REQUEST FOR PROPOSAL (RFP) FOR

INFORMATION SYSTEMS AUDIT

2009-10

𸸣÷¸ú¡¸ ¥¸‹¸º „Ô¸¸½Š¸ ¹¨¸ˆÅ¸ç¸ ñ¸ÿˆÅ

Small Industries Development Bank of India
Information Services Department
3rd Floor, SME Development Center
Plot No.C-11, ‘G’ Block
Bandra Kurla Complex, Bandra (E), Mumbai - 400 051
Website :www.sidbi.in

THE INFORMATION PROVIDED BY THE BIDDERS IN RESPONSE TO THIS TENDER DOCUMENT WILL BECOME
THE PROPERTY OF SIDBI AND WILL NOT BE RETURNED. SIDBI RESERVES THE RIGHT TO AMEND, RESCIND OR
REISSUE THIS TENDER DOCUMENT AND ALL AMENDMENTS WILL BE ADVISED TO THE BIDDERS AND SUCH
AMENDMENTS WILL BE BINDING ON THEM.

(THIS DOCUMENT SHOULD NOT BE REUSED OR COPIED OR USED

EITHER PARTIALLY OR FULLY IN ANY FORM)
Request for Proposal: Information Systems Audit 2009-10

Critical Information Summary

SIDBI

PUBLIC TENDER NO. 400/2010/558/BYO/ISD

1) The RfP is posted on SIDBI website www.sidbi.in. SIDBI reserves the right to
change the audit requirements. However, any such changes will be posted on
web site.
2) Bidders are advised to study the tender document carefully. Submission of
bids shall be deemed to have been done after careful study and examination
of the tender document with full understanding of its implications.
3) Any clarifications from bidder or any change in requirement, will be posted on
SIDBI website. Hence before submitting bids, bidder must ensure that such
clarifications / changes have been considered by them. SIDBI will not
have any responsibility in case some omission is done by any bidder.
4) In case of any clarification required by SIDBI to assist in the examination,
evaluation and comparison of bids SIDBI may, at its discretion, ask the
bidder for clarification. The response / Clarification shall be in writing and
no change in the price of substance of the bid shall be sought, offered or
permitted.
5) Please note that all the information required as per the bidding document
needs to be provided. Incomplete information in these areas may lead to non-
selection.
6) Modification And/Or Withdrawal of Bids:
Bids once submitted will be treated, as final and no further correspondence
will be entertained. No bid shall be modified after the deadline for submission
of bids. No bidder shall be allowed to withdraw the bid, if bidder happens to be
the successful bidder.
7) SIDBI has the right to reject any or all tenders received without assigning any
reason whatsoever.

NOTE:
SIDBI SHALL NOT BE RESPONSIBLE FOR NON-RECEIPT / NONDELIVERY OF THE BID
DOCUMENTS DUE TO ANY REASON WHATSOEVER.

Confidential -2-
Request for Proposal: Information Systems Audit 2009-10

Schedule of events :
Sl. Bid Reference -
No.
1 Purpose Information Systems Audit - 2009-10

2 Cost of Tender Rs. 500/-

3 EMD Rs. 10,000/-
To be submitted as Demand Draft in favour of
SIDBI, payable at Mumbai. The above 2
amounts can be paid by a single DD for
Rs.10,500/-
4 No. Of Envelopes Two (2) Envelopes
(Non window, sealed) to Envelope 1 containing:
be submitted 1. Technical Bids as per Section 5
(Submit 1 hard copy and 1 soft copy in CD)
2. DD towards cost of tender & EMD.

Envelope 2 containing:
Commercial Bid as per Section 6 (Only one
bid to be kept)

5 Last Date of Submission Jan 20, 2010 by 4:00 pm

of Bids
6 Venue, Date and time of At 5:00 PM, on last date of bid submission, at
opening of Bids, except the address given at Sr. no. 10
Commercial Bids.
7 Pre-bid meeting Jan 12, 2010 at 3.00 PM
8 Response to clarification Jan 14, 2010
/ pre bid meeting to be
put on web site
9 Bid Validity 90 days from the last date of submission
10 Address for submission of The General Manager (Systems)
Bids SIDBI
SME Development Center
Plot No.C-11, ‘G’ Block,
Bandra Kurla Complex,Bandra(East)
Mumbai - 400 051
Ph : 67531100 Fax: 67531236
Contact Persons
11 Name & Phone E-mail
Designation
Smt. N Uma 67531319 numa@sidbi.in
AGM (Systems)

Confidential -3-
Request for Proposal: Information Systems Audit 2009-10

Table of Contents
SCHEDULE OF EVENTS : .......................................................................................................................... 3

1. INTRODUCTION AND DISCLAIMERS ......................................................................................... 6

1.1 PURPOSE OF RFP ............................................................................................................................. 6
1.2 INFORMATION PROVIDED ................................................................................................................ 6
1.3 DISCLAIMER .................................................................................................................................... 6
1.4 COSTS TO BE BORNE BY RESPONDENTS ........................................................................................... 6
1.5 NO LEGAL RELATIONSHIP ............................................................................................................... 6
1.6 RECIPIENT OBLIGATION TO INFORM ITSELF .................................................................................... 6
1.7 EVALUATION OF OFFERS ................................................................................................................. 7
1.8 ERRORS AND OMISSIONS ................................................................................................................. 7
1.9 ACCEPTANCE OF TERMS .................................................................................................................. 7
1.10 LODGMENT OF RFP ......................................................................................................................... 7
1.11 REQUESTS FOR PROPOSAL .............................................................................................................. 8
1.12 NOTIFICATION ................................................................................................................................. 8
1.13 DISQUALIFICATION.......................................................................................................................... 8
2. BACKGROUND................................................................................................................................... 9
ABOUT SIDBI ............................................................................................................................................. 9
PRESENT IT SETUP:...................................................................................................................................... 9
3. REQUIREMENTS ............................................................................................................................. 10
3.1 OBJECTIVE .................................................................................................................................... 10
3.2 SCOPE............................................................................................................................................ 10
3.3 SCOPE OF IT CONTROL REVIEW .................................................................................................... 11
3.4 SCOPE OF NETWORK AND SECURITY AUDIT (NSA) ...................................................................... 11
3.5 EXPECTED DELIVERABLES ............................................................................................................ 13
3.6 FOLLOW-UP AND COMPLIANCE ..................................................................................................... 14
3.7 TERMS AND CONDITIONS ............................................................................................................... 14
3.8 TIME FRAME OF THE DELIVERABLES .............................................................................................. 15
4. SELECTION CRITERIA.................................................................................................................. 16
4.1 TENDER METHODOLOGY ............................................................................................................... 16
4.2 SELECTION PROCESS ...................................................................................................................... 16
5. TECHNICAL BID.............................................................................................................................. 17
5.1 MINIMUM ELIGIBILITY CRITERIA .................................................................................................. 17
5.2 AUDIT FIRM DETAILS:................................................................................................................... 18
5.3 CONTACT DETAILS:....................................................................................................................... 19
5.4 DETAILS OF IT AUDIT PROJECTS DONE IN PREVIOUS 3 YEARS IN BANKING DOMAIN: .................... 19
6. COMMERCIAL BID ......................................................................................................................... 21

7. ANNEXURE - A ................................................................................................................................. 22

1) SPECIAL TERMS & CONDITIONS:.......................................................................................................... 22

2) GENERAL TERMS AND CONDITIONS:.................................................................................. 23

I. DEFINITIONS.................................................................................................................................... 23

II. USE OF CONTRACT DOCUMENTS AND INFORMATION ................................................. 24

Confidential -4-
Request for Proposal: Information Systems Audit 2009-10

III. SUBCONTRACTS ......................................................................................................................... 24

IV. GOVERNING LANGUAGE ......................................................................................................... 24

V. COMMERCIAL TERMS.............................................................................................................. 25

VI. APPLICABLE LAWS.................................................................................................................... 25

VII. PATENT RIGHTS ......................................................................................................................... 26

VIII. FORCE MAJEURE ................................................................................................................... 26

IX. FORFEITURE OF PERFORMANCE SECURITY.................................................................... 27

X. TERMINATION............................................................................................................................. 27

XI. RESOLUTION OF DISPUTES..................................................................................................... 28

Confidential -5-
Request for Proposal: Information Systems Audit 2009-10

1. Introduction and Disclaimers

1.1 Purpose of RfP
The purpose of RfP is to short list Auditor for conducting IS Audit for IT Control Review based on
1) Minimum Eligibility Criteria 2) Technical bid and 3) Commercial bid.

1.2 Information Provided

The Request for Proposal document contains statements derived from information that is
believed to be relevant at the date but does not purport to provide all of the information that may
be necessary or desirable to enable an intending contracting party to determine whether or not to
enter into a contract or arrangement with SIDBI. Neither SIDBI nor any of its employees, agents,
contractors, or advisers gives any representation or warranty, express or implied, as to the
accuracy or completeness of any information or statement given or made in this document.
Neither SIDBI nor any of its employees, agents, contractors, or advisers has carried out or will
carry out an independent audit or verification exercise in relation to the contents of any part of the
document.

1.3 Disclaimer
Subject to any law to the contrary, and to the maximum extent permitted by law, SIDBI and its
officers, employees, contractors, agents, and advisers disclaim all liability from any loss or
damage (whether foreseeable or not) suffered by any person acting on or refraining from acting
because of any information including forecasts, statements, estimates, or projections contained in
this RfP document or conduct ancillary to it whether or not the loss or damage arises in
connection with any negligence, omission, default, lack of care or misrepresentation on the part of
SIDBI or any of its officers, employees, contractors, agents, or advisers.

1.4 Costs to be borne by Respondents

All costs and expenses incurred by Respondents in any way associated with the development,
preparation, and submission of responses, including but not limited to; the attendance at
meetings, discussions, demonstrations, etc. and providing any additional information required by
SIDBI, will be borne entirely and exclusively by the Respondent.

1.5 No Legal Relationship

No binding legal relationship will exist between any of the Respondents and SIDBI until execution
of a contractual agreement.

1.6 Recipient Obligation to Inform Itself

The Recipient must conduct its own investigation and analysis regarding any information
contained in the RfP document and the meaning and impact of that information.

Confidential -6-
Request for Proposal: Information Systems Audit 2009-10

1.7 Evaluation of Offers

Each Recipient acknowledges and accepts that SIDBI may in its absolute discretion apply
selection criteria specified in the document for evaluation of proposals for short listing / selecting
the eligible vendor(s). The RfP document will not form part of any contract or arrangement, which
may result from the issue of this document or any investigation or review, carried out by a
Recipient.

1.8 Errors and Omissions

Each Recipient should notify SIDBI of any error, omission, or discrepancy found in this RfP
document.

1.9 Acceptance of Terms

A Recipient will, by responding to SIDBI for RfP, be deemed to have accepted the terms of this
Introduction and Disclaimer.

1.10 Lodgment of RfP

1.10.1 RfP submission:
RfP document submission is required to be done as under:-

1 hard copy along with 1 soft copy (Of Technical Bids) at the following address in a single
sealed envelope.
General Manager (Systems)
Small Industries Development Bank of India
3rd Floor, SME Development Centre,
Plot No. C-11, G Block
Bandra Kurla Complex (BKC), Bandra (E)
Mumbai - 400 051

Telephone No. : +91 – 22 – 67531100, 67531319

Fax No. : +91 – 22 – 67531236
♦ Copies of the RfP must be submitted before the aforementioned closing date and time
mentioned in Critical Information Summary.

♦ Faxed copies of any submission are not acceptable and will be rejected by the Bank.

♦ All copies of RfPs and attachments must be provided in a sealed envelope.

If the submission does not include all the information required or is incomplete, the proposal is
liable to be rejected.

All submissions, including any accompanying documents, will become the property of SIDBI.
Recipients shall be deemed to license, and grant all rights to SIDBI to reproduce the whole or any
portion of their submission for the purpose of evaluation, to disclose the contents of the
submission to other Recipients and to disclose and/or use the contents of the submission as the
basis for any resulting RfP process, notwithstanding any copyright or other intellectual property
right that may subsist in the submission or accompanying documents.

Confidential -7-
Request for Proposal: Information Systems Audit 2009-10

1.10.2 RfP Validity Period

The proposal must remain valid and open for evaluation according to their terms for a period of at
least three (3) months from the time the RfP closes on the deadline for lodgment of RfP.

1.11 Requests For Proposal

Recipients are required to direct all communications related to this RfP, through the Nominated
Point of Contact person :

Contact : Smt N Uma

Position : Asst. General Manager (Systems)

Email : numa@sidbi.in
Telephone : +91 - 22 – 67531319
Fax : +91 - 22 - 67531236

SIDBI will not answer any communication initiated by Respondents later than five business days
prior to the due date for lodgment of RfPs. However, SIDBI may, in its absolute discretion, seek
additional information or material from any Respondents after the RfP closes and all such
information and material provided must be taken to form part of that Respondent’s response.

Respondents should provide details of their Fax, email and full address(s) to ensure that replies
to RfP could be conveyed promptly.

If SIDBI, in its absolute discretion, deems that the originator of the question will gain an
advantage by a response to a question, then SIDBI reserves the right to communicate such
response to all Respondents.

SIDBI may, in its absolute discretion, engage in discussion or negotiation with any Respondent
(or simultaneously with more than one Respondent) after the RfP closes to improve or clarify any
response.

1.12 Notification
SIDBI will notify all short-listed Respondents in writing as soon as practicable about the outcome
of their RfP. SIDBI is not obliged to provide any reasons for any such acceptance or rejection.

1.13 Disqualification
Any form of canvassing/lobbying/influence/query regarding short listing, status, etc will be a
disqualification.

Confidential -8-
Request for Proposal: Information Systems Audit 2009-10

2. Background
About SIDBI
Small Industries Development Bank of India (SIDBI) was established in April
1990. The mission of SIDBI is to empower the Micro, Small and Medium Enterprises
(MSME) sector with a view to contributing to the process of economic growth,
employment generation and balanced regional development having objective to
serve as a single window for meeting financial and developmental needs of MSME
sector.

The four basic objectives set out in the SIDBI Charter are Financing, Promotion,
development and Co-ordination for orderly growth of industry in the MSME sector.
The Charter has provided SIDBI considerable flexibility for adopting appropriate
operational strategies to meet these objectives. The activities of SIDBI, as they have
evolved over the period of time, now meet almost all the requirements of sector
which fall into a wide spectrum constituting modern and technologically superior units
at one end and traditional units at the other.

The bank provides its services through a network of around 100 locations/offices
located all over India. Detailed information on the functions of the bank is provided
on the website, www.sidbi.in.

Present IT setup:
SIDBI has been using Information Technology (IT) extensively for its day to day
business operations. The Information Services Department (ISD) is located at
Mumabi HO. A centralised Data Centre (DC) has been set up at Mumbai having
centralised database [Oracle 10g/9i RDBMS] for all the applications for its Branch
offices [BOs]. All BOs are connected to the DC through MPLS VPN based WAN with
ISDN as backup. These offices use Citrix Metaframe software to connect to the DC
at Mumbai and access the application software hosted on application server (Citrix).
The DC is having around 60 servers [2 IBM AIX, 2 HP UNIX and 55 Intel (with
Windows 2000/2003 / Linux OS) ]. Lotus notes is used as the mail messaging
system for all the offices of SIDBI. Some of the application software implemented at
SIDBI are Direct Finance System, Refinance System, Bills finance System, Branch
Accounts System, Payroll etc. In addition, there are many corporate level application
software, being used only at Mumbai. The Bank has also set up of Disaster
Recovery Site at Chennai [one IBM AIX server and 7 Intel servers with Windows
2000 ]. The IT Security Policy [ITSP] and Information Technology Procedure Manual
[ITPM] is already in place for SIDBI, which forms the basis of day to day IT
Operations.

Confidential -9-
Request for Proposal: Information Systems Audit 2009-10

3. Requirements
3.1 Objective
SIDBI plans to carry out for following projects conduct annual Information Systems
(IS) Audit by outsourcing as detailed below:
Project 1: IS Audit – IT Control Review (ITCR)
Project 2: IS Audit Network & Security Audit (N&SA)

Project Area to be Locations

covered
1 IT Control Review Data Centre at Mumbai ,
(for 2 locations) DR site at Chennai
2 Network and Data Centre at Mumbai ,
Security Audit (for DR site at Chennai
2 locations)

The detailed scope of work, terms and conditions, bid format etc are part of
this document. Accordingly, SIDBI invites proposal in two separate envelopes
(One for technical bid and other for commercial bid) for the above projects.

The audit firm will be required to submit technical and commercial quotation in
separate envelopes for the combined audit exercise. The selected audit firm will be
awarded all these audit exercises for all identified SIDBI offices as per RfP.

3.2 Scope
The scope of the proposed audit exercises are given below. The audit firm shall deploy
minimum 2 CISA/ BS7799 LA/ ISO27001 LA / CISSP professionals for the entire audit
project. The audit firm will be required to deploy minimum 2 CISA/ BS7799 LA/
ISO27001 LA / CISSP professionals for Mumbai and Chennai locations out of which one
must be CISSP. (However, the audit firm may depute the same CISSP auditor to both
locations to be part of Audit team for Network & Security Audit). The audit team should
comprise only regular employees of the audit firm and should not comprise any part-time
or hired employees. The audit firm will not sub contract part or complete assignment to
any other agency or individual. The audit team should comprise at least one CISSP
certified professional, considering the technical nature of Network & Security Audit. The
audit firm will be required to prepare the checklist taking into account of the guidelines
and suggestions prescribed by RBI with respect to IS Audit and best audit practices in
industry. In addition, selected audit firm has to follow-up with the offices/departments for
compliance and monitor and review progress of compliance for speedy closure of audit
compliance. Persistent and recurring problems / issues in audit based on past reports to
be reported.

Confidential - 10 -
Request for Proposal: Information Systems Audit 2009-10

3.3 Scope of IT Control Review

Sr. No. Activity Mumbai DR Site
1 IT Management Y N
2 Branch IT Management Issues N Y
3 Departmental setup Y N
4 IT Purchase Y N
5 Review of AMC and Facility Management Y Y
Services, Help Desk
6 Physical access and Environmental Y Y
controls
7 In house Application development, Y N
maintenance, application roll out and
training.
8 Outsourced development / purchase of Y N
application software
9 Change Management Procedure Y N
10 Review of IT Infrastructure operations - Y Y
Hardware, IT Asset Management
11 Risk assessment of IT Infrastructure Y Y
12 Physical access and Environmental Y Y
controls
13 User id / password management and Y Y
Logical access controls
14 Backup Procedure wherever applicable Y Y
15 Antivirus Measures Y N
16 End User Computing wherever applicable Y Y
17 Call logging in DC Support, Problem Y Y
escalation, resolution
18 WAN Management and Network N Y
Administration – Issues at branch level

Y : Indicates ‘Applicable’ N: Indicates ‘ Not Applicable’

A detailed risk assessment of the IT infrastructure at Mumbai and Chennai is

to be carried out. The risk assessment process should include identification
and classification of potential threats and vulnerabilities, quantify loss
exposures based on estimated frequencies. Recommendations on allocation
of resources to mitigate risk involved so as to minimize total exposure. A draft
report on the risk assessment including risk mitigation measures is to be
submitted for review by SIDBI and acceptance.

3.4 Scope of Network and Security Audit (NSA)

Sr. No. Activity Mumbai DR Site
1 Network issues – Performance monitoring of Y N
routers (CPU, Memory etc.), Latency
measurement, CoS Implementation

Confidential - 11 -
Request for Proposal: Information Systems Audit 2009-10

Sr. No. Activity Mumbai DR Site

checking, Availability of Backup link, Network
Availability, Capacity / Bandwidth utilization,
Security – Encryption of data and physical
security, Network documentation, Internet
usage policy.
2 Error logging and monitoring, Network Y N
monitoring, Bandwidth utilization and
monitoring, Firewall Policy, Squid Proxy
Server
3 Citrix Configuration and management Y N
4 Anti virus measures Y N
5 Lotus Notes Administration Y N
6 Internet and SIDBI Website Y N
7 Windows 2000/2003 System Y Y
Oracle Database Administration
8 Enterprise backup system / Backup plan and Y Y
procedure
9 Logical controls with emphasis on Y Y
management of administration and powerful
passwords of Unix (AIX and Linux) Windows
2000/2003 Servers, Routers, Firewalls
Ironport.
10 Review of Services and Daemons in Y N
Windows 2000/2003, Routers, Firewall etc.
11 Review of Security Audit of NDS System Y N
(RBI)
12 Review of logs in Oracle database, Lotus Y N
Notes, Windows 2000/2003 servers,
Routers, Firewalls and Ironport.
13 Review of IIS Server used for hosting HRMS Y N
14 Disaster Recovery Plan & effectiveness Y Y
15 Vulnerability Analysis (VA) and Penetration Y N
Testing (PT)
Y : Indicates ‘Applicable’ N: Indicates ‘ Not Applicable’

Confidential - 12 -
Request for Proposal: Information Systems Audit 2009-10

Location wise list of Servers and Network Equipments for

(Network Security Audit)
Location Hardware Details No of items
Windows 2000 Server 40
WIN 2003 R2 STD 10
Linux Server 4
IBM AIX Server 2
HP Unix 2
WINDOWS XP 1
Router
Cisco 3800 Series 2
Mumbai Cisco 1800 Series 1
Cisco 2960 6

Security Devices
Ironport 2
NIPS 4240 1
PIX 2
HIPS 1
Fortigate 1
Switches
Cisco 4500 Series 1
Cisco 2900 Series 20
WINDOWS 2000 7
IBM AIX Server 1
Router
Chennai Cisco 1800 Series 1
Switches
Cisco 2900 Series 1
Dlink 3526 2

The focus of the audit exercise will be on configuration, deployment,

administration, access control, User Id, Password management, performance
tuning, Service pack / patch updation, logging and back up and security aspects.

3.5 Expected Deliverables

The selected audit firm will be required to submit the following documents after
the audit exercise for each location / office, as mentioned below.
Deliverables
Sr Audit Projects Report
No
1 IT Control Review 1. Executive Summary
2. Audit Report
3. Check list
4. Quarterly Compliance Progress
5. Summary compliance report

Confidential - 13 -
Request for Proposal: Information Systems Audit 2009-10

At the end of each quarter

6. Final Compliance report
After all observations complied.
7. Risk assessment report on IT
Infrastructure
8. Persistent and recurring problems report
2 Network & Security Audit 1. Executive Summary
2. Audit Report
3. Check list
4. Quarterly Compliance Progress
5. Summary compliance report
At the end of each quarter
6. Final Compliance report
After all observations complied.
7. Persistent and recurring problems report
Y : Indicates ‘Applicable’ N: Indicates ‘ Not Applicable’

The audit firm will submit a detailed report on the risk assessment and review of
the IT infrastructure at Mumbai and Chennai offices. Three sets of hard copies and
softcopy (in MS Word format) of all audit reports including Executive Summary have to
be submitted.

3.6 Follow-Up and Compliance

The Audit firm is required to follow-up with the offices for all compliance. The
Audit firm will submit quarterly compliance reports, summary compliance report
(furnishing total number of points, complied and pending status as per format given
by the bank) at end of each quarter and a final compliance report after all
observations are complied for the projects separately or one year from the date of
commencement of the Audit.

3.7 Terms and conditions

The terms and conditions of the work are given at Annexure A. SIDBI reserves the
right to modify them if required, at time of issue of order.

The audit firm must also submit specific suggestions/ recommendations and other
detailed steps for enhancing the Facility Management Services, Environmental
controls, Logical access controls & End User Computing, based on the best industry
practices.

Confidential - 14 -
Request for Proposal: Information Systems Audit 2009-10

3.8 Time frame of the deliverables

The selected audit firm will be required to start the project within 7 days from the
date of placing the order for the audit.

The actual audit exercise must be completed latest by 15th March 2010.

All the draft reports of the agreed deliverables should be submitted by the firm
within 50 days of the commencement of the audit. After submission of the draft
reports, a meeting with ISD officers will be held for discussing and finalizing the
reports. The Project Leader along with key members of the audit team involved in
the audit should attend the meeting at Mumbai HO.

The final reports of the deliverables should be submitted by the firm within 20
days of receiving feedback from SIDBI on draft reports.

The audit, as mentioned above, has to be completed within timeframe specified.
It is expected that the audit firm may deploy multiple teams to complete the audit
projects within given time frame.

The Audit period including Compliance will be for one year starting from date of
commencement of Audit. IS auditor will be required to send the final report to
respective branches for compliance with a copy to ISD, SIDBI, Mumbai. Follow-
up activity will be carried out by auditor with branches using normal mode of
communication i.e. Letter/ e-mail/ phone/ fax etc. It is not required to visit
branches for verifying compliance. However, written and signed communication
of compliance from branches have to be analysed by Audit firm for compliance
and acceptance.

Confidential - 15 -
Request for Proposal: Information Systems Audit 2009-10

4. Selection Criteria
4.1 Tender Methodology

a) The tender methodology adopted is “Two Bid System” i.e., Technical Bid and
Commercial Bid.
b) The Technical Bid should be placed in a non-window sealed cover super
scribed with “RfP No. -------“, “Technical Bid for IS Audit“.
c) The envelop containing Technical Bid should also contain One Demand Draft
for Rs.10,500/- (Rupees Ten Thousand Five Hundred Only) . [ Rs. 10000/-
towards EMD (refundable) and Rs. 500/- towards Application Fee
(Nonrefundable) ]
d) The DD should be drawn in favour of “Small Industries Development Bank of
India [SIDBI], payable at Mumbai “.
e) The Commercial Bid should be placed in Non-Window sealed cover super
scribed with “RfP No. ----- “, “Commercial Bid for for IS Audit“.
f) All the covers thus prepared should also indicate clearly the Name and
Address of the Vendor.
g) The bidder shall bear all the costs associated with the preparation and
submission of the bid and SIDBI will in no case be responsible or liable for
those costs, regardless of the conduct or the outcome of the tendering
process.
h) Bids submitted without EMD and Application Fee Demand Draft will not be
considered for evaluation.
i) Bids sent by fax or e-mail will not be considered for evaluation.

4.2 Selection process

SIDBI will evaluate proposals of the Respondents on the basis of Financial Status
and Technical Capability of the respondent and also the track record of successful
delivering /implementation of the products/services required by the Bank. Therefore,
respondents should submit necessary details that would help evaluation. The
response submitted should contain the respondent’s proposed solution covering all
the requirement of scope of audit listed in Requirements section (3).
The selection will take place in two phases:
Phase I : Envelope I will be opened and bidders meeting the minimum eligibility
criteria will be short-listed. The qualifying vendors will be informed about the same.
Phase II : The Commercial proposals for short listed bidders after Phase I, will be
opened and selection will be done on L1 basis.
SIDBI in its sole/absolute discretion can apply whatever criteria deemed appropriate
in determining the responsiveness of the proposal submitted by the respondents.
SIDBI may reject any / all proposal(s) at any stage without assigning any reason
thereof.

Confidential - 16 -
Request for Proposal: Information Systems Audit 2009-10

5. Technical Bid

The Bidder must be a registered partnership firm or a limited company having its
registered office in India.

To ensure audit independence, the bidder should not have been a vendor of IT
equipment / peripherals / services to the Bank in the past 3 years.

5.1 Minimum Eligibility Criteria

S. Requirements Compli- Details
No ance
1 Existence in Last 3 years (provide necessary proof like Yes/No
certificate of Incorporation / Deed of partnership )
2 The firm should be making positive networth and cash Yes/No
profit (i.e. no cash loss) in 2 years out of last 3 years. @
3 Should be performing IS audit activity for last 2 years Yes/No
4 The Bidder must be having on their rolls, on permanent Yes/No
employment basis, a minimum of five (5 nos.)
professionals who hold professional certifications like
CISA/ CISM/ CISSP/ ISO 27001 LA/ BS 7799LA/
ISO27001 LA)
5 Should deploy minimum 3 number of Technical Yes/No
manpower (CISA/ CISM /CISSP/ BS7799 LA/ ISO27001
LA) qualified professionals (who are regular employees
of the firm) for the audit for SIDBI IS audit project.
(Proof of Certification should be attached)
6 Experience of conducting similar IS Audit as proposed Yes/No
by SIDBI of a minimum of 2 audit projects in all India
Banks or Financial Institutions, having centralised Data
Centre operations with network, database setup
7 IS Audit must either be a core activity of the firm or Yes/No
carried out by a regular departmental set up of the firm
8 a. Organisation is empaneled by CERT-In for providing Yes/No
IT Security Auditing Service
(Should be a valid member of Panel of IT Security
Auditors impaneled by CERT-In )
b. Documentary evidence of the same enclosed Yes/No
• @- Provide Annual report or CA certificate for last three years mentioning the
turnover, networth and cash profit.
• All the above clauses of the eligibility criteria are mandatory and cannot be waived.

Confidential - 17 -
Request for Proposal: Information Systems Audit 2009-10

5.2 Audit Firm Details:

S.No. Description Vendor Response

1 Name of the IS Audit Firm / Company
2 Year of establishment of the audit firm
3 Year of starting IS Audit Activity
No. of years of IS Audit
4 Contact details: (indicate contact person
name, Telephone No., Fax No., e-mail
address, etc.)
5 No. Of employees in the Firm/Company No of CISA/ CISM/ CISSP/ ISO
27001 LA/ BS 7799LA/ ISO27001
LA) :

Others:-
6 Technical Manpower (CISA/ CISM/ No of CISA/ CISM/ CISSP/ ISO
CISSP/ ISO 27001 LA/ BS 7799LA/ 27001 LA/ BS 7799LA/ ISO27001
ISO27001 LA) deployed for SIDBI IS LA) :
Audit project. Others:-
7 Describe Project Management clearly
indicating about the composition of
various teams.
8 Describe Audit Methodology and
Standards to be used.
9 Indicate Project Plan with milestones and
the time frame of completion of different
activities.
10 List of deliverables vis-à-vis the
timeframe of the deliverables as per the
scope of the project in Section 3.
11 Role and responsibility of SIDBI and the
Audit firm. Explain other requirements
from SIDBI, if any.
12 Briefly mention about a minimum of 2 IT
audit projects with details of scope,
duration & size (in the order of
size/duration) related to the above project
carried out in all-India Banks/FIs, since
last three years.
14 Include Job / Experience / qualifications
profile of the Project Manager and other
key personnel to be involved in the
project. (Please note that involvement of
CISA/ BS7799 LA/ ISO27001 LA
professionals are a must in each team).
15 Any other related information, not

Confidential - 18 -
Request for Proposal: Information Systems Audit 2009-10

mentioned above, which the audit firm

wish to furnish.
16 Declaration of commercial terms and
conditions, if any. It is expected that the
firm will accept the conditions as
stipulated by SIDBI. In case, some
conditions are not acceptable or any
additional conditions stipulated, the same
may be indicated here.
Note: All the relevant details & documentary evidence are to be furnished

Additional Information :
IS Audit Experience in
a. Wide Area Network (IP based network with CISCO Yes/No
router,switch etc)
b. Security assessment: - Firewall , IDS, IPS, using Yes/No
network such as MPLS, leased lines, ISDN ,
dialups etc.
c. Operating Systems ( Unix, Windows 2000 / 2003 Yes/No
etc)
d. Database (Oracle, MS SQL etc.) & Application Yes/No
software Audits
e. Centralised Data Centre operations with network, Yes/No
database setup
f. Penetration Testing Yes/No

5.3 Contact Details:

a) Name of the company

b) Company’s address in India
c) Contact person
d) Telephone no.
e) Fax
f) E-mail address

5.4 Details of IT Audit Projects done in previous 3 years in

Banking domain:

S.N Client Name Contact Contact E-mail Scope of Audit Period

Person No. Audit
1
2
3
4

Confidential - 19 -
Request for Proposal: Information Systems Audit 2009-10

Declaration

We hereby declare that the information submitted above is complete in all

respect and true to the best of our knowledge. We understand that in case any
discrepancy or inconsistency or incompleteness is found in the information submitted by
us, our application is liable to be rejected.

Date: Authorised Signatory.

Confidential - 20 -
Request for Proposal: Information Systems Audit 2009-10

6. Commercial Bid
The commercial Bid should contain the Total project cost, on a fixed cost basis. SIDBI
will neither provide nor reimburse expenditure towards any type of accommodation,
travel ticket, airfares, train fares, halting expenses, transport, lodging, boarding etc.

The format for the commercial bid is given below:

Name of the Projects Total Cost Taxes, Net Cost

[Rs.] if any [Inclusive of all
[Rs.] taxes, etc]
[Rs.]
IS Audit
(inclusive all fees and
expenses)

Signature of
Date
Authorised Signatory -

Place Name of the Authorised Signatory -

Designation -

Name of the Organisation -

Seal -

Confidential - 21 -
Request for Proposal: Information Systems Audit 2009-10

7. Annexure - A
Terms & Conditions
1) Special Terms & Conditions:

1) The audit firm will offer commercial quote, based on fixed cost, inclusive of taxes, if
any. SIDBI will not pay any additional amount other than indicated in the offer.
2) Payment terms will be as follows:

a) 50 % on submission of draft Audit reports for all offices as per the scope.
b) 40 % on acceptance and finalisation of all the reports i.e. on completion of all
projects.
c) 10% on submission of Final Compliance report.

TDS will be deducted at source for any payment made by SIDBI, as per rules of
Government of India.
3) SIDBI will neither provide nor reimburse expenditure towards any type of
accommodation, travel ticket, airfares, train fares, halting expenses, transport,
lodging, boarding etc.
4) SIDBI may impose penalty, in case of delay of any deliverables at the rate of 1% per
week delay, either for completion of audit exercises or submission of draft final
report, subject to a maximum of 5% of the total cost, for all delays attributable directly
to the Audit firm.
5) The audit firm will not sub contract part or complete assignment to any other agency
or individual. In case of such unavoidable circumstances, the audit firm has to take
prior written permission from SIDBI for engaging such agency or individual.
6) The audit firm shall keep information related to SIDBI confidential and will not divulge
to outside agencies without written consent from SIDBI.
7) If selected, the audit firm shall sign agreements as given in the Annexure I, before
commencement of the audit.

Confidential - 22 -
Request for Proposal: Information Systems Audit 2009-10

2) General Terms and Conditions:

(These terms and conditions are generic in nature, which have been mentioned for the
knowledge of the bidders and may be changed to specific terms and conditions with
necessary changes with each Purchase Order as and when applicable)

I. Definitions
In this Contract, the following terms shall be interpreted as indicated:

a) “The Bank ” means Small Industries Development Bank Of India (SIDBI);

b) “The Contract” means the agreement entered into between the Bank,
represented by its Head Office / Zonal Offices and the Supplier of goods and
services, as recorded in the Contract Form signed by the parties, including all
attachments and appendices thereto and all documents incorporated by
reference therein;

c) “The Contract Price” means the price payable to the Supplier under the
Contract for the full and proper performance of its contractual obligations;

d) “The Goods” means all of the materials which the Supplier is required to
supply to the Bank under the Contract;

e) “The Services” means IT and IT related services, provision of technical

assistance, training and other such obligations of the Supplier as applicable
under the Contract;

f) “TCC” means the Terms and Conditions of Contract contained in this

section;

g) “The Supplier” or “the Vendor” means the individual or firm supplying or

intending to supply the Goods and Services under this Contract; and

h) “The Project Site” means various Head Office/Branches/Administrative

offices of Small industries Development Bank of India.

Confidential - 23 -
Request for Proposal: Information Systems Audit 2009-10

II. Use of Contract Documents and Information

The Supplier shall not, without the Bank’s prior written consent, disclose
the Contract, or furnish any provision thereof, or any specification, plan, drawing,
pattern, sample or information, website contents, applications furnished by or on
behalf of the Bank in connection therewith, to any person other than a person
employed by the Supplier in the performance of the Contract. Disclosure to any
such employed person shall be made in confidence and shall extend only so far
as may be necessary for purposes of such performance.

The Supplier will treat as confidential all data and information about the
Bank, obtained in the execution of his responsibilities, in strict confidence and will
not reveal such information to any other party without the prior written approval of
the Bank.

III. Subcontracts
The Supplier shall not assign to others, in whole or in part, its obligations
to perform under the contract, except with the Bank’s prior written consent.
The Supplier shall notify and obtain concurrence from the Bank in writing
of all subcontracts / Franchisees awarded under the Contract, if not already
specified in the quotation. Such notification, in the original quotation or later, shall
not relieve the Supplier from any liability or obligation under the Contract.
Subcontracts / Franchisees, if any must comply with the provisions of
TCC.

IV. Governing language

The Contract shall be written in English. All correspondence and other
documents pertaining to the Contract, which are exchanged by the parties, shall
be written in English.

The technical documentation involving detailed instruction for operation

and maintenance, users' manual etc. is to be delivered with every unit of the
equipment supplied. The language of the documentation should be English.

Confidential - 24 -
Request for Proposal: Information Systems Audit 2009-10

V. Commercial Terms
All Payments will be made to the bidder in Indian rupee only.

The Bidder must accept the payment terms proposed by the Bank. The
financial bid submitted by the Bidder must be in conformity with the payment
terms proposed by the Bank. Any deviation from the proposed payment terms
would not be accepted. The Bank shall have the right to withhold any payment
due to the Bidder, in case of delays or defaults on the part of the Bidder. Such
withholding of payment shall not amount to a default on the part of the Bank..

Once a contract price is arrived at, the same must remain firm and must
not be subject to escalation during the performance of the contract due to
fluctuation in foreign currency, change in the duty/tax structure, changes in costs
related to the materials and labour or other components or for any other reason.

VI. Applicable laws

The Contract shall be interpreted in accordance with the laws prevalent in
India.
Compliance with all applicable laws: The Bidder shall undertake to
observe, adhere to, abide by, comply with and notify the Bank about all laws in
force or as are or as made applicable in future, pertaining to or applicable to
them, their business, their employees or their obligations towards them and all
purposes of this RFP and shall indemnify, keep indemnified, hold harmless,
defend and protect the Bank and its employees/ officers/ staff/ personnel/
representatives/ agents from any failure or omission on its part to do so and
against all claims or demands of liability and all consequences that may occur or
arise for any default or failure on its part to conform or comply with the above and
all other statutory obligations arising therefrom.

Confidential - 25 -
Request for Proposal: Information Systems Audit 2009-10

Compliance in obtaining approvals/ permissions/ licenses: The Bidder

shall promptly and timely obtain all such consents, permissions, approvals,
licenses, etc., as may be necessary or required for any of the purposes of this
project or for the conduct of their own business under any applicable Law,
Government Regulation/Guidelines and shall keep the same valid and in force
during the term of the project, and in the event of any failure or omission to do so,
shall indemnify, keep indemnified, hold harmless, defend, protect and fully
compensate the Bank and its employees/ officers/ staff/ personnel/
representatives/agents from and against all claims or demands of liability and all
consequences that may occur or arise for any default or failure on its part to
conform or comply with the above and all other statutory obligations arising
therefrom and the Bank will give notice of any such claim or demand of liability
within reasonable time to the bidder.

VII. Patent Rights

In the event of any claim asserted by a third party of infringement of
copyright, patent, trademark, industrial design rights, etc. arising from the use of
the Goods or any part thereof in India, the Supplier shall act expeditiously to
extinguish such claim. If the Supplier fails to comply and the Bank is required to
pay compensation to a third party resulting from such infringement, the Supplier
shall be responsible for the compensation including all expenses, court costs and
lawyer fees. The Bank will give notice to the Supplier of such claim, if it is made,
without delay.

VIII. Force majeure

If the performance as specified in this order is prevented, restricted,
delayed or interfered by reason of Fire, explosion, cyclone, floods, War,
revolution, acts of public enemies, blockage or embargo, Any law, order,
proclamation, ordinance, demand or requirements of any Government or
authority or representative of any such Government including restrict trade
practices or regulations, Strikes, shutdowns or labour disputes which are not
instigated for the purpose of avoiding obligations herein, or Any other
circumstances beyond the control of the party affected, then notwithstanding

Confidential - 26 -
Request for Proposal: Information Systems Audit 2009-10

anything here before contained, the party affected shall be excused from its
performance to the extent such performance relates to prevention, restriction,
delay or interference and provided the party so affected uses its best efforts to
remove such cause of non-performance and when removed the party shall
continue performance with utmost dispatch.
If a Force Majeure situation arises, the Bidder shall promptly notify the
Bank in writing of such condition, the cause thereof and the change that is
necessitated due to the conditions. Until and unless otherwise directed by the
Bank in writing, the Bidder shall continue to perform its obligations under the
Contract as far as is reasonably practical, and shall seek all reasonable
alternative means for performance not prevented by the Force Majeure event.

IX. Forfeiture of performance security

The bid security [EMD] may be forfeited:
if a Bidder withdraws its bid during the period of bid validity specified by
the Bidder on the Bid Form;
Or
in case of the successful Bidder, if the Bidder fails to accept the order /
sign the Contract Or furnish Performance Guarantee.
The Bank shall be at liberty to set off/adjust the proceeds of the
performance security towards the loss, if any, sustained due to the supplier’s
failure to complete its obligations under the contract. This is without prejudice to
the Bank’s right to proceed against the Supplier in the event of the security being
not enough to fully cover the loss/damage.

X. Termination
The Bank may at any time terminate the contract by giving written notice
to the Bidder if the Bidder becomes bankrupt or otherwise insolvent. In this event,
termination will not prejudice or affect any right of action or remedy, which has
accrued or will accrue thereafter to the Bank.
The Bank reserves the right to cancel the contract in the event of
happening one or more of the following Conditions:

Confidential - 27 -
Request for Proposal: Information Systems Audit 2009-10

 Failure of the successful bidder to accept the contract and furnish the
Performance Guarantee within specific days of receipt of purchase
contract as stated in the Purchase order;

 Delay in offering services

 Delay in completing installation / implementation and acceptance tests

/ checks beyond the specified periods;
In addition to the cancellation of purchase contract, Bank reserves the
right to appropriate the damages through encashment of Bid Security /
Performance Guarantee given by the Bidder.

XI. Resolution of Disputes

It will be the Bank’s endeavor to resolve amicably any disputes or
differences that may arise between the Bank and the Bidder from misconstruing
the meaning and operation of the RFP and the breach that may result.
In case of Dispute or difference arising between the Bank and a Supplier
relating to any matter arising out of or connected with this agreement, such
disputes or difference shall be settled in accordance with the Arbitration and
Conciliation Act, 1996. The Arbitrators shall be chosen by mutual discussion
between the Bank and the Supplier OR in case of disagreement each party may
appoint an arbitrator and such arbitrators may appoint an Umpire before entering
on the reference. The decision of the Umpire shall be final.
The Bidder shall continue work under the Contract during the arbitration
proceedings unless otherwise directed in writing by the Bank or unless the matter
is such that the work cannot possibly be continued until the decision of the
Arbitrator or the umpire, as the case may be, is obtained.
Arbitration proceedings shall be held at Mumbai, India, and the language
of the arbitration proceedings and that of all documents and communications
between the parties shall be English;
Not withstanding anything contained above, in case of dispute, claim &
legal action arising out of the contract, the parties shall be subject to the
jurisdiction of courts at Mumbai, India only.

Confidential - 28 -
Request for Proposal: Information Systems Audit 2009-10

Any notice given by one party to the other pursuant to this Contract shall
be sent to the other party in writing or by fax and confirmed in writing to the other
party’s specified address. The same has to be acknowledged by the receiver in
writing.
A notice shall be effective when delivered or on the notice’s effective
date, whichever is later.

**********************

Confidential - 29 -
Request for Proposal: Information Systems Audit 2009-10

Annexure I
Declaration to be signed by the
third party vendors / service provider

(to be filled in by authorised signatory of the vendor

/ service provider while accepting the order)

In case of a limited company

I, Shri ____________________, son / daughter of Shri ___________________,
aged about ___ years, Indian inhabitant residing at ________________, do hereby
solemnly declare and state as follows:

(i) I am a Director/ the Managing Director / __________________ (designation ) of

___________________ Ltd., a Company within the meaning of the Companies Act,
1956 and having its Registered Office at ___________________ (hereinafter called "the
Company") and I am duly authorised by the Company to make this declaration for and
on behalf of the Company.

In case of a partnership firm.

We,
1. Shri ____________________, son / daughter of Shri _________________, aged
about ___ years, Indian inhabitant residing at _______________,
2. Shri ____________________, son / daughter of Shri_________________, aged
about ___ years, Indian inhabitant residing at _______________,
3. Shri ____________________, son / daughter of Shri ___________________,
aged about ___ years, Indian inhabitant residing at _______________,
the partners of ________________________ , a partnership firm carrying on its
business at __________________ (hereinafter referred to as "Firm") do hereby solemnly
declare and state as follows:
(i) We say that we are the partners of the firm.
In case of a proprietary concern.
I, Shri ___________________, son / daughter of Shri___________________,
aged about ___ years, Indian inhabitant residing at ____________________ do hereby
solemnly declare and state as follows :

Confidential - 30 -
Request for Proposal: Information Systems Audit 2009-10

(i) I say that I carry on business in the name and style as M/s ____________________
as a Sole Proprietary Concern at ____________________,

1(ii) I / We will keep information related to SIDBI confidential and will not divulge to
any outside agency or person without written consent from SIDBI. This shall include
passwords, access codes, pass phrases used by the personnel of my company. I / We
will ensure that any user ids / manuals / SIDBI related information in printed / soft form /
hardware items used by the personnel of my company shall be returned / handed over to
the concerned person in SIDBI upon the completion of the task assigned to the company
or as per the guidelines issued by SIDBI.
(iii) I / We shall also indemnify and keep SIDBI indemnified against all losses,
damages, costs, claims and expenses whatsoever which SIDBI may suffer, pay or incur
by reason of or in connection with any such default on the part of the
___________________(firm /company).

Signature
Date:
Place:

Confidential - 31 -
Request for Proposal: Information Systems Audit 2009-10

Declaration to be signed by employees

of the third party vendor / service provider

(to be filled in by each vendor / service provider personnel)

I ___________________, representative / service engineer of M/s

____________________ do hereby declare that I will faithfully, truly and to the
best of my knowledge and ability, execute and perform the duties required by me
for Small Industries Development Bank of India (SIDBI) as per the terms &
agreement of SIDBI entered into with the vendor / service provider - M/s
_____________________ .

I further declare that I will not communicate or allow to be communicated

to any person not legally entitled thereto any information relating to the affairs of
SIDBI and its affiliates. I will hand over any user ids / manuals / SIDBI related
information in printed / soft form in my possession / hardware items used by me
to the concerned person in SIDBI upon the completion of my task. I will not
divulge passwords, access codes, pass phrases used for discharging my duties
to any person not legally entitled thereto.

I also do hereby declare that I agree to abide by the instructions /

guidelines given by SIDBI from time to time.

Signature

Date:
Place:

Confidential - 32 -