staff, agents or sub-contractors in relation to
the performance or otherwise of the Services to be provided under the Contract.
4. Assigning to Others
The successful bidder shall not, without the prior written consent of the
Authority, assign or transfer or cause to be assigned or transferred, whether
actually or as the result of takeover, merger or other change of identity or
character of the Consultants, any of its rights or obligations under the Contract
or any part, share or interest therein. Upon any such assignment or transfer,
this engagement may forthwith be terminated by the Authority.
5. PFRDA reserves its right to add additional areas of audit work or to
delete/modify existing areas of audit work apart from whatever is mentioned
in this document.
ANNEXURE-1: BIDDER’S PROFILE
(To be submitted on the letter head of the firm)
ANNEXURE-2: BIDDER’S AUTHORIZATION CERTIFICATE
(To be submitted on the letter head of the Bidder)
To
General Manager (I & CS),
Pension Fund Regulatory and Development Authority,
B-14/A, Chatrapati Shivaji Bhawan, Qutub Institutional Area,
Katwaria Sarai, New Delhi-110016
<Bidder’s Name>
______________________________<Designation>_________________
________________ is hereby authorized to sign relevant documents on behalf of
the Proprietorship/ Partnership firm/ Company in dealing with GEM Bid No.
________ _______________________. He is also authorized to submit technical &
commercial information as may be required by you in the course of processing
the above-said RFP.
Yours Sincerely,
ANNEXURE-3: SELF – DECLARATION – NON-BLACKLISTING
To
The General Manager,
Information & Cybersecurity Department,
Pension Fund Regulatory and Development Authority,
B-14/A, Chhatrapati Shivaji Bhavan,
Qutab Institutional Area, Katwaria Sarai
New Delhi, Delhi 110016
Sir,
Non-Blacklisting Certificate
I/We hereby declare that our firm does not have any pecuniary
liability or any claim/disciplinary/legal proceeding pending against us/
our director(s) or partner(s) or employees or any other cause which could
hamper our ability to render the services as envisaged. We also declare
that our firm has not been banned /blacklisted or declared ineligible for
corrupt and fraudulent practices and does not have any disciplinary
proceedings pending against it or any of the partners by the Govt. of India
/ State Governments /PSUs/RBI/SEBI/IRDAI/ ICAI /C&AG /Autonomous
bodies.
Thanking you,
Yours faithfully,
Designation:…………………………….
Place
Date
ANNEXURE-4: PAST EXPERIENCE DETAILS
To be submitted on the Company/Firm’s Letter Head duly signed by Authorised Signatory
Designation:…………………………….
Place
Date
ANNEXURE-5: LETTER OF UNDERTAKING – ACCEPTANCE OF TERMS AND CONDITIONS
<To be submitted on the Company/Firm’s Letter Head duly signed by Authorised Signatory>
To
The General Manager,
Information & Cybersecurity Department,
Pension Fund Regulatory and Development Authority,
B-14/A, Chhatrapati Shivaji Bhavan,
Qutab Institutional Area, Katwaria Sarai
New Delhi, Delhi 110016
Dear Sir/Ma’am,
Yours faithfully,
Designation:…………………………….
Seal of the Organization……………………………
Place
Date
ANNEXURE-6: MODEL NON-DISCLOSURE AGREEMENT
By and between
And
WHEREAS
Organizations, Terms & conditions of empanelment and Policy guidelines for handling
audit related data” while conducting audits.
C. Auditee is also aware of the aforesaid Guidelines along with guidelines for Auditee
Organizations published by CERT-In.
D. Both Auditor and Auditee have given their irrevocable consent to fully comply with
the aforesaid Guidelines and any amendments thereof without any reservations.
1. Definitions:
(a) The term “Confidential Information” shall include, without limitation, all
information and materials, furnished by either Party to the other in
connection with Auditee products and services including information transmitted
in writing, orally, visually, (e.g. video terminal display) or on magnetic media,
and including all proprietary information, customer & prospect lists, trade
secrets, trade names or proposed trade names, methods and procedures of
operation, business or marketing plans, licensed document know-how, ideas,
concepts, designs, drawings, flow charts, diagrams, quality manuals, checklists,
guidelines, processes, formulae, source code materials, specifications,
programs, software packages, codes and other intellectual property relating to
Auditee products and services. Results of any information security audits, tests,
analysis, extracts or usages carried out by the Auditor in connection with the
Auditee’s products and/or services, IT infrastructure, etc. shall also be
considered Confidential Information.
(b) The term “Auditee products” shall include all such products, goods, services,
deliverables, which are subject to audit by the empanelled auditor under the
Agreement.
(c) Not to make or retain copy of any details of products and/or services,
prototypes, business or marketing plans, Client lists, Proposals developed by
or originating from Auditee or any of the prospective clients of Auditee.
(d) Not to make or retain copy of any details of results of any information security
audits, tests, analysis, extracts or usages carried out by the Auditor in
connection with the Auditee’s products and/or services, IT infrastructure, etc.
without the express written consent of Auditee.
(e) Not to disclose or in any way assist or permit the disclosure of any Confidential
Information to any other person or entity without the express written consent
of the Auditee; and
(f) Return to the Auditee, or destroy, at the Auditee’s discretion, any and all
Confidential Information disclosed in a printed form or other permanent
record, or in any other tangible form (including without limitation, all copies,
notes, extracts, analyses, studies, summaries, records and reproductions
thereof) immediately on (i) expiration or termination of this agreement, or (ii)
the request of the Auditee therefor.
(g) Not to send Auditee’s audit information or data and/or any such Confidential
Information at any time outside India for the purpose of storage, processing,
analysis or handling without the express written consent of the Auditee.
(h) The auditor shall use only the best possible secure methodology to avoid
confidentiality breach, while handling audit related data for the purpose of
storage, processing, transit or analysis including sharing of information with
auditee.
(i) Not to engage or appoint any non-resident/foreigner to undertake any activity
related to the Information Security Audit. In case of information security audits
for Government/critical sector organizations, only the manpower declared to
CERT-In shall be deployed to carry out such audit related activities.
(j) Not to discuss with any member of the public, media, press, or any other
person the nature of the arrangement entered into between the Auditor and the
Auditee or the nature of the services to be provided by the Auditor to the Auditee.
(k) Make sure that all the employees and/or consultants engaged to undertake
any audit on its behalf have signed the mandatory non-disclosure agreement.
3. Onus: Auditor shall have the burden of proving that any disclosure or use inconsistent
with the terms and conditions hereof falls within any of the foregoing exceptions.
6. Remedies:
Auditor acknowledges that any actual or threatened disclosure or use of the
Confidential Information by Auditor would be a breach of this agreement and may cause
immediate and irreparable harm to Auditee or to its clients; Auditor affirms that
damages from such disclosure or use by it may be impossible to measure accurately; and
injury sustained by Auditee / its clients may be impossible to calculate and compensate
fully. Therefore, Auditor acknowledges that in the event of such a breach, Auditee shall
be entitled to specific performance by Auditor of its obligations contained in this
Agreement. In addition, Auditor shall compensate the Auditee for the loss or damage
caused to the Auditee, including actual and liquidated damages which may be demanded by
Auditee. Liquidated damages are not to exceed the Contract value. Moreover, Auditee shall
be entitled to recover all costs of litigation including reasonable attorneys’ fees which
it or they may incur in connection with defending its interests and enforcement of
contractual rights arising due to a breach of this agreement by Auditor. All rights and
remedies hereunder are cumulative and in addition to any other rights or remedies
under any applicable law, at equity, or under this Agreement, subject only to any
limitations stated herein.
7. Need to Know. Auditor shall restrict disclosure of such Confidential Information to its
employees and/or consultants with a need to know (and advise such employees and/or
consultants of the obligations assumed herein), shall use the Confidential Information
only for the purposes set forth in the Agreement, and shall not disclose such
Confidential Information to any affiliates, subsidiaries, associates and/or third party
without prior written approval of the Auditee. No information relating to auditee
shall be hosted or taken outside the country in any circumstances.
9. No Conflict. The parties represent and warrant that the performance of their obligations
hereunder does not and shall not conflict with any other agreement or obligation of the
respective parties to which they are a party or by which the respective parties are
bound.
10. Authority. The parties represent and warrant that they have all necessary authority
and power to enter into this Agreement and perform their obligations hereunder.
11. Governing Law. This Agreement shall be interpreted in accordance with and governed
by the substantive and procedural laws of India and the parties hereby consent to the
jurisdiction of Courts and/or Forums situated at <Name of the city>.
12. Entire Agreement. This Agreement constitutes the entire understanding and
agreement between the parties, and supersedes all previous or contemporaneous
agreements or communications, both oral and written, representations and
understandings among the parties with respect to the subject matter hereof.
14. Binding Agreement. This Agreement shall be binding upon and inure to the benefit of
the parties hereto and their respective successors and permitted assigns.
15. Severability. It is the intent of the parties that in case any one or more of the provisions
contained in this Agreement shall be held to be invalid or unenforceable in any respect,
such provision shall be modified to the extent necessary to render it, as modified, valid
and enforceable under applicable laws, and such invalidity or unenforceability shall
not affect the other provisions of this Agreement.
16. Waiver. Waiver by either party of a breach of any provision of this Agreement shall
not be deemed to be a waiver of any preceding or succeeding breach of the same or any
other provision hereof.
17. Survival. Both parties agree that all of their obligations undertaken herein with respect
to Confidential Information received pursuant to this Agreement shall survive till
perpetuity even after expiration or termination of this Agreement.
18. Non-solicitation. During the term of this Agreement and thereafter for a further
period of two (2) years Auditor shall not solicit or attempt to solicit Auditee’s
employees and/or consultants, for the purpose of hiring/contract or to proceed to
conduct business similar to Auditee with any employee and/or consultant of the
Auditee who has knowledge of the Confidential Information, without the prior
written consent of Auditee.
19. This Agreement is governed by and shall be construed in accordance with the laws of
India. In the event a dispute arises between the parties in connection with the validity,
interpretation, implementation or alleged breach of any provision of this Agreement,
the parties shall attempt to resolve the dispute in good faith by senior level
negotiations. In case any such difference or dispute is not amicably resolved within
forty five (45) days of such referral for negotiations, it shall be resolved through an
arbitration process, wherein both the parties will appoint one arbitrator each and the
third one will be appointed by the two arbitrators in accordance with the Arbitration
and Conciliation Act, 1996. The venue of arbitration in India shall be (please choose
the venue of dispute resolution as the city) or where the services are provided. The
proceedings of arbitration shall be conducted in English language and the arbitration
award shall be substantiated in writing and binding on the parties. The arbitration
proceedings shall be completed within a period of one hundred and eighty (180) days
from the date of reference of the dispute to arbitration.
20. Term. This Agreement shall come into force on the date of its signing by both the
parties and shall be valid up to ……… year.
IN WITNESS HEREOF, and intending to be legally bound, the parties have executed this
Agreement to make it effective from the date and year first written above.
Or
(AUDITEE) (AUDITOR)
WITNESSES:
1.